Loading
Notes
Study Reminders
Support
Text Version

Oracle Exploitation and Security Best Practices

Set your study reminders

We will email you at these times to remind you to study.
  • Monday

    -

    7am

    +

    Tuesday

    -

    7am

    +

    Wednesday

    -

    7am

    +

    Thursday

    -

    7am

    +

    Friday

    -

    7am

    +

    Saturday

    -

    7am

    +

    Sunday

    -

    7am

    +

In this series of lessons we're going to look at the oracle database first we're going to analyze the installation process to set up our lab and we're going to talk about the architecture of the oracle database itself then we're going to walk through ways to potentially compromise the oracle database slash audit the oracle database and then finally we're going to wal through som best practices relative to locking down the database and how we can ensure that as network admins and database admins that we are protecting our database using best practices so the first thing i'm going to do is go ahead and download the oracle database express edition so as usual i'm running ubuntu 14.04 now let me make a comment here um the oracle database is not natively supported on ubuntu okay so typically the distributions are red hat based as far as support and linux so i'm going to do a little bit of trickery here and do some emulation and create some symbolic links and add some additional libraries and modify some paths to allow this to run on ubuntu so you don't have to run this on ubuntu for your lab you don't necessarily have to go through these steps but if you do want to run it on ubuntu i'm including some of those steps here for you so in order to get it to run on ubuntu i'm going to install alien and a few other packages and i'm going to configure those so that really we're going to emulate an environment that the installer is looking for and that includes things like kernel parameters and memory configuration parameters we want it to look like a supported configuration
even though technically it's not oracle as a database wants to install generally on red hat a i mentioned before so i'll show you these steps here shortly so the first step is to run the alien command and generate some scripts off of the rpm and of course rpm is the installer format specific to red hat we are running ubuntu which is a debian derivative and so you notice that we've generated the debian installer now so we actually have an installer native to the format that we've created and so now that we've got that out of the way we want to modify the configure file and some of these config files are going to outline things like kernel parameters and other configurations that the installer is going to be looking for copying and pasting in a config file here in this config filter it's doing several things but some of what it's doing is just creating an environment that is emulating a supported enviroinment
so i'm creating an additional configuration file here that's setting some of the min and max variables for the kernel from a memory standpoint all right so we've validated that some of the cernel parameter changes have indeed taken effect so we also need to create some symbolic links for some of the paths because the paths for tools liking said and awk in uibuntu are different paths than they will be natively in red hat so now we're going to go ahead and run the installer we're going to install the oracle xe database notice we're using the debian package that we created using the alien tool so now we're going to run the configure command on the database and this sets up things like the oracle application express server which for our purposes we won't be using as well as the database listener which we will be using we'll set up the password for the sys and system account and we define whether or not we want the database to be started on boot so we're going to wrap up the configuration of the database the dot slash configure notice that the listener is getting started and we're going through the process of configuring the database which is just the initial setup so the setup's complete the instance is running the listener started and now we have oracle 11g express edition running on an unsupported operating the system so in order to get that to work properly there was an additional step to mount the temporary file system or a temporary file system specific memory configuration all right wonderful sysdba which is the to start the oracle database now that we have the database installed let's talk a little bit about the architecture of the database so the database has a listener component so think of the listener as the front door to the database the the listener will listen to requests and it will route them to various services or service id slash sid instances you can have multiple sids you can have multiple databases and so the listener is the front door slash traffic cop for the database as a result there's a lot of security consideration that needs to be taken into account because if you leave your front door unlocked then you're inviting activity that isn't necessarily desired or warranted so the listener little or lsnr ctl command allows us to look at the status of the listener and print out some information about the version of the listener to start the listener as well as stop the listener and so it's it's worth noting here that the database also has provided lots of information when we run this command that an attacker could particularly find useful of course i'm running this locally with root permissions so that's why I can get this information but if it's not configured properly some of this information can be leaked slash disclosed remotely now there are various security configurations that we can set up for
