security


Well, that was fun. I had a great time at UKOUG at Birmingham. Met friends, enjoyed the parties and gave a SQL Injection security presentation. All in all, I think it went well – no demos crashing, etc.

It’s pretty much the same presentation I gave in the Hacking Exposed series, so you can download it here with all the scripts and the demo app.

Presentation Attendees

Here is the presentation and demo application I used for the Hacking Exposed webinar I did on April 14th. The download file includes an Eclipse project and instructions under the “etc” folder. It also includes a few scripts I used for blind SQL injection and worm infection.

Tell me what you think…

HackingExposed

A blog entry I’ve written is published here.

As you can see from my previous posts, I hate it when a site has a revealing error message displayed directly to the customer. This time, I got the following when trying to pay my PGE bill:

Message from the NSAPI plugin:

No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.

Build date/time: Dec 7 2006 04:08:43

Change Number: 871803

Hmmm… What can we learn from this? Let’s hear your opinions.

So, we all know that Oracle used to be case-insensitive when it came to user names and passwords. We also know that since 11g this is no longer the case: Oracle is case sensitive by default.

The one thing I wanted to point out is that even if you set sec_case_sensitive_logon=false and ignore the case of passwords for backward compatibility, Oracle still computes the spare4 field (the case-sensitive hash), in case you later turn the parameter back to true.

This means that when you choose passwords, you should actually choose a mixed-case password even if it does not matter right now, because if an attacker gets hold of your hashes, mixing the case will make them harder to break. One has to remember that calculating the spare4 hash (SHA-1 based) is much faster than the older DES-based algorithm behind the password field, so an attacker will probably try the spare4 field first. Note that the legacy algorithm upper-cases the password before hashing it, so mixed case only buys you anything where the spare4 value is what gets attacked.

How many of you are actually using a mixed case password for Oracle accounts?
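To make the point concrete, here is an added example (not code from the post) that builds the 11g “S:” value the way Oracle stores it in SYS.USER$.SPARE4 (SHA-1 over the password bytes followed by a 10-byte random salt, then the salt itself, all as upper-case hex) and runs a small offline guess against it, once with a plain word list and once with every upper/lower-case spelling of each word. The fixed salt and the word list are constructed for the demonstration; the legacy DES-based PASSWORD hash is not reproduced here.

```python
"""Added example (not from the post): how the 11g 'S:' hash in SYS.USER$.SPARE4 is built
and why a mixed-case password costs an attacker who holds that value extra work."""
import hashlib
import itertools
import os

SALT_LEN = 10  # the 11g hash appends a 10-byte random salt


def spare4_hash(password, salt=None):
    """'S:' + SHA-1(password || salt) + salt, upper-case hex: the 62-char value 11g stores."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def split_spare4(value):
    """Return (digest_hex, salt_bytes) from a stored 'S:' value."""
    if not value.startswith("S:") or len(value) != 2 + 40 + 2 * SALT_LEN:
        raise ValueError("not an 11g S: hash")
    return value[2:42], bytes.fromhex(value[42:])


def case_variants(word):
    """Every upper/lower-case spelling of word: 2**(number of letters) candidates."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def crack(value, wordlist, all_cases=False):
    """Offline guess against one spare4 value. Returns (password or None, hashes computed)."""
    digest, salt = split_spare4(value)
    attempts = 0
    for word in wordlist:
        for cand in (case_variants(word) if all_cases else (word,)):
            attempts += 1
            if hashlib.sha1(cand.encode("utf-8") + salt).hexdigest().upper() == digest:
                return cand, attempts
    return None, attempts


if __name__ == "__main__":
    salt = bytes.fromhex("0123456789ABCDEF0123")   # constructed fixed salt so the run is repeatable
    words = ["welcome1", "oracle", "tiger", "manager"]  # constructed word list
    print("TIGER and tiger hash differently:", spare4_hash("TIGER", salt) != spare4_hash("tiger", salt))
    print("lower-case password, plain list:", crack(spare4_hash("tiger", salt), words))
    print("mixed-case password, plain list: ", crack(spare4_hash("tIgEr", salt), words))
    print("mixed-case password, all cases:  ", crack(spare4_hash("tIgEr", salt), words, all_cases=True))
```

The attempt counter is the point: a plain list finds “tiger” in three hashes and misses “tIgEr” entirely, and covering the case variants of the same short list multiplies the work by 2 to the power of the letter count per word.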

Next week I’ll be doing a really fun webcast, as a guest speaker for McAfee’s ‘Hacking Exposed Live’ series.  The series takes a look at current and evolving hacks and what you can do to protect your environment.  The topic is officially:  ‘Understanding Threat Vectors for Database Breaches’, and I’ll be showing some sample attacks based on ways a rogue insider might try to breach various levels of data security, assuming they had physical access to the network and/or servers.

Please join us if you can:

Thu, Jul 22, 2010  @ 11:00am PDT  (click here to register)

Paul Wright published an interesting post about how you can find traces of Java privilege escalation attacks in the database. Great stuff!

Of course, Hedgehog already protects against these published attacks, as Paul showed earlier here. Hedgehog comes with built-in vPatch protections that cover the DBMS_JVM_EXP_PERMS and DBMS_JAVA attacks.

As you can see here, the Python code handles a specific case of the Oracle TNS layer requesting a RESEND of the last packet. I’ve noticed that no matter which client I connect with, Oracle always requests a RESEND after the initial CONNECT request, as you can see below (various ACK packets, etc. removed):

1. Using SQL*Plus

Packet number 13:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 63055
 Dst port: 1521
Packet Type: Connect
 Version: 01 3a
 SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: sqlplus
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 3a 01 2c 0c 41 20 00    .........:.,.A .
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 08 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 73 71 6c 70 6c 75 73    (PROGRAM=sqlplus
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 15:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 63055
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 17:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 63055
 Dst port: 1521
Packet Type: Connect
 Version: 01 3a
 SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: sqlplus
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 3a 01 2c 0c 41 20 00    .........:.,.A .
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 08 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 73 71 6c 70 6c 75 73    (PROGRAM=sqlplus
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 19:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 63055
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 3a 0c 41 20 00 7f ff    . .......:.A ...
00016   01 00 00 00 00 20 41 41  00 00 00 00 00 00 00 00    ..... AA........

2. Using JDBC Type 4

Packet number 4:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 49699
 Dst port: 1521
Packet Type: Connect
 Version: 01 36
 SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
 SID: db11200
 HOST: __jdbc__
 PROGRAM: JDBC Thin Client
 USER: slavik
 Payload (211 bytes):
00000   00 d3 00 00 01 00 00 00  01 36 01 2c 0e 41 20 00    .........6.,.A .
00016   7f ff 4f 98 00 00 00 01  00 99 00 3a 00 00 00 00    ..O........:....
00032   01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 49  44 3d 64 62 31 31 32 30    DATA=(SID=db1120
00096   30 29 28 43 49 44 3d 28  50 52 4f 47 52 41 4d 3d    0)(CID=(PROGRAM=
00112   4a 44 42 43 20 54 68 69  6e 20 43 6c 69 65 6e 74    JDBC Thin Client
00128   29 28 48 4f 53 54 3d 5f  5f 6a 64 62 63 5f 5f 29    )(HOST=__jdbc__)
00144   28 55 53 45 52 3d 73 6c  61 76 69 6b 29 29 29 28    (USER=slavik)))(
00160   41 44 44 52 45 53 53 3d  28 50 52 4f 54 4f 43 4f    ADDRESS=(PROTOCO
00176   4c 3d 74 63 70 29 28 48  4f 53 54 3d 6c 6f 63 61    L=tcp)(HOST=loca
00192   6c 68 6f 73 74 29 28 50  4f 52 54 3d 31 35 32 31    lhost)(PORT=1521
00208   29 29 29                                            )))

Packet number 6:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 49699
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 8:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 49699
 Dst port: 1521
Packet Type: Connect
 Version: 01 36
 SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
 SID: db11200
 HOST: __jdbc__
 PROGRAM: JDBC Thin Client
 USER: slavik
 Payload (211 bytes):
00000   00 d3 00 00 01 00 00 00  01 36 01 2c 0e 41 20 00    .........6.,.A .
00016   7f ff 4f 98 00 00 00 01  00 99 00 3a 00 00 00 00    ..O........:....
00032   01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 49  44 3d 64 62 31 31 32 30    DATA=(SID=db1120
00096   30 29 28 43 49 44 3d 28  50 52 4f 47 52 41 4d 3d    0)(CID=(PROGRAM=
00112   4a 44 42 43 20 54 68 69  6e 20 43 6c 69 65 6e 74    JDBC Thin Client
00128   29 28 48 4f 53 54 3d 5f  5f 6a 64 62 63 5f 5f 29    )(HOST=__jdbc__)
00144   28 55 53 45 52 3d 73 6c  61 76 69 6b 29 29 29 28    (USER=slavik)))(
00160   41 44 44 52 45 53 53 3d  28 50 52 4f 54 4f 43 4f    ADDRESS=(PROTOCO
00176   4c 3d 74 63 70 29 28 48  4f 53 54 3d 6c 6f 63 61    L=tcp)(HOST=loca
00192   6c 68 6f 73 74 29 28 50  4f 52 54 3d 31 35 32 31    lhost)(PORT=1521
00208   29 29 29                                            )))

Packet number 10:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 49699
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 36 0e 41 20 00 7f ff    . .......6.A ...
00016   01 00 00 00 00 20 41 01  00 00 00 00 00 00 00 00    ..... A.........

3. Using OCI with a 10g client

Packet number 4:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 40196
 Dst port: 1521
Packet Type: Connect
 Version: 01 39
 SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: ocitest
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 39 01 2c 0c 01 08 00    .........9.,....
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 02 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 6f 63 69 74 65 73 74    (PROGRAM=ocitest
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 6:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 40196
Packet Type: Resend
 Payload (8 bytes):
00000   00 08 00 00 0b 00 00 00                             ........

Packet number 8:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 40196
 Dst port: 1521
Packet Type: Connect
 Version: 01 39
 SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
 SID: <N/A>
 HOST: slavik-laptop
 PROGRAM: ocitest
 USER: slavik
 Payload (216 bytes):
00000   00 d8 00 00 01 00 00 00  01 39 01 2c 0c 01 08 00    .........9.,....
00016   7f ff 7f 08 00 00 01 00  00 9e 00 3a 00 00 02 00    ...........:....
00032   41 41 00 00 00 00 00 00  00 00 00 00 00 00 00 00    AA..............
00048   00 00 00 00 00 00 00 00  00 00 28 44 45 53 43 52    ..........(DESCR
00064   49 50 54 49 4f 4e 3d 28  43 4f 4e 4e 45 43 54 5f    IPTION=(CONNECT_
00080   44 41 54 41 3d 28 53 45  52 56 49 43 45 5f 4e 41    DATA=(SERVICE_NA
00096   4d 45 3d 64 62 31 31 32  30 30 29 28 43 49 44 3d    ME=db11200)(CID=
00112   28 50 52 4f 47 52 41 4d  3d 6f 63 69 74 65 73 74    (PROGRAM=ocitest
00128   29 28 48 4f 53 54 3d 73  6c 61 76 69 6b 2d 6c 61    )(HOST=slavik-la
00144   70 74 6f 70 29 28 55 53  45 52 3d 73 6c 61 76 69    ptop)(USER=slavi
00160   6b 29 29 29 28 41 44 44  52 45 53 53 3d 28 50 52    k)))(ADDRESS=(PR
00176   4f 54 4f 43 4f 4c 3d 54  43 50 29 28 48 4f 53 54    OTOCOL=TCP)(HOST
00192   3d 31 32 37 2e 30 2e 30  2e 31 29 28 50 4f 52 54    =127.0.0.1)(PORT
00208   3d 31 35 32 31 29 29 29                             =1521)))

Packet number 10:
 From: 127.0.0.1
 To: 127.0.0.1
 Protocol: TCP
 Src port: 1521
 Dst port: 40196
Packet Type: Accept
 Accepted: Yes
 Payload (32 bytes):
00000   00 20 00 00 02 00 00 00  01 39 0c 01 08 00 7f ff    . .......9......
00016   01 00 00 00 00 20 41 41  00 00 00 00 00 00 00 00    ..... AA........

This is using an Oracle server 11gR2 (11.2.0.1) 64bit.

So, my question is – why? Is this a clumsy attempt to thwart discovery tools? Some sort of a defense mechanism?

I would appreciate any insights here. I’m sure that there are knowledgeable people out there who know the answer.

As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs.

Of course, the usual caveats apply – if it breaks something, I’m not responsible :-) Use at your own risk. I’m using the sidlist.txt file from David’s OAK but there are plenty of available resources with common SID lists.

Update: Alex graciously let me know that he was the one that originally created the SID list and also granted me permission to use his latest version with the script.

Here are some usage details:

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py
Usage: osid-guess.py [options]
osid-guess.py: error: You must provide the host of the listener
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -h
Usage: osid-guess.py [options]
Try to find the Oracle SID iterating a list of potential SIDs from a file or from stdin
Options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit

 Target options: Specify the location of the listener
 -t HOST, --host=HOST                The host running the listener
 -p PORT, --port=PORT                The port of the listener [1521]
 -s SIDLIST, --sidlist=SIDLIST       The filename containing the sids to try [stdin if missing]

 End user details: Specify end user details to send to the listener
 -u USER, --user=USER The user to provide to the listener [SCOTT]
 -a PROGRAM, --program=PROGRAM       The program name to provide to the listner [sqlplus]
 -m MACHINE, --machine=MACHINE       The name of the machine to provide to the listener [localhost]
 General options: General options to control verbose output, etc.
 -q, --quiet                         don't print status messages to stdout [output progress to stdout by default]

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t localhost
Receiving service names from stdout
Opening connection to localhost:1521
test
Trying SERVICE_NAME - test
Trying SID - test
aaa
Trying SERVICE_NAME - aaa
Trying SID - aaa
db11200
Trying SERVICE_NAME - db11200
Listener supports service db11200
Trying SID - db11200
Listener supports sid db11200

On *nix, you need to press Ctrl-D between names

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t localhost -s sid.txt -q
Listener supports service DB11200
Listener supports sid DB11200

So, that’s it. A very simple utility that does not have any pre-requisites (except Python, of course).

I’d love to hear some feedback…
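For readers who want to see the CONNECT / RESEND / ACCEPT exchange from the captures above driven from code, and how a SID guesser like osid-guess.py turns the listener’s replies into “supports service X”, here is an added example. It is not the osid-guess.py script from the post; the packet layout is taken from the captures (protocol version 314, connect descriptor at offset 58, the 8-byte RESEND), the ORA-12514 / ORA-12505 refusal codes are the listener’s standard “unknown service” / “unknown SID” answers, and the FakeListener class is a constructed stand-in that replays the captured behaviour so the script runs offline.

```python
"""Added example, not the osid-guess.py from the post: a minimal TNS CONNECT probe
that honours the listener's RESEND, using the packet layouts from the captures above."""
import re
import socket
import struct

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11


def tns_header(ptype, body_len):
    """8-byte TNS header: total length, packet checksum, type, reserved, header checksum."""
    return struct.pack(">HHBBH", 8 + body_len, 0, ptype, 0, 0)


def build_connect(connect_data):
    """CONNECT packet with the fixed fields of the sqlplus capture (v314, SDU 8192, TDU 32767)."""
    cd = connect_data.encode("ascii")
    fixed = struct.pack(">HHHHHHHHHHIBB",
                        0x013A, 0x012C,        # protocol version, lowest compatible version
                        0x0C41, 8192, 32767,   # service options, SDU, TDU
                        0x7F08, 0, 0x0100,     # NT characteristics, max pkts before ACK, byte order
                        len(cd), 58,           # connect data length and offset
                        0x800, 0x41, 0x41)     # max receivable connect data, flags
    body = fixed + bytes(24) + cd              # 24 reserved/trace bytes, then the descriptor
    return tns_header(TNS_CONNECT, len(body)) + body


def build_connect_data(service=None, sid=None, host="localhost", port=1521,
                       program="sqlplus", machine="localhost", user="SCOTT"):
    target = f"(SERVICE_NAME={service})" if service else f"(SID={sid})"
    return (f"(DESCRIPTION=(CONNECT_DATA={target}(CID=(PROGRAM={program})(HOST={machine})"
            f"(USER={user})))(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))")


def parse_response(pkt):
    ptype = pkt[4]
    if ptype == TNS_ACCEPT:
        version, _opts, sdu, tdu = struct.unpack(">HHHH", pkt[8:16])
        return {"type": "accept", "version": version, "sdu": sdu, "tdu": tdu}
    if ptype == TNS_REFUSE:   # user reason, system reason, data length, "(DESCRIPTION=...(ERR=nnnn)...)"
        dlen = struct.unpack(">H", pkt[10:12])[0]
        text = pkt[12:12 + dlen].decode("ascii", "replace")
        m = re.search(r"\(ERR=(\d+)\)", text)
        return {"type": "refuse", "err": int(m.group(1)) if m else None, "text": text}
    return {"type": {TNS_RESEND: "resend", TNS_REDIRECT: "redirect"}.get(ptype, f"unknown({ptype})")}


def probe(transport, connect_data, max_resend=3):
    """Send CONNECT; on RESEND send the identical packet again, as every client in the captures does."""
    pkt = build_connect(connect_data)
    for _ in range(max_resend + 1):
        transport.send(pkt)
        reply = parse_response(transport.recv())
        if reply["type"] != "resend":
            return reply
    raise RuntimeError("listener kept asking for RESEND")


def guess(transport_factory, names, **cid):
    """Try each name as SERVICE_NAME and as SID on a fresh connection.
    A REFUSE with ORA-12514 / ORA-12505 means the listener does not know that service / SID."""
    out = []
    for name in names:
        for kind in ("service", "sid"):
            reply = probe(transport_factory(), build_connect_data(**{kind: name}, **cid))
            out.append((kind, name, reply["type"] if reply["type"] != "refuse" else f"refuse:{reply['err']}"))
    return out


class TcpTransport:
    """Real transport: packets are length-prefixed, so read the 8-byte header first, then the rest."""
    def __init__(self, host, port=1521, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def send(self, pkt):
        self.sock.sendall(pkt)

    def recv(self):
        hdr = self.rfile.read(8)
        if len(hdr) < 8:
            raise ConnectionError("listener closed the connection")
        return hdr + self.rfile.read(struct.unpack(">H", hdr[:2])[0] - 8)


class FakeListener:
    """Constructed stand-in for the captured behaviour: RESEND to the first CONNECT on a connection,
    then ACCEPT for a known SERVICE_NAME / SID or REFUSE carrying ORA-12514 / ORA-12505."""
    def __init__(self, services=(), sids=()):
        self.services, self.sids, self.reply = set(services), set(sids), None

    def send(self, pkt):
        if self.reply is None:                        # first CONNECT: ask for a resend
            self.reply = tns_header(TNS_RESEND, 0)    # 00 08 00 00 0b 00 00 00, as captured
            return
        ln, off = struct.unpack(">HH", pkt[24:28])
        m = re.search(r"\((SERVICE_NAME|SID)=([^)]*)\)", pkt[off:off + ln].decode("ascii"))
        known, code = (self.services, 12514) if m.group(1) == "SERVICE_NAME" else (self.sids, 12505)
        if m.group(2) in known:                       # ACCEPT body copied from the capture
            body = struct.pack(">HHHHHHHBB", 0x013A, 0x0C41, 8192, 32767, 0x0100, 0, 32, 0x41, 0x41) + bytes(8)
            self.reply = tns_header(TNS_ACCEPT, len(body)) + body
        else:
            text = f"(DESCRIPTION=(ERR={code})(ERROR_STACK=(ERROR=(CODE={code})(EMFI=4))))".encode("ascii")
            self.reply = tns_header(TNS_REFUSE, 4 + len(text)) + struct.pack(">BBH", 0, 0, len(text)) + text

    def recv(self):
        return self.reply


if __name__ == "__main__":
    factory = lambda: FakeListener(services={"db11200"}, sids={"db11200"})  # or: lambda: TcpTransport("host")
    for kind, name, verdict in guess(factory, ["test", "aaa", "db11200"]):
        print(f"{kind:8s}{name:10s}{verdict}")
```

Two things to keep in mind when pointing this at a real listener: each guess opens a new connection, because the listener closes the socket after a REFUSE, and a listener that answers a valid name with REDIRECT rather than ACCEPT still counts as “supports it”. The 16-bit length field in the header is the one that goes with protocol version 314, which is what this probe offers, so it matches the captures here.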

Sumit Siddarth (Sid) has published an excellent whitepaper talking about hacking Oracle from the web. It shows many types and techniques of SQL injection and how to use an SQL injection vulnerability as a jumping point to extract data, take control of the database and even escape the database to the OS.

Security folks and DBAs out there, this is a must read!
