Oracle


During the weekend, I stumbled across an interesting project named pysql. The project aims to replace SQL*Plus with a sane shell written in Python with history, tab completion and many extensions. Being a veteran of using SQL*Plus, I know that some of the above can be actually achieved on Linux/Unix environments with SQL*Plus using a handy utility called rlwrap but I was still curios.

The installation is a breeze (as long as you already have Python and cx_Oracle installed correctly). Just unzip into a directory and run pysql.sh. First impression – this is really cool stuff. Out of the box you get coloring, correct terminal handling, help, implemented macros and even visual graphs. The only problem I had was the lack of any documentation (that I could find) about how to use it all. Source code browsing is good and all but I would have preferred an easy how-to document.

Oh, and I stumbled across a bug (that Sébastien Renard told me is already fixed in the next version) that would not allow me to connect “/ as sysdba”. I did a small fix in pysqlshell.py that allowed me to easily fix the issue (just replace these 2 functions):

def __connect(self, connectString, mode=""):
    """Calls the PysqlDb class to connect to Oracle"""
    sid = None
    count=connectString.count("@")
    if count==1:
        (connectString, sid)=connectString.split("@")
    elif count > 1:
        raise PysqlException(_("Invalid connection string"))
    count=connectString.count("/")
    if count==0:
        user=connectString
        try:
            passwd=getpass()
        except (Exception):
            raise PysqlException(_("Invalid connection string"))
    elif count == 1:
        (user, passwd)=connectString.split("/")
    else:
        raise PysqlException(_("Invalid connection string"))
    if sid==None:
        connectString = user + "/" + passwd
    else:
        connectString = user + "/" + passwd + "@" + sid
    self.db=PysqlDb(connectString, mode)
    self.__setPrompt()

def __setPrompt(self, blank=False, multiline=False, finishedQuery=False):
    """Sets the prompt according to the connexion state
    @param blank: if true, no prompt is issue (default is False)
    @param finishedQuery: if true mark prompt with a * to notify a query is finished
    @type blank: bool
    @type finishedQuery: bool"""
    #TODO: do not update title for every line
    codec=self.conf.getCodec()
    if blank or not self.showPrompt:
        prompt=""
    elif multiline:
        prompt="> "
    else:
        if self.db is None:
            prompt=self.notConnectedPrompt
            # Update the title (without color else it is a huge mess)
            setTitle(_("Pysql - Not connected"), codec)
        else:
            sid = self.db.getDSN() if self.db.getDSN() != "None" else os.environ["ORACLE_SID"]
            userName = self.db.getUsername() if self.db.getUsername() != "" else "/"
            prompt=userName+"@"+sid+" "
            if finishedQuery:
                prompt+="* "
            setTitle("Pysql - %s" % prompt, codec)
    self.prompt=prompt.encode(codec, "replace")

This project is definitely on my “keep-an-eye-on” list.
Is anybody else using this?

Paul Wright published an interesting post about how you can find traces of Java privilege escalation attacks in the database. Great stuff!

Of course, Hedgehog already protects against these published attacks as Paul showed earlier here. Hedgehog comes with build-in vPatch protections that cover the DBMS_JVM_EXP_PERMS and DBMS_JAVA attacks.

Tanel published a great post a while ago talking about Oracle’s sql_id and hash values in Oracle 10g+. I wanted to be able to compute sql_id and hash values directly from SQL statements for our Hedgehog product. I did a few tests and could not match the MD5 value generated from the SQL statement to the MD5 value Oracle is calculating in X$KGLOB.KGLNAHSV. After a short discussion with Tanel, it turned out that Oracle is appending a NULL (‘\0’) value to the statement and then calculates the MD5.

Here is a test and some code in Python:

SYS> select 'Slavik' from dual;
'SLAVI
------
Slavik
SYS> select kglnahsv, kglnahsh from x$kglob where kglnaobj =
'select ''Slavik'' from dual';
KGLNAHSV                KGLNAHSH
--------------------------------- ----------
7a483e90555ab4ad24e190abe3e7775d  3823597405
7a483e90555ab4ad24e190abe3e7775d  3823597405

SYS> select sql_id, hash_value, old_hash_value from v$sql where sql_text =
'select ''Slavik'' from dual';

SQL_ID        HASH_VALUE OLD_HASH_VALUE
------------- ---------- --------------
29schpgjyfxux 3823597405     3501236764

So, first, let's check that our MD5 matches:
>>> import hashlib
>>> import math
>>> import struct
>>> stmt = "select 'Slavik' from dual"
>>> d = hashlib.md5(stmt + '\x00').digest()
>>> struct.unpack('IIII', d)[3]
3823597405
>>> h = ''
>>> for i in struct.unpack('IIII', d):
 h += hex(i)[2:]
>>> h
'7a483e90555ab4ad24e190abe3e7775d'

Good, all seem to match!

