Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: oracle

[Defcon] Hacking Oracle From Web Apps

Hacking Oracle From Web Apps – Sumit Siddharth

Exploitation techniques for exploit SQL Injection attacks on Web Applications with Oracle databases

Because it’s Defcon… and we love SQL Injection!

No free tools for hacking Oracle Databases from the web

  • Even commercial tools like Pangolin have outdated techniques

Oracle Privileges

Oracle comes with a number of default packages. This has reduced a lot with the latest 11g release

By default these packages run with the privileges of the definer

This can be changed to the caller of the function, but must be set in the function/procedure (AUTHID CURRENT_USER)

Owning from the network is easy

  • Enumerate SID
  • Enumerate common users
  • Connect to the Oracle DB
  • Exploit SQL Injection in a procedure owned by SYS
  • Become DBS
  • Execute OS Code

Demonstrated by Chris Gates last year using a number of Metasploit plugins

In Oracle there are 2 classes of Injection

  • PL/SQL
  • SQL
    • Limited
    • Doesn’t allow chained statements

OS Code execution is also not as simple as it is in Microsoft SQL Server

PL/SQL Injection

  • Injection in Anonymous PL/SQL Block
  • No Restriction
  • Execute DDL/DML

SQL

  • Common SQL Injection
  • Limited capabilities
  • No chained statements

eExploitating PL/SQL Injection

Using David Litchfield’s exploit from Blackhat DC 2010 –> Enable JAVA IO Permissions

OS Command Injection can then be obtained by calling a JAVA function (DBMS_JAVA_TEST) and calling a command on the local system

Exploiting SQL Injection

This could mean many thing… do you want data from the DB or a shell –> depends on the goals of a test/attacker

Extraction of Data

  • Error Messages Enabled
  • Error Messages Disabled
    • Union Query
    • Blind injection
    • Time delay / Heavy queries
    • Out-of-band channels
  • Privilege escalation
  • OS Command Execution

Is your SQL Injection Privileged or unprivileged?

Are you executing with DBA privileges or something else

  • Privileged SQL Injection
    • Happens more often when the application connects to a database with DBA privs
    • SQL Injection is in a procedure owned by the DBA (regardless of the connection string)
  • Unprivileged SQL Injection

To exploit the Os we need Functions executable by public and vulnerable to :

  • PL/SQL Injection
  • Allows PL/SQL execution as a feature
  • Buffer overflow

There are a few functions known but the exploit is not publicly available

e.g. DBMS_JAVA_TEST (10g) buffer overflow

Of those known the following are popular:

  • DBMS_EXPORT_EXTENSION
  • GET_DOMAIN_INDEX_TABLES()
    • Function vulnerable to PL/SQL Injection
    • Runs with definer (SYS) privileges
    • Allows privilege escalation
    • OS Command Execution

Privileges needed to execute code on the OS

  • DBA Privileges
  • JAVA IO Privileges

Versions prior to CPU April 2006 there are a number of exploits in Pangolin and CoreImpact

Functions to execute code on the OS

  • DBMS_JAVA.RUNJAVA()
  • DBMS_JAVA_TEST.FUNCALL()

These take an Oracle class as input and cannot be executed without JAVA IO Privileges.

DBA can grant himself the required privileges, however even without he can use the SYS.KUPP$PROC.CREATE.MASTER_PROCESS() function on 10g/11g to execute code on the remote OS.

Bsqlbf 2.6

Supports these new attack types and can be downloaded from Google Code.

Includes the ability to upload and execute a Metasploit payload through these vulnerabilities

Supports JAVA IO and DBA execution as required

Has a cleanup mode for nice penetration testers 😉

Non-interactive second order injections

Even if a field is not injectable it could be that the code is executed if for example, an administrator views the injected code through a second vulnerable application (for example a logging tool, or administration screen).

The malicious user will never see the response however, as the secondary user is running the injection. This means any output will be returned to the secondary user and not the malicious user.

Another possible scenario is a trigger or automated nightly process that acts on the injected code when run.

So how can we make these non-interactive attack vectors interactive ?

Encode and upload a binary (Metasploit payload) to the remote server and wait for the secondary user/process to trigger the exploit –> Shell –> WIN

webraider tool implements this style of attack to upload a Metasploit module

You’ve been hacked… so what?

PCI compliance mandates the card data must be stored encrypted –> So the output is encrypted

PCI doesn’t specific if the encryption happens at the DB or App level

If it’s at the DB level, then the App decrypts the data when requesting –> Passing the encryption key means an attacker could extract them

  • v$sql table logs statistics on shared SQL area
  • Typically stores last 500 queries –> including the encryption details


Links:

Advertisements

Blackhat Europe: Oracle, Interrupted: Stealing Sessions and Credentials

Oracle, Interrupted: Stealing Sessions and Credentials (Steve Ocepak & Wendel G. Henrique)

Abstract (source: Blackhat.com)

In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext.

Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, released at Black Hat Europe, the team will demonstrate how deadly injection attacks can be to database security.

Talk Abstract –> Oracle, Interrupted: Stealing Sessions and Credentials

Speaker Bio –> Steve Ocepek, Wendel G. Henrique

Thicknet demo

40,000 foot view of what the talk is about.

What is vamp ?

  • arpspoof is getting a bit old, hard to compile with new version of libdnet
  • Need something to use with thicknet
  • Stateful – i.e. new hosts can join the fun
  • Cross-platform: libdnet, libpcap / winpcap, libev

What is Ticknet ?

An injection tool that listens for database queries, and then alters it to perform actions as designated by an attacker.

Password not required, as the session is already authenticated.

