
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Edward Stangler's next post in the not running catpatch.sql series

I have just seen Ed's next post in this series of issues / problems encountered if you do not run the full upgrade scripts and catpatch.sql. This time he talks about missing a COMPRESSION column in DBA_TABLES.

This is, as Ed points out, an exciting feature that allows faster full table scans by eliminating redundant column data. The column was missing from the 9.2.0.1 dictionary views and was fixed in 9.2.0.3, but only if catpatch.sql is run. Read Edward's comments on the dangers of not running catpatch.sql.

Buffer overflows and hacking book list

I have been looking at buffer overflow techniques as research for the SANS Securing Oracle track that I am writing. I will talk about a couple of papers I found later, as I want to finish reading them first, but I also noticed a post to the vuln-dev mailing list hosted at Security Focus in the last couple of days.

An original poster asked for books or links related to secure programming that describe how buffer overflows, race conditions and others can cause security vulnerabilities in programs.

Dave McKinney of Security Focus has collated a very good list of books and a few links about secure programming, hacking, exploitation etc. This is an excellent resource for those who want to know how programs get exploited. Buffer overflows seem to be very popular in alert 68, for instance. If you are interested in security then you should understand the techniques used by hackers and how they actually work.

Tools page updated

I have just updated the tools page on my site to include a link to the excellent Linux floppy distribution that I talked about yesterday in the free section.

I just wanted to let people know that I had updated this page. I do add stuff to this page quite regularly but do not usually say so here. If you are interested in Oracle security tools, free, commercial or written by me, then check out this page from time to time or check the what's new page, which I usually update when I make changes to the main parts of the site.

Ed had an interesting post yesterday about $ tables, DBA views and x$ tables

I noticed yesterday on Edward Stangler's weblog that he had made a useful post about the dollar tables, the DBA views and the X$ tables, basically how the data dictionary is broken down. This is a good post giving an overview of these views and tables. It is worth remembering that in Oracle security terms general users should never have access to any of these tables or views. They contain configuration details that can be used to abuse your database. None of these sources of information should therefore be available to normal users. Ed makes a good point that $ tables and X$ tables should not be accessed directly; the information should only be obtained via the official views. What I would add is that you need to be aware of which users can access these tables and views.

Again Ed's post is here.
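The point about knowing which users can reach the dictionary is easy to check. The queries below are an added example of mine, not code from Ed's post or from Oracle; they list direct grants on SYS-owned objects (the DBA_ views and the $ tables; the X$ fixed tables cannot be granted at all and are only reachable as SYS or through the V$ views), the system privileges and roles that give blanket dictionary access, and the O7_DICTIONARY_ACCESSIBILITY setting that decides whether SELECT ANY TABLE reaches SYS objects. The list of grantees treated as expected administrators is my own assumption; adjust it to your site.

```sql
-- Added audit queries (not from the post): who can read the data dictionary?
-- Run as a DBA.  The excluded grantees are an assumed list of "expected"
-- administrative accounts and catalog roles; extend it for your own site.

-- 1. Direct object grants on anything owned by SYS (DBA_ views, $ tables)
--    to a grantee that is not an obvious administrator or catalog role.
--    A grant to PUBLIC here is the first thing to look for.
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'SELECT_CATALOG_ROLE',
                       'EXECUTE_CATALOG_ROLE', 'DELETE_CATALOG_ROLE')
ORDER  BY grantee, table_name;

-- 2. System privileges that give blanket read access to the dictionary.
--    SELECT ANY DICTIONARY exists from 9i; SELECT ANY TABLE only reaches
--    SYS objects when O7_DICTIONARY_ACCESSIBILITY is TRUE (see 4).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
ORDER  BY privilege, grantee;

-- 3. Roles that carry dictionary access, and who holds them.  Roles can be
--    granted to roles, so repeat for any non-standard role that appears.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'SELECT_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE',
                        'DELETE_CATALOG_ROLE')
ORDER  BY granted_role, grantee;

-- 4. Should be FALSE: TRUE lets "ANY" privileges reach SYS-owned objects.
SELECT name, value
FROM   v$parameter
WHERE  name = 'O7_DICTIONARY_ACCESSIBILITY';
```

Anything returned by query 1 for PUBLIC or for an application schema, any application account in queries 2 or 3, and TRUE in query 4, are the findings to follow up; the official views rather than the $ tables are the only thing a non-administrative user should ever need, and usually not even those.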

A good list of Oracle security check items

This morning's newsletter from DBA Village included in the news item section an entry http://www.dba-village.com/dba/village/dvp_links.LinkDetail?LinkIdA=1254 - (broken link) Oracle Security Checks. This looked like a subject that would interest me so I went to have a look.

If you go to the link yourself you will need a free registration on the DBA Village web site first before you can access it. The link actually referenced the policy pages on Application Security Inc's website. The poster said there are 1000 links there with Oracle security checks on them. This is not actually true, as you will see; I added a note to the tip on DBA Village, as some of these policy pages are for other products made available by Application Security Inc, such as their Domino tool or SQL Server tool. Some are for Oracle of course.

The poster also noted that there is no index page for all the checks/policies. I did a quick surf myself and did not find one. That doesn't mean there is not one :). Also there are holes in the sequence, as I did a couple of random checks. The pages listed are of the form https://www.appsecinc.com/Policy/PolicyCheck1.html - (broken link) https://www.appsecinc.com/Policy/PolicyCheck1.html to https://www.appsecinc.com/Policy/PolicyCheck1000.html - (broken link) https://www.appsecinc.com/Policy/PolicyCheck1000.html according to the poster. I also did a quick search on google and found a similar page https://www.appsecinc.com/Policy/PolicyCheck2525.html.

Despite the fact that these pages are not indexed this is a great resource for Oracle security information.

A live file system Linux floppy disk rescue system

I was looking for a rescue disk for Linux that included a root file system on the net for a contact of mine to try and rescue a Linux server running their Oracle database. I don't know the full details of the problem yet but I found http://www.toms.net/rb/ - (broken link) an interesting site that includes an image to build Linux on a floppy that also includes a root file system. I thought it might be useful for readers of this weblog.

It is always better to prepare for the worst before it happens and to have all the tools ready to hand. A Linux boot disk with a live file system on it could also be useful for forensics work where you do not want to disturb the original operating system.

This particular disk seems very useful. The http://www.toms.net/rb/tomsrtbt.FAQ - (broken link) FAQ states that tomsrtbt is:

"The most GNU/Linux on one floppy disk"

And that it can be used for:

"rescue recovery panic & emergencies
tools to keep in your shirt pockets
whenever you can't use a hard drive"


The goals for this floppy disk Linux were to get as much useful stuff onto one disk as possible, to be able to build and maintain itself under itself, and to give recovery and rescue functions priority.

This is a useful tool that anyone running Oracle on Linux should consider. It can be found http://www.toms.net/rb/ - (broken link) here.


Edward updates us on his catpatch.sql posting

I just found that Edward has posted an update to his weblog on the post he made the other day about the number of databases that have been upgraded and do not seem to have run catpatch.sql. Edward's update is a clarification. He tells us that the list of things he gave us that are fixed by running catpatch.sql after an upgrade was misleading. Edward goes on to tell us that the series is going to be about running all of the upgrade scripts after an upgrade.

Let's wait for the rest of this series from Edward.

Frank Nimphius paper on J2EE security in Oracle ADF

I have just completed reading Frank Nimphius's paper http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf - (broken link) J2EE Security in Oracle ADF Web Applications which gives an excellent overview of applying J2EE security to web applications written using Oracle Application Developer Framework (Oracle ADF). It covers general J2EE security for web applications, securing struts applications developed in Oracle ADF, deploying struts applications to OC4J and Oracle application server and deploying J2EE secured applications to 10g AS and OC4J. The paper talks about how J2EE security can be used with J2EE web applications and Jakarta struts to protect page content and access to individual pages. This is a great paper and again its http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf - (broken link) here.

Edward Stangler talks about running catpatch

I just noticed on http://www.orablogs.com - (broken link) orablogs that Edward Stangler had made a useful post about running catpatch.sql, or rather the number of databases he has seen where this script has not been run. This should usually be run after applying patches; Edward talks about 9.2.0.5 upgrades that he has seen. He also promises a few more blogs on this subject and more details as to why not running this script is an issue.

I will watch out for these entries myself as they sound interesting. This should be a good subject as a lot of people out there are still applying the patch from alert 68 and are also looking at adding the 9.2.0.6 patch set (and re-applying alert 68).

Thanks Edward for this great reminder.

James Morle's book is available as a free pdf

I just saw this evening that James has made his book available free, when browsing to find his site to find his dbtop tool. dbtop is a Java tool that is similar in concept to the Unix top utility except that it finds the top Oracle database sessions instead. Anyway, back to the story. I noticed a newsgroup posting that said James's excellent book "Scaling Oracle8i: Building Highly Scalable OLTP System Architectures" is now available from his website as either a pdf or an HTML version. The pdf can be downloaded, copied, distributed and even hosted on your own site. The HTML cannot be copied or hosted anywhere except James's site and he has indicated that it will be updated from time to time. The pdf is available here and the HTML version here. It is released under the creative commons license.

The book is excellent and the 8i in the title should not be thought of as a concern as the book dates very well and most of the content is still very valid. It gives details of how to implement and design scalable and reliable OLTP Oracle systems. It talks about hardware, I/O, internals, benchmarking, monitoring, even a TCL based tool called dbaman that allows easy database programming to be done. The source code is included. It talks about Unix kernels, the Oracle virtual operating system interface.

I have a paper copy of this book that I found in Foyles in Charing Cross road in London a couple of years back. I read it back then and it gives a fantastic insight into the workings of Oracle and how to build big performant systems. I like books like this, Jonathan's is good also, as they give you a good understanding of how Oracle really works. I like Oracle security as you know, but I also like internals and undocumented trivia and info, and I also like to know how Oracle works. You cannot hope to secure Oracle properly unless you understand it properly! This is why I wanted to talk about this book here; there are not many good books that let you understand how to build Oracle systems properly and this is one of them. If you want to secure Oracle, then you need to understand its use and how to build systems properly. Security often gets in the way of usability and performance, that’s why it’s good to also understand Oracle if you are going to secure it.

Oracle 9.2.0.6 and alert #68

There has been some confusion as to whether the new 9.2.0.6 patch set includes the fixes for the now infamous alert #68. This has caused some traffic on the Oracle-l mailing list recently. Let me summarise some of these posts and also analyse the results.

The first post I came across was in a thread entitled Patch 9.2.0.6 and Alert #68 where Jared tries to clarify the situation. He suggests that 9.2.0.6 does indeed include fixes for alert 68; although one metalink document, Doc ID 283899.1, is unsure about this, Doc ID 283897.1 does state that alert 68 is included in the 9.2.0.6 patch set. Then Mike said that he concurred, but he had noticed that a note on metalink said that some alert #68 fixes, e.g. mod_plsql, are not included. More on this in a later comment.

In another thread entitled Patchset 9.2.0.6 The poster asks where is the 9.2.0.6 patch set for other platforms apart from the Windows release. An interesting side note to this is Pete Sharman's reply which tells us that Oracle development is still moving to Linux so all future development will be on Linux and there should be no porting need for this platform.

A third thread on the same subject entitled 9.2.6 patch release installed starts by saying that the patch set had been installed but the poster was now running alert #68, back to the original plot.....

Then Jared comes up with the goods and tells us that only the database portions of security alert 68 are included in patch set 9.2.0.6, the HTTP server patches are not included. This is according to this metalink note. Alex confirms that the database portions are installed but the OUI doesn't indicate that alert 68 is installed. Another poster expresses his confusion at all of this patch 9.2.0.6 and alert 68 goings on. Basically he said he was told to apply p3835964 after 9.2.0.6 (p3948480). Not clear at all.

The watch words seem to be clarity and consistency!! - Maybe the Alert 68 FAQ should be updated to answer the doubts about 9.2.0.6 and alert 68.

Mark Rittman talks about Trace format utilities

I just found one of Mark's recent posts on his blog entitled "A Couple Of Alternative Event 10046 Resource Profilers". Mark is talking about a couple of trace profiling tools. The first is Andy Rivenes's http://home.comcast.net/~arivenes/utilities_resource.htm - (broken link) resource profiler; the second is SimpleProfiler by Niall Litchfield and needs HTML DB to run. There is of course the Hotsos profiler as well and also a good trace file repository from Miracle AS in Denmark called Miracle tracefile repository. There are probably many more similar tools available.

I have also written a paper detailing many ways that can be used to set trace either for the current session or for another session running in the database. It also shows how to set extended trace either for binds or waits or both.

OK, so what has this got to do with Oracle security? Quite a bit actually. I often highlight to customers the dangers of allowing users access to set trace for their own session or others. Worse still is allowing these users access to trace files, or even via autotrace in SQL*Plus. Being able to see the trace will reveal a lot of information about the structure of an application and even in some cases critical information about security settings, passwords in some versions or password hash values in others, that could be cracked using one of the tools listed on my tools page. So we know the dangers of allowing users to set trace or to access trace data, but these tools simply summarise details from the trace files without revealing structure. In some cases this sort of information could still be used by a malicious person to plan a Denial Of Service attack. Some of the tools mentioned above, such as Niall's and the Miracle AS tool, allow trace files to be accessed remotely via a web interface. This implies that trace files are one step closer to a remote user, or even an in-house user who does not have access to tools such as SQL*Plus.

There have been many posts to newsgroups about simple PL/SQL code that can be used to load trace files into the database so that they can be viewed remotely. This is a great practice for admin staff and for tuning and monitoring but you should consider the security aspects of allowing internals data and structure to be exposed externally.
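Before deciding whether any of these profilers is a concern in a given database, it is worth knowing who can set trace and who can read the files at all. The queries below are an added example of my own (not from Mark's post or from any of the tools it mentions) covering the three routes a user has to trace data: the ALTER SESSION / ALTER SYSTEM privileges that allow trace and events to be set, the SYS packages that can set trace in someone else's session, and the server-side settings that decide whether every OS user can read the trace files. The X$ query has to be run as SYS; the rest as any DBA.

```sql
-- Added audit queries (my own, not from the post): who can set trace, and who
-- can read the resulting files?  Run as SYS (the X$ query needs it).

-- 1. ALTER SESSION allows "alter session set sql_trace = true" and setting
--    event 10046 in the user's own session; ALTER SYSTEM allows events to be
--    set instance wide.  Roles appear as grantees too, so CONNECT shows up
--    here on versions where it still carries ALTER SESSION.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('ALTER SESSION', 'ALTER SYSTEM')
ORDER  BY privilege, grantee;

-- 2. Packages that can switch trace on in *another* session.  DBMS_SUPPORT is
--    only present where it has been installed; DBMS_MONITOR exists from 10g.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_SYSTEM', 'DBMS_SUPPORT', 'DBMS_MONITOR')
ORDER  BY table_name, grantee;

-- 3. AUTOTRACE in SQL*Plus needs the PLUSTRACE role (SELECT on the V$ views
--    behind it); anyone holding it can see plans and statistics.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role = 'PLUSTRACE'
ORDER  BY grantee;

-- 4. _trace_files_public = TRUE makes every trace file in user_dump_dest
--    world readable at the OS level; it should be FALSE (the default).
SELECT i.ksppinm AS name, v.ksppstvl AS value
FROM   x$ksppi i, x$ksppcv v
WHERE  i.indx = v.indx
AND    i.ksppinm = '_trace_files_public';

-- 5. Where the files land; check the OS permissions on these directories and
--    on any web-accessible copy a profiler tool keeps.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('user_dump_dest', 'background_dump_dest');
```

The findings to act on are application accounts (or PUBLIC) in queries 1 to 3, TRUE in query 4, and a dump directory that is readable by anyone other than the Oracle software owner in query 5; a profiler that loads those files into the database or serves them over HTTP inherits whatever exposure this shows.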

Colin Maxwell talks about reducing the scope for encryption

I came across Colin’s post today on his web log. You may remember Colin’s posts about WS-Security recently. Colin’s post today is called http://www.orablogs.com/cmaxwell/archives/000681.html - (broken link) Reducing the scope for encryption and gives a detailed explanation on how to not encrypt the entire contents of the SOAP body, as Colin says the default behaviour is encrypt and decrypt the entire contents of the body using the JDeveloper facilities. Colin gives a great example of how to save server and client resources by only encrypting a credit card field in a step through example. As usual Colin’s posts are well worth reading for anyone interested in JDeveloper and Oracle security.

A new paper on HTMLDB and VPD

I saw the short note in http://www.orablogs.com/sergio/archives/000677.html - (broken link) Sergio's weblog about using VPD (Virtual Private Database) with HTMLDB. VPD can of course be used with any method that accesses the data in the database. This is its strength, as it protects access to the data at source.

Sergio's blog entry refers to a new technical note http://www.oracle.com/technology/pub/notes/technote_htmldb_vpd.html - (broken link) Using Virtual Private Database in an Oracle HTML DB Application written by Scott Spendolini, Sergio Leunissen, and David Knox (the author of the recent 10g security book published with Oracle press).

This is quite a good paper that looks at how VPD, FGA, RLS (what else can Oracle think of to call it :) :)) can be used with an HTMLDB application. I have written a two part paper myself about Row Level Security and how to use it and protect its use.

This article about VPD and HTML DB is a very good concise article that goes through the basics of how to set up VPD with a simple example that then goes on to show how it can be tested in SQL*Plus. The authors then create a sample application in HTML DB and a test user and show that the VPD policies still work from either SQL*Plus or from HTML DB. The key is the use of a function called V that tests the HTML DB user against a value in session memory for the logged in user from HTML DB.

A very good article, again it is http://www.oracle.com/technology/pub/notes/technote_htmldb_vpd.html - (broken link) here.
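To show the mechanics the technical note relies on, here is an added example of my own, not code from the note or from HTML DB: a policy function plus DBMS_RLS.ADD_POLICY on a small table, keyed on the database session user so it can be tested from SQL*Plus alone. The note's V function is needed precisely because HTML DB connects through a shared pool account, so SESSION_USER is the same for every web user there; the rest of the pattern is identical. The schema SECDEMO, the ORDERS table and the users ALICE and BOB are constructed for this example.

```sql
-- Added example (mine, not the technical note's code).  Assumes a DBA has
-- already created users SECDEMO (with CREATE SESSION, CREATE TABLE,
-- CREATE PROCEDURE, a quota, and EXECUTE on SYS.DBMS_RLS) and ALICE and BOB
-- (CREATE SESSION only).  Everything below runs as SECDEMO.

CREATE TABLE orders (
  order_id   NUMBER PRIMARY KEY,
  owner_user VARCHAR2(30) NOT NULL,   -- the database user that owns the row
  amount     NUMBER
);
INSERT INTO orders VALUES (1, 'ALICE', 100);
INSERT INTO orders VALUES (2, 'BOB',   250);
INSERT INTO orders VALUES (3, 'ALICE',  75);
COMMIT;

-- Policy function: must accept (schema, object) and return a predicate
-- string that Oracle appends to every statement against the table.
CREATE OR REPLACE FUNCTION orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- The schema owner sees everything (NULL = no predicate); everyone else
  -- only sees rows tagged with their own session user.  An unknown user
  -- matches no rows, so the policy fails closed.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SECDEMO' THEN
    RETURN NULL;
  END IF;
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END orders_policy;
/

-- Attach the policy.  update_check => TRUE also rejects INSERTs and UPDATEs
-- that would create a row the user could not then see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SECDEMO',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_OWNER',
    function_schema => 'SECDEMO',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO alice, bob;

-- Test from SQL*Plus as ALICE:
--   SELECT * FROM secdemo.orders;                       -- orders 1 and 3 only
--   INSERT INTO secdemo.orders VALUES (4, 'BOB', 10);   -- ORA-28115 (check option)
-- As BOB the SELECT returns order 2 only.

-- Confirm the policy is registered and enabled (as a DBA):
SELECT object_name, policy_name, function, chk_option, enable
FROM   dba_policies
WHERE  object_owner = 'SECDEMO';
```

Two things to protect when you use this for real, as my two part paper discusses: the policy function and the schema that owns it (anyone who can replace ORDERS_POLICY can silently return NULL for everyone), and the EXEMPT ACCESS POLICY privilege, which bypasses every VPD policy in the database and should be granted to nobody.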

event 28131, event 28119 and Row Level Security

I came across a very interesting post on the oracle-l list the other day entitled "how to check fine-grained access control is on?". The poster asked how to check if Row Level Security is enabled in the enterprise edition of Oracle. He knew about setting an event in the standard edition to enable this feature so assumed it’s the same in enterprise edition.

Of course you only get Row Level Security (or Virtual Private Database (VPD)) in the enterprise edition not in the standard edition. The poster suggested that Row Level Security can be enabled by setting event 28131 in the init.ora as follows:

event="28131 trace name context forever"

I love internals information like this and hard to find knowledge, so I was immediately drawn to this post. So a feature that is only available in the enterprise edition can be turned on in the standard edition. This is interesting. This may mean that all features can be enabled in the standard edition or, conversely, that features can or could be disabled in the enterprise edition. I have not tested this latter thought; maybe I will if I get the chance. This could be a very useful security tool to disable features that are a security risk because of known bugs that cannot be patched.

I should also point out that you should not enable features in the standard edition that are not part of the license agreement.

It would be a good exercise to find out what other features can be enabled or disabled in this way. If you are not familiar with the way Row Level Security works or would like some extra information particularly on extracting the predicates from the database either via SQL or using various events and trace then take a look at the two part paper I wrote some time back on Row Level Security.

So to recap the poster suggested that Row Level Security can be enabled in the standard edition by adding the following lines to your init.ora file.

For 8i and lower add

event="28119 trace name context forever"

For 9i and higher add

event="28131 trace name context forever"

Why does this work? - There is a paper that I found entitled "Migration of Oracle 9i Application server portal (release 1) across databases" that mentions these two events 28131 and 28119 but does not explain why they are used.

I searched on google and found a post on de.comp.datenbanken.misc that explains that these two events can be used to get around ORA-00439 errors. Basically these events can be used to enable Row Level Security in the standard edition when the call to DBMS_RLS.ADD_POLICY fails. This is when Portal is used with the standard edition, with which it has been certified. It can be necessary to recreate the VPD policies on tables for Portal in a standard edition database, and setting event 28131 or 28119, depending on version, will allow this. The events should be removed after use though. Interestingly, this post on de.comp.datenbanken.misc also shows the generic form of the ORA-00439 error as well as the specific error in this case:

ORA-00439: feature not enabled: %s
ORA-00439: feature not enabled: Fine-grained access control

This would also lead us to believe that other features can be enabled or disabled.

I also found two documents on Metalink Doc ID 219911.1 and Doc ID 173512.1 that explain again about the use of 28131 to enable Row Level Security in the Standard Edition.

From an audit angle it is worth adding a check for these events being set in a standard edition database, as they should not be set. This can be done with the DBMS_SYSTEM.READ_EV database procedure.
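As an added example of that audit check (my own, not from the oracle-l post or the Metalink notes), the block below reads the level of both events with DBMS_SYSTEM.READ_EV, works out from V$VERSION whether this is Enterprise Edition, and, if an event is set, lists the RLS policies that exist so you can see what it is being used for. It needs EXECUTE on SYS.DBMS_SYSTEM and access to V$VERSION and DBA_POLICIES, so run it as SYS or a DBA.

```sql
-- Added audit check (mine): are events 28119 / 28131 set, and does it matter?
-- READ_EV reports the level at which an event is set in the current session
-- (0 = not set); events in the init.ora apply to every session, so they are
-- visible here.  Run as SYS or a DBA with EXECUTE on SYS.DBMS_SYSTEM.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_events IS TABLE OF PLS_INTEGER;
  l_events   t_events := t_events(28119, 28131);  -- 8i and lower / 9i and higher
  l_level    BINARY_INTEGER;
  l_banner   VARCHAR2(200);
  l_ee       BOOLEAN;
  l_findings PLS_INTEGER := 0;
BEGIN
  -- The first V$VERSION banner names the edition, e.g.
  -- "Oracle9i Enterprise Edition Release 9.2.0.6.0 - Production".
  SELECT banner INTO l_banner FROM v$version WHERE ROWNUM = 1;
  l_ee := INSTR(l_banner, 'Enterprise') > 0;
  DBMS_OUTPUT.PUT_LINE('Version: ' || l_banner);

  FOR i IN 1 .. l_events.COUNT LOOP
    SYS.DBMS_SYSTEM.READ_EV(l_events(i), l_level);
    IF l_level > 0 THEN
      l_findings := l_findings + 1;
      IF l_ee THEN
        -- Harmless on Enterprise Edition, but nobody should have needed it.
        DBMS_OUTPUT.PUT_LINE('FINDING: event ' || l_events(i) || ' set at level '
          || l_level || ' on Enterprise Edition - unexplained, investigate');
      ELSE
        -- On Standard Edition this is FGAC enabled outside the licence.
        DBMS_OUTPUT.PUT_LINE('FINDING: event ' || l_events(i) || ' set at level '
          || l_level || ' on Standard Edition - should be removed');
      END IF;
    ELSE
      DBMS_OUTPUT.PUT_LINE('OK: event ' || l_events(i) || ' is not set');
    END IF;
  END LOOP;

  -- If an event is set, show what (if anything) is relying on it.
  IF l_findings > 0 THEN
    FOR r IN (SELECT object_owner, object_name, policy_name, enable
              FROM   dba_policies
              ORDER  BY object_owner, object_name) LOOP
      DBMS_OUTPUT.PUT_LINE('  RLS policy ' || r.object_owner || '.'
        || r.object_name || ' / ' || r.policy_name || ' enabled=' || r.enable);
    END LOOP;
  END IF;
END;
/

-- The same information straight from the parameter file, in case the event
-- was set there but the instance has not been restarted since it was removed:
SELECT name, value FROM v$parameter WHERE name = 'event';
```

The second query matters because READ_EV shows what is active in the running instance, while the EVENT parameter shows what the next restart will do; a clean bill of health needs both.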

And still more news stories

I just found two more news items talking about the new quarterly patch schedule. The first is on Network World Fusion and is written by Ellen Messmer. http://asia.cnet.com/news/software/0,39037051,39201900,00.htm - (broken link) The second is by Dinesh C. Sharma and is on CNETAsia News. Both cover similar ground to previous news items.

Frank has two interesting blog entries that relate to security

I was at Frank's site yesterday when I made my blog entry about his http://www.orablogs.com/fnimphius/archives/000666.html - (broken link) ADF UIX: Displaying the authenticated username using EL, and I left the page open in IE since then. This morning, as I was going to close it and clear up the usual array of open windows I have, I read down and found two more entries that looked interesting and worth a look.

The first is entitled http://www.orablogs.com/fnimphius/archives/000663.html - (broken link) ADF JClient: JAAS authentication using ADF Business Components. This entry is talking about the fact that Frank is in the process of writing a paper about JAAS authentication and authorization in ADF Business Components. He has given a preview here of the authentication part of this paper. This is an excellent preview and worth reading.

The second entry in Frank's weblog is entitled http://www.orablogs.com/fnimphius/archives/000662.html - (broken link) ADF JClient: How to create a signed ADF Client ear file for Java web start deployment with external keystore. This is again an excellent short article covering the issue of how to use an external keystore when using a self-signed certificate to sign the ADF JClient libraries when creating an EAR file. Frank goes through the details of how to modify the build files to achieve this goal. Again this is an excellent short article well worth reading.

Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule

I just got an email this evening from secalert_us, the Oracle security alerts team in the States, that tells me an email was sent out to all customers on 17 November to tell them about the new quarterly patch schedule. It goes on to say I may not have received this email so it's attached at the end.

The original email included at the end of the email sent to me is mostly the content that has been quoted in the various news reports I have mentioned here this last week or so. Obviously I knew already about this announcement, but I would be interested to know which customers like me who have just received an email have only found out about the new schedule tonight; not everyone reads the Internet news or weblogs, of course, to have known about the new schedule already.

It is interesting to know if some groups of customers are only just finding out about this big event.

Updates to the default password list and checker for SAP default users

First thanks to Rich Holland who emailed me yesterday to give me some updates to the default password list for the SAP accounts listed. He has corrected me on the schema owner for SAP: it should be listed as SAPR3 for older versions of SAP and for newer versions it is actually SAP{schema name}. Also he has made me aware that the SAP user listed is an application account, as is DDIC. There is also a SAP* account in the application.

I have thought about it and decided to leave the SAP application users in the list even though they should never exist as Oracle database users. The reasoning is that these usernames have been around on various lists for a few years and there is a chance that someone could have created them in the database.

So I have updated the list to correctly identify these users as application users in the descriptions. I have also added a new page to discuss the issues with SAP default users when in an Oracle context.

This has all meant changes to all the list files accessed from the default password list page and also to the check tool to include updated MS Excel spreadsheet and data install scripts. I have added a change history list to the default password list main page.

Frank Nimphius talks about displaying the authenticated username in ADF UIX using EL.

I just found http://www.orablogs.com/fnimphius/archives/000666.html - (broken link) Frank's post on orablogs.com. This is an excellent short article about how to display or know the J2EE authenticated application user. This can be very useful in cases where content should only be displayed per authenticated user. This builds on http://www.orablogs.com/fnimphius/archives/000649.html - (broken link) Frank's previous post that showed how to use the isUserInRole() method of the HTTP servlet request object. This new post shows how to do the same thing but this time using the getRemoteUser() method of the HTTP servlet request object.

Two new books on Oracle security received

I talked about two new books on Oracle security in relation to the auditing area some time ago in this blog. I gave some brief comments on these books based on the information on the http://www.isaca.org/ - (broken link) Information Systems Audit and Control Association web site. I ordered the books at the time I talked about finding out about them. Well today they have finally arrived in the mail.

I have only had time to skim through each of them. They appear to be pretty well written and quite detailed technically, particularly in the case of the database book. The book is aimed at auditors so should provide a really good angle on the subject of Oracle security auditing. That sounds silly, as the purpose of an Oracle security check can be called an audit. Generally though I think of an Oracle security audit as being done by a techie like myself rather than a formal audit firm like one of the big companies such as Deloitte, and articles and books tend to be written more from the technical angle rather than the process one. Of course the nature of such an audit will always be technical. I think what I am saying is that other books tend towards the techie end of the DBA and system administrator, so I am looking forward to reading from the point of view of the formal auditor. I am of course very familiar with the subject but I am looking forward to seeing if there are any new things I can learn, especially on the Oracle applications auditing which I know much less well than the database end.

It goes without saying that I will update you all when I have read these books.

And more...

I just found two more news stories about the new Oracle security quarterly patch schedule announced late last week. The first is a report by John Leyden of http://www.theregister.co.uk (broken link) - The Register, a respected UK based security news site. The short article makes interesting reading. John makes a good point:

"Oracle ought to consider the impact of having an unfixed security bug across its customer base for months on end"

That is a by-product of not patching for security issues regularly enough. Whilst it's hard work for customers to patch regularly, there is also a risk, rightly pointed out here, if a serious bug becomes known just after a patch release. Customers could wait months for a fix. John goes on to say:

"Oracle's public pronouncement doesn't give much room for manoeuvre but we hope the database giant has the good sense to issue an emergency fix in circumstances where a security flaw is being actively exploited"

As I said interesting points.

The second news item I found, on vnunet, makes interesting comments about the timing of the patches. The writer points out that the dates chosen never fall awkwardly for Oracle in terms of financial results, so that they will never have to explain security issues at sensitive times. This article also makes the point about the risks involved in waiting for security patches for known security bugs.

OraDep - A tool for analysing dependencies

I just found a link to this tool oraDep this morning in the DBA Village weekly newsletter. This tool is able to analyse the dependencies between objects in the database such as stored procedures, tables, views etc. It can do this at the source code level and the tool has many screens with differing views of the relationships. It can also produce HTML reports that can also show highlighted fragments of source code where the relationships exist. The tool also supports Oracle Forms source code.

This looks like a very useful tool but what has it got to do with Oracle security? - Quite a lot actually. When we conduct a security audit we often need to analyse the relationships between certain objects. To be also able to easily see how these objects are used in the source code even in Forms is extremely useful. If for instance we know that a certain table is critical we could use a tool like this to find out how that table is used and analyse if any issues can occur such as SQL Injection.

The tool, http://www.sam-trest.siteburg.com/ - (broken link) OraDep - Oracle Objects dependencies analysing, is worth a look. I have updated my tools page to add a link to this tool.

It is not clear if this tool is commercial or not so I have added it to the commercial tools section for now. There is no license or pricing details but it does say that a trial version is available that is restricted. This would indicate that it will be commercial.

I should also say that I have not tried it yet, it just caught my eye as a useful tool for an Oracle security audit. I have also not analysed the market sector this program operates in to see what if any competition there is.

Frank Nimphius talks about showing/hiding UIX components based on isUserInRole()

I was surfing the other day and found a post on Frank Nimphius' web log. He writes about Oracle and also about security in J2EE with an Oracle slant. So I check out his site from time to time. I found this post entitled http://www.orablogs.com/fnimphius/archives/000649.html - (broken link) J2EE security: Dynamically show/hide UIX components based on an isUserInRole() J2EE security evaluation. This is an interesting post from Frank.

The post starts by referencing a new paper that he has recently written called http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf - (broken link) J2EE Security in Oracle ADF Web Applications. This is a 54 page paper and focuses on applying J2EE security to web applications built with the Oracle Application Developer Framework (Oracle ADF) and Apache struts. I have not read it yet, I will do tonight I hope, but from skimming it after downloading it looks very interesting.

Frank's blog entry is about how to dynamically show/hide UIX components based on the user's J2EE security role membership. Frank says that he shows how to do this in his paper for JavaServer pages using the struts request tag library. This is not possible for UIX pages. Frank goes on to explain how to do this with an example that uses Expression Language and an indirect way of accessing isUserInRole().

And there was more news...

I just found yet another take on the new quarterly patch schedule, this time on Computerworld, written by Jaikumar Vijayan. The article is quite good; it concludes with a quote from Mary Ann Davidson, the Oracle security chief. The author of the item said:

"Davidson, however, defended Oracle's stance and said the company had released the information necessary for administrators to install the patch. The goal is to try and provide enough information to users without giving hackers a "road map" for taking advantage of flaws, she said"

This for me is the key issue: customers need to know enough to assess the risk, especially with older versions of Oracle for which there are no patches available but plenty of production systems still running them. I agree with Mary Ann's sentiment here but I do not believe Oracle go far enough. The details of the bugs fixed are very sparse and the information we get is mainly from the people who found the issues when they release their advisories. The problem is that only Oracle know exactly what was fixed, including bugs they themselves found and will never make public. Customers need what Mary Ann alludes to but I think Oracle need to go a bit further with the information that is available for the bugs. I also wholeheartedly agree with Mary Ann that it is important not to create a road map for hackers, but customers do need more to properly assess risk.

eweek: "Alleged Oracle Scammer: I Am Not a Crook"

I posted a link some time back in an entry in this blog to a short article by Don Burleson on his web site. This was about a web site called oraSecure that is selling Oracle security training digital video disks.

Don has just emailed me about a news article on eweek written by Lisa Vaas about the same guy and his web sites. If you are interested in purchasing Oracle training and Oracle security training in particular then you should read this article. This is a long article and in three parts. The first is Alleged Oracle Scammer: I Am Not a Crook, the second is called The OraKnowledge reincarnation and the third is Doing business under an assumed name.

Three more news sites are talking about the new patch schedule

I have just been surfing news sites and found three more sites that have articles about the new quarterly patch schedule announced by Oracle yesterday. The first is on Yahoo News and is a TechWeb article, "Oracle Moves To Quarterly Security-Patch Cycle". The second is on ComputerWeekly.com and is called "Oracle to deliver quarterly security patches". The final article is on idg.com, is written by Joris Evers and is called "Oracle to deliver security patches on quarterly basis".

Enjoy!

An interesting example of information leakage posted to my blog entry

I had a comment posted to the blog entry I made yesterday about information disclosure. That entry was prompted by Duncan's post about someone trying to hack the groundside.com web site. The comment posted to my entry by Mr Ed asked if a post he found on Tom Kyte's AskTom web site was an example of the sort of disclosure that customers of Oracle, or indeed any company using computer systems and applications, should avoid giving out on public forums. The post he cited is "Apache under Oracle". This post seems innocuous but it displays some data that should not be posted to a public web site. My answer to Mr Ed's comment is repeated here:

"I have just looked at the page you reference on Tom Kyte's site. It's an interesting page and includes two comments from Tom in terms of information leakage. The first being that the configuration is taken from an internal server using mod_gzip and mod_plsql - also further down in the example there is an entry from a log file that shows an IP address and a URL. A quick check on www.whois.sc shows that this is probably an external IP Address as it is allocated to Oracle.

So yes, this is a leakage of information that should not really have occurred. A server has been identified; the software running on it is identified as are some configuration details."


This is a good example of public information - on Tom’s website - that leaks information that probably should not have been leaked.

Everyone who posts on newsgroups, mailing lists, weblogs and even company websites or forums that are exposed to the Internet should be very careful about what they write. Companies should actually create a business policy that lays down the rules and this should be given to all staff to understand and digest. Set penalties for users who disregard the policy. If an information item gets onto the Internet then it’s very hard to eradicate it. Posts get archived and copied all over the place.

It may also be possible to regulate the information outflow, but it is impossible to prevent all information outflow of this nature. Companies can regulate access to certain forums, sites, even emails, but that won't stop the use of anonymous emails and web surfing or even posting from home.

That said, companies should take the time to create a simple policy that defines the type of data that should not be leaked, and should educate staff and enforce the policy. It is important to make staff aware of why this is a good idea; often if people understand the risks it becomes second nature not to divulge information that should not be divulged.

Michael Singer of Internet News talks about Oracle's new patch schedule

Internet News have issued an interesting report about the new Oracle quarterly patch schedule. This is a good article discussing most of the salient points of the last three months since the release of the first patch of the so called monthly patch schedule. The news item talked about the news release yesterday and also Mary Ann Davidson's proposed conference call to field questions about the announcement. Michael had also spoken to the two Gartner analysts who produced the critical report about Oracle's security releases a week or so ago. Michael also reiterates the issue of lack of detail about the vulnerabilities fixed in the patches and how this is affecting customers, especially customers with older unsupported versions of Oracle. Again, the article is here.

Slight update to the default password check scripts

I have just made a small change to the default password checker scripts after a good point was made by Ian on the LazyDBA mailing list - http://www.lazydba.com (broken link). He suggested that the user used for the checks, ORAPROBE, should be creatable with a password from the full character set, i.e. it should be possible to create the password encased in double quotes. Without this, passwords are limited to the ASCII letters, digits and the "#_$" characters. So I have added quotes to the create scripts so that you can, and should, create more secure passwords that include characters not in the standard set used for non-quoted passwords. This makes it much harder to crack the passwords.

You could have simply passed a password with quote characters, e.g. "p3ss%%w*d", when prompted in the old script, but that meant you needed to remember to do this. Adding quotes in the install scripts makes it easier.

I should point out that the user ORAPROBE is also included in the default_password_list anyway with a password of ORAPROBE.

I have also updated the tools page to include links to the tool.

An interesting case of information disclosure

I was surfing the orablogs website - http://www.orablogs.com (broken link) - the other day and found an entry in Duncan Mills' weblog - http://www.groundside.com/blog/content/DuncanMills/?permalink=9E7B0901D4A16DD6F20CD381B6038F4D.txt (broken link) - that looked interesting. He writes an Oracle weblog and I noticed a security related post, so my interest was piqued. The post is not directly related to Oracle security itself but was in part related. Duncan reported a hacker attempt to get into his site by trying to exploit ssh. The reason that they did this is because of a previous posting to his blog, "One thing leads to another" - http://www.groundside.com/blog/content/DuncanMills/J2EE+Development/?permalink=40D11947868C663FA798839E3F72E3D7.txt (broken link) - that talked about his project to create a JSF based blog application. The final paragraph of this entry talked about how he had set up ssh to access the groundside.com site for people who were going to help in the project. He also announced that he had work to do in tightening the security.

This whole blog entry reminded me of some work I did on the new SANS 6 day hands on "Securing Oracle Track" that I have been writing for SANS. I covered information leakage in one of the modules; indeed I briefly mentioned the same in the book Oracle security step by step - A survival guide for securing Oracle. I did some research into this issue when writing about it for SANS. Quite frankly, it is amazing, in Oracle database, server and application terms, what information some companies will leak to the Internet, either in newsgroups, mailing lists or even on corporate websites.

I have seen all manner of information, such as network configurations, usernames, passwords even, IP Addresses, applications used, third party and in-house, job specifications, even security policies and guidelines (very useful for a hacker to know the password policies!). I have even seen the source code for the authentication recently for a web based application that will interact with an Oracle database posted to a newsgroup where one of the developers wanted to ask a question.

This is a key lesson that companies need to learn. If you post details of IP Addresses, usernames, passwords, application structure and even source code to the Internet, or post your policies and working practices to publicly accessible web sites, you should not be surprised if you get attacked.

Companies need to educate employees on these issues; it's important.

I think in Duncan's case it’s a lot less worrying as it’s a public project anyway and he doesn't have live production data that can be lost to worry about. Also the main point is he understands the issue.

Colin Maxwell talks about WS-Security in JWSDP 1.5

I just found Colin's latest security related post in his weblog - http://www.orablogs.com/cmaxwell/archives/000656.html (broken link). This is a good short article where Colin is checking out the competition in relation to their WS-Security offerings. Colin explores JWSDP 1.5 to see how it offers its functionality for creating secure web services. Colin is comparing with JDev of course.

Sun's Java offerings can also be used in conjunction with Oracle of course. Colin then moves on to the quite wide array of examples that are provided and discusses each in brief. He then sets up and runs a couple of examples just to see if they work! Finally he lets us know that each of the WS-Security examples provided by Sun will be available as one-click solutions for users of the new version of JDeveloper, so that you will not need to know the details and complexities of WS-Security configurations. As usual this is quite an informative post by Colin.

Update to remote_os_authent=true post

I made an entry in my weblog on 6th November discussing a thread on the ORACLE-L list where Jared Still had pointed out a tip in the latest edition of Exploring Oracle whereby the tip author suggested setting the remote_os_authent initialisation parameter to true. Jared recognised that this is not good advice and I reiterated this in my blog posting.

Jonathan Rabson, who is the editor of Exploring Oracle, has responded to my post as a comment in my blog. As the original post was a few weeks ago and this is an important issue, I felt it worth promoting his comments to a blog entry to bring them to the attention of everyone who read the first post. Thanks to Jonathan for posting this detailed response here.

Here is his post:

Oracle announce critical patch update schedule - beginning January 18 2005

I have just logged into Metalink to read a headline news item published yesterday that finally announces Oracle's new critical patch schedule. The patches will be released on a quarterly schedule and will occur on Jan 18, April 12, July 12 and October 18 next year. Following years are to be announced, I suppose. The patches will include fixes for significant security vulnerabilities found and will include fixes that are pre-requisites for these patches. The note, written by Mary Ann Davidson who is the Chief Security Officer for Oracle, also says that the patches will include fixes that customers will likely want to apply. Hopefully this will mean that more information will be included to assist companies in assessing risk in relation to these patches.

If critical security issues are found and fixed between the scheduled dates then one-off patches and security alerts will be released through Metalink.

There is a FAQ available on Metalink that describes the process in more detail.

Stephen Kost of Integrigy Inc has said to me that he felt Oracle had thought this through to some degree, that the choice of Tuesdays for the release date makes sense, and that a quarterly release schedule is similar to the ad hoc few months between previous releases anyway. Stephen also said that he felt the choice to release one big patch for all products, as with alert 68, is not good. A separation of releases per product would be clearer for all concerned and the separation of risk would be easier to do.

I agree with Stephen entirely that Tuesday is a good choice; well, it's better than Monday or Friday for instance. A quarterly schedule is also a good choice, I even suggested as much in a previous blog entry. It is better, much better, than monthly on man power grounds alone. If customers had to patch monthly, most likely a good percentage would not do it.

The two key issues I feel that Oracle need to improve on are, firstly, one big patch for all products with no separation - this could be improved - and secondly the lack of detailed information so that customers can make informed risk decisions. Related to this is the lack of information on older releases such as version 7.x and 8.0.x. Oracle's advice is always to upgrade, but this is often very impractical for customers with a lot of older releases faced with a patch to add quickly. Customers using third party applications that need to keep older versions cannot simply upgrade or transfer to another customer's database.

This announcement is a very good step forward and I am glad that it looks like Mary Ann and her team have at least put some thought into it.

Two more "takes" on the Gartner / Oracle exploit information release reluctance

I just found two more news stories about the Gartner report that I wrote about earlier. The first is on TechWeb; it doesn't have an author indicated. It goes into detail about the main thrust of the Gartner analysts' report: that Oracle have been taken to task for not telling their customers which versions and which products are most vulnerable, and also that DBAs and administrators do not have enough information to decide what to patch and which databases are most vulnerable.

I can concur this sentiment as I have had a number of companies ask me how to decide whether their Oracle 7 and 8.0 databases are vulnerable or not and what can be done about it as upgrading is often not realistic. One key message being given on TechWeb and in the original Gartner report is that customers should put pressure on Oracle for more information.

The second article, also about the Gartner analysts' report, is on vnunet. This report covers similar ground and advises that customers review the Alert 68 FAQ regularly, apply the patches, upgrade if possible and set up deep packet inspection if possible, or even intrusion detection systems.

Both papers emphasise the issues raised by the Gartner analysts.

Oracle Users Should Take Security Patch 68 Seriously

I just found the following news item published by Gartner and written by Neil MacDonald and Rich Mogull, who say:

"On 9 November 2004, in a conversation with Gartner, Oracle declined to provide more detailed information about vulnerabilities its security patch 68 is meant to fix. (This is Oracle's standard policy.) Oracle first issued the security patch on 31 August 2004, and reissued the warning on 14 October after proof of concept exploit code began circulating on the Internet. The patch affects Oracle Database Server, Oracle Application Server and Oracle Enterprise Manager. Oracle gives these patches its most serious "Severity 1" rating."

The complete article can be read here. The article discusses the issues in some detail and also gives a good list of recommendations to Oracle's customers in relation to this patch. The authors also take issue with the fact that Oracle refuses to disclose whether customers are vulnerable or not, by not recognising the difference between releasing exploits and telling customers the implications of not being protected against a particular exploit.

Interesting post about PUBLIC privileges in 9.2.0.6

I came across this post to the ORACLE-L list this morning. This poster describes his nightmare of installing hundreds of patches for Alert 68. He also says that he and his colleagues have now started to think about hacking and what can cause database disruptions:

"after the NIGHTMARE we had over here with applying patches for security alert
#68 (hundreds of them) we started
thinking more about 'hacking' and what else could cause database service
disruptions.
One of the things I am still worried about are to GRANTS to public after a
database creation (9.2.0.6)."


This is good from one point of view in that customers of Oracle are now taking security seriously and not just thinking about applying patches but also thinking about how else their data might be in danger. This is good. He goes on to show a simple test of how he disrupted the database with a login that just has CREATE SESSION privileges.

This issue and many more are due to the fact that Oracle ship their software so that, when it's installed, each user inherits a large amount of access privileges to features and functions owned by SYS and other users, because access to them has been granted to PUBLIC. I talked about the PUBLIC user group recently in this blog.

I believe that Oracle should seriously look at reducing the privileges granted to PUBLIC in future releases of their database software, or at least provide an option / mechanism in the installation process that allows the removal of a large part of the PUBLIC privileges if the customer so chooses, but does so in such a way that the rest of the software doesn't break - I know that is the hard part!
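To put a number on how much PUBLIC actually inherits on a given database, the following SQL, added here as an example rather than taken from the ORACLE-L thread or from any script on my site, summarises the object privileges granted to PUBLIC from the data dictionary views DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS. It needs to be run as a DBA. The package name in the final commented REVOKE is an assumed placeholder, not a recommendation to revoke any particular package.

```sql
-- Added example: measuring what PUBLIC has been granted.
-- 1. Object privileges held by PUBLIC, summarised by owner and privilege.
--    On a default install the SYS / EXECUTE row is the one that stands out.
SELECT owner, privilege, COUNT(*) AS grants
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
GROUP  BY owner, privilege
ORDER  BY owner, grants DESC;

-- 2. The EXECUTE grants on SYS packages, procedures and functions are what
--    every account with only CREATE SESSION inherits; list them so they can
--    be reviewed one at a time.  Joining to DBA_OBJECTS on object_type
--    'PACKAGE' (not 'PACKAGE BODY') keeps one row per package.
SELECT p.table_name, o.object_type, o.status
FROM   dba_tab_privs p, dba_objects o
WHERE  p.grantee     = 'PUBLIC'
AND    p.privilege   = 'EXECUTE'
AND    p.owner       = 'SYS'
AND    o.owner       = p.owner
AND    o.object_name = p.table_name
AND    o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
ORDER  BY p.table_name;

-- 3. PUBLIC should hold no system privileges and no roles at all; anything
--    returned here has been added after the install and needs explaining.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS name
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
UNION ALL
SELECT 'ROLE', granted_role
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC';

-- 4. Removal is a one-liner, but the hard part is knowing what else
--    depends on the package, so test on a copy first.  SOME_PACKAGE is a
--    placeholder, not a real recommendation.
-- REVOKE EXECUTE ON sys.some_package FROM PUBLIC;
```

Run the first query before and after hardening work and keep the output; the per-owner counts are a cheap way to show an auditor that the PUBLIC surface on a database has actually shrunk rather than merely been discussed.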

600 Oracle default usernames/passwords available

I have just added a page to my site that lists 596 default Oracle users and their passwords. The list is available as HTML, CSV, SQL insert statements to load the data into a table, MS Excel spreadsheet and Open Office spreadsheet. The list can be used to audit your database for existing default accounts and to check that their passwords are not still the default values.

I have also updated the default password check script archive that I talked about recently and released on my web site to include the much bigger list of default users. I also fixed the table definition so that invalid passwords that have been set can be stored and checked. This is done when a password is set by the ALTER USER {BLAH} IDENTIFIED BY VALUES 'INVALID_PASSWORD' syntax. In this case there can never be a valid password but we can still test the hash value stored to see if it’s the default value. I have also updated the check script zip file to include a new spreadsheet that has been updated as above and also I include a new SQL data insert script to allow the check tool to be used to test the complete list of default accounts against your databases. The list also includes where it’s available a description of what the default accounts are used for.

I have actually created the list in an Oracle database so that it can be easily updated. I have also created some simple PL/SQL scripts that will re-create the SQL, CSV, HTML and spreadsheets with a little manual cleaning up afterwards. I plan to move the table to MySQL and use Perl to generate the files so that the whole thing can live on my site. I also plan to be able to update and add new default users and hashes via a web interface, and possibly add searching of the list to make it easier for people to find details on default user accounts.

Again the list is available here and the check scripts here.
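The two pieces above, the quoted password for the ORAPROBE check user and a hash comparison that still works when an account has been set with IDENTIFIED BY VALUES, fit together in the following SQL. It is an added example, not Marcel-Jan's script or the check script archive from my site; the table name DEFAULT_PWD_LIST, the column widths, the ORAPROBE password and the hash values are all assumptions, and the hashes are constructed placeholders rather than genuine Oracle default hashes. It assumes a 9i or 10g database, where DBA_USERS.PASSWORD holds the stored hash, and must be run as SYS.

```sql
-- Added example: a minimal default password check.

-- 1. The audit user.  Double quotes allow the full character set in the
--    password; without them Oracle only accepts letters, digits and # _ $.
--    The password below is a placeholder, choose your own.
CREATE USER oraprobe IDENTIFIED BY "p3ss%%w*d!";
GRANT CREATE SESSION TO oraprobe;
GRANT SELECT ON sys.dba_users TO oraprobe;   -- just enough to read the hashes

-- 2. The list of known default accounts.  PASSWORD_HASH is VARCHAR2(30)
--    rather than the 16 characters of a real DES hash so that a value such
--    as 'INVALID_PASSWORD', set via ALTER USER ... IDENTIFIED BY VALUES,
--    can be stored and compared in exactly the same way.
CREATE TABLE default_pwd_list (
    username      VARCHAR2(30)  NOT NULL,
    password      VARCHAR2(30)  NOT NULL,
    password_hash VARCHAR2(30)  NOT NULL,
    description   VARCHAR2(200),
    CONSTRAINT default_pwd_list_pk PRIMARY KEY (username, password_hash)
);

-- Constructed sample rows.  The HASH_PLACEHOLDER values stand in for the
-- real per-username hashes that the published list carries.
INSERT INTO default_pwd_list VALUES
  ('ORAPROBE', 'ORAPROBE', 'HASH_PLACEHOLDER_1', 'Default password check user');
INSERT INTO default_pwd_list VALUES
  ('SCOTT',    'TIGER',    'HASH_PLACEHOLDER_2', 'Demo schema');
INSERT INTO default_pwd_list VALUES
  ('DEMOUSER', 'n/a',      'INVALID_PASSWORD',   'Constructed: account set with IDENTIFIED BY VALUES');
COMMIT;

-- 3. The check.  The pre-11g hash is salted with the username, which is
--    why the join has to match username and hash together, not hash alone.
--    Any row returned is an account still on a known default (or a known
--    invalid) value.
SELECT u.username,
       u.account_status,
       d.password    AS default_password,
       d.description
FROM   dba_users u,
       default_pwd_list d
WHERE  u.username = d.username
AND    u.password = d.password_hash
ORDER  BY u.username;

-- 4. Remediation for anything found: change the password (quoted, so it
--    can use the full character set) and lock accounts that are not needed.
--    SCOTT is used here only as the well known example.
-- ALTER USER scott IDENTIFIED BY "N3w-P4ss%w0rd!";
-- ALTER USER scott ACCOUNT LOCK;
```

Because the comparison is on the stored hash and not on a live logon attempt, the check is silent: it never touches the audited accounts, never triggers failed login counts, and will report an account that has been deliberately set to an invalid hash just as readily as one still on SCOTT/TIGER.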

Frank Nimphius has an entry about Bruce Schneier in his web log

I just found an entry by Frank in his excellent web log - http://www.orablogs.com/fnimphius/archives/000638.html (broken link) - that is security related if not directly Oracle related. Frank is recommending a visit to Bruce's site to review his tools, writings and weblog. Bruce has a very clear writing style and speaks a lot of sense when it comes to application security, which in our case includes Oracle security. Check out Frank's log entry at the link above.

Colin Maxwell talks about keytool and keystores

I just found an interesting entry in Colin Maxwell's new Oracle based web log. This is a good weblog so far in its short life, one to keep an eye on for interesting Oracle security related topics. Today I found an entry about using keytool to create your own keystores to provide X.509 certificates to authenticate your own web services, or to provide public/private keys for encryption.

Colin discusses how to use the JDK tool keytool to create your own "self certified" key pairs and certificates. He goes on to discuss the other features of the tool including examples of how to generate key pairs and also how to show the contents of the keystore.

Quite an interesting short paper for those who want to explore self certificates for use with Oracle.

Default password lists and updates

I managed to get a few hours this evening to work on a new default password list that I have been working on for a few weeks now. Marcel-Jan let me have his default password checking script some weeks ago and I posted that to my site last week and if you have downloaded it you will have seen that it included a spreadsheet of about 470 default passwords for the Oracle database. I also have been collecting default Oracle passwords for over a year now from various sources on the net. My plan was to collate Marcel-Jan's list with mine and publish it on my site.

This is what I have been working on this evening. I now have the complete list of default users and passwords installed in an Oracle database table (it's about 20% larger than Marcel-Jan's list, about 600 default users and their passwords) and have written some simple PL/SQL to extract comma separated lists, SQL insert statements for Marcel-Jan's tool, a HTML table for my site and MS Excel and Open Office spreadsheets. The plan is to convert this to MySQL and create Perl to do the extracts so that it can all be maintained from the site.

So sometime tomorrow I will post up the new default password list page and the various types of list and I will also post an update to Marcel-Jan's tool with a bigger data file, new spreadsheet and a small fix to the DDL. I will update you tomorrow on progress and release of all of this.

Exploits and blog software

I had a conversation with someone on email over a few days last week about exploits that could be demonstrated against version 7 and 8 databases still in production that could not be patched for alert 68. What they wanted to do was demonstrate whether these versions are still affected by the alert even though they cannot be patched. The conversation was about revealing knowledge of exploits that could then be used to demonstrate whether there is an issue. This conversation got me thinking later about the Oracle exploits that are public, i.e. where exploit code can be found somewhere on the net. There are a number of locations on the net that include exploit code for Oracle software, such as the Packet Storm website. Some of the commercial scanners, such as Application Security Inc's AppDetective and NGS Software's SQuirreL, include implicit knowledge of some exploits without as such divulging the actual exploit to the public. Free tools such as Nessus also include checks for Oracle security issues. With Nessus you can examine the code and see that in a lot of cases the check to see if the software is exploitable is done simply by checking versions. What about when someone wants to be sure about whether their installation is vulnerable? The only way sometimes is to use real exploits.

So it got me thinking about adding some links to known public Oracle exploit code on my site. Then another thought crossed my mind: to do so would involve adding a new menu item again, and that would mean me power editing all the existing pages. So I started to think about whether I could use blog software as a content management system for the whole of my web site. I am using greymatter - http://www.noahgrey.com/greysoft/ (broken link) - now for this web log and, as it's template based, I should be able to use it to generate pages for my existing site, making it easier to extend the structure of the static part of the site and also to add content. So I have spent a couple of hours reading about greymatter templates in more detail this evening. It makes a change from surfing for Oracle info. :)

Anyway, now I am considering whether it's worth learning more about greymatter templates and converting the whole site, or indeed using other blog software such as Movable Type. It is really down to whether it's a better use of my time to bite the bullet and learn the templates or to simply power edit. I will add an exploits page to my site in the next few days to link to the publicly known exploits that I know about. I think this could be useful for those interested in Oracle security.

Interesting discussion on DBMS_SUPPORT versions

I just came across an interesting thread on ORACLE-L discussing the versions of DBMS_SUPPORT that are available in the database. The thread has not made it to the archives on freelists.org yet but should appear soon.

The thread asks the question about the version of this useful package. The poster demonstrated the confusion with this, i.e.

SQL> select sys.dbms_support.package_version from dual;

PACKAGE_VERSION
------------------------------------------------------------------------
DBMS_SUPPORT Version 1.0 (17-Aug-1998) - Requires Oracle 7.2 - 8.0.5

SQL>

The version of Oracle is:-

SQL> select * from v$version;

BANNER
------------------------------------------------------------
Personal Oracle9i Release 9.2.0.1.0 - Production
PL/SQL Release 9.2.0.1.0 - Production
CORE 9.2.0.1.0 Production
TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
NLSRTL Version 9.2.0.1.0 - Production

SQL>

Hmmm, a slight issue? The version function says that this package should only be used between versions 7.2 and 8.0.5. What’s the score? The thread goes on to ask if there is a newer version of this package and what it might include such as showing the name of a trace file. Jared goes on to agree about the versions and Paul suggests that the package was not even shipped with version 8iR3.

So what is the issue with this package? This is an undocumented package, apart from the numerous Metalink notes that mention it. The package is not installed by default and should only be installed if you are instructed to do so by Oracle Support. Many DBAs install it anyway.

So what is the security angle? Well, a package that is not even shipped with one version (I think this was recorded as a mistake rather than deliberate), that is not supported and that is undocumented should not normally be there and in use. What can the package be used for besides reporting its version? It can be used to get your own SID and also to turn on trace, either extended trace or not. I include how to use this package in my paper about all of the ways to turn on trace. To some, using trace is a must, but to a security person being able to set trace, and in particular to set trace for another session, is a security risk. Trace can be used to extract all sorts of application structure and also to steal critical data from the database and configurations. Therefore any method of setting trace should be restricted.

I would recommend using my script who_can_access.sql to see which users and roles can access this package. Let's see for a default install of this package:

who_can_access: Release 1.0.1.0.0 - Production on Sat Nov 13 19:49:29 2004
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK [USER_OBJECTS]: DBMS_SUPPORT
OWNER OF THE OBJECT TO CHECK [USER]: SYS
OUTPUT METHOD Screen/File [S]: S
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:

Checking object => SYS.DBMS_SUPPORT
====================================================================



PL/SQL procedure successfully completed.


For updates please visit /tools.htm

SQL>

As you can see the default is that no users can access this package; keep it this way. If any user has been granted access to this package, revoke it, and if it's installed then remove it, unless Oracle Support ask you to use it.
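The same three questions the who_can_access.sql run above answers (is the package there, who has a direct grant, and who inherits one through a role) can be asked of the data dictionary directly. The SQL below is an added example, not the who_can_access.sql script itself or any code from the ORACLE-L thread, and must be run as a DBA. The CONNECT BY query walks nested roles, so a user who only receives the privilege via a role granted to another role is still listed. The grantee in the commented REVOKE is a placeholder.

```sql
-- Added example: who can reach SYS.DBMS_SUPPORT, directly or via roles?

-- 1. Is the package installed at all?  No rows is the preferred answer
--    unless Oracle Support have asked for it.
SELECT owner, object_name, object_type, status, created
FROM   dba_objects
WHERE  owner       = 'SYS'
AND    object_name = 'DBMS_SUPPORT';

-- 2. Direct object grants on the package.  A grant to PUBLIC here would
--    hand trace to every account that can log in.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_SUPPORT';

-- 3. Users and roles that inherit the grant through a role, at any depth.
--    START WITH picks the roles that hold the grant; CONNECT BY then
--    follows each role up to the users (or further roles) it was granted
--    to.  LEVEL shows how many role hops away the grant is.
SELECT DISTINCT rp.grantee AS inherits_via_role, LEVEL AS role_depth
FROM   dba_role_privs rp
START WITH rp.granted_role IN (SELECT grantee
                               FROM   dba_tab_privs
                               WHERE  owner      = 'SYS'
                               AND    table_name = 'DBMS_SUPPORT')
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY role_depth, inherits_via_role;

-- 4. Clean-up when queries 2 or 3 return anything.  SOME_USER is a
--    placeholder for whatever grantee turned up.
-- REVOKE EXECUTE ON sys.dbms_support FROM some_user;
-- DROP PACKAGE sys.dbms_support;   -- only if Oracle Support do not need it
```

Query 3 is the one most manual checks miss: a grant of EXECUTE to a role that is itself granted to a second role looks harmless in DBA_TAB_PRIVS alone, and only the hierarchical walk reveals which real users end up able to set trace.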

Hack notes books

I was killing half an hour this afternoon whilst I waited to meet with a potential client in Manchester so I dropped into Waterstones and was browsing the computer books as usual. I found an excellent little book whilst there called "Hack Notes - Network Security - Portable Reference" by Mike Horton and Clinton Mugge that I have since found is part of a series of "hack books". There are others in the series that cover Unix and Linux, Windows and web security. These are based on the hacking exposed series of books and have a strong Foundstone input (from the authors, reviewers etc).

The book is short and thin but packs a massive punch. It covers everything about security and hacking you would want to know and seems (from skimming it) to do so quite comprehensively. This is difficult to achieve in a short book. There are some good reviews on Amazon.com; here is a quote from one by Anton Chuvakin:

"Now, let me disclaim that I am not a big fan of thin books claiming to be "comprehensive". In fact, I was deeply suspicious while getting this "Hacknotes" thing. Was I up for a pleasant surprise!! This book does deliver what it promises. It walks a fine line of being both wide and deep, which I am still amazed about. From risk assessment methodologies to "find / -perm 0400" in just 200 pages is no small feat."

The book looks extremely useful as a hacking exam cram book - no exam needed! Whilst it doesn't mention Oracle, from my skimming of it, it is certainly a book that a good DBA who is interested in security should consider for getting a good grounding in the security hardening / hacking techniques used.

A very useful book.

Oracle VP database and server technology in Germany talks about Oracle patch schedules

I just heard from my good friend Alex Kornbrust who has just returned from 3 days of attending the German Oracle users conference (DOAG 2004), which had more than 1400 attendees.

Alex told me that there was a question and answer session (10 Nov 2004 for 90 Minutes) with the top management of Oracle Germany.

One question from the Oracle clients was:
What is Oracle's strategy with security patches?

The answer from Günther Stürner, VP database & server technology of Oracle Germany:

"The patchdays will come definitively. The open questions for Oracle itself are still:
When will Oracle start the patchdays and with what rate (biweekly, monthly,
quarterly or any other period of time)"


It still seems that after almost 3 months of a promised monthly patch schedule that Oracle chiefs are still not sure about what the actual schedule will be but Günther Stürner does seem sure that there actually will be a schedule.

Colin Maxwell talks about securing web services using JDev and WS-Security

I noticed this evening when surfing around that a new Oracle related web log has been started by Colin Maxwell (I found his blog on Brian Duff's excellent orablogs website). I am always on the lookout for new Oracle and security information and Colin has provided this in one of his posts yesterday entitled Securing Web Services using JDev and WS-Security (http://www.orablogs.com/cmaxwell/archives/000629.html, link now broken).

This is an interesting post for me as I am not a JDeveloper expert, so I am happy to learn. Colin discusses some new wizards that are available in JDeveloper 10.1.3. These include wizards to help users specify WS-Security, WS-Reliability and WS-Management. Colin takes us through a step-by-step guide showing how to spot the pitfalls that might occur when using JDeveloper's wizards to secure a web service.

Colin starts with creating a simple web service which can be secured; he shows us how to use the example key store first and then fires up the WS-Security wizard and discusses each of the screens and choices in detail. Colin then goes on to show us how to deploy the secured web service to the OC4J server along with the key store. He does this with an EAR deployment file. He deploys the web service and goes on to create a web service client which uses the "create proxy wizard". Finally he tests the client after building it and confirms with a packet monitor that the transmission is signed and encrypted.

This is an excellent article; again, it is available at http://www.orablogs.com/cmaxwell/archives/000629.html (link now broken).

Frank Nimphius talks about disabling Forms builder security in 10g

Frank has added quite an interesting entry (http://www.orablogs.com/fnimphius/archives/000630.html, link now broken) to his web log early this morning. This entry discusses an issue with Forms Builder in 10g. Now, when a Forms application is run from within the IDE, the URL no longer contains the database username and password. This was a security issue for customers in previous versions. Frank suggests a way to allow the old functionality to be used if customers so wish.

For those of us who are interested in securing Oracle, applications and developer tools, it's worth adding the registry variable Frank suggests to our checklists.

Restricting object creation and alteration privileges

I had an interesting conversation with a colleague yesterday morning on email. We were discussing the problem of roles that have CREATE PRIVILEGES granted to them and the fact that they usually get granted to various users in the database.

It reminded me of a recent conversation I had with a client who wanted to protect his databases against any changes and wanted to ensure that user and general application schema accounts could not change the structure of the database. This was easy for general user accounts as we simply audited all of them for granted privileges with my find_all_privs.sql script. Those users found with any SYSTEM PRIVILEGES had those privileges revoked.
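The audit described above, as an added example that is not Pete's find_all_privs.sql script: an anonymous PL/SQL block that, for every account other than SYS and SYSTEM, walks the account's roles recursively and reports each system privilege that can change database structure (CREATE, ALTER, DROP) together with the role chain it arrived through. It assumes it is run from an account with SELECT on DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS; the exclusion list and the depth limit are illustrative.

```sql
-- Added example, not the page's own script. Reports structure-changing
-- system privileges held by each non-administrative account, whether
-- granted directly or through any chain of roles.
SET SERVEROUTPUT ON SIZE 1000000

DECLARE
  -- Recursive walk: p_grantee is the user or role being inspected,
  -- p_user is the account the report line belongs to, p_path records
  -- how the privilege was reached (USER -> ROLE -> ROLE ...).
  PROCEDURE report_privs(p_grantee IN VARCHAR2,
                         p_user    IN VARCHAR2,
                         p_path    IN VARCHAR2,
                         p_depth   IN PLS_INTEGER) IS
  BEGIN
    -- Guard against circular role grants (illustrative limit of 20 levels)
    IF p_depth > 20 THEN
      RETURN;
    END IF;

    -- System privileges held by this grantee that can alter structure.
    -- CREATE SESSION is excluded: it is the minimum a user needs to log on.
    FOR sp IN (SELECT privilege
               FROM   dba_sys_privs
               WHERE  grantee = p_grantee
               AND    privilege <> 'CREATE SESSION'
               AND   (privilege LIKE 'CREATE %'
                   OR privilege LIKE 'ALTER %'
                   OR privilege LIKE 'DROP %')
               ORDER BY privilege) LOOP
      DBMS_OUTPUT.PUT_LINE(RPAD(p_user, 31) || RPAD(sp.privilege, 31) || p_path);
    END LOOP;

    -- Follow every role granted to this grantee
    FOR rp IN (SELECT granted_role
               FROM   dba_role_privs
               WHERE  grantee = p_grantee) LOOP
      report_privs(rp.granted_role, p_user,
                   p_path || ' -> ' || rp.granted_role, p_depth + 1);
    END LOOP;
  END report_privs;
BEGIN
  DBMS_OUTPUT.PUT_LINE(RPAD('USER', 31) || RPAD('PRIVILEGE', 31) || 'GRANT PATH');
  FOR u IN (SELECT username
            FROM   dba_users
            WHERE  username NOT IN ('SYS', 'SYSTEM')   -- illustrative exclusions
            ORDER BY username) LOOP
    report_privs(u.username, u.username, u.username, 0);
  END LOOP;
END;
/

-- Acting on a finding: a privilege reached directly is revoked from the
-- user; one reached through a role is removed from the role (or the role
-- is revoked from the user) so that every other grantee of that role is
-- reviewed as well. Names below are placeholders.
-- REVOKE CREATE TABLE FROM app_user;
-- REVOKE CREATE TABLE FROM app_role;
```

A grant path such as `APP_USER -> CONNECT` is worth watching for: in 9i the CONNECT role still carries CREATE TABLE and similar privileges, so an account that looks minimal can create objects without any direct system privilege of its own.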

Small update to the default password check scripts

I have just added a readme.txt file to the default password check scripts that I released yesterday. Marcel-Jan mailed to let me know that someone suggested to him that a readme.txt file is needed. I have also now received a number of emails from various people suggesting the same, saying that the instructions on use etc. would be better if they were also included in the archive, so I have made a readme.txt file and added it to the archive.

The default password checking tool can be found on its own page on my site.

Patch set 9.2.0.6 for Win32 is causing debate

I came across an interesting thread on the ORACLE-L mailing list this morning, again related to the new 9.2.0.6 patch set. The first post to the thread, by Patrice, updates us that the OTN patch page still says the latest patch set is 9.2.0.5 for Win32, but Metalink has 9.2.0.6 released on 31 Oct. Patrice also updates us that there are still no 9.2.0.6 patch sets for Linux or Tru64.

Paul Drake makes a very interesting comment further down the thread where he says:

“Please be aware, that the patchset 9.2.0.6 for win32 is not in itself
a solution for Oracle Security Alert #68, as described in the FAQ and
patch set matrix notes on Metalink. Other one-off patch sets may also need to be applied.”


Beware!

A new Oracle default password checking tool is available

I have just added a new default password checking tool to my web site. The tool is a set of SQL and PL/SQL scripts written by Marcel-Jan Krijgsman who works for Transfer Solutions based in Holland. The tool is driven by a list of default users. The list is part of the download included in a spreadsheet compiled by Marcel-Jan and Justin Williams. The list includes 474 known Oracle default users and passwords. Unlike other available lists, this list also includes a description of what most of the users are used for and also a severity level based on the privileges associated with the user. The spreadsheet includes usernames, passwords and hashes of course.

This default password list is probably the biggest Oracle default password list available. How does it work? The set of scripts creates a user, a table to hold details of the default users and also then creates a simple package procedure that loops through all of the users in the database and compares them with the default users in the created table. A useful report is printed showing any default users found with known passwords and details of what the user is used for.

The script download can be found here. The page also describes in detail the problem and also each script in the download. The page also describes how it works and shows a sample session.
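The approach described above (a table of known default accounts, compared against the accounts in the database), as an added example that is not Marcel-Jan's scripts. It assumes an account with a direct SELECT grant on DBA_USERS (a grant via a role does not count inside a stored procedure). The hash values in the INSERT statements are constructed placeholders, not real Oracle default hashes; the real list comes from the download.

```sql
-- Added example, not the page's own scripts. Known default accounts live in
-- a table; a procedure joins that table to DBA_USERS on username and hash
-- and reports every match. Hash values here are PLACEHOLDERS (constructed).
CREATE TABLE default_accounts (
  username      VARCHAR2(30)  NOT NULL,
  password_hash VARCHAR2(30)  NOT NULL,   -- 16 hex chars in DBA_USERS.PASSWORD on 9i/10g
  severity      NUMBER(1)     NOT NULL,   -- 1 = DBA-like, 2 = powerful, 3 = low privilege
  description   VARCHAR2(200),
  CONSTRAINT default_accounts_pk PRIMARY KEY (username, password_hash)
);

-- Constructed sample rows; replace with the real spreadsheet contents.
INSERT INTO default_accounts VALUES ('SYSTEM', '<PLACEHOLDER_HASH_1>', 1, 'Default administrative account');
INSERT INTO default_accounts VALUES ('DBSNMP', '<PLACEHOLDER_HASH_2>', 2, 'Intelligent Agent account');
INSERT INTO default_accounts VALUES ('SCOTT',  '<PLACEHOLDER_HASH_3>', 3, 'Demonstration schema');
COMMIT;

CREATE OR REPLACE PROCEDURE check_default_passwords AS
  v_found PLS_INTEGER := 0;
BEGIN
  DBMS_OUTPUT.PUT_LINE(RPAD('USER', 31) || RPAD('STATUS', 18) || RPAD('SEV', 5) || 'DESCRIPTION');
  -- Every account in the database whose stored hash equals a known default
  -- hash for that username still has its default password, whatever the
  -- account status says.
  FOR r IN (SELECT u.username, u.account_status, d.severity, d.description
            FROM   dba_users u, default_accounts d
            WHERE  u.username = d.username
            AND    u.password = d.password_hash
            ORDER BY d.severity, u.username) LOOP
    v_found := v_found + 1;
    DBMS_OUTPUT.PUT_LINE(RPAD(r.username, 31) || RPAD(r.account_status, 18)
                         || RPAD(r.severity, 5) || r.description);
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_found || ' account(s) with a known default password');
END check_default_passwords;
/

SET SERVEROUTPUT ON SIZE 1000000
EXEC check_default_passwords

-- For each hit: change the password, and lock and expire the account if it
-- is not needed (username is a placeholder).
-- ALTER USER scott IDENTIFIED BY "<new strong password>" PASSWORD EXPIRE ACCOUNT LOCK;
```

A locked account still matters here: the hash is unchanged, so if anyone unlocks it later the default password is back in use, which is why the report lists locked accounts too.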

Amis blog - Script to clear out a user's schema

I just found an interesting entry in the Amis technology corner blog. The writer, Lucas Jellema, talks about the need to clear out user schemas when conducting workshops rather than just dropping the schema. This is an interesting point, as often you may want to keep a schema with the user intact with all its privileges but not need to keep the objects. Training courses, workshops, seminars etc. all spring to mind. In this scenario it is convenient to keep the user and all privileges rather than have to re-create them, but the data and objects are not valid and hence need dropping.

The script given is pretty simple and the writer talks about some of the problems with it, particularly in 10g with the recycle bin. I would also say that although it’s useful to use as no DBA privilege is needed, is keeping a schema and its privileges always correct? - During a training course a schema / user may inherit privileges throughout its use that are not valid for its use at the start. Maybe dropping the user is better after all. Still a useful discussion for me as I am currently just completing a training course on Oracle security and creating and removing schemas for students is part of my task in creating labs.

A lot of new pages on my site

I have spent quite a lot of time over the end of last week and the weekend planning a lot of new pages for my web site www.petefinnigan.com, the main site rather than just the weblog. I wanted to add some new pages for a couple of Oracle security tools that you will hear about very shortly.

To do this I needed to edit the menus to accommodate these new pages. As the main site is static this means changing every page (except the blog as that can be changed from greymatter itself) to add the new menus. So rather than do this task many times over the next few months I decided to bite the bullet and add all of the new pages I might need now in one go. I will probably still need to edit the menus again in the future but the new pages will give me loads of scope to delay this for some time. So I sat down at the end of last week and planned all the possible new pages I would like to add.

Two great papers and tools by Tim Gorman

I was browsing the web this afternoon and found, or rather re-found, Tim's two-part paper Unravelling the sweater - Oracle Database Security, so I sat down and re-read them both.

These are two great papers that explain the basics of how to take preliminary actions in securing your Oracle database. The first part (http://www.evdbt.com/UnravelingTheSweater1.pdf, link now broken) talks about the nature of the problem and good old default users and passwords. Tim goes on to talk about the basic levels of privileges available to default users or users created with the absolute minimum privileges such as just CREATE SESSION. Tim highlights the age old issue in Oracle that a basic user can see a huge number of objects and do a huge number of things in the database. He goes on to talk about guessing passwords and then about a shell script called oraprobe.sh that takes a database TNS connect string and attempts to connect to the database by guessing accounts. If it gets in with a default account it then lists all users and tries again to connect as them. Tim also talks about strengthening passwords and the password features.

The second part moves away from the database in layer terms and talks about Oracle SQL*Net, Net*8 or Oracle Net as it's known. Tim discusses the basic issues with the listener and TNS and the fact that in general it's wide open. He goes on to discuss the listener service and listener control utility and how to protect it against hackers by simple configuration techniques. Tim also introduces the second of his excellent Oracle security scripts, tnsprobe.sh. The script can be used to look for Oracle databases. It expects an IP address and then enumerates whether an Oracle listener is active; if it finds one it lists the database services. It then calls oraprobe.sh for each database found.

This pair of papers and scripts is an excellent introduction to the basics of Oracle security and anyone contemplating the security of their database could do worse than read them and test the scripts.

Post on ORACLE-L: Exploring Oracle November 2004 and REMOTE_OS_AUTHENT

I noticed this post by Jared Still on the ORACLE-L list this evening which talks about a tip in the latest edition of Exploring Oracle (Nov 2004). It discusses a tip in the tip corner of page 5.

Jared sounds amazed at this tip which suggests setting REMOTE_OS_AUTHENT to TRUE to allow remote connections from a server other than the server Oracle is running on and creating an externally identified user.

I have not seen this edition so have not seen the exact text, but like Jared I would suggest that this is a tip that should definitely not be followed. Allowing remote operating system authentication will allow anyone with a server (laptop, PC, whatever) connected to the network on which the database resides to spoof the database connection and gain access to your data without a password.

If you read this tip, beware: allowing REMOTE_OS_AUTHENT=TRUE to be set goes against basic Oracle security 101.
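The check a DBA would run after reading the above, as an added example that is not from the thread or the magazine: it shows the current REMOTE_OS_AUTHENT setting, lists the externally identified accounts that the setting exposes, and shows the corrected setting. It assumes SELECT on V$PARAMETER and DBA_USERS and, for the fix, ALTER SYSTEM and a database started from an spfile.

```sql
-- Added example, not from the page. Audit and correct REMOTE_OS_AUTHENT.

-- 1. Current value. ISDEFAULT = 'FALSE' here means someone set it explicitly.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts that are identified externally (no database password). With
--    REMOTE_OS_AUTHENT = TRUE any client on the network that presents a
--    matching OS user name is accepted as one of these accounts.
SELECT username, account_status, created
FROM   dba_users
WHERE  password = 'EXTERNAL'
ORDER BY username;

-- 3. Fix. The parameter is static, so the change goes into the spfile and
--    takes effect at the next restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

-- For an init.ora based instance, set the line below and restart instead:
--   remote_os_authent = FALSE

-- 4. After the restart, confirm it took.
SELECT value FROM v$parameter WHERE name = 'remote_os_authent';
```

Step 2 is the important one even when the parameter is already FALSE: the externally identified accounts are what an accidental TRUE would expose, so knowing which ones exist, and whether each still needs to exist, belongs on the same checklist.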

Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner

Today Patrik Karlsson has released a new tool on his web site cqure.net. Patrik's web site already has some great free security tools including two for Oracle, his Oracle toolkit and his database enumeration tool which can be used to find Oracle databases on your network. This new tool is a great addition to his free tools.

OScanner is an Oracle security assessment framework developed in Java. It has a plug-in based architecture and comes with a couple of plug-ins that already do the following:


  • Sid Enumeration
  • Password tests (common & dictionary)
  • Enumerate Oracle version
  • Enumerate account roles
  • Enumerate account privileges
  • Enumerate account hashes
  • Enumerate audit information
  • Enumerate password policies
  • Enumerate database links



This is a very useful tool to start a security audit of an Oracle database with. The start of a sample session is shown here:

C:\petefinnigan.com\patrik_karlson\oscanner_release\oscanner_bin>scanner -s zuli
a -r pete.rep
Oracle Scanner 1.0.0 by patrik@cqure.net
--------------------------------------------------
[-] Checking host zulia
[-] Checking sid (sans) for common passwords
[-] Account CTXSYS/CTXSYS is locked
[-] Account DBSNMP/DBSNMP found
[-] Enumerating system accounts for SID (sans)
[-] Succesfully enumerated 145 accounts
[-] Account HR/HR is locked
[-] Account MDSYS/MDSYS is locked
[-] Account OE/OE is locked
[-] Account OLAPSYS/MANAGER is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account PM/PM is locked
[-] Account QS/QS is locked
{output snipped}
I have updated my tools page to add a link to this tool. Patrik has released the tool under a GPL license and hopefully he will release more plug-ins for it, or maybe others will submit them; the source and a binary are available from Patrik's site. The tool will certainly benefit from additional plug-ins and should compete well with tools such as metacortex.

There are links to Patrik's other tools on my tools page and of course on Patrik's site.

Oracle passwords : A few not too well known facts

I found an interesting short paper this morning about some of the not too well known facts about passwords. The paper, Oracle passwords: A few not too well known facts (http://www.oriolecorp.com/papers/passwords.html, link now broken), covers things I knew about previously and have written about previously, but this paper brings some good facts together in one place.

It shows the undocumented (but everyone knows about it) VALUES version of the ALTER USER statement, it also explains very well why the character set that can be used for passwords is limited and it also gives advice on embedding passwords in files by using control characters in the password.

A good short paper, worth reading.

Howard Rogers has a new ebook out

Jonathan Gennick today announced that O'Reilly has a new ebook written by Howard for sale on its web site. The book is Howard's New Features in Oracle 9i (PDF) book. I think that this is an updated and improved version of Howard's previous paper that was available from his site.

Any of Howard’s written work is always excellent and a $5.95 (USD) fee to get the book is extremely fair. I hope that O'Reilly make a habit of releasing books like this example.

So what is in it for us Oracle security enthusiasts? - This ebook includes a chapter on the security enhancements added in 9i. It also includes a chapter on the Log Miner enhancements. This is a very useful tool in the security person’s arsenal as it is great for forensics work. The book is an excellent read even if it’s mostly not about security. As I have said previously here, to keep up with Oracle security also means knowing as much as possible about the rest of Oracle and also about security. To secure Oracle effectively you need to think like a hacker.

Nice four part paper on label security by Jim Czuprynski

I was looking for some information on Oracle Label Security (OLS) for a client to read and of course remembered the multi-part paper written by Jim Czuprynski on this subject. I had found links to the first three parts some time ago (some parts spanned multiple pages and therefore had multiple links) and had added them to my Oracle security white papers section. I found that I had not added the final, fourth part even though I have read it previously, so this morning I have updated the white papers page to include this fourth and final part.

This set of papers is excellent and probably the best resource on the internet about how to design, implement, test, use and maintain Oracle Label Security. Jim has done a masterful job of covering the subject. The paper goes through a complete example implementation and use and testing so that you can install and try the code for yourself.

The final part even covers how to modify and remove OLS as well as how to enable the additional auditing features necessary to track changes to the Oracle Label Security policies. Links to all 4 parts can be found on my white papers section. The papers were published on www.dba_support.com.

This is Jim's synopsis included in the final part:

"Synopsis. Oracle Label Security (OLS) offers a powerful implementation of row-based security that is perfect for restricting user access to specific data, especially in a data mart or data warehousing environment. Previous articles presented a brief overview of how these features work, and how these features can be implemented in any Oracle database. This concluding article wraps up this series with discussion of some advanced OLS features as well as mechanisms for maintaining an existing OLS security policy."

The 9.2.0.6 patch set is out

I just noticed today that the 9.2.0.6 patch set is out for Win32 but doesn't seem to be out for other platforms yet. There is a note on Metalink that describes the known issues fixed in 9.2.0.6 - Note 189908.1 lists the 9.2.0.x patch sets and also links to two further notes. The first of these is 283899.1, which covers known issues and alerts affecting 9.2.0.6. The second is 283897.1, which is the list of fixes in 9.2.0.6.

The only security specific mention in the first document is about a HTTP server patch for 9.2.0.5/6 which is part of alert #68.

The second document lists hundreds of bug fixes but specifically lists alert 68 in the general section (no details). It is also listed again in the security and denial of service section. In the advanced / secure network section there is a bug mentioned (3889519) that says there are errors with data transfer over SSL when security patch 68 is installed. There is also a bug about importing a wrapped password verification function. There are nine bugs fixed in Oracle Label Security and 6 specific errors fixed in the row level security functionality.

It is important to apply new patch sets as they quite often fix "silent" security bugs. These are security bugs that are not part of a security alert. This could be because these security issues are not reported as such by the finder of the problem.

Can application names be changed to spoof logon triggers?

I discussed the thread Adding some random characters to Oracle password some days ago here about how to secure a third party application. The entry in my web log is here. Just yesterday there has been a further interesting exchange by Howard and others about login triggers and fooling the program and module columns of v$session by renaming the binary of the application or in our case SQL*Plus.

I wrote about this issue over a year ago in my newsletter, where I demonstrated that renaming the SQL*Plus binary on a Windows client and also on the server failed to change the values in the module and program columns of v$session. Howard concurred with this and also demonstrated that he could change the name of MS Access and trick a login trigger. Jeff also concurred that on Windows 2003 and Oracle 9.2.0.5, when renaming SQL*Plus as I did, the columns are changed.

This is an interesting thread as many people try to restrict tools such as SQL*Plus and applications by using the module and program columns of v$session. It seems that some Oracle tools are harder to bypass in this scenario, but the platform matters. Trying to do the same for other applications is useless for security as renaming will easily bypass this method.
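The kind of logon trigger the thread is about, as an added example that is not code from the thread or from my newsletter. It refuses a connection whose PROGRAM or MODULE in V$SESSION looks like SQL*Plus, exempting SYS and SYSTEM. It assumes the trigger owner holds ADMINISTER DATABASE TRIGGER and a direct SELECT grant on SYS.V_$SESSION (needed for the view to be visible inside a trigger). As the thread shows, both columns are set by the client, so this is a convenience control for well-behaved tools, not a security boundary; the real restriction has to be on privileges.

```sql
-- Added example, not from the page. Logon trigger that keys on the
-- PROGRAM / MODULE columns of V$SESSION for the session being created.
CREATE OR REPLACE TRIGGER block_sqlplus_logon
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(64);
  v_module  VARCHAR2(64);
BEGIN
  -- Administrative accounts are let through (illustrative exemption)
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') IN ('SYS', 'SYSTEM') THEN
    RETURN;
  END IF;

  -- Find this session's own row; AUDSID matches USERENV SESSIONID
  SELECT program, module
  INTO   v_program, v_module
  FROM   v$session
  WHERE  audsid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SESSIONID'));

  -- Both values are supplied by the client, hence the caveat above
  IF UPPER(v_program) LIKE 'SQLPLUS%'
  OR UPPER(v_module)  LIKE 'SQL*PLUS%' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Ad hoc SQL*Plus connections are not permitted for ' ||
      SYS_CONTEXT('USERENV', 'SESSION_USER'));
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    NULL;   -- no visible V$SESSION row (e.g. job sessions): allow the logon
END block_sqlplus_logon;
/

-- What the trigger actually sees, per connected session, for comparison
-- with whatever the client reports after the kind of renaming the thread
-- discusses:
SELECT username, program, module, machine, osuser
FROM   v$session
WHERE  type = 'USER'
ORDER BY username;
```

Because the trigger raises an error for every matching logon, the failed attempts are also a useful thing to audit (AUDIT SESSION records them as failed logons), which gives some visibility even where the control itself is weak.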

Another good paper by Howard Rogers on read-only tables

When I was reading Howard’s paper on secure application roles again this morning I noticed that he had another paper listed in the menu on the right called Read-only Tables so I went to have a look.

This paper is again in Howard’s now familiar style of a question and answer session. The paper is very well written and explores the issue raised originally here a couple of weeks ago. I also posted about this thread in my web log at the time. You can find that here.

Howard explores this issue in depth and gives some excellent examples of how various methods can be used to prevent DML from occurring on a table such as locking the table, VPD and DML triggers and then shows that all of them are temporary solutions that can be bypassed easily.

Howard then goes on to show the only possible technique which is to put the table in a read only tablespace. He discusses this technique in depth and compares it to other solutions proposing that this is the only real way to do it.

Excellent paper as usual from Howard. Again, it's here.
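The read-only tablespace technique Howard settles on, as an added example that is not from his paper. The schema, table, index and datafile path are placeholders. It assumes DBA privileges.

```sql
-- Added example, not from Howard's paper. Reference data that must not
-- change is moved into its own tablespace, which is then made read only.
-- Placeholder names: APP.RATES, APP.RATES_PK, the datafile path.

-- 1. A tablespace that will hold nothing but the protected data
CREATE TABLESPACE ref_ro
  DATAFILE '/u02/oradata/ORCL/ref_ro01.dbf' SIZE 50M;   -- placeholder path

-- 2. Move the table and rebuild its indexes there. MOVE leaves existing
--    indexes UNUSABLE, so the rebuild is not optional.
ALTER TABLE app.rates MOVE TABLESPACE ref_ro;
ALTER INDEX app.rates_pk REBUILD TABLESPACE ref_ro;

-- 3. Make it read only. From here on no DML can touch the datafile,
--    whatever privileges the session holds.
ALTER TABLESPACE ref_ro READ ONLY;

-- 4. Verify
SELECT tablespace_name, status
FROM   dba_tablespaces
WHERE  tablespace_name = 'REF_RO';

-- An UPDATE, INSERT or DELETE against APP.RATES now fails with ORA-00372
-- (file cannot be modified at this time) and ORA-01110 naming the datafile.

-- Caveat: DROP TABLE only changes the data dictionary, which lives in
-- SYSTEM, so the table can still be dropped by anyone with the privilege
-- to do so. Object privileges and auditing still matter.

-- Changing the data later is a deliberate, visible DBA action
-- (recorded in the alert log and reflected in DBA_TABLESPACES):
-- ALTER TABLESPACE ref_ro READ WRITE;
```

Keeping only the protected objects in the tablespace is the point of step 1: a read-only tablespace protects everything in it, so mixing in tables that do need updates would force the tablespace back to READ WRITE and lose the protection for all of them.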