the listener including the authentication methods we can configure source and port and ip constraints and we can set up a password for the listener as well all right so as we take a look at the architecture and explore the database installation for oracle let's go ahead and do an examination of the running processes so you'll find that once you install an oracle database that there are a lot of processes there that get installed and that are running so multiple threads multiple processes and so it's definitely an enterprise class database but with enterprise class comes enterprise bloat arguably so we don't necessarily need all of these services running and so that's where an examination of the architecture is important so we have some services running including piemont esmond the database writer the log writer checkpoint and recovery services now these are very much required services and they are core services specific to the oracle database and the oracle database architecture but there are other components that we don't necessarily want to have enabled depending on what we're doing
and we'll get to that a little bit later in the hardening section so i want to turn our attention to authentication and authorization for the database so oracle supports operating system and database user level authentication so let's go ahead and take a look at the default users that are installed in the oracle database just as part of the basic installation so we need to run sql plus well sql plus as sysdba now i'll try to run a select but this isn't going to work the reason it's not going to work aside fromsyntax is the fact that the database has not been started up yet so make sure that you go through the startup process and that the database is started so startup is very simple if we're connected with the correct user sysdba run startup you can see that the buffers have been populated the database has been mounted and it's been opened with that particular select statement we have a chance to look at the users that have been installed just as part of the basic installation and the hashes of their passwords this these actually are not obviously the actual passwords so we have an xdb user and we're going to focus on that one here in a minute which is the xml database and as i mentioned before some services are installed that we might not use or need and commensurately in addition to those services well they're typically going to have service accounts of some sort that were installed we might want to lock those accounts or disable them or even expire them so the next step is to go ahead and look at which of these accounts have elevated privileges just because they've been installed doesn't mean that they have a whole lot of privileges we're very concerned with the accounts that have high levels
of privilege in particular database admin privileges so if we run a select distinct a name from sysuser kind of a long command here we can grab that information as to you know which one of thes accounts that we're looking at are highly privileged so once we entered that incorrectly you can see very simply it's just system and sys at least we know that all those other accounts are not highly privileged now that doesn't mean that we don't want to lock those down or potentially remove them because we probably do when analyzing the security architecture of the oracle database it's important to understand that oracle defines two fundamental levels of privileges and those are database wide privileges and then object level privileges so a database wide privilege would be granted to as the name suggests the entire database any databases any objects any tables any schemas within that installation an object level privilege would be specific to let's say a given table so it's much more granular in nature the first thing i want to explore here is or are privileges specific to the system
that are system-wide this is a query of all the privileges that are available at the system level okay so there's quite a bit here you can see drop any library drop tables create any table these privileges once they're assigned to a user at the system level will allow that activity to take place across the entire installation so if you assign someone drop user that's not something that we can find to an object it is a system-wide privilege the ability to create a view is a system-wide privilege so you can see this version of the oracle database 11gr2 has 208 distinct user privileges that are system wide in nature so
you can see that assignment of privileges can get pretty complex and pretty granular quickly and a little bit later we'll talk about ways to manage that so there are several privileges that are object
specific not quite as many but there are 26 and the 11gr2 you can see things like select read and these are schema related slash table related type privileges and not system-wide in nature so we've talked about authentication and authorization so now it's time for the third a in aaa which triple a is authentication authorization and audit and so that third a is audit while authentication and authorization help protect the front door and keep the bad guys from getting in audit lets us know whether or not it happened so it's important to have audit configured and as we'll find out there are many different levels of granularity by which we configure or can configure auditing in the oracle database now always remember that when you set up auditing there's a potential performance impact in doing so relative to cpu usage memory usage but also that we can be eating up disk space so make sure that in a production capacity that you plan accordingly all right so when setting up auditing there's some basic configurations in the init.aura file which is the initialization file for the oracle database we can log to a file we can also log to a database but log into files pretty standard and many admins like to take this information aggregate it and correlate it into let's say a common syslog server for centralized audit correlation so let's go ahead and modify the init or at least look at it from an auditing standpoint so there are lots of parameters in here but the ones we care about right now are specific to audit so you can see that the autofile destination is the base slash admin slash oracle