Vamp, Arp Poisoning and you

  • Most reliable way to get data about local network
  • Injection opens up a whole category of attacks
  • Good way to find important services
  • It was very cool in the 80’s

The ARP protocol is old.

Arpspoof is also old, hard to compile with new version of libdnet

Vamp improves on this by being stateful and cross-platform (based on the updated libraries)

Don’t worry though…. ARP will disappear when we start using IPv6 (next week right?)

Hot Session Injection

Ettercap can do this, to a certain degree

  • In connections view (curses or GTK), select TCP connection
  • Can inject file or ASCII characters
  • I had limited success, not a commonly-used feature
  • Etterfilter also an option, but is not session aware

This allows modification of sessions / or to take-over the whole session. This session can be kept open as long as needed.

Injection

  • Two types: packet modification and takeover
  • Packet modification
    • UNC Injection attack works this way
    • Also downgrade attacks
  • Takeover
    • Allows sending of arbitrary packets into the session
    • Issue asynchronous SQL queries, etc..

Modification

  • Monitor for pattern
  • Modify according to logic (replace string, change bytes, …)

Takeover

  • Inject data asynchronously
  • Requires taking over the session completely (original client is disconnected)
  • Gathering a sled helps to ensure we get this right
  • This is all reliant on data layer as well…

Understanding Oracle Queries

TNS – Net8

  • TNS – Transparent Network Substrate
    • Fairly simple, well-known
    • Wireshark decoder exists
    • Purpose is to encapsulate a variety of higher-layer protocols
  • Net8 – Used by Oracle to issue queries, sits on top of TNS
    • Not well known or documented
    • Specification is available, requires contract and $$$
    • No Wireshark decoder

TNS protocol has a lot of fields…. a lot are just 0x000 (at least that’s what was see in testing)

Net8 – 3 types of messages seen frequently

  • User-to-Server, Net8 Bundle call 0x03 0x5E
  • Piggyback call 0x11E
  • User-to-Server, Fetch 0x03 0x5E

Why wait for a SELECT request from the host and change it…. we want to send data now.

This is where SLED packets come into play.

A SLED packet is something that contains predictable data and does something similar to what we want to do. SELECT queries are great examples. Once identified, a thicknet sled consists of IP Layer, TCP Layer, DATA

Injection time!

The attacker now owns the session, so he needs to maintain it accordingly (ACK packets, etc…)

The client currently gets kicked out of the session

Thicknet tool

  • Proof of concept sled based injection, downgrade
  • Modular, can be expanded to use other protocols
  • Oracle protocol implementation
    • Extensions can be made in the future – MySQL, SMB, MSSQL

If this attack can work for Oracle, why can’t it work for other protocols and services (Samba for example)

Downgrading for credentials

Demo –> MitM attack to grab the password hash in transit between the client and server (after downgrading the authentication)

By performing this kind of downgrading attack it is possible to brute-force crack the password hash using tools like woraauthbf.

Sometimes Oracle isn’t listening on the standard 1521/TCP. This can cause issues with the downgrading attack. This can be overcome by perform pattern matching on packet content to discover the required packets regardless of the port being used.

Using this kind of matching it’s also possible to intercept disconnection requests from the client to the server, and silently drop then (replying with a spoofed response to the client). This will fool the client into closing the session but leave it open for an attacker to continue to use.

Goal: To downgrade the Oracle authentication to the weakest algorithm and password hash. In this case the goal is to downgrade to the hash format used in Oracle 8i, DES (Data Encryption Standard).

The first downgrade attack was released by László Tóth. However the attack was aimed at JDBC connections and doesn’t appear to work on newer Oracle instances with upgrade JDBC (i.e. 11.2.0.1.0).

The JDBC downgrade attack is still valid with older versions of the client. By altering 1 bit, the old 8i authentication takes place. To prevent this from failing, checks are made in the thicknet tool to check the JDBC version in use to ensure it’s vulnerable before performing the downgrade.

InstantClient appears not to be vulnerable to this downgrading attack. When attempting, the connection between the client and server fails. One possible attack is to reply to the user as an Oracle 8i server and harvest the information required. The user will then need to retry connection, at which point the MitM will not attempt y downgrade and the user can then connect.

FullClient doesn’t always respond to this previous method.

  • It works against the Oracle full client 9.2.0.6.
  • Crashes and consequently fails with Oracle full client 10.1.0.2 (possible heap overflow).
  • An exception happens with Oracle full client 11.1.0.7 which causes the connection to terminate.

The Thicknet program can detect the version of full client in use, and if a method is supported, it is automatically selected. However, neither of these methods is supported in Windows….

So is Windows immune?

  • During negotiation there are a few bytes used to define the acceptable protocol version.
  • The client offers different options and the server answers with the highest supported value (0x06).
  • During all our tests, all servers always responded with 0x06, as all clients tested always offer the same six options: 0x06, 0x05, 0x04, 0x03, 0x02 and 0x01.
  • Downgrading at this stage is very easy, we will just replace these values with 0x05, 0x05, 0x04, 0x03, 0x02 and 0x01.
  • Note we are not sending 0x06 as an option anymore;
  • consequently we are sending 0x05 two times.

This means that the server will respond with a 0x05 and the downgrade will happen automatically.

NTLM Downgrade

Similar to the previous downgrade, by changing a bit in the connection request it is possible to downgrade the connection to older LANMAN hashes. These passwords can be recovered using HALF-LM rainbow tables freely available.

Due to lack of time this area was only covered in brief –> please see the whitepaper for full information (link below)

Additional Links

For more information please see the Blackhat Europe website