Scribd
Upload
61 views40 pages

Oracle Database Security: Identifying Yourself in The Database

Oracle Database Security: Identifying Yourself In The Database

Uploaded by

Djeloul Algiers
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
61 views40 pages

Oracle Database Security: Identifying Yourself in The Database

Oracle Database Security: Identifying Yourself In The Database

Uploaded by

Djeloul Algiers
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 40

Oracle Database Security

Identifying Yourself In The Database

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 1
Legal Notice
Oracle Database Security Presentation
Published by
PeteFinnigan.com Limited
9 Beech Grove
Acomb
York
England, YO26 5LD

C
Copyright
i ht © 2012 b
by P
PeteFinnigan.com
t Fi i Li
Limited
it d

No part of this publication may be stored in a retrieval system, reproduced or transmitted in any form by any means, electronic, mechanical, photocopying,
scanning, recording, or otherwise except as permitted by local statutory law, without the prior written permission of the publisher. In particular this material may
not be used to provide training or presentations of any type or method. This material may not be translated into any other language or used in any translated
form to provide training or presentations.
presentations Requests for permission should be addressed to the above registered address of PeteFinnigan
PeteFinnigan.comcom Limited in writing
writing.

Limit of Liability / Disclaimer of warranty. This information contained in this material is distributed on an “as-is” basis without warranty.
Whilst every precaution has been taken in the preparation of this material, neither the author nor the publisher shall have any liability to any person or entity
with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions or guidance contained within this course.

TradeMarks. Many of the designations used by manufacturers and resellers to distinguish their products are claimed as trademarks. Linux is a trademark of
Linus Torvalds, Oracle is a trademark of Oracle Corporation. All other trademarks are the property of their respective owners. All other product names or
services identified throughout the material are used in an editorial fashion only and for the benefit of such companies with no intention of infringement of
the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this material.

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 2
Agenda

• What is “identity theft


• Identity at the database level
• Accountability
• Database Identity spoofing
• Detecting spoofing
• Preventing g identity
y theft in the database

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 3
Identity Theft
• 54,100,000 results in Google search for “Identity Theft”!
• Identity theft is a crime!
• Someone pretends to be someone else and uses their
identity
• First coined in 1964 – So an “old issue”
• Usually to gain access to someone else’s resources or to
gain benefits as someone else

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 4
Identity Theft In the Database
• Not really the same as in the news? ... but really it is
• Someone could pretend to be a DBA
• Someone could pretend to be a business user
• Someone could steal or gain access to someone else’s
resources or credit
• For example: “I could as an employee of a company
apply for a loan in someone else’s name and then
channel the payout check to my house but make sure
the original
g victim makes the payments
p y everyy month”
• It is also a “database” level issue not just a “people” level
issue, people use databases
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 5
Database Accountability
• What sort of accountability is possible in the database?
• Core Audit
• Fine Grained Audit (FGA)
• Trigger based audit for DML
• System triggers
• Redo / streams / CDC
• Listener logging
gg g
• SYSDBA core audit
• SYSDBA trace
• Application trace
• ...
• Lots of possibilities / Correlation also possible
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 6
Accountability / Identity?
• As you may have guessed; accountability is not useful
without “identity”
• Accountability is making sure each persons actions are
accountable to them
• Theft or masquerading is possible if you can be
someone else in the database
• In
I other
th wordsd llett the
th ddatabase
t b thi
think
k you are someone
else
• Knowing the masquerade took place is not possible
without accountability or “Audit” or at least very transient
session data
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 7
Default Situation in the database NOW
• Simple core audit in 10gR2, 11gR1 / R2
• Listener log – turned on by default in 10 and11g
• Core SYSDBA connection audit is on by default
• Trace files on Unix
• Event Log entries on Windows
• Redo Logs always available; not necessarily archivea
• But these features are not accountability – to achieve
that we need:
• A log or Audit or trace With
• Attribution back to real people
• In other words a complete solution
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 8
What is Actually Available?
• On the surface:
• 9i – No real accountability – not supported anyway!!
• 10g
10 – incredibly
i dibl lilimited
it d
• 11g Slightly better but only because of Audit vault
• Actual accountability when layered onto audit is not good
• Limited session values
• Not all of the session is written to the audit trail anyway
• Possible to write session values but we must do it manually
• What is possible if we use core audit features?
• Th message:- “Audit
The “A dit and d accountability
t bilit is
i our job;
j b We
W mustt
design it like any other feature of our systems”

