Secure Your Oracle DB by breaking into!
Bartolomeo Bogliolo
Torino, Italy
Introduction
This document helps you increase the security of an Oracle
Database with a particular approach: by breaking into it!
Other useful information on how to protect your Oracle RDBMS is in
Pratical Security in Oracle.
Secure Your Oracle RDBMS by breaking into!
There are several ways in which you can test the security of
an Oracle Database. We have organised them by threat.
STEALING DATA
- Ask people for their password.
A lot of people will give it to you if you find a good excuse.
An incredibly effective excuse is:
"We need your password to check the database security!"
- Look for publicly accessible tables and views
and select data from them. Poor data protection design
is very common. Accessible tables can easily be found with:
select table_name from all_tables where owner <> user;
- A lot of people protect the database carefully
but forget to protect the backups.
Look for backup copies (export dump files) with
find / -name '*.dmp' -print
then import them on another system!
The same can be done with physical backups
(it's a bit more complex but feasible:
you have to recover the database, then
connect internal and change the passwords ...).
BRUTE FORCE ATTACKS and PASSWORD GUESSING
- Try well-known default passwords like SYS/CHANGE_ON_INSTALL,
SYSTEM/MANAGER and so on.
- Run a password guessing program.
Use all the knowledge of the environment you have
to guess users and passwords. I developed one of them, which
can be downloaded for free.
- Sometimes the DBA passwords are well protected, but not the
Oracle owner password on the operating system!
If you can become "oracle" on Unix you can do whatever you want
on the DB by connecting as internal.
Of course, if you know the "root" password you can easily become "oracle"
with su - oracle.
DENIAL OF SERVICE ATTACKS
- Connect as scott/tiger
then perform a query like
select count(*)
from emp, emp, emp, emp, emp, emp, emp;
This simple query (a cartesian product of seven copies of EMP)
selects more than 1 million records!
- Similar results can be obtained with looping PL/SQL programs or
by "forgetting" the join condition between two large tables.
- Update very large tables without
committing in order to overextend the rollback segments.
- Lock data in tables using update or lock table statements.
- Submit heavy sort operations in order to use up the space in
the temporary tablespace.
- Bombard the TCP/IP ports 1521, 1525 and 1526 with
funny (?!) messages.
- If Oracle auditing is active, try to fill up the SYSTEM
tablespace by performing millions of audited actions.
- Create big tables until you use up all the
free space in the tablespaces.
- In some Oracle versions there are bugs that can halt the system: use them!
- Look for operating system security holes.
If you find any you can probably
shut down the RDBMS, the operating system or
the SQL*Net listener, remove or overwrite Oracle files
or directories, start recovery/restore procedures,
create backdoors...
BACK DOOR
- Once you break into a system you can implement a backdoor.
Create a new user, choosing a username that seems to be (or is)
an Oracle tool user.
Assign it DBA or near-DBA privileges.
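The backdoor user described here, the publicly accessible tables and the default accounts mentioned above can all be checked from the DBA's side. The following audit queries are an added example, not part of the original paper; they assume the standard Oracle data dictionary views DBA_USERS, DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS and an account allowed to read them.

```sql
-- Added audit queries (not from the original paper), to be run as a
-- DBA. Assumes the standard Oracle dictionary views DBA_USERS,
-- DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS are available.

-- 1. Demo/utility accounts that still exist. SCOTT is the demo user
--    used in the paper; DBSNMP is another common default account
--    (assumption: extend the list with the defaults of your release).
select username, created
  from dba_users
 where username in ('SCOTT', 'DBSNMP')
 order by username;

-- 2. Objects granted to PUBLIC: anyone who can connect can use them.
--    SYS and SYSTEM grant many dictionary views to PUBLIC on purpose,
--    so those two owners are filtered out to show application grants.
select owner, table_name, privilege
  from dba_tab_privs
 where grantee = 'PUBLIC'
   and owner not in ('SYS', 'SYSTEM')
 order by owner, table_name, privilege;

-- 3. Backdoor check: every grantee holding the DBA role. Compare the
--    list with the accounts you know you created yourself.
select grantee, admin_option
  from dba_role_privs
 where granted_role = 'DBA'
 order by grantee;

-- 4. "Near DBA" system privileges granted directly: with any of these
--    a grantee can create or take over other accounts.
select grantee, privilege
  from dba_sys_privs
 where privilege in ('CREATE USER', 'ALTER USER', 'DROP USER',
                     'GRANT ANY PRIVILEGE', 'GRANT ANY ROLE')
 order by grantee, privilege;

-- 5. Accounts created in the last 30 days, to spot a user added after
--    a break-in (SYSDATE arithmetic is in days).
select username, created
  from dba_users
 where created > sysdate - 30
 order by created desc;
```

Run them periodically and keep the previous output, so that a new DBA grantee or a new PUBLIC grant stands out as a difference rather than as one line in a long list.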
SNIFFING
- Sniff the network looking for data and unencrypted passwords.
- Use the same IP address and instance names as an existing
but offline server and sniff the network.
If the clients are not well configured
you will see unencrypted passwords.
TROJAN HORSE
- Read the usernames and passwords used with your application
and store them in a file or, easier, in a table.
HACKER'S HINT
- Hide yourself: when you perform attacks use
other users' passwords, systems and addresses.
Database security is very important.
The Oracle RDBMS offers several security features,
but they are often underused.
In this paper we presented several security threats
and a lot of tests you can perform on
your DB to check system security.
Use these suggestions to increase your own Oracle RDBMS security.
Do not use them to break the security of other people's databases.
For a full explanation on how to protect your Oracle RDBMS have a look at
Pratical Security in Oracle.
Title: Secure Your Oracle DB by breaking into!
Date: 2 May 1998
Version: 1.1.3
Author: mail@meo.bogliolo.name