340 likes | 495 Views
Most Recent Advances: A Review of DC BlackHat 2007. Aaron Newman CTO/Founder Application Security, Inc. Agenda. Overview of BlackHat 2007 Cursor Snarfing Cursor Injection Local Binary Exploits Database Network Protocols Resources, Conclusion, and Wrap Up. Overview of BlackHat 2007.
E N D
Most Recent Advances: A Review of DC BlackHat 2007 Aaron NewmanCTO/Founder Application Security, Inc.
Agenda • Overview of BlackHat 2007 • Cursor Snarfing • Cursor Injection • Local Binary Exploits • Database Network Protocols • Resources, Conclusion, and Wrap Up
Presentations on Hacking Oracle • Three independent researchers • Presenting details on new vulnerabilities • Presenting new classes, or methods, or attacks • Each presentation entirely different focus • PL/SQL attacks • Network Protocol attacks • Binary level attacks • Outstanding vulnerabilities • All three listed security vulnerabilities • Waiting for security fixes from Oracle • Unknown when to expect specific fixes
How does it work? • Using the DBMS_SQL package • You PARSE a SQL statement • BIND variable • EXECUTE the cursor • FETCH_ROWS • Then CLOSE the cursor • A CURSORS has a HANDLE • Handles work until cursor or session is closed
How to exploit? • Find a function or stored procedure • That is using DBMS_SQL • Cause an exception to occur • Which leaves the cursor dangling • Rebind your new value to the CURSOR • EXECUTE the cursor under higher privileges • Where does this occur • In your home-grown PL/SQL • In the built-in SQL from Oracle
Solutions • Check your own code • Anytime you use DBMS_SQL • Check exceptions and close the CURSORS EXCEPTION WHEN OTHERS THEN IF DBMS_SQL.IS_OPEN(CURSOR) THEN DBMS_SQL.CLOSE_CURSOR(CURSOR); END IF; • Risk Level • Medium
How does it work? • Leverages PL/SQL Injection vulnerabilities • Allows you to inject arbitrary SQL • Into a PL/SQL Injection vulnerability • Escalates Medium or Low Risk vulnerabilities • Makes them High Risk or Critical
Understanding PL/SQL Vulnerabilities • Problem with dynamic SQL • EXECUTE IMMEDIATE • DBMS_SQL • Danger allowing the user to pass parameters that are used in the parsed SQL statement
Dynamic SQL Example CREATE PROCEDURE BAD_CODING_EXAMPLE ( NEW_PASSWORD VARCHAR2 ) AS TEST VARCHAR2; BEGIN -- DO SOME WORK HERE EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' || COLUMN_NAME || ' = ''' || NEW_PASSWORD || '''‘ WHERE USERNAME= = ''' || CURRENT_USER_NAME || '''; END BAD_CODING_EXAMPLE;
Valid input • SQL Created UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc’ WHERE USERNAME = ‘aaron’ • Input • EXEC BAD_CODING_EXAMPLE( ‘testabc’ );
Hacker input • Input • EXEC BAD_CODING_EXAMPLE( ‘testabc’’, ADMIN=1, FULL_NAME=‘’TEST’ ); • SQL Created • UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc‘, ADMIN=1, FULL_NAME=‘TEST’ WHERE USERNAME = ‘aaron’
How to exploit? • Find a function or stored procedure • That is vulnerable to PL/SQL Injection • Review any of the latest CPUs • Use anonymous PL/SQL blocks • Declare CURSOR and PARSE a SQL statement • Use the CURSOR handle in the PL/SQL Injection • CURSOR runs under elevated privileges
Hacker input • Input • EXEC BAD_CODING_EXAMPLE( ‘testabc’’ || CHR(DBMS_SQL.EXECUTE(4))’ ); • SQL Created • UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc‘ || CHR(DBMS_SQL.EXECUTE(4)) WHERE USERNAME = ‘aaron’
Why? • Argument between researchers and Oracle • Over severity of vulnerabilities • Oracle classifies vulnerabilities as low risk • Researchers say they should be high risk • Researcher finds way to prove Oracle wrong • Need for CREATE FUNCTION privilege • Not anymore • You just need CREATE SESSION
Examples • Check your own code! • SDO_DROP_USER_BEFORE • DDL Trigger when a table is dropped • Yet unnamed vulnerable procedures being fixed • Risk Level • High if you have PL/SQL injection
How does it work? • Debugging the Oracle Process • Looking for vulnerabilities • Inside the Oracle process • Scan for named pipes and other handles • That are not granted appropriate permissions • Non-privileged user on the operating system • Gains control over the Oracle process
How to exploit? • Attach to the operating system • Using Remote Desktop • Using Citrix • Using Terminal Server • Or directly through the console • Relies on valid access or discovering a non-privileged account • How to exploit • Find the security hole on your own database server • Write an exploit • Run it on the target database
Zero-day exploits • Means that you are given zero days to fix the problem • No fix available • Oracle might be working on a fix • Need to find work arounds to mitigate the risk • Restricting access to components • Disabling components • Firewalling the database from everything • Another quoted example of “unnameable” vulnerabilities • That are in the process of being fixed • Purchase the Ultimate 0day Exploits Pack • Risk Level • Medium to Low
How does it work? • Sniffing the Oracle traffic • Looking for vulnerabilities • At the network traffic level • Attacks from reverse engineering proprietary protocol • History of database drivers • Almost always high level risk
How to exploit? • Find a proxy client • Redirect Oracle client drivers to local proxy • Local proxy replaces desired details • Local Proxy then forwards to Oracle Server • How to exploit • Tamper with message structure • Change the expected field size • Change the expected order of messages
Why? • Multiple companies have learned SQL*Net • Required knowledge to provide an IDS/IPS for Oracle • In the course of researching SQL*Net • Simple to manipulate fields to cause “side effects” • Very old code in the network drivers • Backwards compatibility
Examples • By watching Oracle authentication protocol packets • You can determine the difference between • An invalid username and an invalid password • Even subtle differences can be leveraged • Time to respond • Type of response • Another quoted example of “unnameable” vulnerabilities • That are in the process of being fixed • Risk Level • High
How Do You Address These Vulnerabilities? • Stay Patched • Stay on top of all the security alerts and bulletins • Defense in Depth • Multiple Levels of Security • Regularly perform audits and penetration tests on your database • Encryption of data-in-motion / data-at-rest / data-in-use • Monitor database activity log files • Implement database intrusion detection and auditing • Especially if you can’t stay patched!
Questions? Thank you • Questions on • Vulnerabilities • Locking down the database anewman@appsecinc.com