Archive for April, 2009

Recently, I read a very interesting paper by Alexandr Polyakov talking about how an unprivileged user can get OS access to the database machine by stealing NTLM challenge-response authentication strings.
I really liked the way it was written and the fact that it uses automated metasploit plug-ins that will try to evade detection by using obfuscation techniques.

Since the paper mentioned Hedgehog, I took it as a challenge to protect against such an attack :-) . One obvious solution is to monitor CREATE INDEX statements with an INDEXTYPE of ctxsys.context. Because of the way Hedgehog monitors transactional information, evasion techniques like base64, translate, etc. are not effective against it: we read the command directly from memory at the point where it is being parsed, after any obfuscation has already been undone.

The rule I’ve created is: “cmdtype = ‘create index’ and statement contains ‘ctxsys.context’”. Although this is a somewhat simplistic version of the rule, I believe it will still be effective. One other option is to catch ‘create index’ where the accessed objects include the ODCI (Oracle Data Cartridge Interface) objects. Next, I’m going to try this with metasploit.
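As an added example (this is not Hedgehog code, and the post does not show how Hedgehog evaluates rules internally), here is the rule from the post written out as detection logic in Go, run over a few constructed statements. It normalizes each statement the way a parse-time monitor effectively does (comments stripped, quoted identifiers unquoted, case folded), classifies the command type, and then applies “cmdtype = 'create index' and statement contains 'ctxsys.context'”. It also extracts the INDEXTYPE named in a domain-index creation, which is the hook for the broader variant mentioned above (alerting on any domain index type that is not on an allow-list). The function names, the sample statements and the quote-stripping simplification are all assumptions of this example:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matching runs on a normalized statement (lower-cased, comment-stripped,
// whitespace-collapsed) so that case games, inline comments and quoted
// identifiers cannot hide the INDEXTYPE clause from a text match.
var (
	blockComment = regexp.MustCompile(`(?s)/\*.*?\*/`)
	lineComment  = regexp.MustCompile(`--[^\n]*`)
	whitespace   = regexp.MustCompile(`\s+`)
	createIndex  = regexp.MustCompile(`^create\s+(?:unique\s+|bitmap\s+)?index\b`)
	indexTypeIs  = regexp.MustCompile(`indextype\s+is\s+([a-z0-9_$#]+\.[a-z0-9_$#]+)`)
)

// Normalize strips comments and double quotes, collapses whitespace and
// lower-cases the text. Stripping quotes is a deliberate simplification
// (assumption): it trades a few extra alerts for never missing a quoted
// identifier such as "CTXSYS"."CONTEXT".
func Normalize(stmt string) string {
	s := blockComment.ReplaceAllString(stmt, " ")
	s = lineComment.ReplaceAllString(s, " ")
	s = strings.ReplaceAll(s, `"`, "")
	s = whitespace.ReplaceAllString(s, " ")
	return strings.ToLower(strings.TrimSpace(s))
}

// CmdType classifies a normalized statement the way the rule's cmdtype
// field does: "create index" for any flavour of CREATE INDEX, otherwise
// the leading keyword.
func CmdType(norm string) string {
	if createIndex.MatchString(norm) {
		return "create index"
	}
	fields := strings.Fields(norm)
	if len(fields) == 0 {
		return ""
	}
	return fields[0]
}

// CtxsysRule is the rule from the post:
//   cmdtype = 'create index' and statement contains 'ctxsys.context'
func CtxsysRule(stmt string) bool {
	norm := Normalize(stmt)
	return CmdType(norm) == "create index" && strings.Contains(norm, "ctxsys.context")
}

// DomainIndexType returns the owner.type named in an INDEXTYPE IS clause,
// or "" when the statement does not create a domain index. This is the
// hook for the broader variant: alert on any domain index whose type is
// not on an allow-list, not only on ctxsys.context.
func DomainIndexType(stmt string) string {
	norm := Normalize(stmt)
	if CmdType(norm) != "create index" {
		return ""
	}
	m := indexTypeIs.FindStringSubmatch(norm)
	if m == nil {
		return ""
	}
	return m[1]
}

// Constructed sample statements (not captured from a real system).
var SampleStatements = []string{
	"CREATE INDEX emp_txt_idx ON employees(resume) INDEXTYPE IS ctxsys.context",
	"create index /* hide me */ t_idx on t(c) indextype is \"CTXSYS\".\"CONTEXT\" parameters('...')",
	"CREATE UNIQUE INDEX emp_email_idx ON employees(email)",
	"SELECT resume FROM employees WHERE employee_id = 42",
}

func main() {
	for _, stmt := range SampleStatements {
		fmt.Printf("alert=%-5v indextype=%-18q %s\n", CtxsysRule(stmt), DomainIndexType(stmt), stmt)
	}
}
```

The first two statements alert and the last two do not; the second one shows why normalizing before matching matters, since a comment and quoted identifiers would otherwise defeat a naive substring check on the raw text.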

Here is the screenshot of the rule:

Hedgehog CTXSYS rule


Running the clear text version of the attack produces the following:

Alert on ctxsys index


Any other ideas out there?

Anybody using Oracle databases, and anyone who is concerned about vulnerability assessment should be familiar with Repscan – the best scanner for Oracle databases, developed by Alexander Kornbrust’s Red-Database-Security.

The scanner, built upon Alex’s extensive experience in doing thousands of pen tests and database reviews, has some unique features and tests. At Sentrigo, I always considered Repscan extremely useful, flexible and easy to use, and this is why I’m happy to announce that we’ve integrated it with Hedgehog to provide an even stronger database security solution.

One of the unique features that I like is the fact that everything is available from the command line on Linux, Mac and Windows, so you can use your favorite scheduling system to run the tests. I know that most users prefer a GUI (which is available as well), but I’m a command line type of guy :-)

You can easily download Repscan from the Sentrigo website, where you can get the limited trial version at no charge. This is a great way to test the waters, and then move on to the fully-functional product once you’ve tested it.

Here are some of the highlights – check it out for yourself, and let me know what you think!

Repscan’s Product Highlights

  • Detects insecure PL/SQL-Code
  • Shows the patch level of all your databases in one-click
  • Finds security problems such as SQL Injections, hardcoded passwords, deprecated functions
  • Detects weak or default passwords
  • More than 115 Oracle tables checked for password information
  • Provides penetration testing reports
  • Detects changed database objects including root kits
  • Detects altered data (including modifications of privilege and user tables)
  • Discovers forensic traces from common security and hacker tools
  • Complements and integrates with Sentrigo’s Hedgehog family of database activity monitoring software

I recently had a discussion with our development team about displaying stack traces to the customer.
Looking at this from a support point of view, there is no doubt that if a customer can tell support exactly what the problem is, it will shorten the investigation and allow support to pinpoint the issue faster. On the other hand, looking at this from a security point of view (my argument), displaying stack traces can disclose a lot of information about the internal structure and workings of the application, and that is something an attacker can use. Also, SQL injection attacks can use the errors returned from the database to retrieve information from it. For SQL injection, in-band attacks are the easiest to exploit, and displaying errors is exactly what makes them possible. If nothing is displayed to the attacker except a generic message, the attacker is forced to try out-of-band or even blind SQL injection, which are harder to use.

Here is an example I got from Guy Lichtman after the discussion while he was browsing MSNBC.com on his mobile.

System.NullReferenceException: Object reference not set to an instance of an object.
at Msnbc.Workbench.Rendering.FrontComponents.MobileVideo.GetVideo(HttpContext context, MobileVideoData mobileVideoData, Boolean isMappedId) in
d:\tfsbuild\techno\integration\Sources\WB\Site\Rendering\Bin-Sources\Msnbc.Workbench.Rendering.FrontComponents\MobileVideo.cs:line 242 at Msnbc.Workbench.Rendering.FrontComponents.MobileVideo.Process(HttpContext context, Object componentData, WorkAreas workArea, String device, Site site, PageParameters pageParams) in
d:\tfsbuild\techno\integration\Sources\WB\Site\Rendering\Bin-Sources\Msnbc.Workbench.Rendering.FrontComponents\MobileVideo.cs:line 155

An attacker can learn from the exception some information about the file system layout and the code package naming conventions. It is then possible to do some Google hacking on the package name and find out even more…

Google hacking


Eventually, we agreed on the following course of action:
1. Generate a public/private key-pair for support
2. Distribute the public key with our software
3. Encrypt the stack trace with the public key before displaying on screen
4. Create a small utility for support to decrypt the stack traces when received from customers
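As an added example of the four steps above (this is not Sentrigo’s utility, which the post does not show, and it also illustrates the generic-message point from the discussion: the customer sees an opaque diagnostic code, never the trace), here is the whole flow in Go using only the standard library. Support generates the key pair once and keeps the private key; the product ships only the PEM public key; the trace is hybrid-encrypted before display (a fresh AES-256-GCM key encrypts the text, because a stack trace is longer than one RSA block, and RSA-OAEP wraps that key); support’s utility unwraps and decrypts. The function names, the OAEP label, the blob layout and the sample trace are assumptions of this example:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// Constructed values: the OAEP label ties a wrapped key to this purpose.
const gcmNonceSize = 12 // nonce length cipher.NewGCM uses
var oaepLabel = []byte("support-trace-v1")

// Steps 1 and 2: support keeps the private key; only the PEM public key ships.
func GenerateSupportKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
	return priv, pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: der}), nil
}

// The shipped product parses the embedded public key at startup.
func ParseSupportPublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "RSA PUBLIC KEY" {
		return nil, errors.New("no RSA PUBLIC KEY block in embedded key")
	}
	return x509.ParsePKCS1PublicKey(block.Bytes)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Step 3: encrypt the trace before it reaches the screen. A fresh AES-256-GCM
// key encrypts the text, RSA-OAEP wraps the key. Blob: [wrapped key][nonce][ciphertext].
func EncryptTraceForDisplay(pub *rsa.PublicKey, trace string) (string, error) {
	buf := make([]byte, 32+gcmNonceSize) // fresh AES-256 key, then nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return "", err
	}
	blob := gcm.Seal(append(wrapped, nonce...), nonce, []byte(trace), nil)
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Step 4: support's decryption utility. OAEP rejects a key wrapped for a
// different support key; GCM rejects a blob altered in transit.
func DecryptTrace(priv *rsa.PrivateKey, encoded string) (string, error) {
	n := priv.Size() // an RSA-OAEP ciphertext is exactly one modulus long
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(blob) < n+gcmNonceSize {
		return "", errors.New("malformed diagnostic code")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], oaepLabel)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, blob[n:n+gcmNonceSize], blob[n+gcmNonceSize:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	priv, pubPEM, _ := GenerateSupportKeyPair() // demo only: errors ignored
	pub, _ := ParseSupportPublicKey(pubPEM)
	// Constructed sample trace, not the one quoted in the post.
	trace := "System.NullReferenceException\n   at Example.Web.Render(HttpContext) in C:\\build\\Example.Web\\Render.cs:line 42"
	code, _ := EncryptTraceForDisplay(pub, trace)
	fmt.Println("An internal error occurred. Please quote this diagnostic code to support:\n" + code)
	back, err := DecryptTrace(priv, code)
	fmt.Println("support recovered the trace:", back == trace, err)
}
```

Two design points worth keeping in a real utility: the private key must never ship with the product (otherwise an attacker who has the product can decrypt any customer’s code), and the blob should carry a key identifier once support rotates keys, so the utility knows which private key to try.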

How did you solve this problem?