http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2008-05-11 23:34:43 - Oracle Forensics by Paul M. Wright : http://wwwsecurityfocuscom/archive/1/491865 In short if anunauthenticated user makes this request: “http:/site/pls/portal/%0A”Then they will be able to access this URL“http://site/dav_portal/portal/” as though they were authenticatedInteresting bug i thought Also I came across the web site below theother day which has some interesting material on it regarding OracleSecurity such as 10g password hashing algorithm written using pythonhttp://www.secuobs.com/revue/news/24309.shtmlhttp://www.secuobs.com/revue/news/24309.shtml Secuobs.com : 2008-04-16 01:33:36 - Oracle Forensics by Paul M. Wright - http://wwworaclecom/technology/deploy/security/critical-patch-updates/cpuapr2008htmlApril 2008 CPU came out at 900pm UK time tonight as normal Two ofthe vulnerabilities are ones that I found whilst working at NGS andare both PL/SQL injections but the most critical bug is the JInitiatorJVM bug… Java Vulnerabilities are the subject of a Presentation I amgiving next week at SANS http://www.secuobs.com/revue/news/18736.shtmlhttp://www.secuobs.com/revue/news/18736.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - This is an interesting paper on using OS level file recovery to recoverdatafiles in Postgres and could theoretically work on Oracle as wellhttp://www-edlabcsumassedu/cs691i/files/DBforensicspdf I will posthere and when I have tried this process out on Oraclehttp://www.secuobs.com/revue/news/15646.shtmlhttp://www.secuobs.com/revue/news/15646.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - More on forensics with large data sets… First of all there is thephysical requirement of actually copying large disks in a short timehttp://wwwics-iqcom/ advertise 39 gigabytes per second for theirhigh speed duplication machiner To speed up network transfer of datausing netcat pipe through tar first to make the transfer quickerReceiving end # netcat -l -p http://www.secuobs.com/revue/news/15645.shtmlhttp://www.secuobs.com/revue/news/15645.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - Oracle Audit Vault looks like it is going to be an interesting productfrom an Oracle Forensics perspective from what I have readhttp://wwwsoftwarepipelinecom/files/Oracle_Audit_Vaultpdf The factthat 11g is audit on by default and said to be less performancedegrading will make for more archived audit in the vault and thepossibility to backtrack the potential previous http://www.secuobs.com/revue/news/15644.shtmlhttp://www.secuobs.com/revue/news/15644.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - http://wwwtruecryptorg/ and http://wwwgpg4winorg/ are goodreplacements for PGP disk and PGP email for outlookhttp://www.secuobs.com/revue/news/15643.shtmlhttp://www.secuobs.com/revue/news/15643.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - I found out a while ago that my intended URL domain wwworaseccom andhttp://orasecblogspotcom was in fact named after a city inMacedonia If any one from Macedonia would like to have the URL fortheir city you are welcome to buy it from me at cost value as Idecided to fit into a more http://www.secuobs.com/revue/news/15642.shtmlhttp://www.secuobs.com/revue/news/15642.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - Given a central Oracle loghost which collates audit and logs fromfirewall, WWW, OS, DB, IDS and which accesses these logs through SQLdriven EXTERNAL TABLES, TIMESTAMP becomes an effective primary andforeign key to join the relations so that actions by an individualover a network can be correlated Interestingly the uniqueness of eachhttp://www.secuobs.com/revue/news/15641.shtmlhttp://www.secuobs.com/revue/news/15641.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - http://translategooglecom/translateu=http%3A%2F%2F20985135104%2Fsearch%3Fq%3Dcache%3A_Fr4aQniTH4J%3Awwwcsncch%2Fstatic%2Fevent%2F2006_Best_of_Oracle_Security_2006pdf%2BOrasploit%26hl%3Den%26gl%3Duk%26ct%3Dclnk%26cd%3D3etlangpair=de%7Cenethl=enetie=UTF8http://www.secuobs.com/revue/news/15640.shtmlhttp://www.secuobs.com/revue/news/15640.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - dcfldd is an improvement on dd as it shows progress through the bit copyhttp://dcflddsourceforgenet/ It also does a checksum at the end tomake sure you have a perfect copy Recommended for forensics workhttp://www.secuobs.com/revue/news/15639.shtmlhttp://www.secuobs.com/revue/news/15639.