Update - For a complete treatment of
the topic of Oracle security on the web, see these books and resources:
Hardly a week goes by that we do not see a news report about a major web-based application being hacked. Since most of these systems use Oracle, the savvy DBA must be on the alert for attempts to hack into the database server. As we will see, a hacker who can get onto your database server can change the UNIX file permissions on the Oracle data files and completely bypass Oracle security.
Trick 1 – Hacking your Oracle server from the web
I recently had an Oracle client "hacked" from a foreign
country, and this is the trick that they used to find my client over the web and
access their server.
Internet hackers are constantly cruising the web looking for servers to attack. To do this, hackers write simple scripts that generate random IP addresses and "ping" each one, looking for a server that responds "I'm here". The response is called a "ping acknowledgement", and is a standard feature of the ping utility.
Here is the output from a ping command:
Pinging 172.234.33.101 with 32 bytes of data:
Reply from 172.234.33.101: bytes=32 time=164ms TTL=254
Reply from 172.234.33.101: bytes=32 time=162ms TTL=254
Reply from 172.234.33.101: bytes=32 time=170ms TTL=254
Ping statistics for 172.234.33.101:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 162ms, Maximum = 170ms, Average = 165ms
The acknowledgement packet (called an "ack" in Netguru jargon) tells the hacker that there is an active server at this IP address. The hacker will then telnet to your server and begin a series of attempts to guess the "root" or "oracle" user password. The best way to foil this type of attack is to disable all server accounts after three password attempts.
Below is the pseudocode for a UNIX shell script to probe the Internet for vulnerable servers. Hackers run this script as a daemon process and scan hundreds of thousands of IP addresses every hour.
Please note that I have deliberately introduced syntax errors into the pseudocode routine. This script has been made unusable in order to prevent evil people who see this article from possessing a dangerous tool.
/*#/bin/ksh
while true
do
#****************************************************
# Generate a random IP address
#****************************************************
$IP_ADDRESS=rnd(1-255).rnd(1-255).rnd(1-255).rnd(1-255)
#****************************************************
# Submit the IP address to the ping command
#****************************************************
nohup ping $IP_ADDRESS > /tmp/t.lst 2>&1 &
#****************************************************
# If ping is responding – start the attack
#****************************************************
if `cat /tmp/t.lst|wc –l` > 0
then invoke attack_routine
fi
done
The attack_routine is a standard tool using
random user/password generation, and after several million attempts, the routine
can almost always gain access to the database server. I recently hired a "white
hat" hacker to see how easy this was, and their attack script was able to gain
entry to the server in less than 3 hours!
As we can see, even a novice computer person can write an attack program and locate opportunities for server attack. While the main method of attack is directly via the IP address, some creative hackers gain entry with I/O-enabled Java applets and other programs that compromise the writing of cookies. To prevent these types of external attack, savvy companies employ some of the following techniques:
- Trusted IP addresses - UNIX servers can be configured to only answer pings from a list of "trusted" hosts. In UNIX, this is done by configuring the .rhosts file. The .rhosts file restricts server access to a list of specific users.
- Server account disabling – If you suspend the server ID after three password attempts, you thwart attackers. Without user ID suspension, an attacker can write a program that runs millions of passwords until it guesses a user and password combination.
- Special Tools – There are products such as Zone Alarm that send an alert when an external server is attempting to breach your firewall security.
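The "three password attempts" rule above can also be checked from the login log itself. Below is an added example (not from the article) that counts failed logins per account and per source host over sample lines and reports anything at or over the limit; the OpenSSH-style "Failed password for ..." line format and the sample lines are assumptions, so adapt the regex to whatever your telnet or ssh daemon writes.

```python
# Added example: flag accounts and source hosts that reach the article's
# suggested limit of three failed logins. Log format is assumed (OpenSSH-style).
import re
from collections import defaultdict

MAX_ATTEMPTS = 3   # the article's recommendation: suspend after three failures

# Constructed sample lines (not real log data)
SAMPLE_LOG = """\
Jan 14 02:11:03 db01 sshd[4311]: Failed password for root from 172.234.33.101 port 51022 ssh2
Jan 14 02:11:05 db01 sshd[4311]: Failed password for root from 172.234.33.101 port 51022 ssh2
Jan 14 02:11:08 db01 sshd[4311]: Failed password for root from 172.234.33.101 port 51022 ssh2
Jan 14 02:11:10 db01 sshd[4311]: Failed password for root from 172.234.33.101 port 51022 ssh2
Jan 14 02:12:41 db01 sshd[4320]: Failed password for invalid user oracle from 172.234.33.101 port 51030 ssh2
Jan 14 02:15:00 db01 sshd[4330]: Failed password for oracle from 10.1.2.7 port 40010 ssh2
Jan 14 02:15:30 db01 sshd[4331]: Accepted password for oracle from 10.1.2.7 port 40011 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("src")

def accounts_to_suspend(text, limit=MAX_ATTEMPTS):
    """Return {user: failures} for accounts that reached the limit."""
    counts = defaultdict(int)
    for _ts, user, _src in parse_failures(text):
        counts[user] += 1
    return {u: n for u, n in counts.items() if n >= limit}

def noisy_sources(text, limit=MAX_ATTEMPTS):
    """Return {source: failures} for hosts that reached the limit across all
    accounts, which is what the random-scanner pattern above looks like."""
    counts = defaultdict(int)
    for _ts, _user, src in parse_failures(text):
        counts[src] += 1
    return {s: n for s, n in counts.items() if n >= limit}

if __name__ == "__main__":
    print("suspend accounts:", accounts_to_suspend(SAMPLE_LOG))
    print("block sources:", noisy_sources(SAMPLE_LOG))
```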
As we have noted, once the hacker gets access to the Oracle
server, they can use tricks to bypass Oracle and read the data files directly
from disk.
Trick 2 – Bypassing Oracle security
One trick commonly used by UNIX hackers is
to leverage the UNIX operating system to probe into the Oracle data blocks.
With some knowledge of UNIX and Oracle, the nasty hacker can use UNIX to verify
the contents of Oracle data rows.
This technique is also useful if data corruption is causing a data file to go offline, or if Oracle data is suspect. Let's see how this is done.
We start by running a SQL query that uses the ROWID to locate the data block containing the row we want to investigate. Here we rely on the dbms_rowid package, and use the rowid_block_number function to return the data block corresponding to our desired row.
select
dbms_rowid.rowid_block_number(rowid) block
from
customer
where
customer_name = 'Burleson';
BLOCK
-----
141
Here we see that the customer information
for Burleson resides on the 141st block in the data file. We can now go to UNIX
and display the contents of this row.
This is a great tool because we can display
Oracle data even if the database is shut down. Of course, hackers can also use
these tools to bypass the security of the Oracle database, hacking directly into
the Oracle data files.
To display block 141, we can use the UNIX dd command. The dd command accepts a skip parameter that tells it how many blocks to skip before it starts reading. To get to block 141 we must allow for nine blocks in the datafile header. We must also remember that skip should leave us positioned at the block immediately before our data block, so that the single block dd then reads is ours.
Hence, our data block is block 150 (141+9) in the file, and the skip parameter for block 141 will be 141+9-1 = 149. We also need to specify the block size for the dd command in the ibs parameter.
Once we run the UNIX dd command to read the
Oracle data block, we can filter the output by piping it to the UNIX strings
command to only show printable information. Here is the UNIX command and the
output showing the displayable data inside the data block:
root> dd if=/u01/oradata/prod/customer.dbf \
ibs=8192 skip=149 count=1|strings
1+0 records in
149+0 records out
Donald Burleson 3/35/56 1401
West Avenue
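The skip arithmetic and the strings filter above, as an added example that is not part of the article: it computes the dd skip value and byte offset for a block, reads that block from a constructed in-memory "datafile", and applies a strings(1)-style filter. The 8192 block size, the nine header blocks and the planted row text are assumptions taken from the article's own numbers; the header allowance depends on the Oracle version and block size, so confirm it against a real file before relying on it for recovery.

```python
# Added example (not the article's code): dd skip arithmetic plus a
# strings(1)-style filter over a constructed datafile image.
import re

BLOCK_SIZE = 8192      # Oracle db_block_size; the article's ibs=8192
HEADER_BLOCKS = 9      # the article's allowance for the datafile header (assumed)

def dd_skip_for_block(block_number, header_blocks=HEADER_BLOCKS):
    """Value for dd's skip= parameter: dd skips this many blocks and then
    reads the next one, hence the -1 (article: 141 + 9 - 1 = 149)."""
    return block_number + header_blocks - 1

def byte_offset(block_number, block_size=BLOCK_SIZE, header_blocks=HEADER_BLOCKS):
    """Byte offset of the first byte of the block dd would read."""
    return dd_skip_for_block(block_number, header_blocks) * block_size

def read_block(data, block_number, block_size=BLOCK_SIZE, header_blocks=HEADER_BLOCKS):
    """Same bytes as 'dd if=... ibs=block_size skip=N count=1' on a buffer."""
    off = byte_offset(block_number, block_size, header_blocks)
    return data[off:off + block_size]

def printable_strings(blob, min_len=4):
    """Mimic strings(1): runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def make_sample_datafile(row_text, block_number):
    """Constructed datafile image: zero-filled blocks with row_text planted
    inside the block that dd_skip_for_block() points at (sample data only)."""
    total = dd_skip_for_block(block_number) + 2          # a couple of spare blocks
    buf = bytearray(total * BLOCK_SIZE)
    off = byte_offset(block_number) + 100                # somewhere inside the block
    buf[off:off + len(row_text)] = row_text.encode("ascii")
    return bytes(buf)

if __name__ == "__main__":
    sample = make_sample_datafile("Donald Burleson 1401 West Avenue", 141)
    print("skip =", dd_skip_for_block(141))              # 149, as in the article
    print(printable_strings(read_block(sample, 141)))
```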
While this technique is most useful in emergency situations when you cannot start the Oracle database, it is important to understand how a UNIX hacker can bypass Oracle and read information directly from your Oracle database files.
Please note that Donald Keith Burleson is not related to Donald Gene Burleson, a person charged in Texas computer-related crimes.