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 9
Higher Level Summary Of Now
• General lack of accountability in the database
• Some audit by default – situation is changing
• Oracle identity products (don’t see many using), secerno..
• No standard reports (audit)
• No audit management built in
• Changing now dbms_audit_mgmt is here but again basic
• Supports archive/purge/clean
• Moving in right direction but maybe because of audit vault?
• No Privileged audit by default
• If audit is enabled then some better options for
accountability y exits
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 10
Can correlate records –
i this
in hi case using
i time
i
Example – Listener Log
This is the only place
we have
h th
the ffullll client
li t
• A number of possible log entry formats “program” “path/name”
• 11gR1 has XML log as well
• V
Very Li
Limited
it d d
details
t il – database
d t b user nott always
l shown
h
C:\>sqlplus system/oracle1@ora11gpe
...{gives}...
{ i }
24-NOV-2012 16:11:49 *
(CONNECT DATA=(SERVER=DEDICATED)(SERVICE N
(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_N
AME=ora11gpe)(CID=(PROGRAM=C:\odc\product\
11.1.0\client_1\sqlplus.exe)(HOST=ORACLE-
q p
HACK-BOX)(USER=Pete))) *
(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PO
RT=7240)) * establish * ora11gpe * 0
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 11
A lot of details but not that many useful
details for accountability directly

SQL id’s may be useful if used in a session


Session Details
Rows removed to make it fit on one slide
SQL> exec print_table('select * from v$session where sid = (select distinct
sid from v$mystat)');
AUDSID : 1852215
USERNAME : SYSTEM
SCHEMANAME : SYSTEM
OSUSER : Pete
MACHINE : WORKGROUP\ORACLE-HACK-BOX
TERMINAL : ORACLE-HACK-BOX
PROGRAM : sqlplus.exe
TYPE : USER
SQL_EXEC_START : 24-nov-2012 17:01:52
MODULE : SQL*Plus
ACTION :
CLIENT INFO
CLIENT_INFO :
LOGON_TIME : 24-nov-2012 16:11:49
CLIENT_IDENTIFIER :
_
SERVICE_NAME : ora11gpe

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 12
Session Details Using SYS_CONTEXT
SQL> @check_2 SYS_CONTEXT is a
User :SYSTEM convenience for selecting
Username :SYSTEM
session values.
C
Current
t UUser :SYSTEM
SYSTEM
Session User :SYSTEM
Most values can be
Proxy User :
Action :
selected from v$session
SessionID :1852215 anyway.
Client Identifier :
Client Info : BUT SOME like IP Address
Entry ID : are nott directly
di tl available
il bl
Host :WORKGROUP\ORACLE-HACK-BOX
IP Address :127.0.0.1
M d l
Module :SQL*Plus
SQL*Pl
Terminal :ORACLE-HACK-BOX
OS User :Pete
--------------------------------

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 13
I will p
put this on my
y site

Check_2.sql – For Information

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 14
Audit is set to the “DB” as default; OS user is in
spare1,
Privilege used and action# can be converted or
Core Audit in AUD$ DBA_AUDIT_TRAIL used instead
y is striking!!!
The stark lack of accountability g

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 15
These trace files are written
to the OS because audit
SYSDBA Trace cannot be written for
database startup and
shutdown to the database
• Fixed format trace files
Also helps with separation
• Core trace cannot be turned off
• Records user, os user, terminal etc
• Not many people in my experience look at them
• Files cycle based on PID (on Unix) – performance bugs
on some platforms
• SYSDBA trace – audit_sys_operations – can be written
here also

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 16
Other Sources of Data
• The Alert Log contains information at the system level
• Trace files can include:
• Action
• Module
• Cli t ID
Client_ID
• Session ID
• And of course data in the form of binds or in static SQL
• Structure in the form of table and code

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 17
The SID and SERIAL
are not preserved in
Other Sources Of Data (2) the audit trail

We could save them


SQL> alter session set events '10046 trace name context forever, level 12';
with a logon trigger
Session altered.
...
SQL alter
SQL> lt session
i set
t events
t '10046 t t Time
trace name context based correlation
t off';
ff'
Session altered. can be used.

*** 2012-11-24 19:50:53.116


*** SESSION ID:(142.347) 2012-11-24 19:50:53.116
*** CLIENT ID:() 2012-11-24 19:50:53.116
*** SERVICE NAME:(ora11gpe)
gp 2012-11-24 19:50:53.116
*** MODULE NAME:(SQL*Plus) 2012-11-24 19:50:53.116
*** ACTION NAME:() 2012-11-24 19:50:53.116
SQL> exec print_table('select
i bl (' l * from
f v$session
$ i where
h sid=(select
id ( l di
distinct
i sid
id from
f v$mystat)');
$ )')
SADDR : 2F0E3D30
SID : 142
SERIAL# : 347
AUDSID : 1852215

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 18
Issues And Discrepancies
• Obvious things are missing in the Core Audit
• Action, Module
• Program
• Sid, Serial
• Some things are there though
• Session value can be used to correlate to other audit
• SESSIONID, AUDSID
• There is a lack of depth to identity; very little to go on
• What is obvious is that we need to use alternate audit to get
more details
• Some detail is only available in the comment text of the audit trail

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 19
Customising Identity
• We can customise identity
• Interestingly after logon and during logon (depending on
the API used)
• Client Info can be set
• Cli t identifier
Client id tifi can be
b sett
• Module can be set
• Action can be set
• Custom contexts can be created
• We can use data values
• Indeed we can use anything selectable from the database
• Customising before logon seems better... BUT....

