I was playing with Perl and Oracle a couple of weeks ago and was pulling my hair out trying to build dynamic SQL (I know, I know.... SQL Injection is an issue) through SQL*Plus with Perl. i wanted to create dynamic strings, pass them to a standard Perl function thatw ould accept the SQL, add in SQL*plus commands like, "set pages 0" and then run the SQL and collect the results into a hash for dealing with. I played for ever and could not get it working and as is usual with these things the answer to the problem came to me in the middle of the night. I was using a here document and passing it a back tick command - i.e. the shell was executing it. I realised that its DOS!!! or rather the modern (if you can call it modern) equivelant. DOS has no idea about "here documents". I gave up trying to get DOS to work as its not in the same league as Linux when it comes to simple scripts like this, so i did it on Linux instead.
Out of interest I did a quick search on google and found an excellent page on Yong Huang's site titled http://www.stormloader.com/yonghuang/computer/OracleAndPerl.html - (broken link) Oracle and Perl. This is a superb page that explains the ins and outs of piping to and from SQL*plus using two way communication. It also gives a simple Perl DBI example and also a simple one way pipe first. The two way communication example is exactly what I needed for DOS. I didn't try it as I had done what I needed on Linux anyway but this is a great page and well worth a visit. As usual Yong provides great information.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
Information Week on the mod_plsql 0-day bug
Researcher Details New Oracle Zero-Day Bug - By Gregg Keizer
"A longtime critic of Oracle says the bug can be exploited by an attacker to grab complete control of an Oracle database server via a compromised Web server."
"A longtime critic of Oracle says the bug can be exploited by an attacker to grab complete control of an Oracle database server via a compromised Web server."
Gartner: Oracle no longer a bastion of security
http://news.com.com/Gartner+Oracle+no+longer+a+bastion+of+security/2100-7355_3-6030733.html - (broken link) Gartner: Oracle no longer a bastion of security - By Munir Kotadia
"Analyst group Gartner has warned administrators to be "more aggressive" when protecting their Oracle applications because, according to Gartner, they are not getting enough help from the database giant"
"Analyst group Gartner has warned administrators to be "more aggressive" when protecting their Oracle applications because, according to Gartner, they are not getting enough help from the database giant"
An argument rages in the ePress between Oracle and Litchfield
http://www.networkworld.com/news/2006/012706-oracle-security.html?page=1 - (broken link) Oracle fires back at security researcher - By Jeremy Kirk
"Oracle and a security researcher are trading heated barbs over a vulnerability in the company's software that has gone unpatched since it was discovered in October.
Oracle is warning its customers not to use a workaround written by David Litchfield for a security vulnerability, saying the suggested workaround could break its software."
This is an excellent article highlighting the current state of Oracle Security.
"Oracle and a security researcher are trading heated barbs over a vulnerability in the company's software that has gone unpatched since it was discovered in October.
Oracle is warning its customers not to use a workaround written by David Litchfield for a security vulnerability, saying the suggested workaround could break its software."
This is an excellent article highlighting the current state of Oracle Security.
Many ways to become a DBA presentation updated
I was speaking at the UKOUG Unix SIG in the Institute of Physics yesterday about Oracle Security. The talk focused on the different types of threats an Oracle database may come under, where to find information and tools. I also gave some examples of how to exploit Oracle, talked about various tools and demonstrated some of them and then I talked about how you might audit a database for vulnerabilities, some ideas on how to use the audit features of Oracle and also how to secure a database. I felt the talk went quite well and I had changed it quite a bit since last time I gave it. I removed some slides, added new ones to cover recent advances in Oracle security and also changed the text on most of the slides to enhance them. I also prepared almost all of the examples shown in the slides so that I could demonstrate them live.
I have passed the slides to the UKOUG for publishing on their site but the latest updated slides are also available as a presentation titled "Many ways to become DBA"
I have passed the slides to the UKOUG for publishing on their site but the latest updated slides are also available as a presentation titled "Many ways to become DBA"
Details published about the mod_plsql 0-day bug
Alex has produced a detailed analysis of the "SQL injection bug via mod_plsql" on his website. Alex took almost all of the information in his analysis from the mod_plsql log file. It took Alex only a few minutes in modplsql debug mode to work out how to exploit this bug. This is actually very easy to exploit and in fact the biggest clue to how to exploit this is in Davids post to bugtraq. This is an un-fixed bug and quite serious due to it being internet facing. David's suggestions to use mod_rewrite rules are good but as Alex points out this may not work in older versions due to it being legal to use URL's with function names with brackets.
Interesting comments about the David Litchfield bug and the Duncan Harris interview
I saw an interesting post on Andrew Clarke's blog titled "Oracle Patching Malarky" and read it with interest.
Alex has produced a document detailing the changes made by CPU Jan 2006
Alex has produced a detailed document that details all of the schema changes that are made by applying the January Critical Patch Update 2006. This document is called "Database Changes CPU January 2006". This is a report generated by RepScan, Red Database Security's repository scanner. The tool shows the differences in the schema from just before the patch was applied and then after the application. Alex has also detailed in the report comments most packages, how they are vulnerable, which functions and parameters are vulnerable and to what and also how Oracle has fixed the issue.
This makes interesting reading.
This makes interesting reading.
Oracle is advising customers to patch the last CPU very quickly
Oracle Advises Users: Patch Critical Hole—Now! - By Paul F. Roberts
"Oracle is advising its customers to quickly apply a critical database patch the company issued last week. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.
The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10. The hole is "very severe" and allows users to bypass the Oracle database's authentication and become administrative "super users," according to Shlomo Kramer, CEO of Imperva, which discovered the hole. However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue."
