+TetCon.2013_Hacking.Oracle.2012.pdf

Transcript

1. HACKING  ORACLE  @2012   K4i@HVA  

2. SELECT * FROM v$me! § Phạm Tùng Dương (K4i) § R&D Engineer

   @FPT Telecom § 3+ years experience in Oracle Database (auditing and security) § OSS evangelist § Emaill: [email protected] § Interested in: Applied Cryptography | Database Security | Source Code Auditing

3. Overview   1.  The DBA Dilemma :-s 2.  The good,

   the bad and the ugly. 3.  The first story (CVE-2012-1675) 4.  The second story (CVE-2012-1675) 5.  Which way will we go? (Lối đi nào cho em)

4. The  DBA  Dilemmas   Are you truly UNBREAKABLE???

5. The  DBA  Dilemmas   Is it EASY to UPDATE my

   system?

6. The  DBA  Dilemmas   DOWNTIME = ???

7. The  DBA  Dilemmas   myMoney  =  myInformation   Where_r_u  (myInformation)

              =  Oracle  

8. The  good,  the  bad  and  the  ugly   Oracle security

   2012 perspectives: 1.  The good: found vulns is the least among 3 years (2010, 2011, 2012)

9. The  good,  the  bad  and  the  ugly   2. The

   bad: 3 critical bug cannot be FIXED. Work-around, plz SCN bug was not fixed TNS poisoning was not fixed Stealth Password Cracking

10. The  good,  the  bad  and  the  ugly   3. The

    Ugly: Bad communication. Unwilling to fix problems Customer is guilty for not fixing issues

11. To be continue…

12. First  story   § Codename: CVE-2012-1675 (aka:TNS Listener Poison Attack) § Affected

    version: 10gR2, 11gR1 and 11gR2 § 4-year 0day. § Author: Joxean Koret

13. First  story   § …“Ngày 30/04 vừa qua, Oracle đã đưa

    ra thông báo đặc biệt hướng dẫn các cách khắc phục tạm thời (work-around) về lỗi bảo mật CVE-2012-1675 hay còn gọi là lỗi TNS Listener Poison Attack. Đây là một lỗi bảo mật cực kì nghiêm trọng cho phép các hacker có thể can thiệp từ xa vào luồng dữ liệu trao đổi giữa client và các máy chủ cơ sở dữ liệu Oracle mà không cần đến bất kì một cơ chế xác thực nào. “… HVA News

14. TNS  Listener  and  remote  instance   registering  process   § 

    Client -> Server: CONNECT §  Client <- Server: ACCEPT §  Client -> Server: information needs to be registered §  Client <- Server: OK. Registered successfully. ⇒  What happen? No Authentication, man ⇒  What happen if two instances with same name are registered with a LISTENER

15. ExploitaLon  

16. PoC  

17. MiLgaLon   § COST (Class of Secure Transport) §  DocID: 1453883.1

    for Standalone instance. §  DocID: 1340831.1 for RAC instances

18. The  second  story   § Codename: CVE-2012-3137 (aka: Stealth password cracking)

    § Affected version: 11gR1, 11gR2 § Author: Esteban Martinez Fayo (teamSHATTER)

19. Strange  behaviour   § The account is locked after a number

    of password guessing attempts which is greater than configured paramter § With a wrong password, ORA-1017 is returned immediately without sending password to server! => Assumption: The correct password was sent to client in a encrypted way.

20. O5Logon  protocol  

21. O5Logon  protocol   § Server side §  SESSKEY = RANDOM() #

    40 bytes §  SESSKEY = SESSKEY || 0x08 * 8 # 48 bytes §  KEY = hashPassword || 0x00 * 4 # 24 bytes §  AUTH_SESSKEY = AES192 (MODE_CBC, SESSKEY, KEY, IV=0x00)

22. O5Logon  protocol   § Client side §  KEY = SHA1(PASSWORD ||

    SALT) || 0x00 * 4 §  SESS_KEY_PADDING = DECRYPT_AES192 (AUTH_SESS_KEY, KEY, MODE_CBC) §  If SESS_KEY_PADDING[-8:0] = 0x08 * 8, RETURN TRUE

23. ExploitaLon   § SID? Easy to know § Username? Easy to know

    § AUTH_SESSKEY, AUTH_VRF_DATA? No need to capture packets, Oracle provide it for us. (sqlnet.ora) § Cracking? Small script, John the Ripper plugin. STEALTHY § Accelerating cracking? GPU, dictionary.

24. PoC  

25. MiLgaLon   § The patch is not backward compatibility. § Use external

    authentication (SSL, LDAP). § Use 10g-way authentication. § AUTH_SESS_KEY § DocID: 1492721.1

26. Which  way  will  we  go?   § Harden your database with

    security parameter and security features. Be careful with your database performance. §  Oracle security guide §  SSL-enabled traffic §  Oracle auditing, Oracle Advanced Security §  Oracle log §  Don’t believe to ORACLE!

27. The  final  words.  Q&A