Fri 26 Feb 2010

Enumerate Oracle SIDs

Posted by Slavik under Oracle, security
[2] Comments

As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs.

Of course, the usual caveats apply – if it breaks something, I’m not responsible :-) Use at your own risk. I’m using the sidlist.txt file from David’s OAK but there are plenty of available resources with common SID lists.

Update: Alex graciously let me know that he was the one that originally created the SID list and also granted me permission to use his latest version with the script.

Here are some usage details:

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py
Usage: osid-guess.py [options]

osid-guess.py: error: You must provide the host of the listener
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -h
Usage: osid-guess.py [options]
Try to find the Oracle SID iterating a list of potential SIDs from a file or from stdin
Options:
 --version             show program's version number and exit
 -h, --help            show this help message and exit

 Target options: Specify the location of the listener
 -t HOST, --host=HOST                The host running the listener
 -p PORT, --port=PORT                The port of the listener [1521]
 -s SIDLIST, --sidlist=SIDLIST       The filename containing the sids to try [stdin if missing]

 End user details: Specify end user details to send to the listener
 -u USER, --user=USER The user to provide to the listener [SCOTT]
 -a PROGRAM, --program=PROGRAM       The program name to provide to the listner [sqlplus]
 -m MACHINE, --machine=MACHINE       The name of the machine to provide to the listener [localhost]
 General options: General options to control verbose output, etc.
 -q, --quiet                         don't print status messages to stdout [output progress to stdout by default]

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t
localhost
Receiving service names from stdout
Opening connection to localhost:1521
test
Trying SERVICE_NAME - test
Trying SID - test
aaa
Trying SERVICE_NAME - aaa
Trying SID - aaa
db11200
Trying SERVICE_NAME - db11200
Listener supports service db11200
Trying SID - db11200
Listener supports sid db11200

On *nix, you need to press Ctrl-D between names

slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t
localhost -s sid.txt -q
Listener supports service DB11200
Listener supports sid DB11200

So, that’s it. A very simple utility that does not have any pre-requisites (except Python, of course).

I’d love to hear some feedback…

Tags: ,

 

Mon 22 Feb 2010

Exploiting Oracle from the web whitepaper

Posted by Slavik under Oracle, SQL*Plus, security
No Comments

Sumit Siddarth (Sid) has published an excellent whitepaper talking about hacking Oracle from the web. It shows many types and techniques of SQL injection and how to use an SQL injection vulnerability as a jumping point to extract data, take control of the database and even escape the database to the OS.

Security folks and DBAs out there, this is a must read!

Tags: , ,

 

Fri 19 Feb 2010

RMOUG presentation

Posted by Slavik under OUG, Oracle, security
[2] Comments

I had a great time at RMOUG this year. Did one of my usual presentation about attack vectors on the database and how to defend against them. I think the presentation was well received and the attendees loved the demos – I mostly just demonstrate instead of going through slides.

One of my favorite demos is what I call “from nothing to DBA in 5 simple steps”.
Basically, I start with finding databases (using tools like nmap), guessing the SID, enumerating the usernames, attacking the password and then running one of the privilege escalation attacks. Of course, there are many other options, including attacking the listener instead or sniffing the network but I find that this demo usually sets the right mood for the rest of the presentation.

In some of my next posts, I’m going to publish some of the scripts I wrote for the above demo starting with a nice little script to enumerate and guess Oracle service names.

A picture of people arriving before the presentation (click to see the full picture)…

People arriving to the presentation

People arriving to my presentation

Tags: , ,

 

Mon 15 Feb 2010

A nice blog post about SQL Injection

Posted by Slavik under Oracle, SQL injection
No Comments

A really well written blog post from Mike Smithers about the need to validate data from all sources – also coming from the database.

Good one…

Tags: ,

 

Sat 6 Feb 2010

Salesforce errors

Posted by Slavik under security, technical tips
[2] Comments

As part of my continued crusade to get rid of all database errors returned from the application to the user, one of our developers sent me the following error message coming from Salesforce.com:

SF error

SF Error

SF Error

So, what can we learn from the error?

  • SF uses Java as a backend
  • SF uses Oracle as the database
  • The application is programmed using stored program units – in this case package sLead with procedure update_leads
  • Checks are performed at the PL/SQL level and custom exceptions are being thrown – ORA-20096
  • The Java application uses bind variables to call into the PL/SQL layer – good for them!
  • My guess is that the username/schema for this particular SF account is SNEEZY and it contains Oracle types with the names CUSER and SLEAD

All in all, I’d say that SF did a good, secure job in implementing the application (bind variables, etc.) but missed the “never return DB errors to the customer” part.