This is a discussion of the recent CPU January 2006 and in particular the DB18 bug. This is the one discovered by Imperva whereby arbitary SQL can be sent to the server and executed as SYS. This means any authenticated user can escalate to a DBA.
This bug is easy to exploit. I have an example exploit that I created easilly.
"Oracle is advising its customers to quickly apply a critical database patch the company issued last week. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.
The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10. The hole is "very severe" and allows users to bypass the Oracle database's authentication and become administrative "super users," according to Shlomo Kramer, CEO of Imperva, which discovered the hole. However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue."
This is a discussion of the recent CPU January 2006 and in particular the DB18 bug. This is the one discovered by Imperva whereby arbitary SQL can be sent to the server and executed as SYS. This means any authenticated user can escalate to a DBA.
This bug is easy to exploit. I have an example exploit that I created easilly.
David Litchfield has released a workaround for an unpatched Oracle security bug
At 6.25pm today David Litchfield has posted a workaround for an un-patched critical flaw in the Oracle PL/SQL gateway. This is a component in iAS, OAS and the Oracle HTTP server. The bug allows an attacker to bypass the PLSQLExclusion list that stops access to critical packages and procedures. The post to the bugtraq mailing list is titled "Workaround for unpatched Oracle PLSQL Gateway flaw" and it gives details of mod_rewrite rules that can be added to the httpd.conf file. mod_rewrite is available on the platforms. The rules check for a trailing right hand bracket which is a signature of the attack.
I was aware of this issue as I had seen the NISCC post previously. Anyone who has the Oracle HTTP server enabled needs to apply this workaound immediatley.
I was aware of this issue as I had seen the NISCC post previously. Anyone who has the Oracle HTTP server enabled needs to apply this workaound immediatley.
Speaking engagements tomorrow and in April
Two short announcements. I am speaking tomorrow, January 26 2006 at the UKOUG UNIX SIG Meeting in London at the Institute of Physics, 76 Portland Place about Oracle security of course. If anyone who reads this blog is there tomorrow then please come and say hello. Thanks to David Kurtz for the invite to this one.
I have also been asked to speak at the PSOUG Oracle day on April 14th in Bellevue Washington, again about Oracle Security, it will be a different presentation of course. Thanks to Daniel Morgan for inviting me over to that one.
I have also been asked to speak at the PSOUG Oracle day on April 14th in Bellevue Washington, again about Oracle Security, it will be a different presentation of course. Thanks to Daniel Morgan for inviting me over to that one.
Harder-to-Detect Oracle Rootkit on the Way
Harder-to-Detect Oracle Rootkit on the Way - by Paul F. Roberts
"A security expert working on a new version of an Oracle database rootkit says the programs are easy to create and could soon be as common as those that target operating systems like Windows."
"A security expert working on a new version of an Oracle database rootkit says the programs are easy to create and could soon be as common as those that target operating systems like Windows."
Oracle have re-released the Linux Jan 2006 CPU patch for 10.2.0.1
Oracle has sent out an email to all customers who have downloaded the Critical Patch Update january 2006 for Linux for 10.2.0.1. This is becomming a recurrant theme of all CPU releases since they have started. The jist of the issue is that not all fixes for security vulnerabilities were not included when they should have been. Hence Oracle have re-released the patch with all the fixes this time intact. Here is the complete email from Oracle customer support
"Dear Oracle Customer,
You are receiving this email because our records indicated you downloaded
the Critical Patch Update January 2006 (CPUJan2006) patch for Oracle
Database 10.2.0.1 (Patch 4751931)for Linux x86 before it was re-uploaded on
January 20, 2006.
These patches were re-uploaded because some files did not include all of the
changes required to fix the security vulnerabilities being addressed in the
January 2006 Critical Patch Update. No functional problems will be
encountered by applying an earlier version of these patches, but some
security vulnerabilities will not be completely fixed. Even if you have
successfully applied an earlier version of these patches, you should still
re-download and re-apply the latest version of the patches, dated
20-JAN-2006.
Please accept our apologies for any inconvenience you may have experienced,
and we thank you for your patience and cooperation in securing your Oracle
server products.
Regards,
Oracle Global Product Security
P.S. Please use MetaLink, https://metalink.oracle.com, to submit a Service
Request If you require further assistance. Please do not reply to this
email."
More details can be found at here if you have a metalink account. You should have if you are downloading and applying patches.
"Dear Oracle Customer,
You are receiving this email because our records indicated you downloaded
the Critical Patch Update January 2006 (CPUJan2006) patch for Oracle
Database 10.2.0.1 (Patch 4751931)for Linux x86 before it was re-uploaded on
January 20, 2006.
These patches were re-uploaded because some files did not include all of the
changes required to fix the security vulnerabilities being addressed in the
January 2006 Critical Patch Update. No functional problems will be
encountered by applying an earlier version of these patches, but some
security vulnerabilities will not be completely fixed. Even if you have
successfully applied an earlier version of these patches, you should still
re-download and re-apply the latest version of the patches, dated
20-JAN-2006.
Please accept our apologies for any inconvenience you may have experienced,
and we thank you for your patience and cooperation in securing your Oracle
server products.
Regards,
Oracle Global Product Security
P.S. Please use MetaLink, https://metalink.oracle.com, to submit a Service
Request If you require further assistance. Please do not reply to this
email."
More details can be found at here if you have a metalink account. You should have if you are downloading and applying patches.
Oracle security joke - a template for journalists
Alex sent me over a link today from the OSVDB Blog. The post is called http://www.osvdb.org/blog/?p=86 - (broken link) For journalists covering Oracle.. and it presents a great template for talking about Oracle security vulnerabilities or patches or releases or disclosures. Its very funny, have a read!
