The Web Local
Oracle Security

 

General

 

Oracle is a relational database management system (RDBMS) whose popularity lies in its use as a back end for client-server databases.  Its relational database was the first to support the SQL language, which has since become the industry standard.

 

Oracle has a number of security issues which are slowly being addressed over time, but to date there are still a large number of exploitable holes across all variants for which Oracle has not released a patch.  I can summarise the main issues as:

  • Default usernames and passwords are enabled on install - This is partially addressed, with the majority of accounts being expired and locked out; however, they still exist, are well known and could easily be re-enabled by mistake. An example of this is that dropping a certain catalogue file re-enables the DBSNMP account with its default password.

  • Default installs allow a large number of extra services to be enabled, e.g. multiple web servers serving pages on differing ports.  A custom install of the minimum set of applications should always be performed.

  • Newer versions of Oracle allow the main administrative accounts (SYS, SYSTEM, DBSNMP etc.) to be given the same password.  From a security standpoint these should always be different.

  • Major packages have privileges granted to the database user group PUBLIC, which may leave them open to misuse.  The packages UTL_SMTP, UTL_TCP, UTL_HTTP and UTL_FILE especially have issues relating to them.

  • Role accounts do not generally have a password assigned to them.  Users should ideally be given roles, with privileges assigned to roles rather than on a per-user basis.

  • The Oracle TNS Listener is the link a user must use to get to the back-end database.  Often the listener has minimal, if any, protection afforded to it.  Passwords, admin restrictions, logging and obfuscation techniques such as using non-standard ports should be used. Shut down the Listener and effectively you do not have database access anymore ;-(

  • The valid node checking security feature is usually not enabled.  Enabling it in the protocol.ora file can help prevent DoS attacks.  In addition, access control lists to the database can also be set up.

 

Vulnerability Assessment

 

As I've mentioned before, I am concentrating on vulnerability assessment/penetration testing based on free "open source" software only; in saying that, there is a fair amount of software and scripts available to give you a fair assessment of the state of the Oracle database you are assessing.

 

Before you can run any SQL commands or scripts directly against the database you first of all need to "acquire/request" a valid username and password pair for the database you are testing, together with the Service Name associated with it.

 

Free SQL scripts that may aid vulnerability analysts and pen testers are available from a number of sources; two very good ones are Pete Finnigan and Pen Test.

 

Exploit code is available from Red-Base Security.

 

Dumping the Service Name is easy (or it was until >10g came along!); there are some nice little GUI tools out there, and a favourite one of mine is WinSid, or there's OracleTNSLSNR.exe.  These two particular tools quiz the TNS listener on the remote host.  You can also get a basic understanding of any admin restrictions, passwords and logging applied to the TNS listener by using the tool lsnrcheck.exe.  (It may even tell you where your first security hole is found.)

 

Next is the requirement for a valid username and password.  The tools (both Linux and Windows variants) that I use to test for default usernames and passwords are OScanner and Oracle Auditing Tool (OAT). OAT is a suite of tools whose extra functionality can enable you to gain an SQL prompt without the need for, say, SQL*Plus or an Oracle Client installed on your machine.

 

Oracle TNS Listener

 

The Oracle TNS Listener is the linchpin between a user or web server requesting a connection and the back-end database.  As such, access to it should be restricted.  The relevant files that control the listener are:

 

  • $ORACLE_HOME/bin/lsnrctl - The actual Listener control program

  • $ORACLE_HOME/network/admin/listener.ora - The actual TNS Listener config file

  • $ORACLE_HOME/bin/tnslsnr - The actual listening process.

 

The listener is susceptible to a number of issues dependent on the version you are running; these include Denial of Service, fragmentation and buffer overflow attacks, to name but a few.  It must be protected at all costs.
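The listener controls called for above and in the earlier bullet list (admin restrictions, logging, a non-standard port, a listener password, valid node checking) can be checked mechanically from the config files. This is an added example and not a tool from the page: the two config pairs are constructed, and it assumes the standard listener.ora/sqlnet.ora parameter names (ADMIN_RESTRICTIONS_<listener>, LOGGING_<listener>, LOG_DIRECTORY_<listener>, PASSWORDS_<listener>, TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES), with valid node checking read from sqlnet.ora as on 9i and later rather than from protocol.ora.

```python
import re

# Constructed sample config (not from any real host): the weak pair is a
# default-style install, the hardened pair applies the controls from the text.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.test)(PORT = 1521))))
"""
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA.replace("1521", "1777") + """
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
LOG_DIRECTORY_LISTENER = /u01/app/oracle/network/log
"""
WEAK_SQLNET_ORA = ""
HARDENED_SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.5, appserver.example.test)
"""

# Single-line NAME = VALUE parameters only; the nested (...) address block is
# skipped because its lines start with "(" rather than a parameter name.
PARAM_RE = re.compile(r"^\s*([A-Z0-9_.]+)[ \t]*=[ \t]*(\S.*?)[ \t]*$", re.I | re.M)
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.I)

def parse_params(text):
    return {m.group(1).upper(): m.group(2) for m in PARAM_RE.finditer(text)}

def audit_listener(listener_ora, sqlnet_ora, listener_name="LISTENER"):
    """Return the list of hardening gaps found in the two config files."""
    name = listener_name.upper()
    p, net = parse_params(listener_ora), parse_params(sqlnet_ora)
    gaps = []
    if p.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper() != "ON":
        gaps.append("admin_restrictions")   # runtime lsnrctl SET changes accepted
    if p.get(f"LOGGING_{name}", "ON").upper() != "ON":
        gaps.append("logging")              # listener log explicitly disabled
    if f"LOG_DIRECTORY_{name}" not in p:
        gaps.append("log_directory")        # log left in the default location
    if "1521" in PORT_RE.findall(listener_ora):
        gaps.append("default_port")         # well-known port in use
    if f"PASSWORDS_{name}" not in p:
        gaps.append("listener_password")    # relevant to pre-10g listeners
    if net.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        gaps.append("valid_node_checking")
    elif "TCP.INVITED_NODES" not in net and "TCP.EXCLUDED_NODES" not in net:
        gaps.append("no_node_list")         # checking on but no nodes listed
    return gaps

if __name__ == "__main__":
    print("weak    :", audit_listener(WEAK_LISTENER_ORA, WEAK_SQLNET_ORA))
    print("hardened:", audit_listener(HARDENED_LISTENER_ORA, HARDENED_SQLNET_ORA))
```

The hardened sample still reports listener_password because no PASSWORDS_LISTENER entry is present; on 10g and later listeners that rely on local OS authentication this finding can be accepted.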

 

Oracle Password Files

 

Oracle by default stores passwords in a number of locations and the following would be a good place to start if you manage to get access to a server:
 

$ORACLE_HOME/cfgtoollogs/cfgfw/CfmLogger_install_date.log
$ORACLE_HOME/cfgtoollogs/cfgfw/oracle.assistants.server_install_date.log
$ORACLE_HOME/cfgtoollogs/configToolAllCommands
$ORACLE_HOME/cfgtoollogs/oui/installActions_install_date.log
$ORACLE_HOME/inventory/Components21/oracle.assistants.server/10.2.0.1.0/context.xml
$ORACLE_HOME/inventory/ContentsXML/ConfigXML/oracle.assistants.server.10_2_0_1_0.CFM.1.inst.xml
$ORACLE_HOME/cfgtoollogs\wirelessMid_CA.out
$ORACLE_HOME/wireless\logs\wirelessca_cmd.out

 

Default Oracle SIDs

 

There are a number of default Oracle SIDs that exist for Oracle and other third-party products.  When performing an assessment you can start by attempting to enumerate/connect with these:

 

Product                                            Default SID

Aris                                               ARIS

BEA Weblogic Integration Adapter for Manugistics   MSAM

Cisco CTM R 4 series                               CTM4_0/1/2/3/4 etc. (dependent on the version)

OpenView                                           OPENVIEW or OVO

Oracle Generic                                     ORCL and plsEXTPROC

Oracle Express Edition                             XE

Oracle Enterprise Mgr Repository                   OEMREP

Oracle App Svr 9i - 10g                            IASDB

SAP Standard System                                SA(no.) i.e. SA9 or SA(char.) i.e. SAG

VMware VirtualCenter Database                      VPX
