Anatomy of a Database Attack - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Anatomy of a Database Attack
Aaron Newman, CTO/Founder, Application Security, Inc.
anewman@appsecinc.com
2
Agenda
  • Overview of Database security
  • Methods of Attack
  • DB18 exploit demo
  • DRILOAD exploit demo
  • Worms
  • Voyager
  • Root kits
  • Resources, Conclusion, and Wrap Up

3
Overview of Database Security
4
Database Vulnerabilities
  • A decade ago, databases were
    • Physically secure
    • Housed in central data centers, not distributed
    • External access mediated
    • Security issues rarely reported
  • Now, databases are externally accessible
    • Suppliers directly connected
    • Customers directly connected
    • Customers and partners directly sharing data
  • Data is the most valuable resource in the application stack
    • Value increases with greater integration and aggregation
    • But so does the threat of data theft, modification, or destruction

5
New Target Applications Databases
6
Barrier Defense Is No Longer Enough
[Diagram: Main Office Network behind a firewall and web proxy, connected over VPN and further firewalls to the Business Partners Network, the Remote Office Network and Remote Employees]
7
External threats
  • Exposing a database to the Internet
    • DO NOT DO THIS!
    • Protocol stacks are riddled with overflows
    • ALL the database vendors!
  • Behind a firewall
    • Recommend data be served through a web app
    • Still vulnerable to application-level attacks
    • Still vulnerable to internal attacks

8
Internal threats
  • Need to focus less on people getting through the perimeter
  • Need to focus more on securing data at the source
    • Attacks from DBAs, sysadmins, and legitimate users
  • Need to focus not only on vulnerabilities
    • Be able to see who is doing what in your applications
    • Provide auditing and accountability for users and database administrators
    • Be able to identify malicious activity
  • http://www.thesmokinggun.com/archive/0623042aol1.html
    • "JUNE 23--An AOL software engineer was arrested today for stealing the company's entire subscriber list--totaling 92 million screen names--and selling it to a 21-year-old Las Vegas spammer."

9
Forrester on Database Security
Source: Comprehensive Database Security Requires Native DBMS Features And Third-Party Tools, Forrester Research, Inc., March 29, 2005
10
Attackers focusing on databases
http://news.softpedia.com/news/Toying-with-Microsoft-s-breaches-is-no-longer-fun-for-hackers-1603.shtml
"... until now the hackers have mostly targeted Microsoft's software products, starting with this year, it seems their attention has been drawn to other products and services ... According to a recently published study, ... it's clear they are exploring new territories besides the old Windows ... the software products developed by Oracle Corp ... have started to be more and more targeted by hackers."
11
Methods of Attack
12
Default Passwords
  • Oracle9i and earlier had lots of them
    • User account sys / password change_on_install
    • User account system / password manager
    • User account dbsnmp / password dbsnmp
    • User account outln / password outln
    • User account scott / password tiger
  • Oracle10g eliminated the Oracle default passwords: SYS/SYSTEM passwords are chosen at install and the other supplied accounts are created locked and expired
    • Don't leave accounts around even if they are non-DBA
    • We will demonstrate later why
  • Third-party default passwords
    • http://www.petefinnigan.com/default/default_password_list.htm
    • List of 600 default usernames/passwords

13
Easily-guessed Passwords
  • Passwords can be guessed
    • Attacking a single account with 100k passwords
    • Attacking many accounts with a few very common passwords
    • People leave test/test, or a password the same as the username
  • Oracle10g enabled password lockout (FAILED_LOGIN_ATTEMPTS) in the DEFAULT profile
  • Password dictionaries
    • http://www.openwall.com/passwords/wordlists/
    • "The wordlists are intended primarily for use with password crackers"
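The two slides above describe the problem (default and guessable accounts) and the 10g mitigation (lockout in the DEFAULT profile). As an added example, not part of the presentation, the following Oracle SQL/PL*SQL script audits open accounts, locks the ones from the slide's list, rotates the two that must stay, and turns the profile limits on. Assumptions: it runs as SYS on 9i/10g, the listed sample accounts are not used by your application (DBSNMP is needed by the Enterprise Manager agent, so keep it if you run one), the password strings are placeholders you will replace, and `utlpwdmg.sql` from `$ORACLE_HOME/rdbms/admin` has been run to create SYS.VERIFY_FUNCTION.

```sql
-- Added example, not from the presentation.  Run as SYS.

-- 1. What is open right now?  Anything OPEN that you do not recognise is a
--    candidate for locking, default account or not.
--    (On 11g and later, also: SELECT username FROM dba_users_with_defpwd;)
SELECT username, account_status, profile, created
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY created;

-- 2. Lock AND expire the well-known accounts you do not use.  Locking is
--    reversible, so it is safer than DROP USER on a production system.
--    Assumption: none of these schemas are used by the application.
BEGIN
  FOR u IN (SELECT username
            FROM   dba_users
            WHERE  username IN ('SCOTT', 'OUTLN', 'DBSNMP')
            AND    account_status = 'OPEN')
  LOOP
    -- names come from DBA_USERS through a fixed IN-list, not from a caller,
    -- so concatenating them here is safe
    EXECUTE IMMEDIATE 'ALTER USER ' || u.username
                   || ' PASSWORD EXPIRE ACCOUNT LOCK';
  END LOOP;
END;
/

-- 3. Accounts you must keep get new passwords.  Placeholders: change them.
ALTER USER sys    IDENTIFIED BY "Replace-SYS-pw-2006";
ALTER USER system IDENTIFIED BY "Replace-SYSTEM-pw-2006";

-- 4. Counter online guessing.  9i shipped FAILED_LOGIN_ATTEMPTS UNLIMITED in
--    the DEFAULT profile; 10g set it to 10.  Lock after 5, release after an
--    hour (PASSWORD_LOCK_TIME is in days), and force rotation.
--    From 9i on, both REUSE limits must be numbers for reuse checks to apply.
ALTER PROFILE default LIMIT
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LOCK_TIME     1/24
  PASSWORD_LIFE_TIME     90
  PASSWORD_REUSE_MAX     10
  PASSWORD_REUSE_TIME    365;

-- 5. Reject test/test-style passwords: the sample function from utlpwdmg.sql
--    refuses a password equal to the username, shorter than 4 characters,
--    or on its small built-in word list.
ALTER PROFILE default LIMIT PASSWORD_VERIFY_FUNCTION verify_function;

-- 6. Verify the result
SELECT username, account_status, profile
FROM   dba_users
ORDER  BY account_status, username;
```

Step 2 uses a fixed list on purpose: a loop over every account in DBA_USERS would lock the application schemas too. The profile change in step 4 applies to every user on the DEFAULT profile, so confirm in step 6 that service accounts with batch logins are on a profile of their own if a five-attempt lockout would turn a mistyped job password into a denial of service.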

14
No Listener Password
  • Oracle10g changed the Listener authentication model
    • Most security issues fixed by this change
  • All previous versions of the Listener
    • No password by default
    • Allowed an attacker to write arbitrary files on the OS
    • Full compromise of the database
  • For details see my presentation from last year
  • Or download the whitepaper "Protecting Oracle Databases" from http://www.appsecinc.com/techdocs/whitepapers/research.shtml

15
Buffer Overflows
  • Allows an attacker to overwrite memory
    • And gain full control of the database
    • Bypasses any form of access control or auditing you have in place
  • Fixed by quarterly Critical Patch Updates
    • Still seeing dozens of buffer overflows addressed each CPU
    • Many reported but still unpatched buffer overflows remain in process with Oracle
  • For details see my presentation from last year
  • Or download the whitepaper "Protecting Oracle Databases" from http://www.appsecinc.com/techdocs/whitepapers/research.shtml
  • Oracle Corp implements source code review tools
    • To help discover buffer overflows

16
Application Logic Security Bugs
  • Bugs in the way the software works
    • Allow attackers to manipulate the system to get around security
  • Seeing a lot more of these types of bugs in Oracle
    • Range from PL/SQL injection to authentication weaknesses
  • Much more difficult to detect than buffer overflows
    • Requires human analysis to discover these flaws
    • Very difficult to detect by automated methods

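The slide names PL/SQL injection as the typical application-logic bug: no memory corruption, the stored procedure simply does what it was told, with its owner's privileges. As an added example, not from the presentation or from the demos that follow, here is the pattern in its smallest form beside a hardened rewrite. Assumptions: a schema APP owns the procedures and has SELECT on SCOTT.EMP; a low-privileged account has only EXECUTE on them; the procedure and schema names are made up for the illustration.

```sql
-- Added example, not from the presentation.

-- VULNERABLE: caller input is concatenated into dynamic SQL, and the
-- procedure runs with APP's privileges (AUTHID DEFINER is the default).
CREATE OR REPLACE PROCEDURE app.emp_lookup_vuln (p_ename IN VARCHAR2) AS
  l_sql  VARCHAR2(4000);
  l_cur  SYS_REFCURSOR;
  l_name scott.emp.ename%TYPE;
BEGIN
  l_sql := 'SELECT ename FROM scott.emp WHERE ename = ''' || p_ename || '''';
  OPEN l_cur FOR l_sql;                -- the caller wrote part of this statement
  LOOP
    FETCH l_cur INTO l_name;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_name);
  END LOOP;
  CLOSE l_cur;
END;
/
-- Anyone with EXECUTE on it decides what the WHERE clause says:
--   EXEC app.emp_lookup_vuln('KING')              -- intended use
--   EXEC app.emp_lookup_vuln('x'' OR 1=1--')      -- every row: the quote
--     closes the literal and "--" comments out the trailing quote
-- The same quote break lets the caller put any table APP can read, or any
-- function APP can execute, into the query.  That is the privilege problem:
-- APP's rights are lent to whoever can call the procedure.

-- HARDENED: static SQL with a PL/SQL variable is automatically a bind, so
-- p_ename can never change the statement's shape, and AUTHID CURRENT_USER
-- runs the query with the caller's own rights instead of APP's.
CREATE OR REPLACE PROCEDURE app.emp_lookup (p_ename IN VARCHAR2)
  AUTHID CURRENT_USER AS
BEGIN
  FOR r IN (SELECT ename FROM scott.emp WHERE ename = p_ename) LOOP
    DBMS_OUTPUT.PUT_LINE(r.ename);
  END LOOP;
END;
/
-- If the statement really must be dynamic, bind the value instead of
-- concatenating it:
--   OPEN l_cur FOR 'SELECT ename FROM scott.emp WHERE ename = :b1' USING p_ename;
-- An identifier (table or column name) cannot be bound; on 10gR2 and later
-- validate it with DBMS_ASSERT before concatenation:
--   l_sql := 'SELECT ename FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
```

The vulnerable version is what an automated scanner finds hard to flag: the concatenation compiles and works for every honest input. A code review that asks "who supplies this string, and whose privileges does the statement run under?" finds it in a minute, which is the slide's point about human analysis.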
17
Demo: DB18 Exploit
18
Demo: DRILOAD Exploit
19
Oracle Voyager Worm
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html
20
First Oracle Worm
  • Posted to the Full Disclosure list in October 2005
    • By an anonymous source
  • Not truly a worm
    • Really an example of how easy a worm could be
    • Based on Oracle PL/SQL only
    • Only works if you aren't securing your Oracle database
  • Reminds us of the Spida worm (which spread between SQL Servers with a blank sa password)
    • Relies on default usernames/passwords
    • Relies on the default port, 1521
  • Not dangerous (broken) in its current form

21
What does it do?
  • Gets the local IP address
    • Uses the UTL_INADDR built-in package
    • Cuts off the last octet to generate a local subnet
  • Looks for other Listeners on the local subnet
    • Uses the UTL_TCP built-in package
    • Sends a connect to port 1521 and waits for a response
    • Looks for an instance name
  • Creates a database link to each Oracle instance found
    • Uses dbms_sql
    • Relies on default usernames and passwords
  • Runs commands on the instance

22
Oracle Voyager Worm - Version 2
  • December 27th, 2005: enhanced version of the Voyager worm released
    • Posted on the Full Disclosure mailing list
  • Still lacks the propagation techniques
    • Discovers other Oracle databases on the network
    • But does not make the final step of copying itself to those databases
  • Dangerous payloads
    • Backdoors a system
      • Uses logon triggers
    • Emails your usernames and passwords to several addresses
    • Uses the Google search engine
      • As a means of restarting itself
    • Denial of service
      • Shuts down all listener services on the local subnet
    • Tries to access other systems
      • Using default usernames and passwords

23
How to prevent?
  • Very easy to prevent
    • Get rid of default usernames/passwords
    • Revoke PUBLIC permissions on built-in packages
  • Oracle10g / latest version of the database is the first step
    • Most have removed default usernames/passwords
    • But 99% of databases are still old versions
  • Oracle behind a firewall
    • Default configuration is very standard
    • Most large companies would be vulnerable to a real worm

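The three slides above list what Voyager needs (UTL_INADDR and UTL_TCP reachable from PUBLIC, default credentials, database links, and in version 2 a logon trigger and a job to restart itself) and the fix ("revoke public permissions on built-in packages"). As an added example, not from the presentation, this Oracle SQL script does the revocation and then looks for the version-2 footprints. Assumptions: it runs as SYS, no application of yours relies on PUBLIC executing the network packages (grant EXECUTE back to the specific schemas that do), and `app_mailer` is a made-up schema standing in for one such exception.

```sql
-- Added example, not from the presentation.  Run as SYS.

-- 1. Who can reach the network, the OS, or dynamic SQL from inside the
--    database?  PUBLIC in the grantee column is what the worm needs.
SELECT table_name, grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP',
                      'UTL_FILE', 'DBMS_SQL', 'DBMS_JOB')
ORDER  BY table_name, grantee;

-- 2. Revoke the network packages from PUBLIC.  DBMS_SQL and UTL_FILE are
--    called by many Oracle-supplied objects, so test before touching those;
--    the four below are what the scanner, the mailer and the Google
--    "restart" need, and regular applications rarely use them.
REVOKE EXECUTE ON sys.utl_tcp    FROM public;
REVOKE EXECUTE ON sys.utl_inaddr FROM public;
REVOKE EXECUTE ON sys.utl_http   FROM public;
REVOKE EXECUTE ON sys.utl_smtp   FROM public;
-- Assumption: exactly one schema legitimately sends mail.
GRANT  EXECUTE ON sys.utl_smtp   TO app_mailer;

-- 3. Footprints of the version-2 payload.
--    a) a LOGON trigger nobody on your team installed
SELECT owner, trigger_name, triggering_event, status
FROM   dba_triggers
WHERE  triggering_event LIKE 'LOGON%'
ORDER  BY owner, trigger_name;

--    b) database links to neighbours (version 1 creates one per instance
--       it finds); anything recent or pointing to a host you do not know
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY created DESC;

--    c) scheduled jobs that would re-launch the code
SELECT job, log_user, priv_user, what, next_date
FROM   dba_jobs
ORDER  BY job;

-- 4. Re-run step 1: the only rows for the four network packages should now
--    be the schemas you granted explicitly.
```

The revocations take effect for new calls immediately; packages that PUBLIC could previously execute will simply raise PLS-00201 ("identifier must be declared") in any anonymous block or procedure that still references them, which is a quick way to find out which application schema actually needed the grant.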
24
Root kits
25
What is a root kit?
  • Creates a back door on a computer system
  • Have been used on operating systems for many years
    • Create a copy of a system command
    • Place the hacker's commands in the new replacement system commands
  • A root kit is used after breaking into a system
    • Allows the hacker to come back later
    • And to stay totally cloaked
  • Changes the system to
    • not show that the hacker is logged in
    • not log what the hacker does
    • allow the hacker to do anything

26
Oracle Root Kits
  • Apr 2005: demonstrated at the BlackHat Security conference
    • By Alexander Kornbrust
    • Introduced the idea of creating database root kits
  • Full copy of the presentation available at http://www.red-database-security.com/wp/db_rootkits_us.pdf
  • Demonstrated hiding users granted DBA
    • Modified the DBA_USERS and ALL_USERS views
  • Demonstrated hiding connections
    • Modified the v$session view

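The first-generation technique on this slide rewrites the views a DBA looks at (DBA_USERS, ALL_USERS, V$SESSION) but leaves the underlying data dictionary tables alone, which is exactly where to look for it. As an added example, not from the presentation or from Kornbrust's paper, these Oracle SQL queries compare the base table with the views and check that the objects the views resolve to are still Oracle's. Assumptions: run as SYS; the second-generation, in-memory variant announced on the next slide would not show up here, and the last_ddl_time check only means something against a baseline you recorded after install and each patch.

```sql
-- Added example, not from the presentation.  Run as SYS.

-- 1. Users present in the base table but hidden from the views.  Any row
--    returned is a name the DBA_USERS / ALL_USERS view has been told to
--    drop.  (type# 1 = user, 0 = role)
SELECT name AS hidden_from_dba_users
FROM   sys.user$
WHERE  type# = 1
MINUS
SELECT username FROM dba_users;

SELECT name AS hidden_from_all_users
FROM   sys.user$
WHERE  type# = 1
MINUS
SELECT username FROM all_users;

-- 2. Are the public synonyms still pointing at SYS?  A cheaper rootkit
--    trick than editing SYS's view is to create a lookalike view in another
--    schema and repoint the synonym at it.
SELECT synonym_name, table_owner, table_name
FROM   dba_synonyms
WHERE  owner = 'PUBLIC'
AND    synonym_name IN ('DBA_USERS', 'ALL_USERS', 'V$SESSION',
                        'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS')
AND    table_owner <> 'SYS';

-- 3. Read the view text itself and look for a predicate that is not about
--    the join: the hidden-user rootkit adds something like
--    "AND u.name <> 'HACKER'" to the WHERE clause.
SELECT text
FROM   dba_views
WHERE  owner = 'SYS'
AND    view_name IN ('DBA_USERS', 'ALL_USERS');

-- 4. Recently modified SYS dictionary objects.  Compare with the baseline
--    you took after install / last CPU; a view or synonym changed since
--    then, outside a patch window, needs an explanation.
SELECT object_name, object_type, last_ddl_time
FROM   dba_objects
WHERE  owner = 'SYS'
AND    object_type IN ('VIEW', 'SYNONYM', 'PACKAGE', 'PACKAGE BODY')
ORDER  BY last_ddl_time DESC;
```

Queries 1 and 2 are the ones worth scheduling: they need no baseline and a single returned row is a finding. The same idea (base table versus view) applies to the hidden sessions on the slide, since V$SESSION is itself a view over the X$ fixed tables, but the exact predicate differs by release, so keep a copy of the shipped V_$SESSION definition from your own install rather than a generic one.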
27
2nd generation Oracle Root Kits
  • Summer 2006: release of the 2nd generation announced
    • At the BlackHat Security conference
    • By Alexander Kornbrust
    • http://www.eweek.com/article2/0,1895,1914465,00.asp
  • New, improved, hard-to-detect versions
    • Based on modifying the memory of the executing stored procedure
    • The root kit can't be detected by looking in system tables
  • We will see this summer!

28
Resources, Conclusion, and Questions
29
How Do You Address These Vulnerabilities?
  • Stay patched
    • Stay on top of all the security alerts and bulletins
  • Defense in depth
    • Multiple levels of security
  • Regularly perform audits and penetration tests on your database
  • Encryption of data-in-motion / data-at-rest / data-in-use
  • Monitor database activity log files
  • Implement database intrusion detection and auditing
    • Especially if you can't stay patched!

30
How Do You Address These Vulnerabilities?
  • "I'm running auditing, vulnerability assessment, and IDS tools for the network/OS. Am I secure?"
    • NO!!!!
  • Databases are extremely complex beasts
  • Databases store your most valuable assets
  • Significantly more effort securing databases is necessary
    • "If your workstation gets hacked, that's bad. But if your database gets hacked, you're out of business."
    • http://www.devx.com/dbzone/Article/11961

31
Questions?
  • Thank you
  • Questions on
    • Vulnerabilities
    • Locking down the database
  • Email me at anewman@appsecinc.com