slash a dump path and our audit trail is a database audit trail so go ahead and navigate to that folder that's outlined in the init.ora file we need to make sure that we're using the appropriate privileges we can see that there are a lot of odd files aud audit files we can open those up and take a look at them and here we see that there was a shutdown issued the privilege that was used to issue the shutdown as well as the date and time stamp and so these are default audit logs i haven't done anything in particular to configure what's being audited aside from the default installation config so before we move any further i want to install some sample content and we'll use our old friend scott and the scott slash tiger schema user to install a sample database that we'll use to illustrate some of the security configuration examples so i've installed or set up a user scott and the command is create user scott identified by tiger which means that his password will be tiger and i've granted him a system-wide level
privilege which is dba and i've granted him connect privileges to that system as well so we'll enter in tiger as his password based on how we set it up alright so we're connected as the scott schema and the next thing i want to do is run a sql script that is going to populate and create a sample data
database which we're going to use for security testing purposes and one of the things i want to do with some of these tables that get created is i want to set up permissions not only at the system level which we've done already but at the object level so show you how to set up permissions let's say at the table level for a particular user so we need to find the path we'll use the at identifier all right we get the path correct we've got the dem demo table created and so we've got some sample tables to work with now so let's look at the tables that make up the scott schema so there's a bonus table and in the bonus table we can see that there are columns for name job salary commission and there are some other tables that have been installed as well next one is the employee table so that's fine and interesting but i want to turn our attention to the privileges and to some extent the contents of the table so we saw the structure of the table now we can see the contents of some of the tables in terms of individual records so you get the idea so now we'll go ahead and enable some auditing on the database and for these tables and in particular objects so by default we're not auditing things like simple sql queries we're auditing object level or excuse me we're auditing system level activities but we're not necessarily auditing individual sql queries so first let's go ahead and enable a system-wide database level audit configuration all right so what we did is we enabled audit of select insert and update on the sys audit table now this is a best practice now this isn't incorporating any of the tables we just installed but what this does is it makes sure that we know.
If the um the audit table the system audit table itself has been modified by one of the users in any way you want to protect your audit data because the information is only as good as the integrity that we have in place for that data from a security control standpoint all right great so now on to some object level security you can as i mentioned before fundamentally audit both ddl and dml statements so that's data description language and data manipulation language so data description language is more schema oriented type activities like creating and dropping tables where dml activities are things like sql statements insert and crud type operations all right so here i have enabled auditing for select statements on the scott dot emp table so what this means is is that if i issue a select or anyone issues a select we should be able to see that from an audit perspective a show parameter audit command will show us the parameters for audit config within the database which we just took a look at to further enable the audit we need to alter the system and set the audit sys operations parameter to true and make the scope of that to be the sp file so we're going to leave that set as a
database audit trail that is extended which will allow us to audit additional information now after we set those parameters we need to shut down the database and restart it so it can pick up the new configurations for the audit settings okay we've restarted the database and you can see that our new audit parameters have been taken into effect the audit trail is now set to db under underscore extended so i'm going to add some additional audit configurations here one is create any table drop any table and i'm going to make that specific to scott so if scott creates a table or drops a table then we want to know about it so to test this out we'll go ahead and log in as scott and connect to the scot schema and we'll try to create a table alright so scott's created a table and ideally per our audit configuration that activity would be audited and just to further test we'll also run an insert statement and we'll try to insert some data into the imp table and there are some constraints for one of the columns the department number column so i need to make sure i enter a number that falls within the constraints defined in the table so we've issued an insert we've created a record slash row within that table which is another event that should be audited and then we'll round that out with a test of a delete object and we'll delete an employee record there are no employees with the record 1300 so that's fine and then we want to commit those changes all right so our next step is to go back and test that some of this has been audited so we'll want to log back in as sysdba so next we want to see whether or not the audit was successful in other words were we able to audit the select insert and delete operations that were issued by scott in the audit trail all right well here we can see that he did create a table created a tails table was one of the events. So we did indeed capture an audit operation that was specific to the table creation now that was a system-wide audit configuration so now that we understand how to install the sql database and set up some sample contents and we've kind of got our lab set up and we've walked through some of the architecture of the oracle database we're going to talk through the process of attacking slash auditing the database so first it's important to know what version you're running because most of these vulnerabilities and their associated attacks are