So, what will it take to educate developers not to display errors? Thoughts?

Tags: ,

 

Wed 3 Feb 2010

David Lichtfield in the Oracle cross-hairs (again…)

Posted by Slavik under MS SQL Server, Oracle, security
[2] Comments

Yesterday at Black Hat, David released information on his latest find, a pretty serious batch of vulnerabilities in Oracle 11g which allows any user to escalate privileges to gain complete access & control of the database.

What’s interesting here is not so much that there is yet another vulnerability  (for those of you who are running Hedgehog and getting vPatch updates, you are already protected!), but more how this demonstrates the very tricky relationship that often exists between ethical security researchers and the database vendors.

David has been contributing to the Oracle DB security research community for many years, and certainly has the process down pretty well for notifying Oracle and giving them time to make the fix before going public.  But, this time around, things didn’t go as planned.  After notifying Oracle in November, he apparently wasn’t satisfied with their response, and decided it was best to announce the vulnerability now.  The good news is he also provided recommendations on how to protect systems from being exploited.

We know how he feels.  In 6 out of the last 7 Oracle CPUs, one or more Sentrigo employees has been credited for contributions.  Pretty impressive for our size, and a testament to the work of our Red Team.  In all of those cases, we’ve been pretty satisfied with the pace of Oracle fixes, and have simply built protection into our products from our day-zero discovery and waited for Oracle to release a patch.

But, for those of you who have been reading this blog for a while, you’ll recall the incident last September, when after a year of prodding Microsoft to fix a flaw in SQL Server, we too reached a point of frustration and announced it.  Also, with a fix of course.  But, the decision to do this is not an easy one.  The very vendors you are hoping to have an excellent working relationship with, are not likely to be happy.  In this case, Microsoft tried to argue that it was not very serious… but as security researchers we simply didn’t agree (nor did most of the public based on comments we received).  I’m sure David felt the same way about this recent vulnerability.  You can’t simply leave it there for other (less ethical) people to find and exploit.

So, we’ll see how this one plays out… I’m guessing Oracle will eventually provide a patch.  But, it does raise the question of what the white hats of the world are supposed to do, when a vendor simply doesn’t get it.  I’d be interested in your thoughts…

Tags: , , ,

 

Fri 29 Jan 2010

Scanning random IPs for Oracle Listener

Posted by Slavik under Oracle, security
No Comments

Dennis wrote an interesting blog entry about an experiment he conducted.

He found that out of roughly every 69,000 randomly scanned IP addresses, there is one open Oracle TNS Listener. That’s interesting because we all know that there are numerous attacks on (even fully patched) listeners that do not require any authentication.

Looking at the listener versions, you can see that many of the versions are not even getting patches from Oracle any more. This is like leaving your door wide open and putting up a big sign inviting hackers to come in, especially in light of many working exploits out there.

I didn’t try it, but I’d bet that many of these listeners do not even require a password. Come on people, at least keep your database behind a firewall!

Tags: ,

 

Wed 13 Jan 2010

Oracle January 2010 CPU

Posted by Slavik under Oracle, patching, security
No Comments

Ah, time flies when you’re having fun. It seams that only yesterday we worked on the October CPU and now Oracle released the January CPU.

This time, Oracle acknowledged 24 security fixes, 9 of them in the database layer. This number is a bit lower than the average but as in the previous CPU, you have a vulnerability that can be exploited remotely without authentication to take control of the machine (on Windows) or the Oracle account (on *nix).

Analyzing the CPU provides an interesting story. As always, Oracle talks about x vulnerabilities but actually patches y (which is much bigger than x). In this CPU, we’ve already analyzed more than 15 different vulnerabilities and we’re still counting!

Based on the severity of some of the vulnerabilities, if you have one of the supported versions you know you need to patch!
It’s also important to understand that if you have any 9i, 10gR1, 10gR2 or 11gR1 you’re vulnerable. Oracle just provides CPUs to the latest patch-sets.

I’m happy to see three Sentrigo researchers were credited in this CPU (including myself!). Go Red Team!

Of course, Sentrigo customers are already protected against many of the vulnerabilities using our own vPatches and we will release updated vPatches to cover the others.

In this case, my advice to wait a week to make sure that there are no issues with the patch and then patch as soon as possible since the vulnerabilities are so severe. Patch as soon as possible – but only after ensuring that your applications are not breaking.

