Secure Your Oracle DB by breaking into!
This document helps to increase the security of an Oracle
Database with a particular approach: by breaking it!
Other intresting informations on how to protect Your Oracle RDBMS are in
Pratical Security in Oracle.
Secure Your Oracle RDBMS by breaking into!
There are several ways in which You can test the security of
an Oracle Database. We have organised them by treath.
- Ask people their password.
A lot of people will give it to You, if You find good excuses.
A good excuse is the incredible:
"We need Your password to check the database security!"
- Look for public accessible tables and views
and select data from them. Poor data protection design
is very common. Accesible table can be easly found with:
select table_name from all_tables where owner <> user;
- A lot of people protect carefully the database
but forget to protect backups.
Look for backup copies with
find / -name '*.dmp' -print
then import it on an other system!
The same can be performed with physical backups
(it's a bit more complex but feasible:
You have to recover the database then
connect internal, change passwords ...).
BRUTE FORCE ATTACS and PASSWORK GUESSING
- Try well-known passwords like SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER and so on.
- Run a password guessing program.
Use all the knowledge of the environment You have
to guess users and passwords. I developed one of them which
can be free downloaded.
- Sometimes the DBA passwords are well protected, but not the
Oracle owner password on the operating system!
If You can become "oracle" on Unix You can do whatever You want
on the DB connecting as internal.
Of course if You know the "root" password You can easly become "oracle"
with su - oracle.
DENIAL OF SERVICE ATTACS
- Connect as scott/tiger
then perform a query like
from emp, emp, emp, emp, emp, emp, emp;
This easy query select more than 1 million records!
Similar results can be obtained with looping PL/SQL programs or
"forgetting" a join condition between two large tables.
Update very large tables without
commiting in order to overextend rollback segments.
Lock data on tables using update or lock statement
Submit heavy sort operation in order to end up the space in
the temporary tablespace
Bombard the TCP-IP ports 1521, 1525 and 1526 with
funny (?!) messages.
If Oracle auditing is active try to end up the
tablespace performing millions of audited actions.
Create big tables till You end up all the
tablespace free space.
In some Oracle versions there are bugs that can halt the system: use them!
Look for operating system security breaks.
If You find any You can probably
shutdown the RDBMS, the operating system,
the SQL*Net listener, remove or overwrite Oracle files
or directories, start recovery/restore procedures,
- Once You break a System You can implement a backdoor.
Create a new user choosing a username that seems (or is)
an Oracle Tool user.
Assign it DBA or near DBA privileges.
- Sniff the network looking for data and unencrypted passwords.
- Use the same IP address and instances names of an existing
but offline server and sniff the network.
If clients are not well configured
You will see unencripted passwords.
- Read usernames and passwords used with Your application
and store them into a file or, easier, into a table.
- Hide Yourself: when You perform attacks use
other users passwords, systems and addresses.
Database security is very important.
The Oracle RDBMS offers several security features
but they are often underused.
In this paper we presented several security threats.
Use this suggestions to increase Yours' Oracle RDBMS security.
Do not use them to break the security of other one's Databases.
This paper presented a lot of tests You can perform on
Your DB to check system security.
For a full explanation on how to protect Your Oracle RDBMS have a look at
Pratical Security in Oracle.
Title: Secure Your Oracle DB by breaking into!
Date: 2 May 1998