Doug has some great comments on canned application security
Any vendors out there listening and interested in security? - if so take a blog along to Doug Burns site and read http://oracledoug.blogspot.com/2006/01/application-security.html - (broken link) Application Security
Oracle's patch application program OPatch is causing acess problems after applying interim patches
Oracle has today issued an email to customers to inform them that the tool OPatch.pl has an issue with file system privileges on Linux and Unix platforms. This is causing non-dba's to be denied access to the database after application of an interim patch using OPatch. The Oracle email is included in full below:
"From: Oracle Global Product Support [mailto:st-gspuser_us@ORACLE.COM]
Sent: Wednesday, January 25, 2006 3:54 PM
To: Oracle Global Product Support
Subject: Critical Problem with OPatch 1.0.0.0.54 and 10.2.0.1.1
Dear Oracle Customer,
You are receiving this email because our records indicated you downloaded OPatch 1.0.0.0.54 and 10.2.0.1.1 before OPatch 1.0.0.0.55 and 10.2.0.1.2 were available.
A change of behavior in OPatch versions 1.0.0.0.54 and 10.2.0.1.1 was causing file permissions under Oracle_Home to be changed incorrectly when applying an interim patch. As a result, a non-DBA user would not be able to connect to any database from the patched server. This issue affected Unix and Linux platforms only. The behavior is corrected in OPatch versions 1.0.0.0.55 and 10.2.0.1.2 that are available on MetaLink via Patches 2617419 and 4898608 respectively.
If you have experienced this problem after applying an interim patch using OPatch versions 1.0.0.0.54 or 10.2.0.1.1, reapplying the interim patch using versions 1.0.0.0.55 and 10.2.0.1.2 will correct the problem. If the interim patch that you applied was Critical Patch Update January 2006 and reapplying the patch is not feasible, please be aware that a script is being developed to correct the file permission so re-installation would not be necessary. The availability of this script will be announced shortly in the Oracle Critical Patch Update January 2006 Pre-Installation Note for Oracle Database (Note 343384.1) and the Pre-Installation Notes for other products.
Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in keeping your Oracle products up-to-date.
Regards,
Oracle Global Product Support
P.S. Please do not reply to this email as this email account is not monitored. If you require further assistance, please use MetaLink, https://metalink.oracle.com, to submit a Service Request. "
If you have either of these versions of OPatch then please download the new versions. Also note that if you used these versions to apply the January 2006 CPU then you will either need to fix the permissions yourself (not recommended as its unlikely to be supported) or wait for Oracle to supply a script to fix the issue. I guess this issue could be causing problems for some customers?
"From: Oracle Global Product Support [mailto:st-gspuser_us@ORACLE.COM]
Sent: Wednesday, January 25, 2006 3:54 PM
To: Oracle Global Product Support
Subject: Critical Problem with OPatch 1.0.0.0.54 and 10.2.0.1.1
Dear Oracle Customer,
You are receiving this email because our records indicated you downloaded OPatch 1.0.0.0.54 and 10.2.0.1.1 before OPatch 1.0.0.0.55 and 10.2.0.1.2 were available.
A change of behavior in OPatch versions 1.0.0.0.54 and 10.2.0.1.1 was causing file permissions under Oracle_Home to be changed incorrectly when applying an interim patch. As a result, a non-DBA user would not be able to connect to any database from the patched server. This issue affected Unix and Linux platforms only. The behavior is corrected in OPatch versions 1.0.0.0.55 and 10.2.0.1.2 that are available on MetaLink via Patches 2617419 and 4898608 respectively.
If you have experienced this problem after applying an interim patch using OPatch versions 1.0.0.0.54 or 10.2.0.1.1, reapplying the interim patch using versions 1.0.0.0.55 and 10.2.0.1.2 will correct the problem. If the interim patch that you applied was Critical Patch Update January 2006 and reapplying the patch is not feasible, please be aware that a script is being developed to correct the file permission so re-installation would not be necessary. The availability of this script will be announced shortly in the Oracle Critical Patch Update January 2006 Pre-Installation Note for Oracle Database (Note 343384.1) and the Pre-Installation Notes for other products.
Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in keeping your Oracle products up-to-date.
Regards,
Oracle Global Product Support
P.S. Please do not reply to this email as this email account is not monitored. If you require further assistance, please use MetaLink, https://metalink.oracle.com, to submit a Service Request. "
If you have either of these versions of OPatch then please download the new versions. Also note that if you used these versions to apply the January 2006 CPU then you will either need to fix the permissions yourself (not recommended as its unlikely to be supported) or wait for Oracle to supply a script to fix the issue. I guess this issue could be causing problems for some customers?
Duncan Harris speaks on Oracle Security
Sidebar: Oracle Exec Says Users Are Getting Enough Flaw Info - by Jaikumar Vijayan
"JANUARY 23, 2006 (COMPUTERWORLD) - As senior director of security assurance at Oracle, Duncan Harris is in charge of its vulnerability remediation processes. He also manages a team of "ethical hackers" at Oracle's Redding, England, software lab who work to find flaws in the vendor's products. Following Oracle's latest quarterly patch release last week, Harris spoke with Computerworld about the company's patching policies and its relationship with the IT security community."
"JANUARY 23, 2006 (COMPUTERWORLD) - As senior director of security assurance at Oracle, Duncan Harris is in charge of its vulnerability remediation processes. He also manages a team of "ethical hackers" at Oracle's Redding, England, software lab who work to find flaws in the vendor's products. Following Oracle's latest quarterly patch release last week, Harris spoke with Computerworld about the company's patching policies and its relationship with the IT security community."
