David Litchfield's Weblog

Thursday, July 1st

Checking logons in Oracle in the absence of auditing


So, it turns out SQL*Plus under 10g Release 1 executes "SELECT NULL FROM DUAL FOR UPDATE NOWAIT" when the user logs in. This creates a transaction, which is in turn logged in the redo logs, and we can use those records to get logon times. What's more, a record of this transaction can also be found in the X$KTUQQRY in-memory table, which we can query: SELECT DISTINCT LOGON_USER, COMMIT_TIMESTAMP FROM X$KTUQQRY. This will nicely show us who logged onto the system and when, which is very useful during forensic investigations when auditing has not been enabled. Will need to investigate other versions of the Oracle client.
David on 07.01.10 @ 01:34 PM GMT [link]


Friday, February 26th

It's been a while...


It's been a while since I wrote my last blog entry. Actually, it's been a really long while. In the interim, I've since sold NGSSoftware and after staying on for 16 months have now resigned and am taking a wee break, but planning my next venture - V3rity. All will be revealed. Soon.
David on 02.26.10 @ 03:34 PM GMT [link]


Friday, July 18th

Lateral SQL Injection Revisited - No Special Privs Required


At the end of April 2008 I published a paper about a new class of flaw in Oracle entitled "Lateral SQL Injection".

The paper can be found here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Essentially the paper details a way in which the attacker can manipulate the environment to trick an Oracle database into using arbitrary SQL in DATE functions and data.

A number of people at the time dismissed it as irrelevant because the attacker required the ALTER SESSION privilege. Well, as it turns out, you don't need the ALTER SESSION privilege at all. Here's why: there are certain ALTER SESSION statements that can be executed even though the user doesn't have the ALTER SESSION privilege. The statements that can be executed without the privilege include those that relate to National Language Support. Thus a user without the ALTER SESSION privilege can change the date format and so employ a lateral SQL injection attack. The script below shows this in action. We connect to a fully patched 11g server and confirm we only have the CREATE SESSION privilege - i.e. the minimum we need to connect to the server - everyone gets this privilege. We then issue an ALTER SESSION statement to try to set SQL_TRACE to true. As expected this fails with an insufficient privileges error. But then we issue an ALTER SESSION to set the NLS_DATE_FORMAT and this succeeds. Lastly we call the SYSDATE function to confirm it took.


C:\>sqlplus /nolog

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Jul 18 14:47:17 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.

SQL> connect testuser1/testuser1
Connected.
SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION

SQL> alter session set sql_trace = true;
alter session set sql_trace = true
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter session set nls_date_format='"'' and myfunc()=1--"';

Session altered.

SQL> select sysdate from dual;

SYSDATE
------------------
' and myfunc()=1--

SQL>

Thus we can see that no special privileges are required to effect a lateral SQL injection attack.
David on 07.18.08 @ 07:05 AM GMT [link]


Tuesday, July 15th

Oracle have released a Critical Patch Update


Oracle has released a critical patch update. This update fixes a number of serious issues, including an Oracle Application Server PL/SQL injection flaw I found in October 2007.

This flaw will serve as an excellent example for my upcoming Hacking Oracle PLSQL training course at Blackhat in Vegas this August.
David on 07.15.08 @ 01:38 PM GMT [link]


Tuesday, April 29th

Look before you leap...


So after publishing my paper the other day I've received a number of mails and comments from people who clearly don't quite "get it". Let me correct some of the more common comments and misconceptions.

1) You have to be highly privileged to do this.
No, you don't - in a multistage attack you can get what you need. To effect an attack, as described in the paper, you need to acquire the ALTER SESSION privilege. You can get this by exploiting another flaw such as DB04 in the April 2008 Critical Patch Update. This is an injection flaw into an ALTER SESSION statement. Furthermore, prior to Oracle 10gR2 the CONNECT role had the ALTER SESSION privilege.

2) You need direct access to the database to effect this attack
No, you don't. The attack described in the paper can be launched via the web through Oracle Application Server, for example. Again, it's a multistage attack, but easily doable. Just use any one of the 5 bypass techniques I've published over the past few years, and if the app server is patched against all those then look for an initial injection point in the custom app and use any of the facilitator methods I've described in the past.

3) This is simply second order SQL injection.
No, it's not, but it is similar. Second order SQL injection is where you load up a table with your attack SQL. At some later point this SQL is selected as data from the table and embedded in a dynamic query. The attack described in my paper doesn't deal with stored data. It manipulates the way the date and time is treated.

4) This paper is pointless as you should be using bind variables for dynamic queries, anyway.
Many developers only use bind variables when dealing with VARCHAR data and input, as those are known to be dangerous. They won't use bind variables when it comes to DATE or NUMBER data types. The whole point of the paper is to prove that DATE and NUMBER data types can be dangerous too, and that bind variables should be used.

5) This paper is mostly academic
No, it's not. This presents a potential threat to PL/SQL applications. Developers should take heed. Suggesting otherwise is irresponsible.
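To make points 3 and 4 concrete, and to tie them back to the NLS_DATE_FORMAT session shown in the July 18th entry, here is a PL/SQL example added for this page (it is not from the paper or from any Oracle code): a procedure that concatenates a DATE into dynamic SQL, beside the same procedure using a bind variable. The table APP_EVENTS, its columns and the procedure names are assumptions made up for the illustration.

```sql
-- Constructed example, not from the paper or the blog post.
-- Assumed schema: APP_EVENTS(EVENT_NAME VARCHAR2(100), EVENT_TIME DATE)

-- Vulnerable pattern: the DATE is implicitly converted to text using the
-- session's NLS_DATE_FORMAT, so whatever that format model carries becomes
-- part of the statement text. No VARCHAR2 input is involved at all.
CREATE OR REPLACE PROCEDURE count_events_today_vuln(p_count OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_events WHERE event_time >= '''
           || SYSDATE || '''';
  -- With the format set in the July 18th session the string above reads:
  --   SELECT COUNT(*) FROM app_events WHERE event_time >= '' and myfunc()=1--'
  -- i.e. the date has been replaced by SQL chosen by the session, not the code.
  EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- Fixed pattern: the DATE is passed as a bound value. The statement text is
-- fixed at compile time and the session's NLS settings cannot alter it.
CREATE OR REPLACE PROCEDURE count_events_today_fixed(p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_events WHERE event_time >= :d'
    INTO p_count USING SYSDATE;
END;
/
```

If a DATE genuinely has to appear in the SQL text, converting it with an explicit format model, e.g. TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS'), rather than relying on implicit conversion removes the dependence on NLS_DATE_FORMAT, but binding remains the simpler and safer choice.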
David on 04.29.08 @ 12:22 AM GMT [link]


Thursday, April 24th

A New Class of Vulnerability in Oracle: Lateral SQL Injection


I've just released some research that demonstrates a new class of vulnerability in Oracle and how it can be exploited by an attacker. You can grab the paper from here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf
David on 04.24.08 @ 09:44 AM GMT [link]


Tuesday, April 22nd

Citius, Altius, Fortius!


Tonight, NGSSoftware won the Best Security Company category of the SC Magazine 2008 European Awards. Woohoo! Thanks to all the guys at NGS - it was thoroughly a team triumph.
David on 04.22.08 @ 06:35 PM GMT [link]