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 20
Customising Identity Example
SQL> select client_identifier from v$session
2 where sid=(select distinct sid from v$mystat);

CLIENT_IDENTIFIER
-------------------------------------------------------------

SQL> exec dbms_session.set_identifier('Hack the planet!');

PL/SQL procedure successfully completed.


SQL> select
l t client_identifier
li t id tifi f
from v$session
$ i
2 where sid=(select distinct sid from v$mystat);

CLIENT_IDENTIFIER
CLIENT IDENTIFIER
----------------------------------------------------------------
Hack the planet!

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 21
Customising Identity Example (2)
SQL> select sys_context('USERENV','SESSIONID') from dual;

SYS_CONTEXT('USERENV','SESSIONID')
---------------------------------------------------------------
1854567

SQL> alter user orascan identified by orascan;

User altered.
SQL> select
l t client_id
li t id from
f db
dba_audit_trail
dit t il
2 where sessionid=1854567;

CLIENT_ID
CLIENT ID
--------------------------------------------------

Hack the planet!

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 22
Customising Identity
• The other main session values that can be customised
easily through the SQL Interface are
• Action –
DBMS_APPLICATION_INFO.SET_ACTION(‘Action
Name )
Name’)
• Module –
DBMS_APPLICATION_INFO.SET_MODULE(‘Module (
Name’,’Action Name’)
• Client Info –
DBMS_APPLICATION_INFO.SET_CLIENT_INFO(‘Client
Info Text’);
• BUT;
BUT ththese d do nott permeate
t tto th
the C
Core A
Audit
dit ttrail
il
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 23
Core Audit
• Core audit from an identity point of view doesn’t provide
enough – recurring message !!!
• We need to provide the additional information ourselves
• Like lots of data security implementation tasks it is the
customers job to design and implement the security
• This includes technical security controls
• Audit trail design and reports
• Identity requirements
• We have limited options
p though
g with jjust core audit
• Just like designing screens, tables, views we have to
design security as well
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 24
Application Contexts/ Secure App Roles
• Often used for controlling access and for controlling
policies in VPD, FGA, LBAC, Audit
• The context or the role often provides additional security
BUT often uses core values to control its enablement
Create role my_role using orablog.role_admin;
...
If(sys_context(‘USERENV’,’IP_ADDRESS’) = 192.168.254.2) then
dbms_session.set_role(‘MY_ROLE’);
....

Create context my_con using orablog.init_con;


...
If(sys_context(‘USERENV’,’PROGRAM’)=‘sqlplus’) then
dbms session set context(‘MY
dbms_session.set_context( MY_CON
CON’,’app
app_role
role’,’Manager’);
Manager );
...
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 25
The Bad News!
• Almost all context/session values can be spoofed either
in
• The session
• Sys_context
• AUD$
• Trace files
• Listener logs
g
• ...
• Some things are easy to spoof
• Identifier – DBMS_SESSION
• Module, Action, Info – DBMS_APPLICATION_INFO

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 26
Spoofing
• Some a little harder, but not much
SQL> alter session set current_schema = scott;
Session altered
altered.
SQL> select schemaname from v$session
2 where sid=(select distinct sid from v$mystat);

SCHEMANAME
------------------------------
SCOTT

SQL> select sys_context('USERENV','CURRENT_SCHEMA') from dual;

SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
---------------------------------------------------------------
SCOTT
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 27
Other ways to do this on patched
d b
databases
Spoofing (2)
• Some even harder (needs privileges) – works on un-
patched 11.1.0.6 (and other un-patched versions) – as a
user with
ith IMP
IMP_FULL_DATABASE
FULL DATABASE
SQL> connect importer/importer@ora11gpe
Connected.
SQL> @check
USER USERNAME CURR SESS SCHEM
---------- ---------- ---------- ---------- --------
IMPORTER IMPORTER IMPORTER IMPORTER IMPORTER

SQL> exec sys.kupp$proc.change_user('SYS');