Alex has produced a detailed analysis of the Jan 2006 CPU
Alex has created a great analysis of the January 2006 Critical Patch Update (CPU Jan 2006). This page is titled "Details Oracle Critical Patch Update January 2006 - V1.06". This paper details all of the packages and functions/procedures that are vulnerable and all parameters where relevant. This section includes a lot of detailed information. The next section includes a mapping of security vulnerabilities in Oracle features and components. Then there is a section mapping oracle vulnerability numbers with vulnerability types and affected versions. Alex also details the very simple password checker also released with this patch that is intended to be used to check for the default users that are mentioned in the recent Oracle worm. A much better default password checker is available on this site that checks for a much larger list of accounts.
Alex has advised me that this is a living document and will be updated as new information becomes available.
Alex has advised me that this is a living document and will be updated as new information becomes available.
The CPU Jan 2006 patch for HP/UX Application Server is empty
The HP/UX patch for the Jan 2006 CPU for the Application server looks like it has some issues. The zip for the patch p4863758_9041_HP64.zip contains just one text file that says "This is dummy patch for testing CPF data.". What is that about!
Alex has added advisories for 23 security bugs fixed in 10g Release1
Alex has added three more advisories to his web site for bugs that have also been fixed in 10g Release 1. It seems that some of these bugs are not included in Oracles advisory for CPU January 2006. Another good point worth noting is that these advisories are not just for single bugs. This is quite normal in a fix listed on Oracles advisory and fixed in a CPU. One package may be listed with one bug reference but in fact there may have been multiple vulnerabilities fixed and not listed. So whilst it seems some 80 or so bugs are fixed in CPU january 2006 in fact many more could have been fixed. We simply do not know unless the reporters of the bugs reveal it to us as Alex has done in this case via his website. The bugs are:
"SQL Injection in package SYS.KUPV$FT_INT" - This advisory lists 16 SQL Injection bugs in 13 functions or procedures contained in this package. Alex has detailed each function or procedure and listed which function or procedure parameters are vulnerable to SQL Injection. He also informs us in his advisory that Oracle have fixed the bugs by now using bind variables instead (I assume) of using concatenated strings in SQL statements.
"SQL Injection in package SYS.KUPV$FT" - This advisory lists 3 SQL Injection bugs in three different functions and procedures in this package. Again the actual function or procedure parameters that are vulnerable to SQL Injection are identified. This time Alex tells us that Oracle has fixed these bugs by using the new package DBMS_ASSERT.
"SQL Injection in package SYS.DBMS_METADATA_UTIL" - In this advisory 4 SQL injection bugs are fixed in 4 different functions or procedures. Again the parameters that are vulnerable to SQL Injection are identified and again these bugs have been fixed by using the new package DBMS_ASSERT.
There is a lot of information in these three new advisories that cover a further 23 SQL injection bugs. In fact it could be argued that the number of bugs is in fact higher as for instance in the last advisory listed 2 parameters are vulnerable in each function. Whilst Alex has stopped short of giving out exploit code there is enough information here to simply write exploits for non patched databases.
Again I urge everyone to patch as soon as possible, if you don'y you are vulnerable to a hige amount of bugs that are now public.
"SQL Injection in package SYS.KUPV$FT_INT" - This advisory lists 16 SQL Injection bugs in 13 functions or procedures contained in this package. Alex has detailed each function or procedure and listed which function or procedure parameters are vulnerable to SQL Injection. He also informs us in his advisory that Oracle have fixed the bugs by now using bind variables instead (I assume) of using concatenated strings in SQL statements.
"SQL Injection in package SYS.KUPV$FT" - This advisory lists 3 SQL Injection bugs in three different functions and procedures in this package. Again the actual function or procedure parameters that are vulnerable to SQL Injection are identified. This time Alex tells us that Oracle has fixed these bugs by using the new package DBMS_ASSERT.
"SQL Injection in package SYS.DBMS_METADATA_UTIL" - In this advisory 4 SQL injection bugs are fixed in 4 different functions or procedures. Again the parameters that are vulnerable to SQL Injection are identified and again these bugs have been fixed by using the new package DBMS_ASSERT.
There is a lot of information in these three new advisories that cover a further 23 SQL injection bugs. In fact it could be argued that the number of bugs is in fact higher as for instance in the last advisory listed 2 parameters are vulnerable in each function. Whilst Alex has stopped short of giving out exploit code there is enough information here to simply write exploits for non patched databases.
Again I urge everyone to patch as soon as possible, if you don'y you are vulnerable to a hige amount of bugs that are now public.
Steven Feuerstein has started a weblog
I saw tonight in Eddie's post that Steven Feuerstein has started a weblog called FeuerThoughts. I have always been a fan of PL/SQL and always been a fan of Steven's writings and his coding style. I will keep an eye on his blog mostly because I like to code in PL/SQL as well as in C and hopefully one day he will give us some great PL/SQL security insights.
Bug DBC02 in CPU Jan 2006 found by Joxean Koret identified
Alex sent me an email to say that he had managed to identify the bug reported and fixed in Critical Patch Update January 2006 identified as DBC02. The bug is detailed along with bugs in 9 other binaries in Oracle 10g version 10.1.0.3.0. The post is titled "Various Buffer Overflows in Oracle 10g Tools" and is dated one year ago.
This is an interesting find as it details how this bug could be exploited. Remember this information has been in the public domain for around one year and the patch has been available for two days. These quarterly patches from Oracle are starting to include many fixes for security bugs. Clearly a lot of the bugs fixed have been known either completely publically or at least amongst smaller groups. This is a clear sign for every customer to patch as quickly as possible!
This is an interesting find as it details how this bug could be exploited. Remember this information has been in the public domain for around one year and the patch has been available for two days. These quarterly patches from Oracle are starting to include many fixes for security bugs. Clearly a lot of the bugs fixed have been known either completely publically or at least amongst smaller groups. This is a clear sign for every customer to patch as quickly as possible!