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - One of the students in my class asked to see the ALTER SESSION, SQL ASDBA demo so here it ishttp://www.secuobs.com/revue/news/15638.shtmlhttp://www.secuobs.com/revue/news/15638.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - This code can be used to check and compare the objects in your databasehttp://wwworacleforensicscom/dbstatecheckersql This would be usefulto see the effects of a security patch installation and to check theintegrity of database objects at the database level See my new paperat http://wwwsansorg/reading_room/whitepapers/application/1736phphttp://www.secuobs.com/revue/news/15637.shtmlhttp://www.secuobs.com/revue/news/15637.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - The Oracle password paper I have written for my employer NGSSoftware Ltdhas been translated to Japanese and also mirrored in HTML by mypublisher Don Burleson’s Rampant Techpress The English PDF URL forthe paper ishttp://wwwngssoftwarecom/research/papers/oraclepasswordspdf and theactual OraBrute tool itself is available athttp://wwwngssoftwarecom/research/papers/oraclepasswordsziphttp://www.secuobs.com/revue/news/15636.shtmlhttp://www.secuobs.com/revue/news/15636.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - SELECT * FROM ORACLE_SECURITY INTERSECT SELECT * FROMCOMPUTER_FORENSICS I am interested in forensics applied to Oracledatabases but also in Oracle databases applied to forensics which isthe other half of the INTERSECTION Digital investigations areincreasingly having to handle very large datasets as confirmed by arecent posting at security focus belowhttp://wwwsecurityfocuscom/brief/448 Additionally Advances http://www.secuobs.com/revue/news/15635.shtmlhttp://www.secuobs.com/revue/news/15635.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - SANS/GIAC have published my new GSOC on using computer forensics conceptsapplied to vulnerability detection in Oracle databases and it hasgained a place in their Reading Room which is quite an honour This isthe URL for the GSOC andhttp://wwwgiacorg/certified_professionals/listing/gsocphp and forthe Reading Roomhttp://wwwsansorg/reading_room/whitepapers/application/ It gives ataste of what to expect from my http://www.secuobs.com/revue/news/15634.shtmlhttp://www.secuobs.com/revue/news/15634.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - David Litchfield has a new paper out that is interesting as it shows howPLSQL injection can be carried out using only the CREATE SESSIONprivilege as well as utilising the Cursor Snarfing concept It iscalled “Cursor Injection - A New Method for Exploiting PL/SQLInjection and Potential Defences” And is from this URL:http://wwwdatabasesecuritycom/dbsec/cursor-injectionpdf I havehttp://www.secuobs.com/revue/news/15633.shtmlhttp://www.secuobs.com/revue/news/15633.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - In addtion to timestamps and filesize the checksum of a DB object such asa PLSQL package is useful to verify integrity This query will provideall the object names and corresponding checksums in a given schemaselectobject_name,utl_rawcast_to_rawmd5summerobject_type,object_name,ownerfrom dba_objects where owner=’SYS’; Where md5summer is a functionwrapped around dbms_obfuscation_toolkitmd5 Only problem is that thisonly http://www.secuobs.com/revue/news/15632.shtmlhttp://www.secuobs.com/revue/news/15632.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - Unbreakable Linux works well with Oracle database but I have noticed thatUnbreakable Linux does not behave reliably in VMware and also does notact as a reliable host for VMware This is interesting as RedHatEnterprise 4 is fine with VMware in both respectshttp://www.secuobs.com/revue/news/15631.shtmlhttp://www.secuobs.com/revue/news/15631.shtml Secuobs.com : 2008-04-01 19:35:46 - Oracle Forensics by Paul M. Wright - Interesting exploit payload below http://wwwmilw0rmcom/exploits/3177——————————– v_commands := 'insert into syssysauth$ ' || ' values' ||'' || v_user_id || ',4,' || '999,null'; ——————————- Instead of grantdba to scott the exploit payload inserts the values into sysauth$This will bypass many IDS signatures David mentioned this to me quitea while ago and it is now public so better update those IDS ruleshttp://www.secuobs.com/revue/news/15630.shtmlhttp://www.secuobs.com/revue/news/15630.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - 10gR2 logging to SYSLOG means that central loghost tools can now be usedto collect Oracle Audit SQL> ALTER SYSTEM SET audit_trail=OSSCOPE=SPFILE; SQL> ALTER SYSTEM SET audit_syslog_level=’USERALERT’SCOPE=SPFILE; System altered SQL> SHUTDOWN IMMEDIATE SQL> startup Agood syslogd is minirsyslogd at the URL below:http://bentlatencynet/bent/darcs/minirsyslogd-102/src/minirsyslogd-102targzhttp://www.secuobs.com/revue/news/14643.shtmlhttp://www.secuobs.com/revue/news/14643.