The Oracle Hacker's Handbook
Hacking and Defending Oracle
by David Litchfield
John Wiley & Sons 2007


It's terribly important that Oracle get security right, and so far their record has been poor. The Oracle RDBMS has had more critical security vulnerabilities than any other database server product. By critical, I mean those flaws that can be exploited by a remote attacker with no user ID and password and which give them full control over the database server. To put these critical security vulnerabilities in context, IBM's DB2 has had 1; Informix has had 2; and Microsoft's SQL Server has had 2. Oracle has had 9. That's more than the other database servers put together. In terms of flaws that require a user ID and password but yield full control when exploited, again Oracle outstrips the rest by far. These facts stand in stark contrast to Oracle's marketing campaigns claiming that their product is "unbreakable." When Oracle executives say, "We have the security problem solved. That's what we're good at … ," it makes you wonder what they're talking about. So far the problem is not solved, and complacency should have no home in an organization that develops software that is installed in most governments' networks. This is why it is absolutely critical for Oracle to get it right: national security is at stake.

Oracle's idea of what security means is formed largely on the U.S. Department of Defense's assurance standards. This is why Oracle can state that they "get security." This may have worked 15 years ago, but the security landscape has entirely changed since then. Let me explain further. The Oracle RDBMS was evaluated under the Common Criteria to EAL4 (assurance level 4), which is no mean feat. However, the first few versions of Oracle that gained EAL4 had a buffer overflow vulnerability in the authentication mechanism. By passing a long username to the server, a stack-based buffer is overflowed, overwriting program control information and allowing an attacker to take complete control. How on earth did this get through, and how was it missed? The answer is that there is a vast divide between what "standards" security means and what real security means. There is, of course, an important place for standards, but they are not the be-all and end-all, and Oracle would do well to learn this lesson. Standards imply rules, but hackers don't play by the rules.
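The defect class described above, a username copied into a fixed stack buffer with no length check, is easy to show next to its corrected form. The following is an added example, not code from the book or from Oracle: it parses a constructed, hypothetical length-prefixed login record (not Oracle's real wire format) with a reader that trusts the length field and one that validates it against both the destination buffer and the bytes actually received. The record layout, `USERNAME_MAX`, and all function names are assumptions made for the illustration.

```c
/* Added example (not from the book): a hypothetical length-prefixed login
 * record, NOT Oracle's wire protocol, used to contrast an unchecked copy of
 * the username into a fixed stack buffer with a bounded, validated copy. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 30   /* longest username the server accepts (assumed) */

/* Constructed record layout: [len: 1 byte][username: len bytes] */

/* Defective pattern: the length byte comes from the client and is trusted.
 * A record whose len exceeds the caller's 31-byte buffer writes past it into
 * whatever follows on the stack (saved registers, the return address), which
 * is exactly the control-information overwrite the text describes.
 * Shown for contrast only; this example never feeds it an oversized record. */
int read_username_unchecked(const uint8_t *rec, size_t reclen, char *out /* 31 bytes */)
{
    if (reclen < 1) return -1;
    size_t len = rec[0];
    memcpy(out, rec + 1, len);   /* no bound against the buffer or reclen */
    out[len] = '\0';
    return 0;
}

/* Hardened pattern: validate before copying a single byte.
 *   0  success
 *  -1  bad arguments / empty record
 *  -2  username longer than the server limit or the destination buffer
 *  -3  record claims more bytes than were actually received */
int read_username_checked(const uint8_t *rec, size_t reclen, char *out, size_t outlen)
{
    if (rec == NULL || out == NULL || outlen == 0 || reclen < 1) return -1;
    size_t len = rec[0];
    if (len > USERNAME_MAX || len >= outlen) return -2;   /* leave room for NUL */
    if (len > reclen - 1) return -3;                       /* truncated record */
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return 0;
}

/* Builds a constructed record for name into buf; returns the record length,
 * or 0 if the name cannot be encoded in the available space. */
size_t make_record(uint8_t *buf, size_t buflen, const char *name, size_t namelen)
{
    if (namelen > 255 || namelen + 1 > buflen) return 0;
    buf[0] = (uint8_t)namelen;
    memcpy(buf + 1, name, namelen);
    return namelen + 1;
}

/* Convenience: encode name as a record and run the checked reader on it;
 * returns the reader's status code (-99 if the record could not be built). */
int checked_status_for_name(const char *name, size_t namelen)
{
    uint8_t rec[300];
    char out[USERNAME_MAX + 1];
    size_t n = make_record(rec, sizeof rec, name, namelen);
    if (n == 0) return -99;
    return read_username_checked(rec, n, out, sizeof out);
}

int main(void)
{
    uint8_t rec[300];
    char out[USERNAME_MAX + 1];

    /* Benign record: both readers behave the same. */
    size_t n = make_record(rec, sizeof rec, "SCOTT", 5);
    read_username_unchecked(rec, n, out);
    printf("unchecked, short name: %s\n", out);
    printf("checked, short name: status %d, name %s\n",
           read_username_checked(rec, n, out, sizeof out), out);

    /* Oversized record (constructed): the checked reader refuses it. */
    const char *longname = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghij";
    printf("checked, 46-byte name: status %d\n",
           checked_status_for_name(longname, strlen(longname)));

    /* Record that claims 10 bytes but carries 3 (constructed). */
    const uint8_t trunc[] = { 10, 'a', 'b', 'c' };
    printf("checked, truncated record: status %d\n",
           read_username_checked(trunc, sizeof trunc, out, sizeof out));
    return 0;
}
```

The point of the checked reader is the order of operations: the length is compared with the destination capacity and with the number of bytes actually present before `memcpy` runs, so an attacker-supplied length can only cause a rejection, never a write beyond the buffer.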

Perhaps Oracle is beginning to understand, though. By all accounts they have shaken up and improved their coding standards and have invested in numerous tools to help them develop more secure code, and there is evidence to suggest that things are getting better on the security front. Oracle 10g Release 2 is a dramatic improvement over 10g Release 1. Security holes are still being discovered in 10g Release 2, but nowhere near the numbers that have been found in 10g Release 1. Oracle has also improved their security patch release mechanism. Every quarter, Oracle releases a Critical Patch Update (CPU), and up until July 2006 every CPU was reissued multiple times because of failings, missing fixes, and other problems. The July 2006 CPU was different; it was released once, hopefully the start of a trend.

Considering that things are improving, where exactly is Oracle on this journey to "security" utopia, by which I mean a secure product that actually matches the marketing speak? In answering this question, for any vendor, a key pointer is to look at how they respond to security researchers. In the summer of 2006 at the Blackhat Security Briefing, I was on a panel that discussed the issues surrounding the disclosure of security flaws. The panel moderator, Paul Proctor from Gartner, insightfully suggested that "Microsoft is in the acceptance phase. Cisco is slowly moving out of the anger stage and into the acceptance stage. Oracle, on the other hand, is just coming out of the denial stage and into the anger stage."

This is an accurate assessment in my estimation. Like Microsoft a few years ago, when Scott Culp published his "Information Anarchy" paper, Oracle too had their say about security researchers when Mary-Ann Davidson, the Chief Security Officer of Oracle, wrote her article "When Security Researchers Become the Problem." The difference between Mary-Ann's article and Scott's paper is that Scott's needed to be said, as it was published at a time when there was information anarchy and not much responsible disclosure going on; it was an attempt at convincing security researchers to work with the vendor. This is why Mary-Ann's article a few years later failed to hit home: the security researchers she disparaged were already working with Oracle to try to help improve their product. Oracle failed to see that they and security researchers were working toward the same goal: a more secure database server. Part of the article discusses security researchers making explicit and implicit threats, such as "Fix it in the next three weeks because I am giving a paper at Black Hat." However, Oracle should understand that a security researcher is under no obligation to inform them that they are going to present a paper; and if they do tell them, Oracle should appreciate the heads-up. Such information is a courtesy. Calling this an "implicit threat" is disingenuous and risks alienating the very people best placed to help them secure their product. It would be in the best interests of all for Oracle to get over their anger stage and embrace the acceptance phase.

Enough commentary on Oracle, however, at least for the time being. Let's look at why we need a book that details vulnerabilities in their RDBMS and examines how those flaws are exploited. In short, precisely because it is such a popular database server, it is a prime target for hackers, organized crime, and those involved in espionage, be it industrial or foreign. Therefore, there should be a reliable resource for database and security administrators that shows them how their systems are attacked and where they are vulnerable. This puts them in a position of strength when designing defense strategies and mitigations.

This book is that resource. Yes, such a book is, by nature, paradoxical: intended to aid defense, it arms not only the defender with the information but also the attacker. It is my experience, however, that most attackers already know much of this information, whereas the defenders don't but should. Yet even today, given all the evidence to the contrary, you hear Oracle "experts" claiming that Oracle is secure, citing as proof that Oracle is "always installed behind a firewall" and that it "runs on Unix." Frankly, these "reasons" have nothing to do with whether Oracle is secure or not. It's as easy to break into an Oracle server running on Linux or Solaris as it is on Windows. A firewall becomes irrelevant as soon as you poke a hole through it to allow your business logic and web applications to connect to the database server; SQL injection is a major problem.

Furthermore, it is a myth that Oracle is always installed behind a firewall. According to the "Database Exposure Survey" I performed in December 2005 and published in June 2006, an estimated 140,000 Oracle database servers are out there accessible on the Internet, compared to 210,000 Microsoft SQL Servers. Given that many of these SQL Servers will be MSDE installs, one wonders what effect Oracle Express will have on the number. Oracle Express was released after the survey. Getting back to the core of the problem, however, there is not nearly enough understanding by those in the Oracle world that their servers are exposed to risk. When you consider that Oracle has committed to releasing a Critical Patch Update every three months until at least July 2007 (at the time of writing), this means that in the interim Oracle database servers are in a critically insecure state. Food for thought, indeed. This is the "why," then. If we are to take responsibility for the security of our own systems, knowing that they are critically insecure, we need to know how they're insecure; only then can we take steps to prevent our systems from being compromised.

I hope that as well as finding this book useful and informative, you have fun reading it. I'm always willing to answer questions so please feel free to ask.

Cheers,

David Litchfield