Red Database Security has released 5 Oracle security bug advisories
Alex has this evening added 5 new security advisories to his website for the bugs that he has found that have been fixed in the latest January 2006 Critical Patch Update (CPU). These include two bugs in the latest new encryption technology in 10gR2, Transparemt Database Encryption where the wallet password is stored un-encrypted in the SGA. This is reminscant of how i found clear text passwords in the SGA, described in a post titled "Oracle 8 - revealing clear text passwords from the SGA" posted almost five years ago. Alex's advisories are as follows:
"Event 10053 logs TDE wallet password in cleartext" - This advisory gives a detailed example of how setting event 10053 can be used to reveal the wallet password. This event is normally used to reveal how the Cost Based Optimizer evaluated the execution path for a query. Wolfgang Breitling famously describes how this works in his well known paper "A Look Under the Hood of CBO The 10053 Event"
"Transparent Data Encryption stores key unencrypted in the SGA" - This advisory goes through a detailed example of how the dumpsga utility can be used to dump a clear text wallet password from the SGA.
"Read parts of any XML-file via customize parameter in Oracle Reports" - This advisory shows how the customize parameter of Oracle reports can be used to read the contents of any XML file on the server.
"Read parts of any file via desformat in Oracle Reports" - This advisory shows how the DESFORMAT parameter can be used without Oracle Reports to read parts of any file.
"Overwrite any file via desname in Oracle Reports" - This advisory shows how the DESNAME parameter can be used to overwrite any file using Oracle Reports. Alex also details comprehensive workaounds for this issue.
"Event 10053 logs TDE wallet password in cleartext" - This advisory gives a detailed example of how setting event 10053 can be used to reveal the wallet password. This event is normally used to reveal how the Cost Based Optimizer evaluated the execution path for a query. Wolfgang Breitling famously describes how this works in his well known paper "A Look Under the Hood of CBO The 10053 Event"
"Transparent Data Encryption stores key unencrypted in the SGA" - This advisory goes through a detailed example of how the dumpsga utility can be used to dump a clear text wallet password from the SGA.
"Read parts of any XML-file via customize parameter in Oracle Reports" - This advisory shows how the customize parameter of Oracle reports can be used to read the contents of any XML file on the server.
"Read parts of any file via desformat in Oracle Reports" - This advisory shows how the DESFORMAT parameter can be used without Oracle Reports to read parts of any file.
"Overwrite any file via desname in Oracle Reports" - This advisory shows how the DESNAME parameter can be used to overwrite any file using Oracle Reports. Alex also details comprehensive workaounds for this issue.
Imperva discovers a critical access control bypass in login bug
Imperva has released an advisory for a bug that they have found in the TNS protocol that allows a user with no more than CREATE SESSION privileges to execute any SQL statement in the context of the SYS user. Imperva's advisory is titled "Security Advisory: Oracle DBMS – Critical Access Control Bypass in Login Bug". This is a very interesting advisory that details how the O3Login process can be used to execute any SQL command. During the login process the first request (message code 0x73) contains only the username, the second request (message code 0x76) contains the username and an encrypted password. It also contains name-value pairs intended to set up session attributes. One of these is AUTH_ALTER_SESSION intended to set up language and locale. It can however be used to create a user and create DBA privileges for that account.
This is a very interesting bug described in this alert.
This is a very interesting bug described in this alert.
January 2006 Critical Patch Update Oracle security patch is released
The latest in the series of quarterly patch updates has been released. The advisory is titled "Oracle Critical Patch Update - January 2006" and is available from the Oracle security alerts page. As is now usual there are three categories of products affected. The first are the base product releases that are still covered by error correction support or extended error correction support. The second category are products and components bundled with the first category, the third category are products that are no longer supported as base installs but are bundled in some cases with products from category one.
A new addition with this advisory is that Oracle has provided a new tool to check default account passwords. This is available from Metalink only as patch 4926128. This is the tool announced recently to combat the potential threat of the voyager worm. Of course a much better, in terms of the number of default accounts checked, default password checker is available from this site.
The advisory also this time includes three fixes for client only installs. These are issues DBC02, DBC01 and JN01.
There are a number of new names for researchers credited in the credit section, this can only be taken as an indication that more and more people are becoming interested in Oracle security. This can only be a good thing in the long term.
There are 29 database related bugs fixed in this release. Quite a few relate to package procedures and commands in the database, so whilst the exploit is not obvious the package or command that is vulnerable is obvious.
There are then 3 client bugs, 3 HTTP server and 3 Oracle Workflow cartridge bugs.
There are then 17 Oracle application server related bugs listed, some of which are duplicate from the first section. There are then 20 Oracle Collabortaion server bugs again including 5 from previous sections. There are 27 Oracle Applications (E-Business Suite) bugs again including 8 listed in previous sections and finally there is one PeopleSoft bug and one JD Edwards bug fixed.
This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands.
As always apply the patches as soon as possible!
A new addition with this advisory is that Oracle has provided a new tool to check default account passwords. This is available from Metalink only as patch 4926128. This is the tool announced recently to combat the potential threat of the voyager worm. Of course a much better, in terms of the number of default accounts checked, default password checker is available from this site.
The advisory also this time includes three fixes for client only installs. These are issues DBC02, DBC01 and JN01.
There are a number of new names for researchers credited in the credit section, this can only be taken as an indication that more and more people are becoming interested in Oracle security. This can only be a good thing in the long term.
There are 29 database related bugs fixed in this release. Quite a few relate to package procedures and commands in the database, so whilst the exploit is not obvious the package or command that is vulnerable is obvious.
There are then 3 client bugs, 3 HTTP server and 3 Oracle Workflow cartridge bugs.