Now, let's create some utility functions:
def sqlid_2_hash(sqlid):
  sum = 0
  i = 1
  alphabet = '0123456789abcdfghjkmnpqrstuvwxyz'
  for ch in sqlid:
    sum += alphabet.index(ch) * (32**(len(sqlid) - i))
    i += 1
  return sum % (2 ** 32)

def stmt_2_sqlid(stmt):
  h = hashlib.md5(stmt + '\x00').digest()
  (d1,d2,msb,lsb) = struct.unpack('IIII', h)
  sqln = msb * (2 ** 32) + lsb
  stop = math.log(sqln, math.e) / math.log(32, math.e) + 1
  sqlid = ''
  alphabet = '0123456789abcdfghjkmnpqrstuvwxyz'
  for i in range(0, stop):
    sqlid = alphabet[(sqln / (32 ** i)) % 32] + sqlid
  return sqlid

def stmt_2_hash(stmt):
  return struct.unpack('IIII', hashlib.md5(stmt + '\x00').digest())[3]

Let's try them...
>>> stmt_2_hash(stmt)
3823597405
>>> stmt_2_sqlid(stmt)
'29schpgjyfxux'
>>> sqlid_2_hash(stmt_2_sqlid(stmt))
3823597405

Well, it all works. Now, to the real programming…

As you can see here, the Python code handles a specific case of Oracle TNS layer requesting a RESEND of the last packet. I’ve noticed that no matter what client I’m trying to connect with, Oracle is always requesting a RESEND after the initial CONNECT request as you can see here (removed various ACK packets, etc.):

1. Using SQL*Plus

Packet number 13:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 63055
 Dst port: 1521
Packet Type: Connect
 Version: 01 3a
 SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: sqlplus
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 3a 01 2c 0c 41 20 00    .........:.,.A .
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 08 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 73 71 6c 70 6c 75 73    (PROGRAM=sqlplus
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 15:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 63055
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 17:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 63055
 Dst port: 1521
Packet Type: Connect
 Version: 01 3a
 SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: sqlplus
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 3a 01 2c 0c 41 20 00    .........:.,.A .
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 08 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 73 71 6c 70 6c 75 73    (PROGRAM=sqlplus
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 19:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 63055
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 3a 0c 41 20 00 7f ff    . .......:.A ...
00016   01 00 00 00 00 20 41 41  00 00 00 00 00 00 00 00    ..... AA........

2. Using JDBC Type 4

Packet number 4:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 49699
 Dst port: 1521
Packet Type: Connect
 Version: 01 36
 SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
 SID: db11200
 HOST: __jdbc__
 PROGRAM: JDBC Thin Client
 USER: slavik
 Payload (211 bytes):
00000   00 d3 00 00 01 00 00 00  01 36 01 2c 0e 41 20 00    .........6.,.A .
00016   7f ff 4f 98 00 00 00 01  00 99 00 3a 00 00 00 00    ..O........:....
00032   01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 49  44 3d 64 62 31 31 32 30    DATA=(SID=db1120
00096   30 29 28 43 49 44 3d 28  50 52 4f 47 52 41 4d 3d    0)(CID=(PROGRAM=
00112   4a 44 42 43 20 54 68 69  6e 20 43 6c 69 65 6e 74    JDBC Thin Client
00128   29 28 48 4f 53 54 3d 5f  5f 6a 64 62 63 5f 5f 29    )(HOST=__jdbc__)
00144   28 55 53 45 52 3d 73 6c  61 76 69 6b 29 29 29 28    (USER=slavik)))(
00160   41 44 44 52 45 53 53 3d  28 50 52 4f 54 4f 43 4f    ADDRESS=(PROTOCO
00176   4c 3d 74 63 70 29 28 48  4f 53 54 3d 6c 6f 63 61    L=tcp)(HOST=loca
00192   6c 68 6f 73 74 29 28 50  4f 52 54 3d 31 35 32 31    lhost)(PORT=1521
00208   29 29 29                                            )))

