
Aaron Newman CTO/Founder Application Security, Inc.

Most Recent Advances: A Review of DC BlackHat 2007. Aaron Newman CTO/Founder Application Security, Inc. Agenda. Overview of BlackHat 2007 Cursor Snarfing Cursor Injection Local Binary Exploits Database Network Protocols Resources, Conclusion, and Wrap Up. Overview of BlackHat 2007.


Presentation Transcript


  1. Most Recent Advances: A Review of DC BlackHat 2007
  Aaron Newman, CTO/Founder, Application Security, Inc.

  2. Agenda
  • Overview of BlackHat 2007
  • Cursor Snarfing
  • Cursor Injection
  • Local Binary Exploits
  • Database Network Protocols
  • Resources, Conclusion, and Wrap Up

  3. Overview of BlackHat 2007

  4. Presentations on Hacking Oracle
  • Three independent researchers
    • Presenting details on new vulnerabilities
    • Presenting new classes, or methods, or attacks
  • Each presentation entirely different focus
    • PL/SQL attacks
    • Network Protocol attacks
    • Binary level attacks
  • Outstanding vulnerabilities
    • All three listed security vulnerabilities
    • Waiting for security fixes from Oracle
    • Unknown when to expect specific fixes

  5. Cursor Snarfing

  6. How does it work?
  • Using the DBMS_SQL package
    • You PARSE a SQL statement
    • BIND variable
    • EXECUTE the cursor
    • FETCH_ROWS
    • Then CLOSE the cursor
  • A CURSOR has a HANDLE
    • Handles work until cursor or session is closed

  7. How to exploit?
  • Find a function or stored procedure
    • That is using DBMS_SQL
  • Cause an exception to occur
    • Which leaves the cursor dangling
  • Rebind your new value to the CURSOR
  • EXECUTE the cursor under higher privileges
  • Where does this occur
    • In your home-grown PL/SQL
    • In the built-in SQL from Oracle

  8. Solutions
  • Check your own code
    • Anytime you use DBMS_SQL
    • Check exceptions and close the CURSORS
      EXCEPTION
        WHEN OTHERS THEN
          IF DBMS_SQL.IS_OPEN(CURSOR) THEN
            DBMS_SQL.CLOSE_CURSOR(CURSOR);
          END IF;
  • Risk Level
    • Medium
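Added example (not from the slides): a DBMS_SQL function that walks the PARSE / BIND / EXECUTE / FETCH_ROWS / CLOSE sequence from slide 6 and applies the exception-handler fix from slide 8, so no cursor handle outlives an error. The APPLICATION_USERS table and its USERNAME column are assumed for illustration.

```sql
-- Definer-rights code like this is exactly what cursor snarfing targets:
-- an open handle left behind by an exception can be re-executed later
-- with the definer's privileges. Closing it on every path removes that window.
CREATE OR REPLACE FUNCTION COUNT_USER_ROWS (P_USERNAME IN VARCHAR2)
RETURN NUMBER AS
    L_CURSOR INTEGER;
    L_IGNORE INTEGER;
    L_COUNT  NUMBER := 0;
BEGIN
    L_CURSOR := DBMS_SQL.OPEN_CURSOR;

    -- PARSE: statement text is fixed; caller input only enters via a bind
    DBMS_SQL.PARSE(L_CURSOR,
        'SELECT COUNT(*) FROM APPLICATION_USERS WHERE USERNAME = :usr',
        DBMS_SQL.NATIVE);

    -- BIND the caller's value, define the output column, EXECUTE
    DBMS_SQL.BIND_VARIABLE(L_CURSOR, ':usr', P_USERNAME);
    DBMS_SQL.DEFINE_COLUMN(L_CURSOR, 1, L_COUNT);
    L_IGNORE := DBMS_SQL.EXECUTE(L_CURSOR);

    -- FETCH_ROWS and read the single result column
    IF DBMS_SQL.FETCH_ROWS(L_CURSOR) > 0 THEN
        DBMS_SQL.COLUMN_VALUE(L_CURSOR, 1, L_COUNT);
    END IF;

    -- CLOSE on the normal path as soon as the work is done
    DBMS_SQL.CLOSE_CURSOR(L_CURSOR);
    RETURN L_COUNT;
EXCEPTION
    WHEN OTHERS THEN
        -- Error path: without this the handle stays usable until the
        -- session ends. Guard against a NULL handle if OPEN_CURSOR failed.
        IF L_CURSOR IS NOT NULL AND DBMS_SQL.IS_OPEN(L_CURSOR) THEN
            DBMS_SQL.CLOSE_CURSOR(L_CURSOR);
        END IF;
        RAISE;
END COUNT_USER_ROWS;
/
```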

  9. Demo: White-paper

  10. Cursor Injection

  11. How does it work?
  • Leverages PL/SQL Injection vulnerabilities
  • Allows you to inject arbitrary SQL
    • Into a PL/SQL Injection vulnerability
  • Escalates Medium or Low Risk vulnerabilities
    • Makes them High Risk or Critical

  12. Understanding PL/SQL Vulnerabilities
  • Problem with dynamic SQL
    • EXECUTE IMMEDIATE
    • DBMS_SQL
  • Danger allowing the user to pass parameters that are used in the parsed SQL statement

  13. Dynamic SQL Example
  CREATE PROCEDURE BAD_CODING_EXAMPLE ( NEW_PASSWORD VARCHAR2 ) AS
    TEST VARCHAR2(100);
    -- Declarations added so the slide's fragment compiles; the slide leaves
    -- TABLE_NAME, COLUMN_NAME and CURRENT_USER_NAME undeclared (values assumed
    -- from the SQL shown on the next slide).
    TABLE_NAME        CONSTANT VARCHAR2(30) := 'APPLICATION_USERS';
    COLUMN_NAME       CONSTANT VARCHAR2(30) := 'PASSWORD';
    CURRENT_USER_NAME VARCHAR2(30) := USER;
  BEGIN
    -- DO SOME WORK HERE
    -- Vulnerable by design: NEW_PASSWORD is concatenated straight into the statement
    EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' || COLUMN_NAME
      || ' = ''' || NEW_PASSWORD || ''' WHERE USERNAME = ''' || CURRENT_USER_NAME || '''';
  END BAD_CODING_EXAMPLE;

  14. Valid input
  • SQL Created
    UPDATE APPLICATION_USERS SET PASSWORD = 'testabc' WHERE USERNAME = 'aaron'
  • Input
    EXEC BAD_CODING_EXAMPLE( 'testabc' );

  15. Hacker input
  • Input
    EXEC BAD_CODING_EXAMPLE( 'testabc'', ADMIN=1, FULL_NAME=''TEST' );
  • SQL Created
    UPDATE APPLICATION_USERS SET PASSWORD = 'testabc', ADMIN=1, FULL_NAME='TEST' WHERE USERNAME = 'aaron'
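Added example (not from the slides): the hardened counterpart of BAD_CODING_EXAMPLE from slides 13 to 15. Values go through bind variables, the identifiers that cannot be bound are validated with DBMS_ASSERT, and invoker's rights stop an injected statement from running with the definer's privileges. Table, column and user names are assumed to match the generated SQL on slide 14.

```sql
-- AUTHID CURRENT_USER: the statement runs with the caller's privileges,
-- so even a successful injection gains nothing beyond what the caller has.
CREATE OR REPLACE PROCEDURE SAFE_CODING_EXAMPLE (
    NEW_PASSWORD IN VARCHAR2
) AUTHID CURRENT_USER AS
    TABLE_NAME        CONSTANT VARCHAR2(30) := 'APPLICATION_USERS';
    COLUMN_NAME       CONSTANT VARCHAR2(30) := 'PASSWORD';
    CURRENT_USER_NAME CONSTANT VARCHAR2(30) := USER;
    L_SQL             VARCHAR2(400);
BEGIN
    -- Identifiers cannot be bound, so each is checked to be a simple SQL
    -- name; DBMS_ASSERT raises ORA-44003 for anything like "X SET ADMIN=1".
    L_SQL := 'UPDATE ' || DBMS_ASSERT.SIMPLE_SQL_NAME(TABLE_NAME)
          || ' SET '   || DBMS_ASSERT.SIMPLE_SQL_NAME(COLUMN_NAME)
          || ' = :new_pwd WHERE USERNAME = :usr';

    -- Values travel as binds: the slide-15 input 'testabc'', ADMIN=1, ...'
    -- is stored literally as the password text, never parsed as SQL.
    EXECUTE IMMEDIATE L_SQL USING NEW_PASSWORD, CURRENT_USER_NAME;
END SAFE_CODING_EXAMPLE;
/
```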

  16. How to exploit?
  • Find a function or stored procedure
    • That is vulnerable to PL/SQL Injection
    • Review any of the latest CPUs
  • Use anonymous PL/SQL blocks
    • Declare CURSOR and PARSE a SQL statement
    • Use the CURSOR handle in the PL/SQL Injection
    • CURSOR runs under elevated privileges

  17. Hacker input
  • Input
    EXEC BAD_CODING_EXAMPLE( 'testabc'' || CHR(DBMS_SQL.EXECUTE(4))' );
  • SQL Created
    UPDATE APPLICATION_USERS SET PASSWORD = 'testabc' || CHR(DBMS_SQL.EXECUTE(4)) WHERE USERNAME = 'aaron'

  18. Why?
  • Argument between researchers and Oracle
    • Over severity of vulnerabilities
    • Oracle classifies vulnerabilities as low risk
    • Researchers say they should be high risk
  • Researcher finds way to prove Oracle wrong
    • Need for CREATE FUNCTION privilege
    • Not anymore
    • You just need CREATE SESSION

  19. Examples
  • Check your own code!
  • SDO_DROP_USER_BEFORE
    • DDL Trigger when a table is dropped
  • Yet unnamed vulnerable procedures being fixed
  • Risk Level
    • High if you have PL/SQL injection

  20. Demo: White-paper

  21. Local Binary Exploits

  22. How does it work?
  • Debugging the Oracle Process
    • Looking for vulnerabilities
    • Inside the Oracle process
  • Scan for named pipes and other handles
    • That are not granted appropriate permissions
  • Non-privileged user on the operating system
    • Gains control over the Oracle process

  23. How to exploit?
  • Attach to the operating system
    • Using Remote Desktop
    • Using Citrix
    • Using Terminal Server
    • Or directly through the console
  • Relies on valid access or discovering a non-privileged account
  • How to exploit
    • Find the security hole on your own database server
    • Write an exploit
    • Run it on the target database

  24. Zero-day exploits
  • Means that you are given zero days to fix the problem
    • No fix available
    • Oracle might be working on a fix
  • Need to find workarounds to mitigate the risk
    • Restricting access to components
    • Disabling components
    • Firewalling the database from everything
  • Another quoted example of “unnameable” vulnerabilities
    • That are in the process of being fixed
  • Purchase the Ultimate 0day Exploits Pack
  • Risk Level
    • Medium to Low

  25. Demo: White paper

  26. Database Network Protocols

  27. How does it work?
  • Sniffing the Oracle traffic
    • Looking for vulnerabilities
    • At the network traffic level
  • Attacks from reverse engineering proprietary protocol
  • History of database drivers
    • Almost always high level risk

  28. How to exploit?
  • Find a proxy client
    • Redirect Oracle client drivers to local proxy
    • Local proxy replaces desired details
    • Local Proxy then forwards to Oracle Server
  • How to exploit
    • Tamper with message structure
    • Change the expected field size
    • Change the expected order of messages

  29. Why?
  • Multiple companies have learned SQL*Net
    • Required knowledge to provide an IDS/IPS for Oracle
  • In the course of researching SQL*Net
    • Simple to manipulate fields to cause “side effects”
  • Very old code in the network drivers
    • Backwards compatibility

  30. Examples
  • By watching Oracle authentication protocol packets
    • You can determine the difference between
      • An invalid username and an invalid password
  • Even subtle differences can be leveraged
    • Time to respond
    • Type of response
  • Another quoted example of “unnameable” vulnerabilities
    • That are in the process of being fixed
  • Risk Level
    • High

  31. Demo: Proxy ALTER_SESSION

  32. Resources, Conclusion, and Questions

  33. How Do You Address These Vulnerabilities?
  • Stay Patched
    • Stay on top of all the security alerts and bulletins
  • Defense in Depth
    • Multiple Levels of Security
  • Regularly perform audits and penetration tests on your database
  • Encryption of data-in-motion / data-at-rest / data-in-use
  • Monitor database activity log files
  • Implement database intrusion detection and auditing
    • Especially if you can’t stay patched!
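Added example (not from the slides): one concrete form of the auditing and monitoring slide 33 recommends, aimed at the username-versus-password probing that slide 30 describes. It assumes Oracle's traditional audit trail is written to the database (AUDIT_TRAIL = DB) and that the query runs as a DBA; the threshold is an assumed starting point.

```sql
-- Record every unsuccessful logon attempt in the audit trail.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Surface hosts that tried many DIFFERENT usernames in the last hour.
-- ORA-01017 (return code 1017) is recorded for both an unknown user and a
-- wrong password, so a legitimate user mistyping one password shows one
-- username repeated, while account probing shows many distinct usernames.
SELECT USERHOST,
       COUNT(*)                 AS FAILED_LOGONS,
       COUNT(DISTINCT USERNAME) AS DISTINCT_USERNAMES,
       MIN(TIMESTAMP)           AS FIRST_SEEN,
       MAX(TIMESTAMP)           AS LAST_SEEN
FROM   DBA_AUDIT_SESSION
WHERE  RETURNCODE = 1017
AND    TIMESTAMP > SYSDATE - 1/24
GROUP  BY USERHOST
HAVING COUNT(DISTINCT USERNAME) >= 5   -- assumed threshold; tune per site
ORDER  BY FAILED_LOGONS DESC;
```

Scheduling this query, or an equivalent alert in the database IDS the slide mentions, gives a signal even while a fix for the protocol-level difference is still pending.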

  34. Questions? Thank you
  • Questions on
    • Vulnerabilities
    • Locking down the database
  anewman@appsecinc.com