There are then 17 Oracle application server related bugs listed, some of which are duplicate from the first section. There are then 20 Oracle Collabortaion server bugs again including 5 from previous sections. There are 27 Oracle Applications (E-Business Suite) bugs again including 8 listed in previous sections and finally there is one PeopleSoft bug and one JD Edwards bug fixed.
This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands.
As always apply the patches as soon as possible!
Interview with Oracle's security chief
Oracle Security Chief: Put Bugs in the Hands of Developers - eWeek interview with Mary Ann Davidson - by Lisa Vaas:
"Q&A: While some charge that Oracle puts the fox in charge of the hen house by giving developers too much say, Oracle views it as part and parcel of an educational effort. Oracle security chief Mary Ann Davidson discusses this and other security goings-on."
This is a really interesting article by Lisa talking to Mary Ann.
"Q&A: While some charge that Oracle puts the fox in charge of the hen house by giving developers too much say, Oracle views it as part and parcel of an educational effort. Oracle security chief Mary Ann Davidson discusses this and other security goings-on."
This is a really interesting article by Lisa talking to Mary Ann.
Lewis has an interesting post on Easy Connect
I came across easy connect some time back. This is a new alternative to using a tnsnames.ora file to connect to a database. This is a simplified syntax that allows you to specify the syntax as part of the connect string to SQL*Plus for instance. Lewis has covered the new syntax very well with some good examples in a post titled http://blogs.ittoolbox.com/oracle/guide/archives/007295.asp?rss=1 - (broken link) Forget About TNS: Connect To Oracle Using Easy Connect
Oracle is finally listening to customers about fix times and security patch quality
eWeek : "Oracle's Patch Dilemma: Balancing Customers, Code and Researchers" - by Lisa Vaas
"News Analysis: An eWEEK tour of Oracle's security practices reveals the database maker's stance on researchers' findings as well as how seriously Oracle is taking customers' complaints as it battles to reduce patch time while improving quality.
Brace yourself: Another quarterly CPU (Critical Patch Update) is due out from Oracle Corp. on Jan. 17."
This is a very enlightening three page article by Lisa Vaas of eWeek. It starts by saying that the latest swathe of bugs reported to Oracle by Alex instead of being 252 actual bugs is in fact around 10. I don't know who is right on that score. The key really is that some bugs are true bugs and i guess some are not, the exact figures probably will never be clarified. To do so would mean Alex trying to write exploits for all of them and I guess he doesn't have time for that. The method he used was pretty basic to say the least to find these bugs so i guess its bound to have false positives.
The article goes on to discuss in detail the issues of patch quality, patch fix times and also interviews some of the key players inside Oracle. This is a great article and gives some good insight into the processes and issues of Oracle security patches.
This looks, on the face of it like Oracle are finally turning the corner on fixing security bugs quicker and with better quality. I commend Mary Ann for allowing her people to talk to the press about the inner workings of the fix process and for trying to put some confidence back for customers.
"News Analysis: An eWEEK tour of Oracle's security practices reveals the database maker's stance on researchers' findings as well as how seriously Oracle is taking customers' complaints as it battles to reduce patch time while improving quality.
Brace yourself: Another quarterly CPU (Critical Patch Update) is due out from Oracle Corp. on Jan. 17."
This is a very enlightening three page article by Lisa Vaas of eWeek. It starts by saying that the latest swathe of bugs reported to Oracle by Alex instead of being 252 actual bugs is in fact around 10. I don't know who is right on that score. The key really is that some bugs are true bugs and i guess some are not, the exact figures probably will never be clarified. To do so would mean Alex trying to write exploits for all of them and I guess he doesn't have time for that. The method he used was pretty basic to say the least to find these bugs so i guess its bound to have false positives.
The article goes on to discuss in detail the issues of patch quality, patch fix times and also interviews some of the key players inside Oracle. This is a great article and gives some good insight into the processes and issues of Oracle security patches.
This looks, on the face of it like Oracle are finally turning the corner on fixing security bugs quicker and with better quality. I commend Mary Ann for allowing her people to talk to the press about the inner workings of the fix process and for trying to put some confidence back for customers.
Doug has posted an intersting note about executing of SQL script from URL's
I saw Dougs post tonight titled http://oracledoug.blogspot.com/2006/01/something-else-i-didnt-know.html - (broken link) Something Else I Didn't Know that talks about the fact that SQL scripts can be executed not just from scripts on the file system but also from URL's. I was aware of this feature and the fact that it is not well known. This feature is a security risk as it means that cross site scripting could be possible against a database using SQL. It could also be possible to use dns spoofing to trick an existing set up that uses SQL*Plus with URL located files to execute other files. I can also conceive of ways that a hacker could get access to SQL*Plus on the server remotely and get it to run an external script located on his own site. This is in cases where the database is behind a firewall and not normally accessible to users who wish to run SQL*Plus.
Think carefully about using this feature and its implications.
Think carefully about using this feature and its implications.
Dump
A quick note to say that I saw Eddie's post titled "Cool SQL function: DUMP" and it is well worth a quick read. This is an excellent short article that covers the intricacies of the Oracle DUMP command that can be used in SQL. Eddie gives some great examples of how you might dump data as hex, decimal, char etc. nice examples.
Oracle have released an email warning customers about the latest worm
Oracle have sent out an email to all customers of its products warning about the latest variant of the Voyager Worm and in it they make security suggestions as well as providing a link to a free tool to check the default users passwords that are used in the worm. YOu can of course use a much better default password checking tool. The Oracle email is included here in full:
Dear Oracle customer,
Oracle Global Product Security has investigated potentially malicious code that was posted on the Internet on December 29, 2005. It is based on the Voyager code that was posted on the Internet on October 31, 2005, and is designed to target Oracle databases. The new code attempts to take advantage of the same default usernames and passwords for Oracle databases that October¿s code uses, and like October¿s Voyager code, this new code is incomplete, preventing the code from spreading to other machines. Unlike October¿s Voyager code, which did not contain a malicious payload, this new code attempts to stop remote Oracle listeners on machines that have not been properly secured in accordance with the instructions sent to all customers on November 4th, 2005 in response to the Voyager code¿s publication.