Packet number 6:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 49699
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 8:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 49699
 Dst port: 1521
Packet Type: Connect
 Version: 01 36
 SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
 SID: db11200
 HOST: __jdbc__
 PROGRAM: JDBC Thin Client
 USER: slavik
 Payload (211 bytes):
00000   00 d3 00 00 01 00 00 00  01 36 01 2c 0e 41 20 00    .........6.,.A .
00016   7f ff 4f 98 00 00 00 01  00 99 00 3a 00 00 00 00    ..O........:....
00032   01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 49  44 3d 64 62 31 31 32 30    DATA=(SID=db1120
00096   30 29 28 43 49 44 3d 28  50 52 4f 47 52 41 4d 3d    0)(CID=(PROGRAM=
00112   4a 44 42 43 20 54 68 69  6e 20 43 6c 69 65 6e 74    JDBC Thin Client
00128   29 28 48 4f 53 54 3d 5f  5f 6a 64 62 63 5f 5f 29    )(HOST=__jdbc__)
00144   28 55 53 45 52 3d 73 6c  61 76 69 6b 29 29 29 28    (USER=slavik)))(
00160   41 44 44 52 45 53 53 3d  28 50 52 4f 54 4f 43 4f    ADDRESS=(PROTOCO
00176   4c 3d 74 63 70 29 28 48  4f 53 54 3d 6c 6f 63 61    L=tcp)(HOST=loca
00192   6c 68 6f 73 74 29 28 50  4f 52 54 3d 31 35 32 31    lhost)(PORT=1521
00208   29 29 29                                            )))

Packet number 10:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 49699
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 36 0e 41 20 00 7f ff    . .......6.A ...
00016   01 00 00 00 00 20 41 01  00 00 00 00 00 00 00 00    ..... A.........

3. Using an OCI with 10g client

Packet number 4:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 40196
 Dst port: 1521
Packet Type: Connect
 Version: 01 39
 SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: ocitest
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 39 01 2c 0c 01 08 00    .........9.,....
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 02 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 6f 63 69 74 65 73 74    (PROGRAM=ocitest
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 6:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 40196
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 8:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 40196
 Dst port: 1521
Packet Type: Connect
 Version: 01 39
 SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: ocitest
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 39 01 2c 0c 01 08 00    .........9.,....
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 02 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 6f 63 69 74 65 73 74    (PROGRAM=ocitest
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 10:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 40196
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 39 0c 01 08 00 7f ff    . .......9......
00016   01 00 00 00 00 20 41 41  00 00 00 00 00 00 00 00    ..... AA........

This is using an Oracle server 11gR2 (11.2.0.1) 64bit.

So, my question is – why? Is this a clumsy attempt to thwart discovery tools? Some sort of a defense mechanism?

I would appreciate any insights here. I’m sure that there are knowledgeable people out there who know the answer.

As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs.

Of course, the usual caveats apply – if it breaks something, I’m not responsible 🙂 Use at your own risk. I’m using the sidlist.txt file from David’s OAK but there are plenty of available resources with common SID lists.

Update: Alex graciously let me know that he was the one that originally created the SID list and also granted me permission to use his latest version with the script.

Here are some usage details:

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py
Usage: osid-guess.py [options]
osid-guess.py: error: You must provide the host of the listener
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -h
Usage: osid-guess.py [options]
Try to find the Oracle SID iterating a list of potential SIDs from a file or from stdin
Options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit

 Target options: Specify the location of the listener
 -t HOST, --host=HOST                The host running the listener
 -p PORT, --port=PORT                The port of the listener [1521]
 -s SIDLIST, --sidlist=SIDLIST       The filename containing the sids to try [stdin if missing]

 End user details: Specify end user details to send to the listener
 -u USER, --user=USER The user to provide to the listener [SCOTT]
 -a PROGRAM, --program=PROGRAM       The program name to provide to the listner [sqlplus]
 -m MACHINE, --machine=MACHINE       The name of the machine to provide to the listener [localhost]
 General options: General options to control verbose output, etc.
 -q, --quiet                         don't print status messages to stdout [output progress to stdout by default]

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t
localhost
Receiving service names from stdout
Opening connection to localhost:1521
test
Trying SERVICE_NAME - test
Trying SID - test
aaa
Trying SERVICE_NAME - aaa
Trying SID - aaa
db11200
Trying SERVICE_NAME - db11200
Listener supports service db11200
Trying SID - db11200
Listener supports sid db11200

On *nix, you need to press Ctrl-D between names

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t
localhost -s sid.txt -q
Listener supports service DB11200
Listener supports sid DB11200

So, that’s it. A very simple utility that does not have any pre-requisites (except Python, of course).