predicated upon the version that you're running and so when i did a services command or rent a services command i saw that i'm running 11202 so i can look in the oracle cve alert database and really what i want to do is find alerts that are for versions after 11 202 it's not so much 11 202 that i'm that concerned about so i've found one here and um this is kind of a well-known bug in the tns listener now the point of this exercise is not necessarily for you to go out and execute this hack or slash audit on your system but it's really to illustrate the methodology by which you would audit your systems now typically what we're going to do is we're going to go in and we'll run a vulnerability scanner and we'll find out where our gaps are and then if we wanted to do some level of pen testing that's where we would look for potential available exploits and use a tool maybe such as metasploit to either passively or actively exploited vulnerability now this 11202 installation in its current version has a known exploit that's defined here in the exploit-db database and so it many times they will show you how to do a proof of concept on the exploit so I've downloaded and compiled some of the proof of concept code code for the exploit there are several python files here and what this is is this is an exploit that sets up a proxy listener and will send some binary contents out to the listener in an attempt to inject and potentially you know gain control over the database so now we're going to round out this session and we will talk through locking down and hardening the oracle database so we've talked through the installation process we've talked about the oracle database security architecture we've even talked about how you would go about exploiting the database and so we round this out with a discussion around best practices for hardening our oracle database instances.
Now as i mentioned initially the listener serves as the front door to the database so the first thing we need to do is lock the front door and metaphorically speaking that can mean a lot of different things when it comes to the listener one of the first things that we'll do here is to set up a password for the listener and i'll show you how to do that alright so we'll run the change underscore password command from a listener ctl prompt and we've verified that that parameter file has been modified now notice it created a backup file and also when we look at the contents of the file you'll see that the password that we entered has been encrypted hashed we certainly would not want that variable to be set up in clear text and you know as a penetration tester slash security assessor i see more times than
not scenarios where you have text files with unencrypted passwords so let's go ahead and navigate into that configuration file and what i want to do is i want to check for the password make sure that it's been set in the listener ora and not only make sure that it's been set but make sure that it's been encrypted slash hashed as i mentioned there are two versions of the file we want to look at the the new version the old version has a dot back extension when we look at the old version we should see that there are no passwords set I need to do that with the correct privileges okay so no password set
and that's just what we expect so now we'll exit the listener.back and we'll enter the new listener.ora and validate that there has been an encrypted password set for the new version of the listener all right so we navigate down to the bottom and you can see added by tns listener passwords underscore listener and then we see our hash password information so it has indeed been added so now this is not the only way to configure the listener there are additional controls or locks that we can put on the front door of the database specific to authentication and ip address parameters so let's explore some of those as well and also keep in mind that some of these controls that we're implementing only affect remote requests which is where the notion of defense and depth comes into play anyone that has local operating system access can leverage that as a stepping stone to access the database so we've navigated back into the listener.ora file and there are additional parameters that we can add that can further lock down the listener so we've added some administrative restrictions to make sure
that administrative commands can only be executed locally so you can also see here that from a security configuration standpoint we have password or local os authentication set all right next we'll go ahead and enable tcp valid node checking and this is where we're going to implement some firewall type settings and rules to make sure that only certain hosts can connect to our listener so if you think about this for a minute in a typical database implementation you're probably going to have an app server which might be in a dmz or elsewhere and it's likely that we only want that app server or the ip addresses of a few app servers maybe that are load balanced to be able to access the database you may also want some dbas to be able to access it using tools such as toad if that's the case you'll need to add those addresses accordingly when we set up this configuration and we can set this up as a whitelist type configuration or a blacklist type configuration for tcp node checking so depending upon the version of the oracle database that you're running this would be configured in sqlnet.org as opposed to protocol.org so you can see that here in the sqlnet.ora i've enabled valid node checking
