
Oracle Security (12c)

Paul M. Wright
www.OracleSecurity.Com

“It is just as foolish to complain that people are selfish and treacherous as it is to complain that the magnetic field does not increase unless the electric field has a curl. Both are laws of nature.”
Professor John von Neumann 1903-1957

www.oraclesecurity.com 1
Paul M. Wright’s Biography
• First book on database forensics 2007
• Six Oracle Alert credits
• 1st Oracle/Java security SANS Instructor in EU
• Maintained UKCERT.org.uk for past 10 years
• Consultant to financial institutions in London
www.OracleSecurity.com
• Apress/Springer book due soon:
http://www.amazon.com/Protecting-Oracle-Database-Paul-Wright/dp/1430262117

Structure of Presentation
1. DEMO priv escalations on 12c/11.2.0.x
2. Custom Defences
3. Inbuilt security improvements in 12c
4. Conclusions and ethical reporting

Privilege Escalations
• In 12c Oracle remains the best-performing database
• 12.1.0.1.0 appears to have had less QA than a second release like 11.2
• Exploitable Directories, External tables, Libraries
SQL> select directory_name, directory_path from dba_directories;
DIRECTORY_NAME DIRECTORY_PATH
------------------------- --------------------------------------
ORACLE_HOME /
ORACLE_BASE /
OPATCH_LOG_DIR C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch
OPATCH_SCRIPT_DIR C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch

How can these directories be exploited when no privileges are granted on them?
1. ADVISOR to SYSDBA – DBSNMP Grid/Cloud Control
2. GRANT ANY OBJECT to SYSDBA – DevOps
ADVISOR DIRECTORY WRITE BYPASS
http://docs.oracle.com/cd/E16655_01/server.121/e15858/tgsql_sqlaccess.htm#CHDIAEBE

ADVISOR can directly WRITE to the OS
– ADVISOR privilege does not require DB DIRECTORY privileges to WRITE directly to the OS!
– MS at OOW – integration skills important
– Use ORACLE_BASE ‘/’ directory to write autoexec.bat to root of C:/
– Or autorun.inf as well – virus writers’ heaven
– Force restart will make this script run
– Oracle/MS collaboration definitely needed
– Because 12.1.0.1.0 on Windows is not secure
– My recommendation is to keep to *nix for a while
– DEMO 1
DBSNMP to SYSDBA
– How to get ADVISOR?
– DBSNMP has ADVISOR privilege
– Remote Admin account through Cloud Control
– Cloud Control is not encrypting sessions
– Laszlo’s oradecrypt could be used on the session auth
– DBSNMP password DBSNMP but expired.. have to change?
– ALTER USER IDENTIFIED BY VALUES… bypasses the complexity function, so it can be set back to the default
– This is a security issue as it allows app account owners to persist legacy passwords – saves them time, costs risk
GRANT ANY OBJECT, ‘DevOp’ to SYSDBA
GRANT ANY OBJECT PRIVILEGE is for Junior DBAs/DevOps to manage non-SYS PL/SQL schema releases
http://dba010.wordpress.com/2012/06/04/grant-any-object-privilege/

Meant to honour the spirit of O7_dictionary_accessibility – no dictionary access

But it can grant privs on SYS directories, which can be escalated, e.g. CREATE ANY DIRECTORY to SYSDBA
http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/

grant all on directory OPATCH_SCRIPT_DIR to gaoptest;
ERROR at line 1:
ORA-01749: you may not GRANT/REVOKE privileges to/from yourself

grant all on directory OPATCH_SCRIPT_DIR to public;
Grant succeeded.

grant gaoprole to gaoptest;

grant all on directory OPATCH_SCRIPT_DIR to gaoprole;
Grant succeeded.
DEMO 2
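The checks that the two escalation slides (the default directory objects and the GRANT ANY OBJECT PRIVILEGE route via PUBLIC or a role) and custom defence 1 call for, as an added Python example that is not code from the slides or from the author's book. It audits constructed sample rows shaped like exports of DBA_DIRECTORIES, DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS for directory objects pointing at a filesystem root or lying inside ORACLE_HOME, directory privileges granted to PUBLIC, and users who effectively hold ADVISOR, GRANT ANY OBJECT PRIVILEGE or CREATE ANY DIRECTORY, walking role grants so that a privilege held through a role is not missed. The column subsets, the ORACLE_HOME value and the OEM_MONITOR-to-DBSNMP role chain in the sample are assumptions made to exercise the role walk.

```python
"""Audit a 12c default install for the exposures described on these slides.
All rows below are constructed samples shaped like DBA_DIRECTORIES, DBA_TAB_PRIVS,
DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS; in a real review they come from
read-only SELECTs run as a DBA."""
import re

# System privileges the slides show being chained towards SYSDBA.
DANGEROUS_SYS_PRIVS = {"ADVISOR", "GRANT ANY OBJECT PRIVILEGE", "CREATE ANY DIRECTORY"}

# A path that is a filesystem root: '/' (which on Windows means the current drive root)
# or an explicit drive root such as C:\ .
ROOT_PATH = re.compile(r"^(?:[\\/]+|[A-Za-z]:[\\/]*)$")

# --- constructed sample rows (modelled on the slide output, not taken from a live system) ---
ORACLE_HOME = r"C:\app\abfb378\product\12.1.0\dbhome_1"          # assumption
DIRECTORIES = [                     # (directory_name, directory_path)
    ("ORACLE_HOME", "/"),
    ("ORACLE_BASE", "/"),
    ("OPATCH_LOG_DIR", r"C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch"),
    ("OPATCH_SCRIPT_DIR", r"C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch"),
    ("DATA_PUMP_DIR", r"C:\app\abfb378\admin\orcl\dpdump"),
]
TAB_PRIVS = [                       # (grantee, table_name, privilege, type)
    ("PUBLIC", "OPATCH_SCRIPT_DIR", "READ", "DIRECTORY"),
    ("PUBLIC", "OPATCH_SCRIPT_DIR", "WRITE", "DIRECTORY"),
    ("GAOPROLE", "OPATCH_SCRIPT_DIR", "WRITE", "DIRECTORY"),
    ("PUBLIC", "DUAL", "SELECT", "TABLE"),
]
SYS_PRIVS = [                       # (grantee, privilege); role chain below is an assumption
    ("OEM_MONITOR", "ADVISOR"),
    ("GAOPTEST", "GRANT ANY OBJECT PRIVILEGE"),
    ("SCOTT", "CREATE SESSION"),
]
ROLE_PRIVS = [("DBSNMP", "OEM_MONITOR"), ("GAOPTEST", "GAOPROLE")]   # (grantee, granted_role)
USERS = ["DBSNMP", "GAOPTEST", "SCOTT"]


def _norm(path):
    """Compare paths case-insensitively with one separator style (Windows mixes both)."""
    return path.replace("\\", "/").lower().rstrip("/")


def root_directories(directories):
    """Directory objects that expose a filesystem root."""
    return sorted(name for name, path in directories if ROOT_PATH.match(path.strip()))


def directories_in_oracle_home(directories, oracle_home):
    """Directory objects under ORACLE_HOME: a WRITE grant there reaches the software tree."""
    home = _norm(oracle_home) + "/"
    return sorted(name for name, path in directories if _norm(path).startswith(home))


def public_directory_grants(tab_privs):
    """(directory, privilege) pairs granted to PUBLIC, i.e. to every account."""
    return sorted({(obj, priv) for grantee, obj, priv, kind in tab_privs
                   if grantee == "PUBLIC" and kind == "DIRECTORY"})


def effective_sys_privs(grantee, sys_privs, role_privs, seen=None):
    """System privileges held directly or through any chain of roles."""
    seen = set() if seen is None else seen
    privs = {priv for g, priv in sys_privs if g == grantee}
    for g, role in role_privs:
        if g == grantee and role not in seen:
            seen.add(role)
            privs |= effective_sys_privs(role, sys_privs, role_privs, seen)
    return privs


def dangerous_grantees(users, sys_privs, role_privs):
    """Map each dangerous privilege to the users who effectively hold it."""
    found = {}
    for user in users:
        for priv in effective_sys_privs(user, sys_privs, role_privs) & DANGEROUS_SYS_PRIVS:
            found.setdefault(priv, []).append(user)
    return {priv: sorted(names) for priv, names in found.items()}


def audit(directories, tab_privs, sys_privs, role_privs, users, oracle_home):
    """Human-readable findings; an empty list means none of the checks fired."""
    findings = [f"directory {d} points at a filesystem root" for d in root_directories(directories)]
    findings += [f"directory {d} lies inside ORACLE_HOME"
                 for d in directories_in_oracle_home(directories, oracle_home)]
    findings += [f"PUBLIC holds {p} on directory {d}" for d, p in public_directory_grants(tab_privs)]
    for priv, names in sorted(dangerous_grantees(users, sys_privs, role_privs).items()):
        findings.append(f"{priv} held by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for line in audit(DIRECTORIES, TAB_PRIVS, SYS_PRIVS, ROLE_PRIVS, USERS, ORACLE_HOME):
        print(line)
```

The role walk is the part worth keeping: a grep of DBA_SYS_PRIVS for DBSNMP shows nothing, while the effective set shows ADVISOR, which is exactly the path the DBSNMP slide relies on.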

Custom Defences to those issues
1. Drop Directories from default install (and Ext Tables) – MOS ticket
2. Protect DBSNMP – password complexity, history and default value recheck.
• TCPS free client side on all versions of Oracle! Stops oradecrypt attack
• But not Cloud Control yet.. lots of testing and work..! Can use stunnel (see book)
3. Oradebug mitigation – correlate gaps in the audit trail with authorised startups to identify potential use of oradebug to turn off the audit trail.
4. Syslog audit trail on RAC Grid control is like a heartbeat – v.busy and always sending
SQL> select startup_time from dba_hist_database_instance;
STARTUP_TIME
----------------------------------------------------------
27-SEP-13 04.15.46.000
03-OCT-13 14.05.04.000
03-OCT-13 16.38.17.000
03-OCT-13 17.30.03.000
03-OCT-13 19.49.34.000
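Defence 3, the startup-gap correlation, as an added Python example that is not code from the slides or the book: it parses the STARTUP_TIME values shown above, builds a constructed audit heartbeat with two silences, and reports the silence that no recorded startup explains. The 5-minute heartbeat interval, the 10-minute gap threshold and the 2-minute clock-skew tolerance are assumptions to be tuned against a real syslog feed.

```python
"""Correlate silences in the audit trail with recorded instance startups.
A syslog audit trail fed by Grid Control is a constant heartbeat, so a long silence
means either the instance was down (legitimate: DBA_HIST_DATABASE_INSTANCE shows a
startup right after it) or auditing was switched off while the instance stayed up,
the oradebug case on the slide.  STARTUPS holds the slide's values; the audit
timestamps are a constructed heartbeat with two silences."""
from datetime import datetime, timedelta

# Matches the STARTUP_TIME format shown on the slide, e.g. '03-OCT-13 14.05.04.000'.
ORACLE_TS = "%d-%b-%y %H.%M.%S.%f"

STARTUPS = [datetime.strptime(s, ORACLE_TS) for s in (
    "27-SEP-13 04.15.46.000", "03-OCT-13 14.05.04.000", "03-OCT-13 16.38.17.000",
    "03-OCT-13 17.30.03.000", "03-OCT-13 19.49.34.000")]


def heartbeat(start, end, every, silences):
    """Constructed audit timestamps: one record per interval, minus the silent windows."""
    stamps, t = [], start
    while t <= end:
        if not any(a <= t <= b for a, b in silences):
            stamps.append(t)
        t += every
    return stamps


def find_gaps(audit_times, threshold):
    """Pairs of consecutive audit records further apart than the threshold."""
    ts = sorted(audit_times)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > threshold]


def explained_by_startup(gap, startups, tolerance):
    """A gap is legitimate if a startup lands inside it (or just after, allowing clock skew)."""
    start, end = gap
    return any(start <= s <= end + tolerance for s in startups)


def unexplained_gaps(audit_times, startups, threshold=timedelta(minutes=10),
                     tolerance=timedelta(minutes=2)):
    """Gaps with no matching startup: candidates for 'audit trail switched off'."""
    return [g for g in find_gaps(audit_times, threshold)
            if not explained_by_startup(g, startups, tolerance)]


def demo_audit_times():
    """Constructed heartbeat for 3 Oct 2013: one silence covers the 14:05:04 restart,
    the other (15:02-15:38) has no startup behind it."""
    day = datetime(2013, 10, 3)
    return heartbeat(day.replace(hour=13), day.replace(hour=17), timedelta(minutes=5),
                     silences=[(day.replace(hour=13, minute=52), day.replace(hour=14, minute=5)),
                               (day.replace(hour=15, minute=2), day.replace(hour=15, minute=38))])


if __name__ == "__main__":
    for start, end in unexplained_gaps(demo_audit_times(), STARTUPS):
        print(f"audit silent {start:%d-%b-%y %H:%M} -> {end:%H:%M} with no recorded startup")
```

Run against a real trail, the threshold should sit a little above the longest normal interval between Grid Control records, otherwise quiet periods overnight will be flagged alongside genuine silences.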

– Database Forensics Challenge -> Attacker will hide their actions in SYS audit trail.
“How to tell difference between SYS usage by RAC Grid or human?” AI problem.
– What else can we use Oracle syslog for? Native IPS - example DBLink Blocker
Database Links
• For Oracle, incoming DBLinks are
– Anonymised
– Can come from a low security, high risk area like dev to prod
– Have insecure passwords (see Laszlo/Ferenc’s talk tomorrow)
• Payment processing policy bans all DB Links – how to enforce?
• Need incoming DBLink Blocker - Native IPS!!
• Detailed in the upcoming book – preview for you now.
• Problem - Can’t use a trigger as it cannot kill its initiating session.
• Need to kill the session from Unix using DBLINK_INFO from the Syslog audit trail
• Use audsid to gain the PID from v$session
tail -F oracle.log | grep 'DBLINK_INFO' | dblinkblocker.sh
• Code for dblinkblocker.sh
• NATIVE IPS is the future…
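The decision logic behind the tail | grep | dblinkblocker.sh pipeline above, as an added Python example rather than the slide's own dblinkblocker.sh: it parses a syslog audit record, extracts DBLINK_INFO and the audit session id (AUDSID), and generates the PL/SQL that ends the session unless the link comes from an allow-listed source database. The three audit lines, hostname, users and ids are constructed; the KEY:[len] 'value' layout and the SOURCE_GLOBAL_NAME/DBLINK_NAME/SOURCE_AUDIT_SESSIONID form of DBLINK_INFO follow Oracle's documented audit format, but the exact field set of a real record and the ALLOWED_SOURCES list are assumptions. Handing the generated block to sqlplus is left to the shell wrapper.

```python
"""Native IPS for incoming database links: parse a syslog audit record, find the
AUDSID of a session that arrived over a link, and produce the PL/SQL that kills it
unless the source database is on the allow list."""
import re

# KEY:[len] 'value' pairs; the [len] is informational here and not validated.
FIELD = re.compile(r"([A-Z_$]+):\[\d+\] '([^']*)'")

# Constructed sample records (hostname, pid, users and ids are all made up).
SAMPLE_LINES = [
    "Oct  3 14:07:11 orlin Oracle Audit[4711]: LENGTH: '180' SESSIONID:[5] '41001' USERID:[5] 'SCOTT' "
    "USERHOST:[7] 'laptop1' ACTION:[3] '100' RETURNCODE:[1] '0' DBLINK_INFO:[0] ''",
    "Oct  3 14:07:30 orlin Oracle Audit[4711]: LENGTH: '240' SESSIONID:[5] '41017' USERID:[6] 'RPTAPP' "
    "USERHOST:[8] 'rpthost1' ACTION:[3] '100' RETURNCODE:[1] '0' "
    "DBLINK_INFO:[79] 'SOURCE_GLOBAL_NAME=RPTDB.WORLD, DBLINK_NAME=TO_ORCL3, SOURCE_AUDIT_SESSIONID=88'",
    "Oct  3 14:08:02 orlin Oracle Audit[4711]: LENGTH: '240' SESSIONID:[5] '41023' USERID:[6] 'DEVAPP' "
    "USERHOST:[8] 'devhost1' ACTION:[3] '100' RETURNCODE:[1] '0' "
    "DBLINK_INFO:[79] 'SOURCE_GLOBAL_NAME=DEVDB.WORLD, DBLINK_NAME=PRODLINK, SOURCE_AUDIT_SESSIONID=1234'",
]
ALLOWED_SOURCES = {"RPTDB.WORLD"}   # source databases the payment policy permits (assumption)


def parse_audit_record(line):
    """Turn the KEY:[len] 'value' pairs of one syslog audit record into a dict."""
    return dict(FIELD.findall(line))


def incoming_dblink(fields):
    """Return the DBLINK_INFO components, or None when the session did not arrive over a link."""
    info = fields.get("DBLINK_INFO", "")
    if not info:
        return None
    return dict(part.strip().split("=", 1) for part in info.split(","))


def kill_plsql(audsid):
    """PL/SQL that ends every session with this AUDSID.  int() rejects anything other
    than a number, so text an attacker influences in the audit record cannot reach the SQL."""
    audsid = int(audsid)
    return (f"begin\n  for s in (select sid, serial# from v$session where audsid = {audsid}) loop\n"
            f"    execute immediate 'alter system kill session ''' || s.sid || ',' || s.serial# || ''' immediate';\n"
            f"  end loop;\nend;\n/")


def decide(line, allowed_sources):
    """None to let the session live; otherwise a dict with the reason and the PL/SQL to run."""
    fields = parse_audit_record(line)
    link = incoming_dblink(fields)
    if link is None:
        return None
    source = link.get("SOURCE_GLOBAL_NAME", "")
    if source in allowed_sources:
        return None
    return {"audsid": fields["SESSIONID"], "source": source,
            "dblink": link.get("DBLINK_NAME", ""), "plsql": kill_plsql(fields["SESSIONID"])}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict = decide(line, ALLOWED_SOURCES)
        if verdict:
            print(f"blocking audsid {verdict['audsid']} via {verdict['dblink']} from {verdict['source']}")
            print(verdict["plsql"])
```

Looking the session up by AUDSID rather than by user name matters: the link session shares its user name with legitimate local sessions, and AUDSID is the one value the audit record and V$SESSION have in common.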
Distributed Native IPS using syslog

Built-in Security Improvements in 12c
• Oradebug running OS commands - 12c limits this
SYS@orcl3>oradebug call system "touch<TAB>myfile.txt"
ORA-32519: insufficient privileges to execute ORADEBUG command: OS debugger privileges required for client

• Definer’s Roles feature - removes the need for PUBLIC
– PUBLIC = Dev bucket for many object privs
– Because PUBLIC is the only role available to program units
– Now can use Definer’s Roles.. cool!

• Password hash the same.. for now
– Passwords still 11g format despite signs of SHA-2
http://web.archive.org/web/20121017040328/http://docs.oracle.com/cd/E11882_01/server.112/e25513/statviews_5081.htm

• _sys_logon_delay – more difficult to bruteforce a way into the DB
while true;do sqlplus -S -L sys/wrongpw@orlin:1521/orcl3 as sysdba;sleep 0;done;
_sys_logon_delay fixes the OraBrute issue with a 1 second failed logon delay for SYS
http://web.archive.org/web/20070206153311/http://www.ngssoftware.com/research/papers/oraclepasswords.pdf
On by default! Excellent work Oracle! Still need profiles for SYS though.

Conclusions - Ethical Reporting
• Good practice to inform Oracle before publishing
• I have done that myself with this information
– secalert_us@oracle.com – gaining credit in the alert is good for a career in the long run.
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

“The only thing we take with us is our reputation”


• More examples of attack and defence code in my
Apress/Springer book available for pre-order here:
http://www.amazon.com/Protecting-Oracle-Database-Paul-Wright/dp/1430262117

• Questions?
The End
• Thank you!
paulmwright@oraclesecurity.com
“It would appear that we have reached the limits of what it is possible to achieve with computer technology, although one should be careful with such statements, as they tend to sound pretty silly in 5 years.” (1949)
Professor John von Neumann 1903-1957