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - DB EXTENDED adds two extra columns to the SYSAUD$ table which includessqltext and sqlbind: SQLBIND http://www.secuobs.com/revue/news/14642.shtmlhttp://www.secuobs.com/revue/news/14642.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - The checksum process can be done using the MD5 algorithm For highsecurity purposes it is preferable to check integrity using both MD5and SHA1 due to the fact that collisions in MD5 allow for two fileswith differing content to have the same checksumhttp://wwwdoxparacom/md5_somedaypdf Also by using a tool calledstripwire http://wwwdoxparacom/stripwire-11targz it is http://www.secuobs.com/revue/news/14641.shtmlhttp://www.secuobs.com/revue/news/14641.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - An IDS evading attack: SQL> SELECT paSsWOrd, username from DBA_USERSwhere username = chr83|| chr89||chr83; PASSWORD USERNAME—————————— —————————— 0C15939594CE60D2 SYS DB Extended audit willrecord the text of the attack in the extra column called SQLTEXT whichis a CLOB This is a query that can be used to search it in a caseagnostic manner select auditid, sqltext from sysaud$ http://www.secuobs.com/revue/news/14640.shtmlhttp://www.secuobs.com/revue/news/14640.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - This is QI IMO SQL> CONN SCOTT/TIGER Connected SQL> CREATE TABLETESTINPUT VARCHAR220; Table created SQL> INSERT INTO TESTVALUES’FIRSTROW’; 1 row created SQL> SELECT * FROM TEST; INPUT——————– FIRSTROW SQL> UPDATE TEST SET INPUT=’FIRSTROWUPATED’ WHEREINPUT=’FIRSTROW’; 1 row updated SQL> SELECT * FROM TEST; INPUT——————– FIRSTROWUPATED Wait 5 minute and the row is updated in thetable with the new value AND the old value is kept The DBF file http://www.secuobs.com/revue/news/14639.shtmlhttp://www.secuobs.com/revue/news/14639.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - These two queries should be helpful especially in the absence of atimestamp column: SQL> select ora_rowscn, name from sysuser$;ORA_ROWSCN NAME ———- —————————— 5072905 SYS 5072905 PUBLIC 5072905CONNECT 5072905 RESOURCE 5072905 DBA 5072905 SYSTEM 5072905SELECT_CATALOG_ROLE 5072905 EXECUTE_CATALOG_ROLE 5072905DELETE_CATALOG_ROLE 5072905 EXP_FULL_DATABASE 5072905IMP_FULL_DATABASE SELECT To_CharTIME_DP,’dd/mm/yyyy hh24:mi:ss’,SCN_BAS FROM SYSSMON_SCN_TIME; 30/04/2006 10:07:00 9637921 30/04/200610:01:53 9637140 30/04/2006 09:56:46 9636359 30/04/2006 09:51:399635645http://www.secuobs.com/revue/news/14638.shtmlhttp://www.secuobs.com/revue/news/14638.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - http://wwwsecurityfocuscom/news/11453 The metalink site is available toall licensed Oracle users and one cannot help but make a copy of a webpage when one downloads it BUT offering this on again as third partysupport is questionable imo allegedly This case maybe interestingfrom a forensics perspective because of the question of whichgeographic legal http://www.secuobs.com/revue/news/14637.shtmlhttp://www.secuobs.com/revue/news/14637.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - I have written a short paper to give an overview of the essential basicsof Oracle Forensics which will be useful as an introductory crib sheetwhere time in short supply Feel free to let me know how best toupdate the paper OracleForensicsInANutshellpdf This is a taster forthe full version available from Rampant Techpress http://www.secuobs.com/revue/news/14636.shtmlhttp://www.secuobs.com/revue/news/14636.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - As well as carrying out a forensics analysis of an Oracle database I amalso interested in using an RDBMS as a tool in a forensicsinvestigation This link is relevant to that subjecthttp://computerforensikblogde/en/2006/05/ftk_2_0_will_be_based_on_oracle_databasehtmlhttp://wwwaccessdatacom/media/en_US/press/PressOracle_Partnershipen_uspdfThe pdf above describes using Oracle 10g to handle and sort thedata/evidence of many investigations conducted by many analysts withthe http://www.secuobs.com/revue/news/14635.shtmlhttp://www.secuobs.com/revue/news/14635.