Seducing the pants off Oracle
Gary Myers

The pictures are courtesy of http://picasaweb.google.com/silverghost1951

Computers don't "get" threats.
AUTHENTICATION vs AUTHORISATION
• Passwords = AUTHENTICATION mechanism (who am I)
• With the DBA's username and password, I can convince the database I am the DBA
• DBA is typically authorised to do all (or most) things.
I AM YOUR WORST NIGHTMARE
…or at least in your Top Ten

I Am Your Worst Nightmare
• External consultant (or contractor)
• Good understanding of Oracle
• Follow a lot of the (public) Oracle security chatter

I Am Your Worst Nightmare
• Only around for a short period
• Next week, I may be working for your competitor
• Next week, I may be unemployed
• Motive is often malice or financial gain
• Don't rule out sheer incompetence
• Financial need often driven by…
  • Addiction to drugs or alcohol
  • Gambling debts or expensive women
  • Sydney house prices

I Am Your Worst Nightmare
• I have access to your offices
• I have access to your computers
• I have access to your databases

I Am Your Worst Nightmare: Means, Motive, Opportunity
• I am a consultant (or contractor)
• I have a good understanding of Oracle
• I follow a lot of the (public) Oracle security talk
• I may only be around for weeks
• I may be working for your competitor next
• I may be unemployed next
• I have access to your offices
• I have access to your computers
• I probably have access to your databases
RISK ASSESSMENT
Fall or be shot?

It's All About Risks
• Denial of Service
• Unauthorised reads
• Unauthorised writes
• Unauthorised use
• Gateway to the Great Beyond
• Falling from buildings or being shot - not so much

DENIAL OF SERVICE
Your ride ends now...

Denial of Service
• Crash the database (or listener)
• Catastrophic data loss
• Catastrophic data corruption
• Standard DR recovery
• Beware: the attack may be repeated

UNAUTHORISED READS
No peeking

Unauthorised Reads
Someone sees something they shouldn't
• Backups
• Redo / Undo files
• Trace files, dumps and exports
• Data in transit (client to/from server)
• Operating System (memory)
• Development and test databases

Unauthorised Reads
• Internal info (eg DBA_USERS)
• Inference
• Clues about data

Unauthorised Reads
• Don't store data you don't need
• Don't store a value where a hash will do (eg passwords)
• Encrypt personal information
• Encrypt financial information
• Limit 'back door' access (TDE)
• Individual authentication
• Regularly review authorisations
• Audit

Unauthorised Reads
"Around a quarter of staff would steal information such as customer lists when they moved employment"
The Register, 19th August 2010

UNAUTHORISED WRITES
Destroying the evidence

Unauthorised Writes
• Insert, Update or Deletion of data
• Could be 'regular' data
• Could be 'tidying away' evidence (audit trail)
• Could be the data dictionary (rootkit)
• Audit (to OS, not DB)
• Checksum packages, files…

UNAUTHORISED USE
No personal calls!

Unauthorised Use
Using the database without permission
• Illegal / illicit
• PCI
• In excess of licensed functionality
• Contractors / Consultants
• Storing private data on the disks
• Cloud

ESCAPING THE DATABASE
Out of the frying pan

Escaping The Database
• Use dev / test to get to Prod
• Use DR to get to Prod
• Use the database to get to the OS
• Use the DB server to get to other local machines
• Use the DB server to get to remote machines (HTTP etc)
• Use the DB password for other apps

Password Security
• Hashes = passwords
• Crack a million passwords / second
• Seven character passwords - Trivial
• Eight alphabetic character passwords - Trivial
• Eight character passwords plus a '1' on the end - Trivial
• Password fuzzers and Rainbow tables

Password Demo
• Create a fresh user in SQL*Plus
• Set a reasonable password
  • Not TIGER or MANAGER
  • Something that you'd remember though
• See whether ORABF will crack it
• select 'orabf '||password||':'||username from dba_users where username='GARY';
• cd C:\Documents and Settings\All Users\Documents\Common\orabf-v0.7.6
• orabf 9F868BD4F05CEE80:GARY -c pass_uniq.txt
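As an added example (not from the talk), the defensive counterpart to the demo: a profile that slows online guessing and rejects weak passwords, plus a check of who can read the hash that ORABF needs in the first place. The profile name SECURE_PROF is assumed, GARY is the demo user, and VERIFY_FUNCTION is the Oracle-supplied complexity function created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (on 11g it is named verify_function_11G).

```sql
-- Added example, not from the talk. Profile SECURE_PROF is assumed; GARY is
-- the demo user. VERIFY_FUNCTION is created by $ORACLE_HOME/rdbms/admin/
-- utlpwdmg.sql (run as SYS first; on 11g it is called verify_function_11G).

-- 1. Limit guessing against the live database and enforce complexity, so a
--    TIGER/MANAGER style password cannot be set in the first place.
CREATE PROFILE secure_prof LIMIT
  FAILED_LOGIN_ATTEMPTS    5         -- lock after five bad attempts
  PASSWORD_LOCK_TIME       1/24      -- in days: stay locked for an hour
  PASSWORD_LIFE_TIME       90        -- rotate every 90 days
  PASSWORD_REUSE_MAX       10        -- with PASSWORD_REUSE_TIME: no recycling
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function;

ALTER USER gary PROFILE secure_prof;

-- 2. Accounts still on an Oracle default password (view exists from 11g).
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- 3. Offline cracking starts with reading the hash. The demo's query needs
--    SELECT on DBA_USERS, so list everyone who has it, directly or through
--    SELECT ANY DICTIONARY / SELECT ANY TABLE.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT grantee, 'SELECT ON DBA_USERS'
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBA_USERS' AND privilege = 'SELECT';

-- 4. SELECT ANY TABLE only reaches SYS-owned dictionary tables when this
--    parameter is TRUE; it should be FALSE.
SHOW PARAMETER o7_dictionary_accessibility
```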
I AM YOUR WORST NIGHTMARE
…and I cheat

WRAPPING
The truth is in here

Wrapped Packages
• (Python) code for unwrapping 10g+ PL/SQL is on the web
• Oracle CPU release: changed packages WILL be unwrapped and compared to the 'old' version
• Shows vulnerabilities in old code
• CPUs make vulnerabilities public!

Exploits
• No benefit in discussing specifics
• Don't know any current 0-day ones
• Others fixed by CPUs
• What would you do with the information anyway?
• Hedgehog (Sentrigo)?

SQL Injection
• SQL injection is one of the major categories of computer vulnerability
• Typically poorly designed web applications
• Publicly available tools that try to penetrate web sites by crafting URLs

SQL (and PL/SQL) Injection
• Typically AUTHORISATION attacks
• Convince the database that you are authorised to perform the action
• Bypass any rules saying NO!

Standard Packages
• Vulnerabilities in supplied packages often allow for privilege escalation
• Accounts like MDSYS have the CREATE ANY TRIGGER privilege
• Can be abused even if the account is locked.
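As an added example (not from the talk or its author), the mechanism behind the last two slides: a definer's-rights function that is injectable, beside its hardened form. Because the function runs with its owner's privileges, injected SQL does too, which is why PL/SQL injection is an authorisation attack and why a package owned by a locked account is still worth attacking. Schema HR_OWNER, its EMPLOYEES table and the caller APP_USER are assumed names.

```sql
-- Added example, not from the talk. HR_OWNER (a privileged schema), its
-- EMPLOYEES table and the caller APP_USER are assumed names.

-- Vulnerable: the caller's text is spliced into the statement. The function
-- is definer's rights (the default), so whatever the caller injects runs with
-- HR_OWNER's privileges, not the caller's: an authorisation bypass.
CREATE OR REPLACE FUNCTION hr_owner.salary_bad (p_name IN VARCHAR2)
  RETURN NUMBER AS
  v_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr_owner.employees WHERE last_name = ''' || p_name || ''''
    INTO v_salary;
  RETURN v_salary;
END;
/

-- Hardened: p_name is a bind variable, so it can only ever be data, and
-- AUTHID CURRENT_USER runs the statement with the caller's own privileges.
CREATE OR REPLACE FUNCTION hr_owner.salary_good (p_name IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER AS
  v_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr_owner.employees WHERE last_name = :name'
    INTO v_salary USING p_name;
  RETURN v_salary;
END;
/

-- Where a value cannot be bound (an object name chosen at run time),
-- DBMS_ASSERT rejects anything that is not a valid, existing object name
-- before it reaches EXECUTE IMMEDIATE.
CREATE OR REPLACE FUNCTION hr_owner.row_count (p_table IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO v_cnt;
  RETURN v_cnt;
END;
/

-- Grant EXECUTE only on the hardened version; the caller still needs its
-- own SELECT privilege on EMPLOYEES because of AUTHID CURRENT_USER.
GRANT EXECUTE ON hr_owner.salary_good TO app_user;
```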
Corkscrew Thinking
Multiple steps to get around multiple barriers

AUDIT AND FORENSICS
Caught in the act… or afterwards

Forensics
• Database log file
• Web / application server log files
• Audit to an Operating System file
• FTP the file(s) somewhere safe
• Log Miner
• DDL triggers
• Block dumps, AWR, ORA_ROWSCN…
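As an added example (not from the talk), the "audit to an Operating System file" and "DDL triggers" items written out with traditional (pre-unified) auditing, plus the privilege review the Standard Packages slide calls for. The audit directory and the SECAUDIT schema are assumed; run it as a DBA.

```sql
-- Added example, not from the talk. The audit directory and the SECAUDIT
-- schema are assumed; the AUDIT commands are traditional (pre-unified).

-- 1. Audit to OS files, not to SYS.AUD$, so an intruder with unauthorised
--    write access to the database cannot tidy the trail away. Copying the
--    files to another host (the FTP step) happens outside the database.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/var/log/oracle/audit' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA too
-- (restart the instance for the three settings above to take effect)

-- 2. Audit failed logons and the actions an intruder needs for escalation,
--    persistence and escaping the database.
AUDIT CREATE SESSION BY ACCESS WHENEVER NOT SUCCESSFUL;
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE BY ACCESS;
AUDIT CREATE ANY TRIGGER, CREATE ANY PROCEDURE, ALTER ANY PROCEDURE BY ACCESS;
AUDIT CREATE DATABASE LINK, CREATE ANY LIBRARY BY ACCESS;
AUDIT EXECUTE ON sys.utl_file BY ACCESS;   -- OS file access
AUDIT EXECUTE ON sys.utl_http BY ACCESS;   -- reaching remote machines

-- 3. DDL trigger: an independent record of dictionary changes (the rootkit
--    vector) in a table that application accounts cannot write to.
CREATE TABLE secaudit.ddl_log (
  logged_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  os_user   VARCHAR2(128), db_user  VARCHAR2(128), event VARCHAR2(30),
  obj_owner VARCHAR2(128), obj_name VARCHAR2(128));

CREATE OR REPLACE TRIGGER secaudit.trg_ddl_log
  AFTER DDL ON DATABASE
BEGIN
  INSERT INTO secaudit.ddl_log (os_user, db_user, event, obj_owner, obj_name)
  VALUES (SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          ora_sysevent, ora_dict_obj_owner, ora_dict_obj_name);
END;
/

-- 4. Privilege review: who holds the ANY privileges that let a package
--    owned by a locked account (MDSYS etc.) be abused for escalation?
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY TRIGGER', 'CREATE ANY PROCEDURE',
                     'EXECUTE ANY PROCEDURE', 'ALTER ANY PROCEDURE')
 ORDER BY privilege, grantee;
```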
Useful References
• Pete Finnigan
  • www.petefinnigan.com
• Alexander Kornbrust
  • blog.red-database-security.com
• David Litchfield
  • Hacker's Handbooks (Database / Oracle)