BEGIN sys.kupp$proc.change_user('SYS'); END;
SQL> @check
USER USERNAME CURR SESS SCHEM
---------- ---------- ---------- ---------- --------
SYS SYS SYS SYS SYS
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 28
Spoofing (3)
• Most of the rest of the fields need programming skills to spoof
or use of a network proxy where relevant
• It has
h been
b written
itt ththatt th
the only
l values
l iin session,
i AUD$ and
d
FGA_LOG$ that are completely reliable are the database
USERNAME – http://www.integrigy.com/security-
US p // eg gy co /secu y
resources/analysis/Integrigy_Spoofing_Oracle_Session_Infor
mation.pdf
• As we saw this is not true because BECOME USER can be
used on non-patched systems BUT can be audited
• IP address is harder to spoof but not impossible
• JDBC is the easiest to use to spoof values
• OCI is harder and has less flexibility
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 29
Spoofing (4)
• Most of the core values such as
• OS User
• Process ID
• Terminal
• Program
• Machine
• Can be spoofed easily using a thin Java client
• Therefore they are not reliable to specify identity

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 30
Spoofing (5)
C:\>java DBC jdbc:oracle:thin:@127.0.0.1:1521:ora11gpe orascan orascan 1 0

SQL*Client : Version 0.1 Very Alpha

Copyright (c) 2012 PeteFinnigan.com Limited All Rights Reserved

SQL> set program "My


My Client"
Client ;
SQL> set osuser "Oracle" ;
SQL> connect ;
...
SQL> exec print_table('select osuser,module,program from v$session where
audsid=1856376');
OSUSER : Oracle
MODULE : My Client
PROGRAM : My Client
-----------------

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 31
Spoofing (6)
SQL> select spare1 from sys.aud$ where sessionid=1856376;

SPARE1
--------------------------------------------------------------
Oracle

SQL>

• The only values making it through to the audit trail is OS


USER – sett here
h to
t “Oracle”
“O l ” and d held
h ld iin S
Spare 1
• With the 11.2 JDBC driver it can be started with a
property –Doracle.jdbc.v$session.osuser=...
Doracle jdbc v$session osuser=

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 32
Spoofing (7)
• Even dates can be spoofed by setting the initialisation
parameter fixed_date
• This can be set with ALTER SYSTEM
• The session would show the same date/time always
• The Audit trail will show the same date/time
• The logon would also show the same date time
• If audit were enabled on ALTER SYSTEM this would be
caught
• Or the hacker can change dates when he wishes

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 33
Spoofing Summary
• A small set of values can be spoofed easily via Java
• Other customisable values are easier to spoof with any
client
• Security (Logon Triggers, FGA policies, VPD, OLS,
Secure Contexts, Secure Application roles...) often rely
on session values
• Session
S i values
l are often
ft central
t l tto security
it
• These values cannot be trusted, therefore security is
compromised as are audit trails (potentially)

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 34
Solutions?
• Each client needs to set a unique value(s) to specify identity
• Don’t control via spoofable values or at least not a set of spoofable
values
• Use application level data? – issues?
• Proxy
y users currentlyy cannot be spoofed
p – so use them
• Maybe use a handshake approach
• Ask the database for a unique value
• Process it – encrypt / hash / PKI – (no simple PKI in PL/SQL
available, can be done in Java or C)
• Send it to the database as client_id
client id
• Database can “know” the real value
• Issues – predictable?, interceptable?
• It’s a hard issue to solve
© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 35
Can We Detect Spoofing?
• The “Pinnacle” – detect spoofing?
• It is not easy BUT “no one” in real terms is probably spoofing your
database
database..........OR
OR are they? – would you know
• If anyone did spoof you well; they would take whatever they needed
from your databases
• Detecting:
• Check all records in a session for changed values in that
session
• some values will be set after logon – CLIENT ID
• Some actions will be detected if audited – BECOME USER
• Time analysis
• Usage analysis – resource effort profile – anomalies?

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 36
Conclusions
• Spoofing of session values is easy even without extra
access
• Spoofing of application or unique values is only easy if
access is available via other users
• Layered design seems sensible
• Layered controls
• Layered Audit
• Don’t rely on core session values
• Correlate different sources
• Correct the basics first
• Reduce access to the database and data

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 37
Questions?

Any Final Questions?

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 38
References
• Steve Kost – “Spoofing Oracle Session Information” -
http://www.integrigy.com/security-
resources/analysis/Integrigy_Spoofing_Oracle_Session_Information.pdf -
2006
• Pete Finnigan –
http://www.petefinnigan.com/weblog/archives/00001313.htm
p p g g - March 2012
• Pete Finnigan -
http://www.petefinnigan.com/weblog/archives/00000064.htm November
2004
• Pete Finnigan -
http://www.petefinnigan.com/weblog/archives/00001275.htm October 2009
• Pete Finnigan – fixed date - http://www.pentest.co.uk/documents/fixed-
http://www pentest co uk/documents/fixed-
date.htm October 2001

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 39
Oracle Database Security
Identifying Yourself In The Database

© Copyright 2012 PeteFinnigan.com Limited. All rights reserved. Tel 0044 (0) 7759277220, http://www.petefinnigan.com 40

You might also like