Oracle Vulnerabilities and Security Assessment



  1. Information System Security Oracle Vulnerabilities and Security Assessment

  2. Outline • Oracle Vulnerabilities • Oracle Security Assessment Information System Security - Week 10

  3. Outline • Oracle Vulnerabilities • Oracle Security Assessment

  4. Ways to attack

  5. Outline • Oracle Vulnerabilities • Users/Passwords • PL/SQL injection • Running System Commands • Other Vulnerabilities

  6. Users/Passwords • TNS protocol • How does Oracle authenticate users? • Vulnerabilities

  7. TNS protocol

  8. TNS protocol (cont) • TNS Listener is the hub of all communications in Oracle. • Information gathering can be done through TNS. (Diagram: the Client sends Connect to the Listener, which answers with Accept or Redirect.)

  9. TNS protocol (cont)

  10. Authentication process (Client/Server diagram): the client sends the username; the server generates a secret number and sends AUTH_SESSKEY; the client decrypts AUTH_SESSKEY, encrypts the password with it and sends AUTH_PASSWORD; the server compares it with the password hash from the database; authenticated.

  11. How about Oracle 11g (Client/Server diagram): the client sends the username; the server generates a secret number and sends AUTH_SESSKEY and AUTH_VFR_DATA; the client decrypts AUTH_SESSKEY, generates its own AUTH_SESSKEY, combines the two AUTH_SESSKEYs, encrypts the password and sends AUTH_PASSWORD; the server compares it with the password hash from the database; authenticated.

  12. Vulnerabilities • Crypto Aspect • If we have the password (hash) → get clear text password

  13. Vulnerabilities (cont) • Default Usernames/Passwords. • Files for passwords. • Brute-force.

  14. PL/SQL Injection • Introduction • Procedures, functions • Triggers • VPD

  15. Introduction • PL/SQL is the programming language built into Oracle that extends SQL. • Can call external libraries (C or Java). • Used to create procedures, functions, triggers…

  16. Introduction (cont) • Execution privileges. • Definer privileges: "owner" rights. • Invoker privileges: keyword AUTHID CURRENT_USER. • PL/SQL can be wrapped → working without source: DESCRIBE feature.

  17. Procedures • Similar to SQL injection. • PL/SQL injection can occur with a statement like this: Select * from table_name where id='USER_INPUT' • which becomes: Select * from table_name where id='XXX' UNION SELECT …

  18. Procedures (cont) • Inject a function into the PL/SQL statement. • Keyword: AUTONOMOUS_TRANSACTION • Take advantage of the rights (definer or invoker) the function/procedure runs with.

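The injection from slides 17 and 18 written as a stored procedure, as an added example that is not part of the original slides: a definer-rights procedure that concatenates its argument into dynamic SQL, next to a hardened version that uses a bind variable and invoker rights. The schema APP_OWNER, the table RECORDS(ID, NAME) and both procedure names are assumed.

```sql
-- Added example (not from the slides). Schema APP_OWNER, table RECORDS(ID, NAME)
-- and the procedure names are assumed for illustration.

-- Vulnerable form: definer rights (the default) plus string concatenation, so the
-- argument becomes part of the statement text and runs with APP_OWNER's rights.
CREATE OR REPLACE PROCEDURE app_owner.get_record_unsafe (p_id IN VARCHAR2) IS
  c      SYS_REFCURSOR;
  v_name app_owner.records.name%TYPE;
BEGIN
  OPEN c FOR 'SELECT name FROM app_owner.records WHERE id = ''' || p_id || '''';
  LOOP
    FETCH c INTO v_name;
    EXIT WHEN c%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_name);
  END LOOP;
  CLOSE c;
END;
/

-- Hardened form: AUTHID CURRENT_USER so the statement runs with the caller's own
-- rights (the caller needs SELECT on the table), and a bind variable so p_id is
-- passed as data and is never parsed as SQL text.
CREATE OR REPLACE PROCEDURE app_owner.get_record_safe (p_id IN VARCHAR2)
  AUTHID CURRENT_USER IS
  v_name app_owner.records.name%TYPE;
BEGIN
  EXECUTE IMMEDIATE 'SELECT name FROM app_owner.records WHERE id = :id'
    INTO v_name USING p_id;
  DBMS_OUTPUT.PUT_LINE(v_name);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('no such record');
END;
/

-- Check with a constructed value that contains a quote: the unsafe procedure fails
-- with a parse error (typically ORA-01756, quoted string not properly terminated),
-- because the quote has ended the literal early, which is exactly what an injected
-- string exploits; the safe procedure simply reports "no such record".
SET SERVEROUTPUT ON
EXEC app_owner.get_record_unsafe('O''Brien')
EXEC app_owner.get_record_safe('O''Brien')
```
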
  19. Triggers • Similar to procedure/function injection. • Note: triggers run with definer rights. • Some real-world examples: • MDSYS.SDO_DROP_USER_BEFORE • MDSYS.SDO_GEOM_TRIG_INS1

  20. VPD • VPD is based on a policy function. • Can be exploited through PL/SQL injection to drop the policy. • Or exploited to grant the EXEMPT ACCESS POLICY privilege. • Another way to defeat VPD is reading the raw file → HARD

  21. Running System Commands • Through PL/SQL • Through Java • Access File System • Access Network

  22. Through PL/SQL • Use the msvcrt.dll library to exec a system command. • Must have the CREATE LIBRARY privilege to register a library in Oracle. • Newer versions of Oracle only accept libraries in ORACLE_HOME/bin.

  23. Through PL/SQL (cont) • CREATE OR REPLACE LIBRARY exec_shell AS 'C:\winnt\system32\msvcrt.dll'; • CREATE OR REPLACE PROCEDURE oraexec (cmdstring IN CHAR) • IS EXTERNAL • NAME "system" • LIBRARY exec_shell • LANGUAGE C; • EXEC ORAEXEC('NET USER MYACCOUNT PASSWORD /ADD');

  24. Through Java • Does not need the CREATE LIBRARY privilege. • Requires: • Execute on all files. • Write File Descriptor. • Read File Descriptor.

  25. Through Java (cont) • CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS • import java.lang.*; • import java.io.*; • public class JAVACMD • { • public static void execCommand (String command) throws IOException • { • Runtime.getRuntime().exec(command); • } • };

  26. Other ways • Using DBMS Scheduler. • Using Job Scheduler. • Using the ALTER SYSTEM statement.

  27. Access File System • Use the UTL_FILE package. • Need the privilege to access a DIRECTORY object, or to create a new one. • Using Java: similar to running an OS command. • Needs Read and Write permission.

  28. Access Network • Use UTL_TCP or UTL_HTTP. • Create a connection to a remote host → transfer data.

  29. Other Vulnerabilities • System Configurations • O7_DICTIONARY_ACCESSIBILITY • remote_os_authent • dblink_encrypt_login • … • TNS protocol settings • Application vulnerabilities

  30. Other Vulnerabilities • Session attack • http://www.youtube.com/watch?v=jjRrLJEbDQU • Access Control bypass in Login • http://www.securityfocus.com/archive/1/422253

  31. Outline • Oracle Vulnerabilities • Oracle Security Assessment

  32. Oracle Assessment • Vulnerability scanning • Penetration testing

  33. Vulnerability scanning • Look for evidence of: • Vulnerable software versions • Presence or lack of patches • Misconfiguration

  34. Vulnerability assessment tool • Secure Oracle Auditor™ (SOA)

  35. Penetration test • A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

  36. Penetration test • Stages: • Scope/Goal Definition • Information Gathering • Vulnerability Detection • Information Analysis and Planning • Attack & Penetration/Privilege Escalation • Result Analysis & Reporting • Cleanup

  37. Information gathering • Footprint • The first and most convenient way that hackers use to gather information. • Includes: internet, remote access, extranet… • Example: whois hvaonline.net

  38. Information gathering • Example:

  39. Attack • SQL script

  40. Vulnerability assessment tool • AppDetectivePro for Oracle • Metasploit

  41. Database Services Countermeasures • Remove default accounts, assign strong passwords to existing accounts, and enable auditing of failed logins. • Keep the databases patched. • Reduce privileges granted to PUBLIC, keep privileges to a minimum, and audit access to critical tables and views.

  42. Summary • Vulnerabilities usually occur because of inappropriately granted privileges: • CREATE ANY PROCEDURE • CREATE ANY TRIGGER • CREATE ANY VIEW • GRANT Something to PUBLIC • …

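The countermeasures and summary above as a set of audit queries, added here and not part of the original slides: run as a DBA, they list who holds the privileges the summary names, which file and network packages PUBLIC can execute, the configuration parameters from slide 29, and accounts still on a default password. The grantee exclusion list is an assumption to adapt per site.

```sql
-- Added audit queries (not from the slides). Run as a DBA. The grantee exclusion
-- list in query 1 is an assumed allow-list; adjust it to the site.

-- 1. Who holds the privileges the summary slide singles out (plus CREATE LIBRARY
--    from slide 22 and EXEMPT ACCESS POLICY from slide 20)?
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY PROCEDURE', 'CREATE ANY TRIGGER',
                     'CREATE ANY VIEW', 'CREATE LIBRARY', 'CREATE ANY LIBRARY',
                     'EXEMPT ACCESS POLICY')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 2. Packages used for file, network and job access that PUBLIC can execute
--    (slides 26 to 28). Each row is a candidate for REVOKE ... FROM PUBLIC after
--    checking which applications really need it.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'DBMS_SCHEDULER')
 ORDER BY table_name;

-- 3. Configuration parameters from slide 29. DBLINK_ENCRYPT_LOGIN only exists on
--    older releases, so it is simply absent from the result where not applicable.
--    Hardened values: O7_DICTIONARY_ACCESSIBILITY = FALSE, REMOTE_OS_AUTHENT = FALSE.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) IN ('O7_DICTIONARY_ACCESSIBILITY', 'REMOTE_OS_AUTHENT',
                       'DBLINK_ENCRYPT_LOGIN');

-- 4. Default accounts that are still on their default password (view available
--    from 11g). Anything OPEN here needs a password change or a lock.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.account_status, d.username;

-- 5. Start auditing failed logins (traditional auditing; AUDIT_TRAIL must be enabled).
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
```
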
  43. References • Oracle Hacker's Handbook • Database Hacker's Handbook • http://www.petefinnigan.com/weblog/ • http://soonerorlater.hu/index.khtml?article_id=512

  44. Information System Security - Week 10
