Entries tagged with “oracle_database_security”.

Recently, I read a very interesting paper by Alexandr Polyakov talking about how an unprivileged user can get OS access to the database machine by stealing NTLM challenge-response authentication strings.
I really liked the way it was written and the fact that it uses automated metasploit plug-ins that will try to evade detection by using obfuscation techniques.

Since the paper mentioned Hedgehog, I took it as a challenge to protect against such an attack :-). One obvious solution is to monitor the CREATE INDEX with INDEXTYPE of ctxsys.context. The way Hedgehog monitors transactional information, using evasion techniques like base64, translate, etc. is not effective as we read the command directly from the memory when it’s being parsed.

The rule I’ve created is – “cmdtype = ‘create index’ and statement contains ‘ctxsys.context'”. Now, although this is a somewhat simplistic version of the rule, I believe it will still be effective. One other option is to catch ‘create index’ with accessed objects including ODCI stuff. Next, I’m going to try this with metasploit.

Here is the screenshot of the rule:

Hedgehog CTXSYS rule

Hedgehog CTXSYS rule

Running the clear text version of the attack produces the following:

Alert on ctxsys index

Alert on ctxsys index

Any other ideas out there?

Just a short announcement this time – Sentrigo is hosting a live webinar/webcast with Pete Finnigan where he’ll share his wisdom on Oracle database security, show some attack vectors and how one can detect and prevent them, as well as other good stuff.

Those of you who’ve ever attended one of Pete’s masterclasses at an OUG or security conference know that they are well worth attending, and those of you who haven’t – you’re now given the chance to attend from the comfort of your own computer…

It takes place on Friday, March 28th. You need to register in advance – here.