David Litchfield
Dave Litchfield is about to happen:
NEW FREE WEBCAST - Oracle Database Forensics
Black Hat's webcast series continues with another powerful presentation from
a popular Black Hat speaker. This month's presenter is David Litchfield of
NGS software, speaking on Oracle database forensics, and he will be
releasing a new tool called orablock which he describes this way:
"Orablock allows a forensic investigator to dump data from a "cold" Oracle
data file - i.e. there's no need to load up the data file in the database
Name: Multiple SQL Injection Flaws in Oracle CTX_DOC package
Systems Affected: Oracle 10g release 1 and 2
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 6 June 2005
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007A
superseded by cursor injection
(http://www.databasesecurity.com/dbsec/cursor-injection.pdf) which was
written 3 days after.
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
--
E-MAIL DISCLAIMER
Lately, MS Windows SEH overflow attack techniques only use the following methods.
[mostly used method]
win xp sp2(SEH): 'pop pop ret' - David Litchfield 2003.
win xp sp3(SafeSEH): unloaded module's 'pop pop ret' - Litchfield 2003.
win server 2008/Vista sp1(SEHOP): SYSDREAM(c)'s 'xor pop pop ret'.
[my new method to exploit SEHOP]
I researched SEH and every reference I could find, and found a way to exploit the SafeSEH+SEHOP protections all at once.
Name: Oracle RDBMS Data packet DoS
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 23rd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007D
Name: Oracle TNS Listener DoS and/or remote memory inspection
Systems Affected: Oracle 8.1.7.4, 10g Release 2 and 1, Oracle 9
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd June 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007C
Name: Oracle audit issue with XMLDB ftp service
Systems Affected: Oracle 9iR2, 10g Release 1
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th March 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007E
Name: SQL Injection Flaw in Oracle Workspace Manager
Systems Affected: Oracle 10g release 1 and 2, Oracle 9i
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 22nd August 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007B
I've just released some research that demonstrates a new class of
vulnerability in Oracle and how it can be exploited by an attacker. You can
grab the paper from here:
http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
http://www.davidlitchfield.com/blog
http://www.databasesecurity.com/oracle-forensics.htm
The new paper is entitled "Oracle Forensics Part 5: Finding Evidence of Data
Theft in the Absence of Auditing" and explores some of the ideas I discussed
at Blackhat.
Cheers,
David Litchfield
DBMS_ASSERT can be used to prevent PL/SQL injection. In certain cases it can
be bypassed. This is documented in a paper I wrote in July 2008 but am only
publishing now:
http://www.databasesecurity.com/oracle/Bypassing-DBMS_ASSERT.pdf
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589
box. Indeed, this is the subject of the paper "Oracle Forensics Part 7:
Using the Oracle System Change Number in Forensic Examinations". Both the
tool (which compiles on Linux, Mac OS X and Windows) and the paper are
available from http://www.databasesecurity.com/.
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL
Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2)
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 23rd July 2008
Date of Public Advisory: 13th January 2009
Advisory number: #NISR13012009
CVE: CVE-2008-3979
Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks. I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere) so I figured it would be a nice "quiet" circuit to use for testing. I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3, also filtering for UDP 1434. After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks. What I found interesting was that every single one of them was sourced in China (all from different addresses).
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic. There are obviously some issues with this (both from a technical and potential customer standpoint), so I set out to do a bit of research on my own. The first thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint. Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want. So I set about finding a good resource for country-by-country IP ranges. Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though). But finding the resource was just the beginning... The list I got included 234 countries, comprising almost 100,000 records of IP ranges.
Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges - so the "manual" route was clearly out. The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first. Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country. Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by country, create the sets in ISA, and loop through the different ranges of IPs to add them to the set. It worked great.
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please. Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA - this was key. With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts. The results were quite interesting. While China still led with connection attempts overall, it was interesting to see that Canada was a close second. However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc., almost all of Canada's traffic was MESSENGER spam (UDP 1026, 1027, 1208). The world leader for HTTP was Brazil, strangely enough. Now, all of this will change based on who and where you are, and the types of services being offered. For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period. I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.
Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country. Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research. You may not be able to (or even want to) block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this. Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country. While the validity of the practice of blocking entire countries (or particular protocols for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information - to be sure, you've always been able to do this obviously, it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use. Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly. I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free.
Interesting research.
It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"
attack exploiting homoglyphic translation. As outlined by David Litchfield
in an old full-disclosure post [1]:
"It didn't take long to discover that this patch could be bypassed using
the following technique: due to internationalization, an Oracle database
server will convert the ? character (value 0xFF) to a capital Y. The PLSQL
the install are the passwords changed. This means that there is a window of
opportunity for an attacker to log into the database server during the
install process. Depending upon "which" install options you choose
determines the size of the window. Full details for those that are
interested can be found here:
http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported
this to Oracle on the 3rd of November they've updated their security
checklist document:
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_
db_database_20071108.pdf
Cheers,
* Erik Cabetas
* Dino A. Dai Zovi (Trail Of Bits) @dinodaizovi
* Alexander Sotirov @alexsotirov
* Barnaby Jack (IOActive) @barnaby_jack
* Charlie Miller (SecurityEvaluators) @0xcharlie
* David Litchfield (V3rity Software) @dlitchfield
* Lurene Grenier (Harris) @pusscat
* Alex Ionescu @aionescu
* Nico Waisman (Immunity) @nicowaisman
* Philippe Langlois (P1 Security, TSTF, /tmp/lab) @philpraxis
* Jonathan Brossard (Toucan System, P1 Code Security, /tmp/lab)
For anyone that's interested I've just posted another paper entitled "Oracle
Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle
Bin". You can get this and other papers on Oracle forensics from
http://www.databasesecurity.com/oracle-forensics.htm
Cheers,
David Litchfield
history is broken. This can affect compliance. This was addressed by Oracle
in their April 2009 Critical Patch Update and maps to the currently
unspecified vulnerability at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0988
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
-[ MS02-039 Exploit Structure
Before we start talking about the techniques applied in ENG, let's take a
look at how the exploit structure must be.
David Litchfield's Very First Exploit
[VECTOR] [BUFFER     ] [RETURN ADDRESS] [JUMP] [WRITABLE ADDRESS                     ] [NOPS] [SHELLCODE]
[0x04  ] [AAAABBBB...] [0x42b0c9dc    ] [0x0e] [0x42ae7001 (SP0) | 0x42ae7001 (SP1-2)] [0x90] [STATIC   ]