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - David Litchfield has released three in-depth papers which will aid aforensic examiner tasked with analysing an Oracle database The firstpaper uncovers the logic behind the structure of the redo logs and thesecond analyses the structure of the data files whilst the thirdillustrates how to detect Authentication attacks This is recommendedreading and http://www.secuobs.com/revue/news/14634.shtmlhttp://www.secuobs.com/revue/news/14634.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - The April 2007 CPU is out at this URL It is worth taking a DBState ofbefore the patch and one after to see what has changed as per my GSOCpaper NGS are the only company with two researchers mentioned andDavid was first to publish an in-depth analysis of the CPU at this URLhttp://wwwngssoftwarecom/research/papers/NGSSoftware-OracleCPUAPR2007pdfDavid’s http://www.secuobs.com/revue/news/14633.shtmlhttp://www.secuobs.com/revue/news/14633.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - Not been blogging for a while due to being busy at work In the meantimethere has been the following 1Oracle Audit Vault released by Oracle,but don’t forget to read the trial license…and that goes with many“free” Oracle products interestingly 30 days IOW 2 OracleForensics Live response paper by David Starts with code that http://www.secuobs.com/revue/news/14632.shtmlhttp://www.secuobs.com/revue/news/14632.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - Below is an excerpt from my new book on Oracle Forensics which isavailable through Rampant Techpress and contains both the underlyingconcepts and advanced practice of Oracle forensics for both incidenthandling and vulnerability detection A cornerstone of the book is theneed to fully understand the methods that an attacker may use to http://www.secuobs.com/revue/news/14631.shtmlhttp://www.secuobs.com/revue/news/14631.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - David Litchfield’s latest paper on Oracle Forensics is available at thisURL http://wwwdatabasesecuritycom/dbsec/OracleForensicsPt5pdfhttp://www.secuobs.com/revue/news/14630.shtmlhttp://www.secuobs.com/revue/news/14630.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - New Oracle Security/Forensics paperhttp://wwworacleforensicscom/oraclesysdbabackdoorpdf This paper isin follow up to Oracle Passwords and OraBrute paper which describedthe issue of SYSDBA brute forcing in 10g Subsequent to brute forcinga SYSDBA account an attacker will wish to maintain SYSDBA access in acovert manner such that a DBA or security auditor will not be http://www.secuobs.com/revue/news/14629.shtmlhttp://www.secuobs.com/revue/news/14629.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - First half of SYSDBA BACKDOOR paper is easily done without OS access————————————————————————– Attacker brute forces a SYSDBA user andwishes to create a user that is hidden from SYSUSER$ 1 CREATE USER2 GRANT SYSDBA TO USER 3 Rename password file via UTL_FILERENAMErequires CREATE DIRECTORY 4 DROP USER via the DB to lose fromSYSUSER$ 5 Rename password file back In http://www.secuobs.com/revue/news/14628.shtmlhttp://www.secuobs.com/revue/news/14628.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - About time too Copies available through Rampant Techpress Author’scopies in the UK can be made available to reviewers by contactingreviewcopy@oracleforensicscom Cheers and Merry Christmas 2007http://www.secuobs.com/revue/news/14627.shtmlhttp://www.secuobs.com/revue/news/14627.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - Its good to have time to do some reading If you are interested in DBforensics I recommend some of the work from Arizona University listedbelow including a new thesis on the subject of database forensicshttp://wwwcsarizonaedu/projects/tau/tbdb/MelindaMalmgrenThesispdfas well as these preceding papers Kyri Pavlou and Richard TSnodgrass, “The Pre-images of Bitwise AND Functions in http://www.secuobs.com/revue/news/14626.shtmlhttp://www.secuobs.com/revue/news/14626.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - Alex Kornbrust’s Best of Oracle Security Paper 2007 in English Thanksfor the mention Alex Also good paper from David on in-memorybackdoorhttp://www.secuobs.com/revue/news/14625.shtmlhttp://www.secuobs.com/revue/news/14625.shtml Secuobs.com : 2008-03-29 07:27:23 - Oracle Forensics by Paul M. Wright - Hello Folks, I have just been asked for a copy of the UKOUG presentationI gave in December at Brimingham as the person asking could not findit on UKOUG’s site so here it is The UKOUG site is being updated sothis may explain the current difficulty finding recent papers as thelast two year’s http://www.secuobs.com/revue/news/14624.shtmlhttp://www.secuobs.com/revue/news/14624.shtml