Customers who have properly secured their Oracle databases in accordance with the instructions sent in November, or who follow good security lockdown practices of their Oracle listener and database servers, are not vulnerable to this new variant of the Voyager code.
Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Please note that Oracle will also update this MetaLink note if new information becomes available, and will not send additional email for minor changes to the Voyager code or this note.
Oracle has also released a tool to assist customers in verifying the lockdown status of the seven default database accounts used in the Voyager code posted on the Internet on October 31st and December 29th, 2005. This is available via patch # 4926128. This tool does not replace the essential security guidelines outlined in the security checklist and the MetaLink note referenced in this email, nor does it replace the importance of verifying the status of all default database accounts.
Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.
The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1
Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
Sincerely,
Oracle Global Product Security
PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
Dear Oracle customer,
Oracle Global Product Security has investigated potentially malicious code that was posted on the Internet on December 29, 2005. It is based on the Voyager code that was posted on the Internet on October 31, 2005, and is designed to target Oracle databases. The new code attempts to take advantage of the same default usernames and passwords for Oracle databases that October¿s code uses, and like October¿s Voyager code, this new code is incomplete, preventing the code from spreading to other machines. Unlike October¿s Voyager code, which did not contain a malicious payload, this new code attempts to stop remote Oracle listeners on machines that have not been properly secured in accordance with the instructions sent to all customers on November 4th, 2005 in response to the Voyager code¿s publication.
Customers who have properly secured their Oracle databases in accordance with the instructions sent in November, or who follow good security lockdown practices of their Oracle listener and database servers, are not vulnerable to this new variant of the Voyager code.
Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Please note that Oracle will also update this MetaLink note if new information becomes available, and will not send additional email for minor changes to the Voyager code or this note.
Oracle has also released a tool to assist customers in verifying the lockdown status of the seven default database accounts used in the Voyager code posted on the Internet on October 31st and December 29th, 2005. This is available via patch # 4926128. This tool does not replace the essential security guidelines outlined in the security checklist and the MetaLink note referenced in this email, nor does it replace the importance of verifying the status of all default database accounts.
Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.
The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1
Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
Sincerely,
Oracle Global Product Security
PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
Howard has some good advice on protecting against worms
I have just seen Howards post to his blog about the recent full disclosure by an annonymous poster of updates to the voyager worm. The post is titled "Defcon 1". The post starts by saying that "eminent experts have published crippled worms". This part I do not agree with as the worm was published by someone anonymously, if Howard meant by that phrase that the "expert" was known. We do not know who published it - well at least I don't know. Indeed there was a thread on my Oracle Security forum were some of the members had done some basic research to try and identify the author based on some key phrases in his code.
Anyway, Howards post gives some excellent advice on what basic steps should be taken to protect against this worm.
Anyway, Howards post gives some excellent advice on what basic steps should be taken to protect against this worm.
Justin talks about a new series of papers on Oracle security by Arup
I saw Justin's post today to his blog titled http://www.orablogs.com/otn/archives/001597.html - (broken link) Default Passwords are Evil and could not agree more. The latest Oracle worm takes advantage of the fact that Oracle has so many default users with known default passwords. These are a major problem for all Oracle databases, there are just so many to miss.
Justin lets us know that Arup is going to write a series of papers on how to secure Oracle to be published soon on OTN. This should be a great series. I have been a fan of Arups writing since he wrote the HIPAA book. I also read hos 10gR2 new features series of papers and also I just bought his recent new PL/SQL for the DBA book which includes some excellent sections on Oracle security.
In the meantime anyone wanting to check if they have any vulnerable default users with known default passwords should head over to my Oracle Default Password List and then my tool for checking - Oracle Default Password Auditing Tool.
I am really looking forwards to Arups papers.
Justin lets us know that Arup is going to write a series of papers on how to secure Oracle to be published soon on OTN. This should be a great series. I have been a fan of Arups writing since he wrote the HIPAA book. I also read hos 10gR2 new features series of papers and also I just bought his recent new PL/SQL for the DBA book which includes some excellent sections on Oracle security.
In the meantime anyone wanting to check if they have any vulnerable default users with known default passwords should head over to my Oracle Default Password List and then my tool for checking - Oracle Default Password Auditing Tool.
I am really looking forwards to Arups papers.
Oracle database worm mutates
http://news.com.com/2061-10789_3-6022470.html - (broken link) Oracle database worm mutates : - Joris Evers writes:
"A new, more malicious version of a worm that targets Oracle database software has surfaced. The worm source code was sent out on a popular security mailing list just before the new year, security experts have said."
This is a good short write up about the worm and not just because it mentions me.
"A new, more malicious version of a worm that targets Oracle database software has surfaced. The worm source code was sent out on a popular security mailing list just before the new year, security experts have said."
This is a good short write up about the worm and not just because it mentions me.
Oracle 'Worm' Exploit Gets Ominous Tweak
Oracle 'Worm' Exploit Gets Ominous Tweak - by Ryan Naraine of eWeek.com writes:
"Exploit code for a malicious worm capable of wreaking havoc through Oracle databases has been tweaked and published, prompting a new round of warnings that an actual attack is inevitable."
This is an interesting summary of the recent changes to the Oracle worm published on the full disclosure list around two months ago. The recent changes have made the worm more dangerous but it still does not have a replication mechanism. This would not be difficult to do though and it looks ominously like it is only a matter of time before someone releases a version that will replicate..:-(
"Exploit code for a malicious worm capable of wreaking havoc through Oracle databases has been tweaked and published, prompting a new round of warnings that an actual attack is inevitable."
