Have You Fixed It Yet?
Ross Paterson, MSc Ethical Hacking
Select What From Oracle;
• Oracle is a world leading database.
• On its 11th release, known as 11g.
• Previous release known as 10g.
• The G stands for grid computing.
• 12c is on the horizon.
• Oracle patches every quarter in CPUs (Critical Patch Updates).
Select What From PL/SQL;
• Oracle's own brand of procedural SQL.
• Similar to T-SQL in Microsoft or SQL/PSM in MySQL.
• PL/SQL is executed in "blocks", similar to subroutines in other programming languages.
• Blocks can be nested, re-used and called by other blocks.
• Blocks can be combined to create procedures and functions.
• Functions return a single item; procedures return multiple items.
• Procedures and functions are combined to create packages.
Select * From Why;
• "SQL Injection is to hacking what a crowbar is to burglary. It opens the door to enable data theft" – Rob Rachwald.
• Injection is STILL number 1 in the OWASP Top 10.
• Oracle is the world's leading database, with a 29% market share over its nearest competitor.
Select * From Methods;
Our investigation was split into four injection methods:
• Cursor Snarfing
• Union Select Injection
• Procedure Injection
• Lateral Injection
Select Definer From Privileges Minus Select Invoker From Rights;
• By default, Oracle procedures and functions are created with definer rights.
• Definer rights:
  • Always execute with the permissions of the creator.
  • Usually no need for users to have access to the actual data.
• Invoker rights:
  • Make procedures execute with the caller's rights.
  • Add AUTHID CURRENT_USER.
  • Users need access permissions for the tables.
Connect;
Database Users          | Tables    | Procedures And Functions
System – DBA            | Employees | Check_Dept, Get_Dept, Today_Sales
Intruder/Hax – No Privs | Sales     | Grant_DBA
Select * From Employees;
• This table illustrates the data that will be queried in the procedure.
Dbms_Sql.Open_Cursor_Snarfing;
• Utilises tampering with dangling cursors.
• Cursor snarfing in 10g:
  • Possible in 2 packages in 10g.
  • My examples used the DBMS_SQL package.
• Totally prevented in 11g.
• Limited attack method.
Edit Check_Department;
Callouts on the procedure source:
• Employee is the variable entered by the user.
• A cursor is opened and the cursor number output.
• The procedure uses bind variables.
• An IF statement filters out the managers so they cannot be queried.
• The cursor is closed after execution.
Exec Check_Department();
• The procedure in normal working, called with an employee who isn't a manager.
• The result of attempting to get a manager's details.
Callouts: cursor number; Debora's details; access denied as Roger is a manager.
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
• Pass the procedure a string that is too long.
• Using the above code we can force an exception and cause the following error.
Callouts: fills the variable X with 10,000 Ys; cursor number.
Dbms_Sql.Is_Open(Cursor);
• To find the ID of a dangling cursor, an attacker can loop through the possibilities.
• This results in all open cursors being output.
Callouts: loops over all possible cursor IDs; outputs open cursors; lists any open cursors.
Dbms_Sql.(re)Bind_Variable();
• Now that an attacker has the ID of the cursor, it can be re-bound and re-used.
Callouts: query made against Roger, who is a manager; value of the open cursor.
Dbms_Sql.Execute(Cursor_Name);
• The result is unauthorised access to Roger's details.
Implications
• Attackers can bypass conditional logic.
• Potentially could re-bind with injection code.
10g Countermeasures
• Create a catch-all exception handler.
Dbms_Sql.Close_Cursor();
• Improvements to DBMS_SQL in 11g:
  • Cursor numbers are now randomly generated, 12 digits long.
  • Cursors are assigned a security ID.
  • Prevents attempts to discover cursors and re-bind them.
  • Any attempt to do either results in the user being locked out of DBMS_SQL for the remainder of the session.
Select Union_Selects From Attack;
• Union select attacks work the same in PL/SQL as in regular SQL.
• Add "Union Select" followed by a field of the same type and a table name to the end of a query.
• The result is a list of entries that are unique between the two tables.
Create Get_Department;
• A vulnerable procedure: the user's input is inserted straight into the query.
'' Union Select --
Callouts: normal execution; union attack.
Union Select Conclusion From Attack;
• Both 10g and 11g are susceptible.
• Defence is the responsibility of the developer.
• Use bind variables, such as in DBMS_SQL.
• Limited attack method:
  • Only select statements.
  • Limited data types.
  • Limited column numbers.
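One way to apply the countermeasures the slides name, as an added example rather than the presentation's own code: CHECK_DEPARTMENT rewritten with invoker rights (the AUTHID slide), DBMS_SQL bind variables (the developer-side defence against the union select attack above) and a catch-all exception handler that closes the cursor (the 10g cursor snarfing countermeasure). The EMPLOYEES table and its EMP_NAME, DEPARTMENT and IS_MANAGER columns are assumed names.

```sql
-- Added example, not the presentation's own code. Table and column names
-- (EMPLOYEES, EMP_NAME, DEPARTMENT, IS_MANAGER) are assumptions.
CREATE OR REPLACE PROCEDURE check_department (p_employee IN VARCHAR2)
AUTHID CURRENT_USER        -- invoker rights: runs with the caller's privileges
AS
  l_cur   INTEGER;
  l_dept  VARCHAR2(30);
  l_rows  INTEGER;
BEGIN
  -- Fail early on over-long input instead of letting a VARCHAR2 overflow
  -- raise half-way through, which is what left the cursor dangling.
  IF p_employee IS NULL OR LENGTH(p_employee) > 30 THEN
    RAISE_APPLICATION_ERROR(-20010, 'Invalid employee name');
  END IF;

  l_cur := DBMS_SQL.OPEN_CURSOR;
  -- The user value is never concatenated into the statement text, and the
  -- manager filter is part of the fixed text, so nothing can be appended.
  DBMS_SQL.PARSE(l_cur,
    'SELECT department FROM employees '
    || 'WHERE emp_name = :emp AND is_manager = ''N''',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(l_cur, ':emp', p_employee);
  DBMS_SQL.DEFINE_COLUMN(l_cur, 1, l_dept, 30);
  l_rows := DBMS_SQL.EXECUTE(l_cur);

  IF DBMS_SQL.FETCH_ROWS(l_cur) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(l_cur, 1, l_dept);
    DBMS_OUTPUT.PUT_LINE(p_employee || ' works in ' || l_dept);
  ELSE
    DBMS_OUTPUT.PUT_LINE('Access denied or no such employee');
  END IF;
  DBMS_SQL.CLOSE_CURSOR(l_cur);
EXCEPTION
  -- Catch-all handler (the 10g countermeasure): whatever went wrong, the
  -- cursor is closed so no dangling cursor is left to be found and re-bound.
  WHEN OTHERS THEN
    IF l_cur IS NOT NULL AND DBMS_SQL.IS_OPEN(l_cur) THEN
      DBMS_SQL.CLOSE_CURSOR(l_cur);
    END IF;
    RAISE;
END check_department;
/
```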
Declare Pragma Autonomous_Transaction;
• Procedure injection allows an attacker to perform an action that is totally different from the action defined in the programmer's code.
• To perform such an action an attacker needs a vulnerable procedure/function.
• This is known as an auxiliary inject function.
• The most serious injection method investigated.
Select * From User_Objects Where Package = Vulnerable;
• Procedure injection in 10g:
  • Experiments used the DBMS_SQL package.
  • DBMS_SQL patched in 11g.
• Two new vulnerable packages in 11g:
  • KUPP$PROC
  • DBMS_JAVA
• Both were tested:
  • KUPP$PROC appears to be patched.
  • DBMS_JAVA patched recently.
Dbms_Sql.Parse;
• A cursor is primed with the injection code.
Callouts: the cursor is opened to hold the injection code; PRAGMA AUTONOMOUS_TRANSACTION allows PL/SQL to perform a separate action from what it is currently doing; injection code to grant DBA to "Intruder"; EXECUTE IMMEDIATE parses an SQL command and executes it straight away; the cursor ID is output for injection.
Dbms_Sql.Parse;
• The primed cursor is then injected into the vulnerable GET_Department procedure.
Callouts: CHR is used to convert the number to a string so it can be concatenated; the cursor value of 7 is executed; Intruder can now get full DBA access.
Dbms_Java.Set_Output_To_Sql();
• As with the DBMS_SQL example, the injection code must first be prepped.
Callouts: PRAGMA AUTONOMOUS_TRANSACTION allows PL/SQL to perform a separate action from what it is currently doing; DBMS_JAVA binds an SQL string until output is sent to the screen; the whole query is bound as a string denoted by "TEXT"; injection code to grant DBA to "Intruder".
Dbms_Java.Runjava();
• Primed code is triggered by outputting Java.
• Once the injection code is executed the user can become DBA.
Callouts: DUAL is a general purpose temporary Oracle table; RUNJAVA executes Java classes; the test class simply outputs to the screen.
Conclusion And Counters
Select Counters From Solution;
• Disable Java packages.
• Implement a trigger.
• Use packages that bind variables, such as DBMS_SQL.
• Escape bad characters.
• Use DBMS_ASSERT.
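An added example, not from the presentation, of the "Implement a trigger" countermeasure against the GRANT DBA payload used in the procedure injection slides: a DDL trigger that records every attempt to grant the DBA role and refuses it unless the session belongs to an approved administrator. The audit table AUDIT_DBA_GRANTS and the administrator account SECADMIN are assumed placeholders, and it is assumed that the role name appears in the ora_privilege_list output for a role grant. Because ora_login_user is the session's login user, a GRANT issued from inside a definer-rights procedure is still attributed to the intruder's session.

```sql
-- Added example, not the presentation's own code. AUDIT_DBA_GRANTS and
-- SECADMIN are placeholders; creating the trigger needs the
-- ADMINISTER DATABASE TRIGGER privilege.
CREATE TABLE audit_dba_grants (
  attempted_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  grantor      VARCHAR2(128),
  grantee      VARCHAR2(128),
  allowed      CHAR(1)
);

CREATE OR REPLACE TRIGGER guard_dba_grant
BEFORE GRANT ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;  -- audit row survives the error raised below
  l_privs    ora_name_list_t;
  l_grantees ora_name_list_t;
  l_npriv    BINARY_INTEGER;
  l_ngrant   BINARY_INTEGER;
  l_is_dba   BOOLEAN := FALSE;
  l_allowed  BOOLEAN;
BEGIN
  l_npriv  := ora_privilege_list(l_privs);   -- privileges/roles being granted
  l_ngrant := ora_grantee(l_grantees);       -- accounts receiving them
  FOR i IN 1 .. l_npriv LOOP
    IF UPPER(l_privs(i)) = 'DBA' THEN
      l_is_dba := TRUE;
    END IF;
  END LOOP;
  IF NOT l_is_dba THEN
    RETURN;                                  -- only DBA grants are policed
  END IF;

  -- Only the approved administrator's session may hand out DBA (assumption).
  l_allowed := (ora_login_user = 'SECADMIN');
  FOR i IN 1 .. l_ngrant LOOP
    INSERT INTO audit_dba_grants (grantor, grantee, allowed)
    VALUES (ora_login_user, l_grantees(i),
            CASE WHEN l_allowed THEN 'Y' ELSE 'N' END);
  END LOOP;
  COMMIT;

  IF NOT l_allowed THEN
    -- Raising here aborts the GRANT; the injected payload fails even if it
    -- runs inside a definer-rights procedure owned by a DBA.
    RAISE_APPLICATION_ERROR(-20001, 'GRANT DBA blocked for ' || ora_login_user);
  END IF;
END guard_dba_grant;
/
```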
Nls_Date_Format='"Lateral Injection"';
• Lateral injection attacks manipulate Oracle's NLS packages so that they contain malicious code.
• The injection can be conducted in the DATE_FORMAT and NUMERIC_CHARACTERS packages.
• DATE_FORMAT is the more useful of the two.
• In 10g, combining it with procedure injection using DBMS_SQL results in a total compromise of the 10g database.
Nls_Numeric_Characters='"Lateral Injection"';
• Again, due to the improvements in DBMS_SQL, lateral injection does not work in 11g.
• An extension of the potential in procedure injection attacks.
• Allows injection into procedures that don't take direct user input.
• Countermeasures much the same as for procedure injection.
Callout: '';--
End;
/
• Oracle:
  • Continue to patch weak packages.
  • Find a better way of managing user access.
• End users:
  • Install Critical Patch Updates.
  • Follow good practice.
  • Use 11g.
  • Implement countermeasures.