
Seducing the pants off Oracle


Presentation Transcript


  1. Seducing the pants off Oracle Gary Myers Photos are courtesy of http://picasaweb.google.com/silverghost1951

  2. Computers don't "get" threats

  3. AUTHENTICATION vs AUTHORISATION • Passwords = AUTHENTICATION mechanism (who am I) • With the DBA's username and password, I can convince the database I am the DBA • DBA is typically authorised to do all (or most) things.

  4. I AM YOUR WORST NIGHTMARE or at least in your Top Ten

  5. I Am Your Worst Nightmare • External consultant (or contractor) • Good understanding of Oracle • Follow a lot of the (public) Oracle security chatter

  6. I Am Your Worst Nightmare • Only around for a short period • Next week, I may be working for your competitor • Next week, I may be unemployed • Motive is often malice or financial gain • Don't rule out sheer incompetence • Financial need often driven by… • Addiction to drugs or alcohol • Gambling debts or expensive women • Sydney house prices

  7. I Am Your Worst Nightmare • I have access to your offices • I have access to your computers • I have access to your databases

  8. I Am Your Worst Nightmare Means Motive Opportunity • I am a consultant (or contractor) • I have a good understanding of Oracle • I follow a lot of the (public) Oracle security talk • I may only be around for weeks • I may be working for your competitor next • I may be unemployed next • I have access to your offices • I have access to your computers • I probably have access to your databases

  9. RISK ASSESSMENT Fall or be shot?

  10. It's All About Risks • Denial of Service • Unauthorised reads • Unauthorised writes • Unauthorised use • Gateway to the Great Beyond • Falling from buildings or being shot - not so much

  11. DENIAL OF SERVICE Your ride ends now...

  12. Denial of Service • Crash the database (or listener) • Catastrophic data loss • Catastrophic data corruption • Standard DR recovery • Beware : Attack may be repeated

  13. UNAUTHORISED READS No peeking

  14. Unauthorised Reads Someone sees something they shouldn't • Backups • Redo / Undo files • Trace files, dumps and exports • Data in transit (client to/from server) • Operating System (memory) • Development and test databases

  15. Unauthorised Reads • Internal info (eg DBA_USERS) • Inference • Clues about data

  16. Unauthorised Reads • Don't store data you don't need • Don't store a value where a hash will do (eg passwords) • Encrypt personal information • Encrypt financial information • Limit 'back door' access (TDE) • Individual Authentication • Regularly review authorisations • Audit

  17. Unauthorised Reads Around a quarter of staff would steal information such as customer lists when they moved employment (The Register, 19th August 2010)

  18. UNAUTHORISED WRITES Destroying the evidence

  19. Unauthorised Writes • Insert, Update or Deletion of data • Could be 'regular' data • Could be 'tidying away' evidence (audit trail) • Could be data dictionary (rootkit) • Audit (to OS, not DB) • Checksum packages, files…

  20. UNAUTHORISED USE No personal calls!

  21. Unauthorised Use Using the database without permission • Illegal / illicit • PCI • In excess of licensed functionality • Contractors / Consultants • Storing private data on the disks • Cloud

  22. ESCAPING THE DATABASE Out of the frying pan

  23. Escaping The Database • Use dev / test to get to Prod • Use DR to get to Prod • Use database to get to OS • Use DB server to get to other local machines • Use DB server to get to remote machines (HTTP etc) • Use db password for other apps

  24. PASSWORDS

  25. Password security • Hashes = passwords • Crack a million passwords / second • Seven character passwords - Trivial • Eight alphabetic character passwords - Trivial • Eight character passwords plus a '1' on the end - Trivial • Password fuzzers and Rainbow tables

  26. Password Demo • Create fresh user in SQL*Plus • Set a reasonable password • Not TIGER or MANAGER • Something that you'd remember though • See whether ORABF will crack it • select 'orabf '||password||':'||username from dba_users where username='GARY'; • cd C:\Documents and Settings\All Users\Documents\Common\orabf-v0.7.6 • orabf 9F868BD4F05CEE80:GARY -c pass_uniq.txt
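The defensive counterpart to slides 25 and 26, as an added example that is not part of the presentation: an Oracle password verify function and profile that reject the password classes the slides call trivial. The names verify_strong_pwd and consultant_profile and the 12-character minimum are assumptions; the function has to be created in the SYS schema.

```sql
-- Added example, not part of the presentation: a password verify function
-- and profile that reject the password classes the slides call trivial.
-- Names (verify_strong_pwd, consultant_profile) and the 12-char minimum
-- are assumptions; the function must be created in the SYS schema.
CREATE OR REPLACE FUNCTION verify_strong_pwd (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
    classes PLS_INTEGER := 0;
BEGIN
    -- Eight characters, even with a '1' on the end, fall to brute force
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    -- Reject the well-known defaults and the username itself
    IF UPPER(password) IN ('TIGER', 'MANAGER', 'CHANGE_ON_INSTALL')
       OR UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not be a default or the username');
    END IF;
    -- Require at least three of: lower, upper, digit, other
    IF REGEXP_LIKE(password, '[a-z]')        THEN classes := classes + 1; END IF;
    IF REGEXP_LIKE(password, '[A-Z]')        THEN classes := classes + 1; END IF;
    IF REGEXP_LIKE(password, '[0-9]')        THEN classes := classes + 1; END IF;
    IF REGEXP_LIKE(password, '[^a-zA-Z0-9]') THEN classes := classes + 1; END IF;
    IF classes < 3 THEN
        raise_application_error(-20003, 'Password needs three of: lower, upper, digit, symbol');
    END IF;
    -- The old password with a suffix tacked on is not a new password
    IF old_password IS NOT NULL
       AND UPPER(password) LIKE UPPER(old_password) || '%' THEN
        raise_application_error(-20004, 'Password must not extend the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Throttle online guessing, expire and rotate, and enforce the function
CREATE PROFILE consultant_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_REUSE_MAX       10
    PASSWORD_VERIFY_FUNCTION verify_strong_pwd;

ALTER USER gary PROFILE consultant_profile;
```

The verify function only runs when a password is set or changed, so existing accounts keep their current passwords until the profile's PASSWORD_LIFE_TIME forces a change.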

  27. I AM YOUR WORST NIGHTMARE …and I cheat

  28. WRAPPING The truth is in here

  29. Wrapped Packages • (Python) code for unwrapping 10g+ PL/SQL is on the web • Oracle CPU release : Changed packages WILL be unwrapped and compared to the 'old' version • Shows vulnerabilities in old code • CPUs make vulnerabilities public !

  30. INJECTION EXPLOITS

  31. Exploits • No benefit in discussing specifics • Don't know any current 0-day ones • Others fixed by CPUs • What would you do with the information anyway? • Hedgehog Sentrigo?

  32. SQL Injection • SQL injection is one of the major categories of computer vulnerability • Typically poorly designed web applications • Publicly available tools that try to penetrate websites by crafting URLs.

  33. SQL (and PL/SQL) Injection • Typically AUTHORISATION attacks • Convince the database that you are authorised to perform the action • Bypass any rules saying NO!
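The authorisation angle of slide 33 in code, as an added example that is not from the presentation: the definer's-rights, string-concatenation pattern behind most PL/SQL injection, with a hardened version beside it. The schema APP and the table APP.CUSTOMER are assumptions.

```sql
-- Added example, not from the presentation: the PL/SQL pattern behind most
-- injection-based authorisation bypasses, with a hardened version beside it.
-- Schema APP and table APP.CUSTOMER are assumed.

-- Before: runs with APP's privileges (AUTHID DEFINER) and splices the
-- caller's string into the statement, so the caller chooses what the
-- statement does and it executes with APP's authorisation, not their own.
CREATE OR REPLACE PROCEDURE app.find_customer_unsafe (p_name IN VARCHAR2)
AUTHID DEFINER
IS
    v_count PLS_INTEGER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM app.customer WHERE name = ''' || p_name || ''''
        INTO v_count;
    DBMS_OUTPUT.PUT_LINE('matches: ' || v_count);
END;
/

-- After: a bind variable keeps p_name as data whatever it contains, and
-- AUTHID CURRENT_USER runs the statement with the caller's own privileges,
-- so a rule saying NO to the caller still applies.
CREATE OR REPLACE PROCEDURE app.find_customer (p_name IN VARCHAR2)
AUTHID CURRENT_USER
IS
    v_count PLS_INTEGER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM app.customer WHERE name = :name'
        INTO v_count USING p_name;
    DBMS_OUTPUT.PUT_LINE('matches: ' || v_count);
END;
/

-- Identifiers cannot be bound; when a caller must supply one, validate it
-- with DBMS_ASSERT, which raises ORA-44002 for anything that is not an
-- existing object name, before it is concatenated.
CREATE OR REPLACE PROCEDURE app.count_rows (p_table IN VARCHAR2)
AUTHID CURRENT_USER
IS
    v_count PLS_INTEGER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
        INTO v_count;
    DBMS_OUTPUT.PUT_LINE(p_table || ': ' || v_count);
END;
/
```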

  34. Standard Packages • Vulnerabilities in supplied packages often allow for privilege escalation • Accounts like MDSYS have CREATE ANY TRIGGER privilege • Can be abused even if account is locked.

  35. Corkscrew Thinking Multiple steps to get around multiple barriers

  36. AUDIT AND FORENSICS • Caught in the act… or afterwards

  37. Forensics • Database log file • Web / application server log files • Audit to an Operating System file • FTP the file(s) somewhere safe • LogMiner • DDL triggers • Block dumps, AWR, ORA_ROWSCN…
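Two of the forensics measures above, and the "audit to OS, not DB" point of slide 19, as an added example that is not from the presentation: auditing to operating-system files and a database-wide DDL trigger that records who changed what before the change lands. The SECAUDIT schema and the table and trigger names are assumptions.

```sql
-- Added example, not from the presentation: audit to the OS rather than
-- the database, and a DDL trigger that records changes before they land.
-- The SECAUDIT schema, table and trigger names are assumptions.

-- Audit records go to files under audit_file_dest (after a restart), out of
-- reach of DELETE FROM sys.aud$; SYS activity is captured as well.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
AUDIT CREATE SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE;

-- Database-wide DDL log: who, from where, did what to which object.
CREATE TABLE secaudit.ddl_log (
    logged_at  TIMESTAMP DEFAULT SYSTIMESTAMP,
    db_user    VARCHAR2(128),
    os_user    VARCHAR2(128),
    host       VARCHAR2(128),
    event      VARCHAR2(64),
    obj_owner  VARCHAR2(128),
    obj_name   VARCHAR2(128),
    obj_type   VARCHAR2(64));

CREATE OR REPLACE TRIGGER secaudit.log_ddl
BEFORE DDL ON DATABASE
DECLARE
    PRAGMA AUTONOMOUS_TRANSACTION;   -- the record survives even if the DDL fails
BEGIN
    INSERT INTO secaudit.ddl_log
        (db_user, os_user, host, event, obj_owner, obj_name, obj_type)
    VALUES (ORA_LOGIN_USER,
            SYS_CONTEXT('USERENV', 'OS_USER'),
            SYS_CONTEXT('USERENV', 'HOST'),
            ORA_SYSEVENT,
            ORA_DICT_OBJ_OWNER,
            ORA_DICT_OBJ_NAME,
            ORA_DICT_OBJ_TYPE);
    COMMIT;
END;
/
```

Keep SECAUDIT separate from application and DBA roles and ship both the OS audit files and ddl_log off the host regularly, since an intruder with DBA rights can still drop the trigger once they find it.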

  38. Useful References • Pete Finnigan • www.petefinnigan.com • Alexander Kornbrust • blog.red-database-security.com • David Litchfield • Hacker's Handbooks (Database / Oracle)