I’d love to hear some feedback…

Sumit Siddarth (Sid) has published an excellent whitepaper talking about hacking Oracle from the web. It shows many types and techniques of SQL injection and how to use an SQL injection vulnerability as a jumping point to extract data, take control of the database and even escape the database to the OS.

Security folks and DBAs out there, this is a must read!

I had a great time at RMOUG this year. Did one of my usual presentation about attack vectors on the database and how to defend against them. I think the presentation was well received and the attendees loved the demos – I mostly just demonstrate instead of going through slides.

One of my favorite demos is what I call “from nothing to DBA in 5 simple steps”.
Basically, I start with finding databases (using tools like nmap), guessing the SID, enumerating the usernames, attacking the password and then running one of the privilege escalation attacks. Of course, there are many other options, including attacking the listener instead or sniffing the network but I find that this demo usually sets the right mood for the rest of the presentation.

In some of my next posts, I’m going to publish some of the scripts I wrote for the above demo starting with a nice little script to enumerate and guess Oracle service names.

A picture of people arriving before the presentation (click to see the full picture)…

People arriving to the presentation

People arriving to my presentation

A really well written blog post from Mike Smithers about the need to validate data from all sources – also coming from the database.

Good one…

Yesterday at Black Hat, David released information on his latest find, a pretty serious batch of vulnerabilities in Oracle 11g which allows any user to escalate privileges to gain complete access & control of the database.

What’s interesting here is not so much that there is yet another vulnerability  (for those of you who are running Hedgehog and getting vPatch updates, you are already protected!), but more how this demonstrates the very tricky relationship that often exists between ethical security researchers and the database vendors.

David has been contributing to the Oracle DB security research community for many years, and certainly has the process down pretty well for notifying Oracle and giving them time to make the fix before going public.  But, this time around, things didn’t go as planned.  After notifying Oracle in November, he apparently wasn’t satisfied with their response, and decided it was best to announce the vulnerability now.  The good news is he also provided recommendations on how to protect systems from being exploited.

We know how he feels.  In 6 out of the last 7 Oracle CPUs, one or more Sentrigo employees has been credited for contributions.  Pretty impressive for our size, and a testament to the work of our Red Team.  In all of those cases, we’ve been pretty satisfied with the pace of Oracle fixes, and have simply built protection into our products from our day-zero discovery and waited for Oracle to release a patch.

But, for those of you who have been reading this blog for a while, you’ll recall the incident last September, when after a year of prodding Microsoft to fix a flaw in SQL Server, we too reached a point of frustration and announced it.  Also, with a fix of course.  But, the decision to do this is not an easy one.  The very vendors you are hoping to have an excellent working relationship with, are not likely to be happy.  In this case, Microsoft tried to argue that it was not very serious… but as security researchers we simply didn’t agree (nor did most of the public based on comments we received).  I’m sure David felt the same way about this recent vulnerability.  You can’t simply leave it there for other (less ethical) people to find and exploit.

So, we’ll see how this one plays out… I’m guessing Oracle will eventually provide a patch.  But, it does raise the question of what the white hats of the world are supposed to do, when a vendor simply doesn’t get it.  I’d be interested in your thoughts…

Dennis wrote an interesting blog entry about an experiment he conducted.

He found that out of roughly every 69,000 randomly scanned IP addresses, there is one open Oracle TNS Listener. That’s interesting because we all know that there are numerous attacks on (even fully patched) listeners that do not require any authentication.

Looking at the listener versions, you can see that many of the versions are not even getting patches from Oracle any more. This is like leaving your door wide open and putting up a big sign inviting hackers to come in, especially in light of many working exploits out there.

I didn’t try it, but I’d bet that many of these listeners do not even require a password. Come on people, at least keep your database behind a firewall!

« Previous PageNext Page »