Anatomy of a Database Attack

1
Most Recent Advances A Review of DC BlackHat
2007
Aaron NewmanCTO/Founder Application Security,
Inc.
2
Agenda

• Overview of BlackHat 2007
• Cursor Snarfing
• Cursor Injection
• Local Binary Exploits
• Database Network Protocols
• Resources, Conclusion, and Wrap Up

3
Overview of BlackHat 2007
4
Presentations on Hacking Oracle

• Three independent researchers
• Presenting details on new vulnerabilities
• Presenting new classes, or methods, or attacks
• Each presentation entirely different focus
• PL/SQL attacks
• Network Protocol attacks
• Binary level attacks
• Outstanding vulnerabilities
• All three listed security vulnerabilities
• Waiting for security fixes from Oracle
• Unknown when to expect specific fixes

5
Cursor Snarfing
6
How does it work?

• Using the DBMS_SQL package
• You PARSE a SQL statement
• BIND variable
• EXECUTE the cursor
• FETCH_ROWS
• Then CLOSE the cursor
• A CURSORS has a HANDLE
• Handles work until cursor or session is closed

7
How to exploit?

• Find a function or stored procedure
• That is using DBMS_SQL
• Cause an exception to occur
• Which leaves the cursor dangling
• Rebind your new value to the CURSOR
• EXECUTE the cursor under higher privileges
• Where does this occur
• In your home-grown PL/SQL
• In the built-in SQL from Oracle

8
Solutions

• Check your own code
• Anytime you use DBMS_SQL
• Check exceptions and close the CURSORS
• EXCEPTION WHEN OTHERS THEN
• IF DBMS_SQL.IS_OPEN(CURSOR) THEN
• DBMS_SQL.CLOSE_CURSOR(CURSOR)
• END IF
• Risk Level
• Medium

9
DemoWhite-paper
10
Cursor Injection
11
How does it work?

• Leverages PL/SQL Injection vulnerabilities
• Allows you to inject arbitrary SQL
• Into a PL/SQL Injection vulnerability
• Escalates Medium or Low Risk vulnerabilities
• Makes them High Risk or Critical

12
Understanding PL/SQL Vulnerabilities

• Problem with dynamic SQL
• EXECUTE IMMEDIATE
• DBMS_SQL
• Danger allowing the user to pass parameters that
  are used in the parsed SQL statement

13
Dynamic SQL Example

• CREATE PROCEDURE BAD_CODING_EXAMPLE (
  NEW_PASSWORD VARCHAR2 ) AS
• TEST VARCHAR2
• BEGIN
• -- DO SOME WORK HERE
• EXECUTE IMMEDIATE 'UPDATE ' TABLE_NAME '
  SET ' COLUMN_NAME ' ''' NEW_PASSWORD
  ''' WHERE USERNAME '''
  CURRENT_USER_NAME '''
• END BAD_CODING_EXAMPLE

14
Valid input

• Input
• EXEC BAD_CODING_EXAMPLE( testabc )

• SQL Created
• UPDATE APPLICATION_USERS SET PASSWORD testabc
  WHERE USERNAME aaron

15
Hacker input

• Input
• EXEC BAD_CODING_EXAMPLE( testabc, ADMIN1,
  FULL_NAMETEST )

• SQL Created
• UPDATE APPLICATION_USERS SET PASSWORD
  testabc, ADMIN1, FULL_NAMETEST WHERE
  USERNAME aaron

16
How to exploit?

• Find a function or stored procedure
• That is vulnerable to PL/SQL Injection
• Review any of the latest CPUs
• Use anonymous PL/SQL blocks
• Declare CURSOR and PARSE a SQL statement
• Use the CURSOR handle in the PL/SQL Injection
• CURSOR runs under elevated privileges

17
Hacker input

• Input
• EXEC BAD_CODING_EXAMPLE( testabc
  CHR(DBMS_SQL.EXECUTE(4)) )

• SQL Created
• UPDATE APPLICATION_USERS SET PASSWORD testabc
  CHR(DBMS_SQL.EXECUTE(4)) WHERE USERNAME
  aaron

18
Why?

• Argument between researchers and Oracle
• Over severity of vulnerabilities
• Oracle classifies vulnerabilities as low risk
• Researchers say they should be high risk
• Researcher finds way to prove Oracle wrong
• Need for CREATE FUNCTION privilege
• Not anymore
• You just need CREATE SESSION

19
Examples

• Check your own code!
• SDO_DROP_USER_BEFORE
• DDL Trigger when a table is dropped
• Yet unnamed vulnerable procedures being fixed
• Risk Level
• High if you have PL/SQL injection

20
DemoWhite-paper
21
Local Binary Exploits
22
How does it work?

• Debugging the Oracle Process
• Looking for vulnerabilities
• Inside the Oracle process
• Scan for named pipes and other handles
• That are not granted appropriate permissions
• Non-privileged user on the operating system
• Gains control over the Oracle process

23
How to exploit?

• Attach to the operating system
• Using Remote Desktop
• Using Citrix
• Using Terminal Server
• Or directly through the console
• Relies on valid access or discovering a
  non-privileged account
• How to exploit
• Find the security hole on your own database
  server
• Write an exploit
• Run it on the target database

24
Zero-day exploits

• Means that you are given zero days to fix the
  problem
• No fix available
• Oracle might be working on a fix
• Need to find work arounds to mitigate the risk
• Restricting access to components
• Disabling components
• Firewalling the database from everything
• Another quoted example of unnameable
  vulnerabilities
• That are in the process of being fixed
• Purchase the Ultimate 0day Exploits Pack
• Risk Level
• Medium to Low

25
DemoWhite paper
26
Database Network Protocols
27
How does it work?

• Sniffing the Oracle traffic
• Looking for vulnerabilities
• At the network traffic level
• Attacks from reverse engineering proprietary
  protocol
• History of database drivers
• Almost always high level risk

28
How to exploit?

• Find a proxy client
• Redirect Oracle client drivers to local proxy
• Local proxy replaces desired details
• Local Proxy then forwards to Oracle Server
• How to exploit
• Tamper with message structure
• Change the expected field size
• Change the expected order of messages

29
Why?

• Multiple companies have learned SQLNet
• Required knowledge to provide an IDS/IPS for
  Oracle
• In the course of researching SQLNet
• Simple to manipulate fields to cause side
  effects
• Very old code in the network drivers
• Backwards compatibility

30
Examples

• By watching Oracle authentication protocol
  packets
• You can determine the difference between
• An invalid username and an invalid password
• Even subtle differences can be leveraged
• Time to respond
• Type of response
• Another quoted example of unnameable
  vulnerabilities
• That are in the process of being fixed
• Risk Level
• High

31
DemoProxy ALTER_SESSION
32
Resources, Conclusion, and Questions
33
How Do You Address These Vulnerabilities?

• Stay Patched
• Stay on top of all the security alerts and
  bulletins
• Defense in Depth
• Multiple Levels of Security
• Regularly perform audits and penetration tests on
  your database
• Encryption of data-in-motion / data-at-rest /
  data-in-use
• Monitor database activity log files
• Implement database intrusion detection and
  auditing
• Especially if you cant stay patched!

34
Questions?

• Thank you
• Questions on
• Vulnerabilities
• Locking down the database
• anewman_at_appsecinc.com