and that i have an excluded node and i've just put an ip address that's not relevant here but this is more of a blacklist configuration we could set this up as included nodes and just define the machines that we want to have access so the sqlnet.ora is in the network directory of the oracle home installation
so we'll use nano control o to write that out so we've locked the front door now that we've locked the front door we want to make sure that we walk around the house and that we close off or shut any windows that might be open and you can kind of think of windows in this analogy as services right
there are maybe certain services that the database is running that are not necessary for our purposes and the xml database is a prime example for what i'm doing just simple table access and i'm not using the xml database I don't need it so i would like to reduce my attack surface and i can do that by modifying the init oracle.ora file and i'm doing a search here for dispatchers you can see that the oracle xdb service is advertised we can comment that out and make sure that that service is no longer advertised by the database so in order for that parameter to take effect we want to and we'll need to shut down the database and restart it all right so we modified the configuration not only well you can't comment it out you actually have to delete it all together so now that we've deleted that in the configuration altogether you can see that the xml database is no longer advertised and it's no longer available so another area where we can lock down the database is network communications and in particular we can enable encryption but the capability to encrypt network traffic for the oracle database is only available in the enterprise edition of the database and so we're running the express edition so we do not have that available to us if you had an enterprise edition version of the database you would run the net configuration assistant or netca and that's where you would configure network encryption over tls ssl for your database connections so we've looked at securing the tns listener we've also looked at locking down some of the advertised services that the listener can show us or advertise the next step is to go into the database itself and protect or either remove some of these accounts that have been installed by default and remember our goal here is to reduce our attack surface so we do a query we can see that we have as we saw before quite a few users that are created by default some of these may or may not be necessary depending upon what we're using the database for so now that we have the list of users really the next thing we want to do is to find users that have predefined passwords or default passwords because if we have users with default passwords then obviously an attacker can connect with those accounts just using the default values which is not a good security practice so we'll do a select from dba underscore users with defined password you can see that there's quite a few there are 22 users that have predefined passwords so I would call that problematic at the very least so we're not going to go through right now and modify every one of them but I do want to show you how to pick one of these out and how to modify it accordingly so here's the process that we'll use to go about changing their passwords we'll issue an alter user and we're going to pick the xml database.
Here again identified by whatever password we want to use you should use a secure one now the oracle database does not like special characters so uppercase lowercase alphanumeric some combination thereof all right so we've changed that user's default password and you would want to repeat this process for all other users that have been identified with default passwords now as a matter of best practice you can use the same or the different passwords for this the dba accounts such as cis system sysman and others but it's actually recommended that you use different passwords for those accounts and for that matter ideally you don't have people logging into cis because you can't really audit the individuals that are using the account if you have more than one dba all right next we're going to shift our focus over to database user accounts we run the query we can see that there's a good deal of information here it's not necessarily formatted very well and we could format the columns differently and i'll do that here so you can see the default tablespace for these users as well as some other information we have 49 of them you can also see that scott user that i created earlier now many of these accounts are locked by default and you saw that by virtue of the column the locked column and the stars and the locked columns so that's great but some of them are not and we may want to lock them so as we continue to pick on our xdb account we'll go ahead and lock it we've turned off the advertising of the service through the listener so why not go ahead and lock the account out as well we're not using the xml database anyway so this is just a further security control that we can implement to make sure that that service isn't utilized or compromised in any way some of the other things we want to do when paying attention to account security is set parameters such as max failed login attempts and other parameters specific to account security now you can do this at a global level in the configuration files we can also create what's called profiles to set up these types of parameters for groups of users it's similar to a group but the profile is really just a common set of configurations um some of them security oriented for a user so i've created a profile named strong security profile with limit password lifetime of 30 days and so any user that I add to that profile we'll now inherit that security configuration so we created a user fred we added him to the strong security profile so by virtue of the profile association his password lifetime is 30 days.