If you can’t patch quickly or unable to patch at all due to valid reasons , try virtual patching as a stop-gap solution.

Tags: , , ,

 

Wed 6 Jan 2010

Tapulous MySQL Error and SQL Injection vulnerability

Posted by Slavik under MySQL, SQL injection, privacy, security
No Comments

I’ve talked about displaying errors from the database on the user screen a while ago. In my opinion, this is definitely a big no-no and a security problem just waiting to happen.

As some of you know, I have an iPhone (and I like it a lot, but that’s another story). I’ve installed a nice little game called Tap Tap Revenge from Tapulous, a fairly known company and game in the iPhone scene. Immediately after installation, it required me to register or login.

Here is the error I got  trying to click on a email link trying to reclaim my username (I changed the error a bit):

Warning: mysql_connect() [function.mysql-connect]: Too many connections in /var/www/html/tapservices/v1/lib/tapsql.php on line 49

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /var/www/html/tapservices/v1/lib/tapsql.php on line 50

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /var/www/html/tapservices/v1/lib/tapsql.php on line 94
INSERT INTO tapulous.devices (user_id, device_id, time) VALUES (‘xxxx’, ‘yyyy’, NOW()) ON DUPLICATE KEY UPDATE user_id=’xxxx’, time=NOW()
Too many connections

Hmmm…

Let’s count how many details we can get from the error message:

  • They are using PHP
  • They are using MySQL
  • They probably use Apache on Linux or some other *nix variant
  • We know the directory structure (and also that it’s v1)
  • They have the SQL code separated in a file called tapsql.php
  • The MySQL server is not configured correctly with regards to the number of connections (or the connection pool is not configured correctly)
  • The database for Tapolous data is called tapolous (shocking, I know)
  • The table for the devices is called devices (another shock)
  • I did not post the link I clicked but if we examine the link and the INSERT statement in the error, it’s easy to see that user input is directly concatenated into the query – this one is really shocking – SQL Injection, anyone???

I’m sure that if you think a bit, you can find even more details in the error message but the last one is the most important one. I would have thought that in this day and age everybody is using bind variables. The first try to SQL Inject the link succeeded, of course. This is a popular application (and site) with a lot of registered users (including me) and having our details out there in the database does not inspire confidence.

I, of course, notified Tapulous immediately and received an email saying that the problem was fixed. Otherwise, I would not have written anything.

Oh, and looking at the original link and the SQL command being executed, I believe it’s very easy to write a small script (shell, Python, just choose your favorite) to iterate on all users and associate all the usernames with your own device…

I’d love to hear your thoughts.

Tags: , , ,

 

Mon 4 Jan 2010

Getting closer to a national breach notification law

Posted by Slavik under compliance, privacy, sb1386
1 Comment

In the midst of all the excitement around healthcare reform, the fact that both the house and senate made some progress on their (separate) bills for protecting personal information hasn’t received the attention it deserves.  Sure, I think we’re up to 46 states that now have their own breach notification laws, but simplifying this and raising the bar in some of the states with more lax regulations, is certain to improve the state of database security overall.

So, where does this stand?

The biggest advance was in the house, where the “Data Accountabilty and Trust Act” (aka H.R.2221) passed on December 8th, and has been sent to the senate.  It includes provisions aimed at improving security policies, as well as breach notification requirements.  See:  http://www.scmagazineus.com/national-data-breach-notification-bill-passed-in-us-house/article/159404/

The senate, has 2 of their own bills that made it out of “committee” in November, and await a floor vote.  The “Personal Data Privacy and Security Act of 2009” (looks like they’ll have to update the name) and the “Data Breach Notification Act” address the need to better secure sensitive information and notify individuals in case of a breach, respectively.   See:  http://www.eweek.com/c/a/Security/Senate-Committee-Passes-Data-Breach-Laws-590570/

There is still work to be done in Washington (the senate must pass their bills, then on to reconciliation to get the house and senate versions aligned, and of course they all get to vote again), but even so, I’m optimistic that something will come of this next year.  Maybe I should have put that in my predictions for 2010.  If that’s the case, I think it will bring more focus in virtually every company on the need to better secure databases.  Those that have already taken the step to deploy tools to monitor activity will be in the best position to meet the new requirements with minimal disruption, and for those that have been looking for ways to justify the expense to management, this will make it much easier.

Tags: , ,

 

« Previous PageNext Page »