
+TetCon.2013_Hacking.Oracle.2012.pdf

duongkai
December 23, 2012
120


Transcript

  1. SELECT * FROM v$me!
     § Phạm Tùng Dương (K4i)
     § R&D Engineer @FPT Telecom
     § 3+ years experience in Oracle Database (auditing and security)
     § OSS evangelist
     § Email: [email protected]
     § Interested in: Applied Cryptography | Database Security | Source Code Auditing
  2. Overview
     1. The DBA Dilemma :-s
     2. The good, the bad and the ugly.
     3. The first story (CVE-2012-1675)
     4. The second story (CVE-2012-3137)
     5. Which way will we go? (Which path for me)
  3. The good, the bad and the ugly
     Oracle security, 2012 perspectives:
     1. The good: the number of vulnerabilities found is the lowest of the three years (2010, 2011, 2012)
  4. The good, the bad and the ugly
     2. The bad: 3 critical bugs cannot be FIXED. Work-around, plz
        § SCN bug was not fixed
        § TNS poisoning was not fixed
        § Stealth Password Cracking
  5. The good, the bad and the ugly
     3. The ugly: bad communication. Unwilling to fix problems. The customer is blamed for not fixing issues.
  6. First story
     § Codename: CVE-2012-1675 (aka TNS Listener Poison Attack)
     § Affected versions: 10gR2, 11gR1 and 11gR2
     § A 4-year-old 0day
     § Author: Joxean Koret
  7. First story
     § …"This past 30 April, Oracle issued a special announcement giving guidance on temporary work-arounds for the security vulnerability CVE-2012-1675, also known as the TNS Listener Poison Attack. This is an extremely serious security vulnerability that allows hackers to remotely interfere with the data flow exchanged between clients and Oracle database servers without needing any authentication mechanism."… HVA News
  8. TNS Listener and remote instance registering process
     § Client -> Server: CONNECT
     § Client <- Server: ACCEPT
     § Client -> Server: information that needs to be registered
     § Client <- Server: OK. Registered successfully.
     ⇒ What happens? No authentication, man.
     ⇒ What happens if two instances with the same name are registered with a LISTENER?
  9. Mitigation
     § COST (Class of Secure Transport)
       § DocID: 1453883.1 for standalone instances
       § DocID: 1340831.1 for RAC instances
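The COST mitigation named on this slide comes down to a listener.ora setting. The fragment below is an added example written for this page, not configuration from the deck or from the Oracle notes it cites: the listener name, host and the IPC key are placeholders, and the weak-versus-hardened contrast is the point. With no restriction, any host that can reach the listener port can run the registration exchange from slide 8 and register a service name; with `SECURE_REGISTER_<listener>` limited to IPC, only registrations arriving over the local IPC endpoint are accepted (the standalone case of DocID 1453883.1; the RAC note 1340831.1 uses a TCPS endpoint instead).

```text
# listener.ora fragment (added example; names are placeholders)

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

# Weak: no SECURE_REGISTER_LISTENER line at all, so registration is accepted
# over every endpoint above, including TCP from remote hosts (slide 8).

# Hardened (COST): accept instance registration over the local IPC
# endpoint only; a remote host can still connect, but cannot register
# a service with the same name as the real instance.
SECURE_REGISTER_LISTENER = (IPC)
```

After `lsnrctl reload`, `lsnrctl services` should list only the instances you expect. In my reading of the standalone note, the instance's `LOCAL_LISTENER` must then point at the IPC address, otherwise the legitimate instance can no longer register either; that detail is an assumption about your environment, not something the slide states.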
  10. The second story
      § Codename: CVE-2012-3137 (aka Stealth password cracking)
      § Affected versions: 11gR1, 11gR2
      § Author: Esteban Martinez Fayo (teamSHATTER)
  11. Strange behaviour
      § The account is locked only after a number of password-guessing attempts greater than the configured parameter
      § With a wrong password, ORA-1017 is returned immediately, without the password being sent to the server!
      => Assumption: the correct password was sent to the client in encrypted form.
  12. O5Logon protocol
      § Server side
        § SESSKEY = RANDOM()                      # 40 bytes
        § SESSKEY = SESSKEY || 0x08 * 8           # 48 bytes
        § KEY = hashPassword || 0x00 * 4          # 24 bytes
        § AUTH_SESSKEY = AES192(MODE_CBC, SESSKEY, KEY, IV=0x00)
  13. O5Logon protocol
      § Client side
        § KEY = SHA1(PASSWORD || SALT) || 0x00 * 4
        § SESS_KEY_PADDING = DECRYPT_AES192(AUTH_SESS_KEY, KEY, MODE_CBC)
        § If SESS_KEY_PADDING[-8:] == 0x08 * 8, RETURN TRUE
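Slides 11 to 13 describe the exchange in pseudocode; the Go program below is an added example written for this page (not code from the deck, from teamSHATTER or from Oracle) that implements both sides exactly as the slides state them: a 40-byte random SESSKEY padded with eight 0x08 bytes, a 24-byte AES-192 key built from SHA1(PASSWORD || SALT) plus four zero bytes, AES-192-CBC with a zero IV, and the client's padding check. The salt here stands in for the server-supplied value the deck later calls AUTH_VRF_DATA; that mapping, and the simplification that nothing else is exchanged, are my assumptions. The thing to notice is that `clientVerify` needs no further message from the server: once AUTH_SESSKEY and the salt have been received, every password check happens locally, which is exactly why the lockout counter on slide 11 never fires.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Sizes taken from the slides: a 40-byte random session key, eight 0x08 bytes
// of padding, and a 24-byte AES-192 key built from the 20-byte SHA-1 hash.
const (
	sessKeyRandomLen = 40
	paddingLen       = 8
	aes192KeyLen     = 24
)

// deriveKey builds KEY = SHA1(PASSWORD || SALT) || 0x00 * 4 (slide 13).
func deriveKey(password, salt []byte) []byte {
	h := sha1.Sum(append(append([]byte{}, password...), salt...))
	key := make([]byte, 0, aes192KeyLen)
	key = append(key, h[:]...)
	return append(key, 0, 0, 0, 0)
}

// aes192CBC runs AES-192-CBC with an all-zero IV in either direction. The
// slides describe no block padding, so data must be whole AES blocks.
func aes192CBC(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of AES blocks")
	}
	iv := make([]byte, aes.BlockSize) // IV = 0x00 per slide 12
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	}
	return out, nil
}

// serverAuthSessKey is the server side of slide 12. The 40 random bytes are
// passed in rather than drawn here so the exchange can be reproduced in a test.
func serverAuthSessKey(password, salt, random40 []byte) ([]byte, error) {
	if len(random40) != sessKeyRandomLen {
		return nil, errors.New("SESSKEY must start from 40 random bytes")
	}
	// SESSKEY = RANDOM() || 0x08 * 8  -> 48 bytes
	sessKey := append(append([]byte{}, random40...), bytes.Repeat([]byte{0x08}, paddingLen)...)
	return aes192CBC(deriveKey(password, salt), sessKey, true)
}

// clientVerify is the client side of slide 13: decrypt AUTH_SESSKEY with a key
// derived from the password and accept if the last eight bytes are 0x08.
// No server round trip is involved, so the server never sees a failed check.
func clientVerify(authSessKey, password, salt []byte) bool {
	plain, err := aes192CBC(deriveKey(password, salt), authSessKey, false)
	if err != nil || len(plain) < paddingLen {
		return false
	}
	return bytes.Equal(plain[len(plain)-paddingLen:], bytes.Repeat([]byte{0x08}, paddingLen))
}

func main() {
	// Constructed demo values; a real server draws salt and SESSKEY itself.
	password, salt := []byte("correct horse"), []byte("constructed-salt")
	random40 := make([]byte, sessKeyRandomLen)
	if _, err := rand.Read(random40); err != nil {
		panic(err)
	}
	authSessKey, err := serverAuthSessKey(password, salt, random40)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AUTH_SESSKEY (%d bytes): %x\n", len(authSessKey), authSessKey)
	fmt.Println("right password verified offline:", clientVerify(authSessKey, password, salt))
	fmt.Println("wrong password verified offline:", clientVerify(authSessKey, []byte("guess"), salt))
}
```

The defensive reading is the one slide 15 gives: the fix is a protocol change on both ends, not a tighter lockout threshold, because the server has no attempt counter to increment when the check is local to the client.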
  14. Exploitation
      § SID? Easy to know
      § Username? Easy to know
      § AUTH_SESSKEY, AUTH_VRF_DATA? No need to capture packets; Oracle provides them for us (sqlnet.ora)
      § Cracking? Small script, John the Ripper plugin. STEALTHY
      § Accelerating cracking? GPU, dictionary.
  15. Mitigation
      § The patch is not backward compatible.
      § Use external authentication (SSL, LDAP).
      § Use 10g-way authentication.
      § AUTH_SESS_KEY
      § DocID: 1492721.1
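The "10g-way authentication" option on this slide is a sqlnet.ora setting on the server. The fragment below is an added example for this page, not configuration from the deck or from DocID 1492721.1; the parameter name `SQLNET.ALLOWED_LOGON_VERSION_SERVER` is the one 11.2.0.3 uses for this, and the value 12 for selecting the patched protocol is my reading of the patch note rather than something the slide states, so check it against your own copy of the note.

```text
# sqlnet.ora on the database server (added example)

# Option A, as on the slide: fall back to the 10g logon protocol so the
# 11g O5Logon exchange from slides 12-13 is never negotiated. Clients
# that only speak the 11g protocol will no longer be able to log on.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 10

# Option B (assumption from DocID 1492721.1): after the patch is applied on
# the server and on every client, require the patched protocol version.
# This is why the slide says the patch is not backward compatible:
# unpatched clients are refused.
# SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
```

Only one of the two lines should be active; either way the server stops handing out an AUTH_SESSKEY that can be verified offline against a password guess.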
  16. Which way will we go?
      § Harden your database with security parameters and security features. Be careful with your database performance.
        § Oracle security guide
        § SSL-enabled traffic
        § Oracle auditing, Oracle Advanced Security
        § Oracle logs
        § Don't believe ORACLE!