Massive Attack By Botnet To Oracle

In the last two days I have received, from coworkers and distribution lists, the same alarm about a botnet known as ECHOBOT that has Oracle among its victims. Not much more is specified. Within my professional field, as a database specialist, I am interested in database engines, but reading several notes, the only reference to Oracle (which already has a whole stack of products) is to vulnerability CVE-2019-2725, which affects Oracle WebLogic, and it seems that part of the problem is, once again, the serialization problems that Java has. Supposedly Oracle was going to rebuild the whole serialization part.

Vulnerable products and versions

  • Oracle Weblogic Server 12.1.3.0.0
  • Oracle Weblogic Server 10.3.6.0.0

I would recommend those affected to access MetaLink / MOS (My Oracle Support) and find the corresponding patches. From what I have read it affects HTTP; using plain HTTP is a bad idea in 2019 anyway, and all the more so with a product that may be placed in a DMZ facing an external network, where precautions have to be maximized.

HTH – Antonio NAVARRO.

 

PS:

So sorry, I have seen that Oracle has updated the note and it does affect HTTPS as well. The affected WebLogic versions are:

Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0


Error ORA-01924

Recently I have been migrating a database from version 10g to 12c. In the functional testing phase the error ORA-01924 came up. This occurs (in version 12.1) when the 600 roles assigned to a user are exceeded; Oracle has a specific one-off patch for it, tracked in bug 18934948. But after applying this one-off, the problem persisted. After several tests we saw that it was a lack of privileges: the user who got the error lacked the ability to interact with roles.

In version 10g I did not have any problem with the level of privileges assigned, but in version 12c I needed to add two new privileges. The difference in behaviour between versions may seem strange, but it makes sense if you look at the continuity model. Oracle has lately accelerated this part of the database; in general it has been a leader in many aspects, but here it has always been one step behind other RDBMSs such as SQL Server.

In this case, granting these two privileges to the user solved the problem:

  • drop role
  • grant any role
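A worked check to go with this, added here and not part of the original post (the user name APP_USER is a placeholder; run as a DBA on 12c): count the roles a user really receives at logon, including roles nested inside other roles, since that is what the limit above is about; then grant the two privileges by their full Oracle system-privilege names and list who else holds them.

```sql
-- Added example, not from the original post. APP_USER is a placeholder.

-- 1. How many roles does this user effectively receive at logon?
--    Roles granted to roles are followed recursively (Oracle forbids
--    circular role grants, so the recursion terminates).
WITH role_tree (granted_role, lvl) AS (
  SELECT granted_role, 1
    FROM dba_role_privs
   WHERE grantee = 'APP_USER'
  UNION ALL
  SELECT r.granted_role, t.lvl + 1
    FROM dba_role_privs r
    JOIN role_tree t ON r.grantee = t.granted_role
)
SELECT COUNT(DISTINCT granted_role) AS effective_roles,
       MAX(lvl)                     AS deepest_nesting
  FROM role_tree;

-- 2. The two privileges the post names, as Oracle spells them.
GRANT DROP ANY ROLE, GRANT ANY ROLE TO app_user;

-- 3. The caveat: GRANT ANY ROLE lets its holder hand DBA (or any other
--    role) to anyone, so the list of holders should stay short and be
--    reviewed after the migration.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('GRANT ANY ROLE', 'DROP ANY ROLE')
 ORDER BY privilege, grantee;
```

If the first query already reports several hundred roles, the one-off patch alone will not help; that is the situation the post describes, and the recursive count makes the nesting visible.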

HTH – Antonio NAVARRO.

 

Network Crawler (PL/SQL)

In some free time, of which I have less and less, I have been writing a small spider (programmed in PL/SQL) so that, once we have access to a database, we can launch a discovery process on the network where the machine hosting the database server sits. This code is intended as a PoC (Proof of Concept).

Basically what I am going to do is use a few packages that Oracle usually ships by default (this can vary by version). If I manage to execute them in the database, this by default gives me access to the network where the database server is and lets me discover machines/servers in that piece of network. It would be similar to using nmap (for example, nmap -sn 173.101.0.0/24) but from Oracle itself.

Note that it depends on how the network is configured, its security level (use of ACLs), etc. They can block us and we may not see anything.

The picture shows the banner for the tool 🙂

crawler_plsql_drei

This small script receives four parameters:

#1 prev_range: n IPs to try before the IP of the machine where the database is.
#2 post_range: n IPs to try after the IP of the machine where the database is.

Suppose the machine where the database is located has the IP 173.120.0.50.

if we execute: crawler_plsql 5 6

the process will try to discover whether each of the following IPs exists and what its alias is:

173.120.0.45
173.120.0.46
173.120.0.47
173.120.0.48
173.120.0.49
173.120.0.50
173.120.0.51
173.120.0.52
173.120.0.53
173.120.0.54
173.120.0.55
173.120.0.56

The next picture shows the start and check process, which verifies privileges and permissions for the user we are using (the actual IP has been pixelated):

crawler_plsql_eins

In the next step the crawler shows a list of all hosts it has discovered (inside the range given by param #1 and param #2). The following picture has been pixelated.

crawler_plsql_zwei

#3 try_dblink: this parameter tries to create a dblink to the destination against port 1521. The idea is to identify whether there is another Oracle engine, configured by default on port 1521 (a next version could do a vertical scan, 1024 - 65535), and if there is, to see how far we get.

if we execute: crawler_plsql 5 6 Y

the process will try to create a database link against the IPs. With the previous example, it tries to create a dblink against each of the IPs in the range 173.120.0.45 - 173.120.0.56.

#4 send_mail: takes all the information collected and sends it by mail. If you are doing something you should not be doing, do not send it to an address that may be associated with you; it would be an exfiltration of data.

if we execute: crawler_plsql 5 6 Y Y

It will send the mail based on the configuration of the section "Settings for email"; the parameters to configure are:

CMailIp        -- IP of the SMTP server (relay) used to send the mail
CPort          -- SMTP port, 25 by default
CFromName      -- sender name
CFromEmail     -- sender mailbox
CToName        -- recipient name
CToEmail       -- recipient mailbox
CSubject       -- subject
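The following PL/SQL is an added example written for this page; it is not the author's CRAWLER_PLSQL code. It assumes that the "default packages" the post refers to are UTL_INADDR (to learn the server's own address and do reverse lookups) and UTL_TCP (a plain connect to port 1521 standing in for the dblink attempt), which the post does not name. Constants stand in for parameters #1 to #3; #4 (mail via UTL_SMTP) is left out. The two queries at the end are the defender's side of the same story: who may execute these packages, and what the 12c network ACLs let them reach.

```sql
-- Added example, not the author's tool. Needs EXECUTE on UTL_INADDR and
-- UTL_TCP plus a network ACL that allows resolve/connect; serveroutput on.
DECLARE
  c_prev_range  CONSTANT PLS_INTEGER := 5;     -- parameter #1
  c_post_range  CONSTANT PLS_INTEGER := 6;     -- parameter #2
  c_try_port    CONSTANT BOOLEAN     := TRUE;  -- parameter #3, as a TCP probe of 1521
  c_oracle_port CONSTANT PLS_INTEGER := 1521;

  e_unknown_host EXCEPTION;                    -- ORA-29257: no reverse (PTR) record
  PRAGMA EXCEPTION_INIT(e_unknown_host, -29257);
  e_acl_denied   EXCEPTION;                    -- ORA-24247: network ACL blocks this user
  PRAGMA EXCEPTION_INIT(e_acl_denied, -24247);

  l_my_ip   VARCHAR2(15);
  l_prefix  VARCHAR2(12);
  l_last    PLS_INTEGER;
  l_target  VARCHAR2(15);
  l_name    VARCHAR2(256);
  l_conn    UTL_TCP.connection;
BEGIN
  -- With no argument UTL_INADDR returns the database server's own address,
  -- which fixes the /24 the sweep works in (e.g. '173.120.0.' and 50).
  l_my_ip  := UTL_INADDR.GET_HOST_ADDRESS;
  l_prefix := SUBSTR(l_my_ip, 1, INSTR(l_my_ip, '.', -1));
  l_last   := TO_NUMBER(SUBSTR(l_my_ip, INSTR(l_my_ip, '.', -1) + 1));
  DBMS_OUTPUT.PUT_LINE('database host: ' || l_my_ip);

  FOR i IN GREATEST(l_last - c_prev_range, 0) .. LEAST(l_last + c_post_range, 255) LOOP
    l_target := l_prefix || i;

    -- Discovery step: a reverse lookup yields the alias the post talks about.
    BEGIN
      l_name := UTL_INADDR.GET_HOST_NAME(l_target);
    EXCEPTION
      WHEN e_unknown_host THEN
        l_name := '(no name)';
    END;
    DBMS_OUTPUT.PUT_LINE(l_target || '  ' || l_name);

    -- "Try dblink" step, reduced to a TCP connect on the listener port.
    -- A refused port raises UTL_TCP.network_error at once; a filtered port
    -- blocks until the OS connect timeout, because tx_timeout only covers
    -- read/write after the connection is up.
    IF c_try_port THEN
      BEGIN
        l_conn := UTL_TCP.OPEN_CONNECTION(remote_host => l_target,
                                          remote_port => c_oracle_port,
                                          tx_timeout  => 2);
        DBMS_OUTPUT.PUT_LINE('    tcp/' || c_oracle_port || ' open');
        UTL_TCP.CLOSE_CONNECTION(l_conn);
      EXCEPTION
        WHEN UTL_TCP.network_error THEN
          DBMS_OUTPUT.PUT_LINE('    tcp/' || c_oracle_port || ' closed');
      END;
    END IF;
  END LOOP;
EXCEPTION
  WHEN e_acl_denied THEN
    -- This is the ACL block the post warns about: nothing is visible.
    DBMS_OUTPUT.PUT_LINE('blocked by network ACL (ORA-24247)');
END;
/

-- Defender's side (12c dictionary views): who may call the packages the
-- sweep needs, and which hosts/ports the network ACLs open to them.
SELECT grantee, table_name
  FROM dba_tab_privs
 WHERE table_name IN ('UTL_INADDR', 'UTL_TCP', 'UTL_SMTP', 'UTL_HTTP')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

SELECT host, lower_port, upper_port, principal, privilege
  FROM dba_host_aces
 ORDER BY host, principal;
```

If the second query shows an ACE with host '*' for PUBLIC or for an application schema, every connected user has the network reach this PoC relies on; tightening that is what stops the sweep, not hiding the packages.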

Finally, the link to the code is this:

CRAWLER_PLSQL (github download)

 
Any comment is welcome.

HTH – Antonio NAVARRO

Generating Hash Passwords In Oracle

I have shared on my GitHub a small code fragment, programmed in Java, that from a database user name and its password generates the hash that Oracle would generate (in versions 11 and below). This is just an example to see how easy it is to obtain this data. Logically, we can play with the user name and hash to get the password.

From version 12 onwards, the form and algorithms that Oracle uses to generate the hash (or "encrypted password") have changed, including the use of a cryptographic salt (11g had already added a salted SHA-1 verifier next to the legacy hash; 12c adds a PBKDF2-based verifier and no longer generates the legacy unsalted hash by default). I promise to look at the concept and use of cryptographic salt in more detail in another post, although I can tell you in advance that its main function is to shield the hash against possible dictionary attacks.

To see the code, follow the next link:

Generate Hash Code (Java implementation)
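The PL/SQL below is an added example, not the author's Java code (which targets the legacy unsalted hash). It uses DBMS_CRYPTO to show why a salt defeats precomputed dictionaries: an unsalted hash is identical for every user who picked the same password, a salted one is not, and verification still works because the salt is stored in clear next to the hash. The layout mirrors the 11g "S:" verifier as this example assumes it (SHA-1 over password || 10-byte salt, in hex, followed by the hex salt); the password is a constructed sample. Requires EXECUTE on DBMS_CRYPTO and serveroutput on.

```sql
-- Added example, not from the original post or its GitHub code.
DECLARE
  c_password CONSTANT VARCHAR2(30) := 'Winter2019';  -- constructed sample password
  c_salt_len CONSTANT PLS_INTEGER  := 10;            -- 11g-style verifier: 10-byte salt

  -- Unsalted: SHA-1(password) only. Same password => same hash for every
  -- user, so one precomputed dictionary of hashes cracks all of them.
  FUNCTION unsalted(p_pwd VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN RAWTOHEX(DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(p_pwd),
                                     DBMS_CRYPTO.HASH_SH1));
  END;

  -- Salted, laid out like the 11g "S:" verifier (assumption of this
  -- example): 'S:' || 40 hex chars of SHA-1(password || salt) || 20 hex
  -- chars of salt. The attacker must rebuild the dictionary per salt.
  FUNCTION salted(p_pwd VARCHAR2, p_salt RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN 'S:'
        || RAWTOHEX(DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(p_pwd), p_salt),
                                     DBMS_CRYPTO.HASH_SH1))
        || RAWTOHEX(p_salt);
  END;

  -- Verification: the salt is not secret; read it back from positions
  -- 43..62 of the stored string and hash the candidate with it.
  FUNCTION verify(p_pwd VARCHAR2, p_stored VARCHAR2) RETURN BOOLEAN IS
    l_salt RAW(10) := HEXTORAW(SUBSTR(p_stored, 43, 20));
  BEGIN
    RETURN salted(p_pwd, l_salt) = p_stored;
  END;

  l_user_a VARCHAR2(62);
  l_user_b VARCHAR2(62);
BEGIN
  -- Two users, same password, no salt: the two lines are identical.
  DBMS_OUTPUT.PUT_LINE('unsalted A: ' || unsalted(c_password));
  DBMS_OUTPUT.PUT_LINE('unsalted B: ' || unsalted(c_password));

  -- Same password with a fresh random salt each: the two lines differ.
  l_user_a := salted(c_password, DBMS_CRYPTO.RANDOMBYTES(c_salt_len));
  l_user_b := salted(c_password, DBMS_CRYPTO.RANDOMBYTES(c_salt_len));
  DBMS_OUTPUT.PUT_LINE('salted   A: ' || l_user_a);
  DBMS_OUTPUT.PUT_LINE('salted   B: ' || l_user_b);

  -- Salt does not weaken verification; case still matters.
  DBMS_OUTPUT.PUT_LINE('verify correct password: '
      || CASE WHEN verify(c_password, l_user_a) THEN 'ok' ELSE 'fail' END);
  DBMS_OUTPUT.PUT_LINE('verify wrong password:   '
      || CASE WHEN verify('winter2019', l_user_a) THEN 'ok' ELSE 'fail' END);
END;
/
```

Note what the salt does not do: it does not slow down guessing a single user's password, it only stops the work from being shared across users or precomputed. That is why the 12c verifier adds iterated hashing (PBKDF2) on top of the salt.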

HTH – Antonio NAVARRO

 

Error in Certificate Validation

They report the error below when they try to reach a secure web site with a certificate (the database is configured in Spanish):

SELECT UTL_HTTP.REQUEST('https://testweb1.intranet34.com/') FROM DUAL;
SELECT UTL_HTTP.REQUEST('https://testweb1.intranet34.com/') FROM DUAL
       *
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-29024: Certificate validation failure
ORA-06512: at line 1

In this case the certificate used is the correct one, but the database is on version 11.2.0.1. The problem is that the URL being accessed requires TLS, and that database release does not support the TLS version the site demands (1.1). It is solved by upgrading to 11.2.0.4.2.
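The same request as an added PL/SQL example (not the page's own code), with detailed exceptions switched on so the underlying error is reported instead of the generic ORA-29273. It uses the wallet path and password from the orapki post on this page and the URL from the failing SELECT, and it assumes the site's CA certificate has been imported into that wallet; none of that is in the original post.

```sql
-- Added example, not from the original post. Wallet path/password are
-- the ones from the orapki post on this page; serveroutput on.
DECLARE
  e_cert_validation EXCEPTION;                 -- ORA-29024
  PRAGMA EXCEPTION_INIT(e_cert_validation, -29024);

  l_req  UTL_HTTP.req;
  l_resp UTL_HTTP.resp;
BEGIN
  -- Raise the real error (ORA-29024, ORA-28860, ...) rather than wrapping
  -- everything in ORA-29273 "HTTP request failed".
  UTL_HTTP.SET_DETAILED_EXCEPTIONS(TRUE);

  -- Wallet holding the trusted CA chain of the site. With an auto-login
  -- wallet (orapki wallet create ... -auto_login) the password can be NULL
  -- and need not live in the code.
  UTL_HTTP.SET_WALLET('file:/sandbox34/shared/certificates', 'Sys123456');

  l_req  := UTL_HTTP.BEGIN_REQUEST('https://testweb1.intranet34.com/');
  l_resp := UTL_HTTP.GET_RESPONSE(l_req);
  DBMS_OUTPUT.PUT_LINE('HTTP ' || l_resp.status_code || ' ' || l_resp.reason_phrase);
  UTL_HTTP.END_RESPONSE(l_resp);
EXCEPTION
  WHEN e_cert_validation THEN
    -- Two different causes end here: the CA is missing from the wallet, or
    -- (as in the 11.2.0.1 case above) the client cannot negotiate the TLS
    -- version the server insists on. Fix the wallet first; if the error
    -- stays, the protocol level is the problem and only an upgrade helps.
    DBMS_OUTPUT.PUT_LINE('certificate validation failed: ' || UTL_HTTP.GET_DETAILED_SQLERRM);
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('ORA' || SQLCODE || ': ' || UTL_HTTP.GET_DETAILED_SQLERRM);
END;
/
```

Running this from a client that is known to support TLS 1.1/1.2 (curl against the same URL, for instance) separates a wallet problem from a protocol problem before deciding to patch the database.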

 
HTH – Antonio NAVARRO

Error “Unable to save wallet at”

This morning, installing certificates in an old release (11.2.0.1), I got the following error:

$ orapki wallet create -wallet /sandbox34/shared/certificates  -pwd Sistemaspro
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

Unable to save wallet at /plustes/test/utilidades
$

After a while verifying permissions and trying to create files in this filesystem, which was all fine, it came to my mind that this was a problem I had already run into on some occasion, and that it was caused by the password itself. The issue is that there is a set of minimum requirements, but simply including a run of numbers and a capital letter is enough. Let's see the following example:

$ orapki wallet create -wallet /sandbox34/shared/certificates -pwd Sys123456
Oracle PKI Tool : Version 11.2.0.1.0 - Production
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.

$

 
HTH – Antonio NAVARRO

 

Schema Only Accounts

Starting with 18c, Oracle has introduced schema-only accounts. These let us create schemas that have no permission to connect directly. They are intended mainly to hold objects that will later be used by other users or processes. From a security point of view this adds a step by removing the possibility of logging in to the account at all, which matters because this kind of schema user is usually rich in privileges. To create a user of this type, replace the clause "IDENTIFIED BY XXXX" with "NO AUTHENTICATION". Let's see the following example:

CREATE USER schema_without_access NO AUTHENTICATION;

Since it is not possible to make a direct connection with this type of user, how do we connect to work with it? We must first grant the "CONNECT THROUGH" permission:

ALTER USER schema_without_access GRANT CONNECT THROUGH antonio;

We can then connect in the following way:

CONN antonio[schema_without_access]/my_password@database
Connected.
SQL>
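The following SQL is an added example, not from the original post; LEGACY_SCHEMA, APP_RO and OLD_PROXY_USER are placeholders (18c or later). It covers converting an existing password account, checking that the account really cannot authenticate, and the proxy-side caveat: CONNECT THROUGH is now the only way into a schema that usually carries many privileges, so limit the roles a proxy session receives and review who holds the right.

```sql
-- Added example, not from the original post. Placeholders: LEGACY_SCHEMA,
-- APP_RO, OLD_PROXY_USER. Run as a DBA on 18c or later.

-- Existing password-based schema owners can be converted in place; after
-- this no password login to them is possible, objects are untouched.
ALTER USER legacy_schema NO AUTHENTICATION;

-- Check the control is in place: AUTHENTICATION_TYPE is NONE for
-- schema-only accounts (PASSWORD for ordinary ones).
SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE username IN ('SCHEMA_WITHOUT_ACCESS', 'LEGACY_SCHEMA');

-- Least privilege on the proxy path: the proxy session gets only APP_RO
-- instead of every role the schema owns.
ALTER USER schema_without_access GRANT CONNECT THROUGH antonio WITH ROLE app_ro;

-- Who can still enter the schema; revoke anything unexpected.
SELECT proxy, client, authentication
  FROM proxy_users
 WHERE client = 'SCHEMA_WITHOUT_ACCESS';
ALTER USER schema_without_access REVOKE CONNECT THROUGH old_proxy_user;

-- Inside a proxy session the person behind it is still visible to
-- auditing: SESSION_USER is the schema, PROXY_USER is who authenticated.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS schema_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS real_user
  FROM dual;
```

The last query is what makes the model auditable: a schema-only account never authenticates itself, so every session in it can be tied back to a named proxy user rather than to a shared password.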

HTH – Antonio NAVARRO