Oracle 12c Security - Hacktivity 2013, Budapest (conference presentation)
Paul M. Wright
www.OracleSecurity.Com
www.oraclesecurity.com 1
Paul M. Wright’s Biography
• First book on database forensics 2007
• Six Oracle Alert credits
• 1st Oracle/Java security SANS Instructor in EU
• Maintained UKCERT.org.uk for past 10 years
• Consult to financial institutions in London
www.OracleSecurity.com
• Apress/Springer book due soon:
http://www.amazon.com/Protecting-Oracle-Database-Paul-Wright/dp/1430262117
Structure of Presentation
Privilege Escalations
• In 12c Oracle remains best performing Database
• 12.1.0.1.0 appears to have had less QA than a second release like 11.2
• Exploitable Directories, External tables, Libraries
SQL>select directory_name, directory_path from dba_directories;
DIRECTORY_NAME DIRECTORY_PATH
------------------------- --------------------------------------
ORACLE_HOME /
ORACLE_BASE /
OPATCH_LOG_DIR C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch
OPATCH_SCRIPT_DIR C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch
ADVISOR DIRECTORY WRITE BYPASS
http://docs.oracle.com/cd/E16655_01/server.121/e15858/tgsql_sqlaccess.htm#CHDIAEBE
ADVISOR can directly WRITE to the OS
– ADVISOR privilege does not require DB DIRECTORY privileges to WRITE directly to the OS!
– Microsoft at Oracle OpenWorld (OOW) – integration skills important
– Use ORACLE_BASE ‘/’ directory to write autoexec.bat to root of C:/
– Or autorun.inf as well – virus writers heaven
– Force restart will make this script run
– Oracle/Microsoft collaboration definitely needed
– Because 12.1.0.1.0 on Windows is not secure
– My recommendation is to keep to *nix for a while
– DEMO 1
DBSNMP to SYSDBA
– How to get ADVISOR?
– DBSNMP has ADVISOR privilege
– Remote Admin account through Cloud Control
– Cloud Control is not encrypting sessions
– Laszlo’s oradecrypt could be used on the session auth
– DBSNMP password is DBSNMP but expired..have to change?
– ALTER USER IDENTIFIED BY VALUES… bypasses the complexity function, so it can be set back to the default
– This is a security issue as it allows app account owners to persist legacy passwords – saves them time, costs risk
GRANT ANY OBJECT, ‘DevOp’ to SYSDBA
GRANT ANY OBJECT PRIVILEGE is for Junior DBA/DevOps to manage non-SYS, PL/SQL schema releases
http://dba010.wordpress.com/2012/06/04/grant-any-object-privilege/
But it can grant privs on SYS directories which can be escalated e.g. CREATE ANY DIRECTORY TO SYSDBA
http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/
DEMO 2
Custom Defences to those issues
1. Drop Directories from default install (and Ext Tables) – MOS ticket
2. Protect DBSNMP – password complexity, history and default value recheck.
• TCPS free client side on all versions of Oracle! Stops oradecrypt attack
• But not Cloud Control yet..lots of testing and work..! Can use stunnel (see book)
3. Oradebug mitigation - Correlate gaps in audit trail with authorised startups to identify potential use of oradebug to turn off audit trail.
4. Syslog audit trail on RAC Grid control is like a heartbeat – v.busy and always sending
SQL> select startup_time from dba_hist_database_instance;
STARTUP_TIME
----------------------------------------------------------
27-SEP-13 04.15.46.000
03-OCT-13 14.05.04.000
03-OCT-13 16.38.17.000
03-OCT-13 17.30.03.000
03-OCT-13 19.49.34.000
– Database Forensics Challenge -> Attacker will hide their actions in SYS audit trail.
“How to tell difference between SYS usage by RAC Grid or human?” AI problem.
– What else can we use Oracle syslog for? Native IPS - example DBLink Blocker
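The correlation in defence 3 above, worked through as an added example (not code from the presentation): the audit trail normally arrives from syslog as a steady heartbeat, so a silence that coincides with a recorded startup is expected, while a silence during which no startup happened is the signature a defender is looking for. The startup times are the ones listed in the slide's dba_hist_database_instance output; the audit-record arrival times, the ten-minute silence threshold and the two-minute clock-skew slack are constructed assumptions.

```python
"""Correlate silences in the Oracle syslog audit trail with recorded instance
startups.  Added example, not from the presentation.  A gap that contains an
authorised startup is expected (the instance was down); a gap with no startup
deserves investigation, since oradebug can switch auditing off while the
instance keeps running."""
from datetime import datetime, timedelta

# Startup times exactly as listed on the slide (dba_hist_database_instance).
STARTUP_TIMES_RAW = [
    "27-SEP-13 04.15.46.000",
    "03-OCT-13 14.05.04.000",
    "03-OCT-13 16.38.17.000",
    "03-OCT-13 17.30.03.000",
    "03-OCT-13 19.49.34.000",
]


def parse_oracle_ts(text):
    """Parse the DD-MON-YY HH24.MI.SS.FF3 layout shown in the SQL*Plus output."""
    return datetime.strptime(text, "%d-%b-%y %H.%M.%S.%f")


def build_sample_audit_times():
    """Constructed heartbeat: one audit record every five minutes on 03-OCT-13
    from 09:00 to 15:00, with two planted silences:
      09:30-10:30  no startup recorded  (what an audit switch-off looks like)
      14:00-14:15  contains the 14.05.04 startup (an expected silence)."""
    base = datetime(2013, 10, 3, 9, 0)
    times = []
    for i in range(0, 12 * 6 + 1):
        t = base + timedelta(minutes=5 * i)
        if datetime(2013, 10, 3, 9, 30) < t < datetime(2013, 10, 3, 10, 30):
            continue
        if datetime(2013, 10, 3, 14, 0) < t < datetime(2013, 10, 3, 14, 15):
            continue
        times.append(t)
    return times


def find_gaps(record_times, max_silence):
    """Return (last_seen, next_seen) pairs where consecutive audit records are
    further apart than max_silence."""
    times = sorted(record_times)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]


def classify_gaps(gaps, startup_times, slack=timedelta(minutes=2)):
    """Label each gap 'startup' when an authorised startup falls inside it
    (with a little slack for clock skew between hosts), else 'unexplained'."""
    report = []
    for start, end in gaps:
        explained = any(start - slack <= s <= end + slack for s in startup_times)
        report.append({
            "from": start,
            "to": end,
            "verdict": "startup" if explained else "unexplained",
        })
    return report


def audit_gap_report(record_times=None, startup_raw=STARTUP_TIMES_RAW,
                     max_silence=timedelta(minutes=10)):
    """Full pipeline: heartbeat timestamps -> gaps -> verdict per gap."""
    if record_times is None:
        record_times = build_sample_audit_times()
    startups = [parse_oracle_ts(s) for s in startup_raw]
    return classify_gaps(find_gaps(record_times, max_silence), startups)


if __name__ == "__main__":
    for row in audit_gap_report():
        print(f"{row['from']:%d-%b-%y %H:%M} -> {row['to']:%H:%M}  {row['verdict']}")
```

On the constructed data the 14:00 silence is attributed to the 14.05.04 startup and the 09:30 silence is flagged as unexplained. In production the record times would come from the syslog collector rather than from build_sample_audit_times, and the threshold should be set just above the longest silence the RAC heartbeat normally shows.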
Database Links
• For Oracle Incoming DBLinks are
– Anonymised
– Can come from low security, high risk area like dev to prod
– Have insecure passwords (see Laszlo/Ferenc’s talk tomorrow)
• Payment processing policy ban all DB Links –how to enforce?
• Need incoming DBLink Blocker - Native IPS!!
• Detailed in the upcoming book – preview for you now.
• Problem - Can’t use a trigger as it cannot kill its own initiating session.
• Need to kill the session from Unix using DBLINK_INFO from the Syslog audit trail
• Use audsid to gain the PID from v$session
tail -F oracle.log | grep 'DBLINK_INFO' | dblinkblocker.sh
• Code for dblinkblocker.sh
• NATIVE IPS is the future…
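The detection half of the blocker described above, as an added example that is not the presentation's dblinkblocker.sh: it parses Oracle syslog audit records, picks out sessions that carry DBLINK_INFO, maps the audit SESSIONID to the AUDSID used in v$session, and applies an allow-list (empty for the "ban all DB links" payment policy). The FIELD:[length] "value" record layout is Oracle's syslog audit format; the sample lines, host names and ids are constructed, and the key=value layout inside DBLINK_INFO is assumed. The session lookup SQL is returned as text for the caller to run through sqlplus; nothing here connects to a database.

```python
"""Spot incoming database-link sessions in Oracle syslog audit records and
decide whether a blocker should act.  Added example, not the presentation's
own script.  Sample lines are constructed."""
import re

# Oracle syslog audit fields look like  NAME:[len] "value"  (SYS audit uses
# NAME :[len] 'value'); the regex accepts both quote styles and names with spaces.
FIELD_RE = re.compile(r'([A-Z][A-Z0-9_$ ]*?)\s*:\s*\[\d+\]\s*(["\'])(.*?)\2')

# Constructed sample records: a plain logon, a link from a dev database and a
# link from a reporting database.  DBLINK_INFO layout is an assumption.
SAMPLE_LINES = [
    'Oct  3 14:20:01 prod01 Oracle Audit[4120]: LENGTH: "212" SESSIONID:[6] "410233" '
    'ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SCOTT" USERHOST:[6] "prod01" '
    'ACTION:[3] "100" RETURNCODE:[1] "0" DBID:[10] "1234567890"',
    'Oct  3 14:21:17 prod01 Oracle Audit[4120]: LENGTH: "301" SESSIONID:[6] "410240" '
    'ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[6] "APPUSR" USERHOST:[5] "dev07" '
    'ACTION:[3] "100" RETURNCODE:[1] "0" DBLINK_INFO:[83] "SOURCE_GLOBAL_NAME=devdb.example.com, '
    'DBLINK_NAME=TO_PROD, SOURCE_AUDIT_SESSIONID=9981" DBID:[10] "1234567890"',
    'Oct  3 14:22:05 prod01 Oracle Audit[4120]: LENGTH: "303" SESSIONID:[6] "410251" '
    'ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[6] "RPTUSR" USERHOST:[5] "rpt02" '
    'ACTION:[3] "100" RETURNCODE:[1] "0" DBLINK_INFO:[85] "SOURCE_GLOBAL_NAME=reportdb.example.com, '
    'DBLINK_NAME=TO_PROD, SOURCE_AUDIT_SESSIONID=5120" DBID:[10] "1234567890"',
]


def parse_audit_record(line):
    """Return the record's fields as a dict, or None for a non-audit syslog line."""
    if "Oracle Audit" not in line:
        return None
    return {name.strip(): value for name, _q, value in FIELD_RE.findall(line)}


def parse_dblink_info(value):
    """Split 'KEY=value, KEY=value' into a dict with lower-case keys."""
    out = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out


def incoming_dblink_session(line):
    """Return details of an incoming DB-link session, or None if the record
    is not one.  SESSIONID in the audit record equals AUDSID in v$session."""
    rec = parse_audit_record(line)
    if not rec or "DBLINK_INFO" not in rec:
        return None
    info = parse_dblink_info(rec["DBLINK_INFO"])
    return {"audsid": rec["SESSIONID"], "userid": rec.get("USERID"), **info}


def session_lookup_sql(audsid):
    """SQL the blocker hands to sqlplus (not executed here) to turn the audsid
    into sid/serial# and the OS pid; v$process.addr joins v$session.paddr."""
    return ("SELECT s.sid, s.serial#, p.spid FROM v$session s "
            "JOIN v$process p ON p.addr = s.paddr "
            f"WHERE s.audsid = {int(audsid)}")


def decide(lines, allowed_sources=frozenset()):
    """Apply the policy: every incoming link is blocked unless its source
    global name is on the allow-list.  Returns one action per link session."""
    actions = []
    for line in lines:
        hit = incoming_dblink_session(line)
        if hit is None:
            continue
        source = hit.get("source_global_name", "").lower()
        actions.append({
            "audsid": hit["audsid"],
            "source": source,
            "verdict": "allow" if source in allowed_sources else "block",
            "lookup_sql": session_lookup_sql(hit["audsid"]),
        })
    return actions


if __name__ == "__main__":
    for action in decide(SAMPLE_LINES):  # payment policy: no allow-list at all
        print(action["verdict"], action["audsid"], action["source"])
```

The grep in the pipeline above already filters to DBLINK_INFO lines, so in that position only incoming_dblink_session and decide do real work; parse_audit_record is kept general so the same code can run over the whole audit stream. The kill itself (ALTER SYSTEM KILL SESSION on the returned sid/serial#) is left to the shell side, which is the only place the privilege to do it should live.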
Distributed Native IPS using syslog
Built-in Security Improvements in 12c
• Oradebug running OS commands - 12c limits this
SYS@orcl3>oradebug call system "touch<TAB>myfile.txt"
ORA-32519: insufficient privileges to execute
ORADEBUG command: OS debugger privileges required for client
Conclusions - Ethical Reporting
• Good practice to inform Oracle before publishing
• I have done that myself with this information
– secalert_us@oracle.com; gaining credit in the alert is good for your career in the long run.
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
• Questions?
The End
• Thank you!
paulmwright@oraclesecurity.com
“It would appear that we have reached the limits
of what it is possible to achieve with computer
technology, although one should be careful with
such statements, as they tend to sound pretty silly
in 5 years.” (1949).
Professor John von Neumann 1903-1957