This is an interesting summary of the recent changes to the Oracle worm published on the full disclosure list around two months ago. The recent changes have made the worm more dangerous but it still does not have a replication mechanism. This would not be difficult to do though and it looks ominously like it is only a matter of time before someone releases a version that will replicate..:-(
A tiny digital camera
I just bought a new digital camera last Sunday, a FinePix A345 that was a modest cost and having grappled with detailed instructions last week seems like not a bad camera to take snaps of our son for shipping out to relatives and friends via email. Its 4.1 mega pixels and has an optical zoom and a digital zoom. This evening we went for our weekly shop to the supermarket and whilst in there at the end of one of the isles was a small digital camera from Praktica that says its the smallest digital cameras available, the best thing was it was £9.97. So I bought one and will have a play and see if it is any good. It claims on the package that it is also a web cam. I figured i could drop it in my laptop bag and it would come in handy for recording stuff and just be sat their for the times that i wished i had a camera.
Here is a thumbnail snap of it in its packaging.
Here is a thumbnail snap of it in its packaging.
up front security
Wanted: Up-Front Security - by Larry Greenemeier -
" Companies have made big investments in security, and even though keeping security current isn't as exciting as, say, investing in technologies that generate revenue, it still ranks among businesses' top priorities."
Interesting article that discusses Oracle and security quite a bit
" Companies have made big investments in security, and even though keeping security current isn't as exciting as, say, investing in technologies that generate revenue, it still ranks among businesses' top priorities."
Interesting article that discusses Oracle and security quite a bit
Frappr is mapping Oracle bloggers
I saw Eddie Awad's blog entry "ATTENTION bloggers" and went for a look. I thought it was a great idea to map all the Oracle bloggers on http://www.frappr.com/oraclebloggers - (broken link) frappr.com so i went over there and joined. I need to add a photo I suppose although most people have probably seen my photo on my home page. When i joined yesterday I think there were 4 of 5 already joined. I was surprised when I saw Wilfred's post today titled "See where all the Oracle bloggers are from" where he tells that 19 of us have now registered. Its quite good to see that there are a lot of us Europeans. Nice idea.
Niall has a good post - DBA as User
I saw an interesting post on Niall's blog this evening titled "DBA as User". This is an interesting discussion started on AskTom and continued by Niall in his blog post. The question is should DBA's alter and meddle with data in the database? - this is a controversial one. If the data is corrupted and the business is down then most likely it will happen that the DBA will fix the data. I can understand Tom's view that DBA's should not alter the application data just the same as a DBA should not alter the dictionary. This is a good discussion on AskTom and also in the comments on Niall's blog.
I agree with the no action lobby, the data should not be altered under any circumstances unless it is a last resort. There should be audit and constraints in place. Altering data without detailed knowledge of its structure and schema can cause more issues than are fixed. I can see that last resort cases occur when data has to be fixed but this should be done by consultants who understand the schemas and also the business. Ideally the applications and API's should be used to fix data not DBA's with SQL.
good post!
I agree with the no action lobby, the data should not be altered under any circumstances unless it is a last resort. There should be audit and constraints in place. Altering data without detailed knowledge of its structure and schema can cause more issues than are fixed. I can see that last resort cases occur when data has to be fixed but this should be done by consultants who understand the schemas and also the business. Ideally the applications and API's should be used to fix data not DBA's with SQL.
good post!
The slashdot effect can be a problem for other sites
I have not blogged for a few days as I have been too busy. I did plan to write an entry on the 2nd of January but I was unable to get to my site. I thought it strange as i could ping it and my ISP was not reporting any issues and it went on for at least a couple of hours i gave in and so I emailed them. I got a reply back in the morning, apparently another site on the same server, I am on shared hosting was experiencing a slashdot effect. Apparently when a site gets a plug on there the number of visitors sent to it can break servers. I was an unwanted victim of someone else’s slashdot effect..:-(
I suppose its another reason to think more about dedicated hosting for my site.
I suppose its another reason to think more about dedicated hosting for my site.
January 2006
- Niall has a good post - DBA as User - 01/05/2006 by 01/05/2006
- up front security - 01/06/2006 by 01/06/2006
- A tiny digital camera - 01/07/2006 by 01/07/2006
- Oracle 'Worm' Exploit Gets Ominous Tweak - 01/08/2006 by 01/08/2006
- Justin talks about a new series of papers on Oracle security by Arup - 01/09/2006 by 01/09/2006
- Howard has some good advice on protecting against worms - 01/10/2006 by 01/10/2006
- Doug has posted an intersting note about executing of SQL script from URL's - 01/12/2006 by 01/12/2006
- Oracle is finally listening to customers about fix times and security patch quality - 01/14/2006 by 01/14/2006
- Interview with Oracle's security chief - 01/16/2006 by 01/16/2006
- Red Database Security has released 5 Oracle security bug advisories - 01/17/2006 by 01/17/2006
- Alex has added advisories for 23 security bugs fixed in 10g Release1 - 01/19/2006 by 01/19/2006
- Alex has produced a detailed analysis of the Jan 2006 CPU - 01/22/2006 by 01/22/2006
- Duncan Harris speaks on Oracle Security - 01/24/2006 by 01/24/2006
- Oracle is advising customers to patch the last CPU very quickly - 01/25/2006 by 01/25/2006
- An argument rages in the ePress between Oracle and Litchfield - 01/27/2006 by 01/27/2006
- Gartner: Oracle no longer a bastion of security - 01/30/2006 by 01/30/2006
- How to connect to the database using Perl - with two way communication - 01/31/2006 by 01/31/2006
Archives
Syndication
Powered by gm-rss 2.0.0
