Defcon 2006: Oracle not so "unbreakable"

Las Vegas (NV) - Your company's cleaning staff could be illegally moonlighting as your Oracle database administrator. Alexander Kornbrust, founder and CEO of Red Database Security, says hackers could easily exploit vulnerabilities in Oracle database and gain administrator access. Speaking at the Defcon security convention in Las Vegas, he also explained that administrator passwords are often stored and easily retrieved on company computers.

Kornbrust talked to a packed audience for his Oracle 2.0 rootkits session, but despite the ominous sounding title, he told TG Daily that his purpose was not to show a complete rootkit. "I just want to show how easy it is to gain administrator privileges," said Kornbrust. He believes there are 40 to 50 vulnerabilities, ranging from minor to critical, in Oracle 10G.

Many of the vulnerabilities Kornbrust focused on were privilege escalation hacks which required the hacker to already have database access. In one example, hackers could simply grant themselves administrator or "dba" privileges after renaming the sys.user$ table to sys.aser$ and then entering a "grant dba to hacker" command.

Instead of renaming tables, hackers could just alter Oracle binary files. Kornbrust said hackers could just rename the alter session command to "grant dba to public" in the oraclient9.dll and oraclient10.dll files. This effectively would give everyone administrator access. "It would be democracy in the database, but many administrators would call it anarchy," Kornbrust said.

But hackers often don't have to work too hard to gain administrator privileges because many companies either have poor password policies or don't realize that the passwords could be stored on client computers. Kornbrust believes that 95% of companies are vulnerable to easily retrieved passwords on client computers. Part of the problem is that many administrators think security is just a server side problem.

"Most people focus on the database itself, not the whole system which includes the client side environment," Kornbrust explained.

Alexander Kornbrust believes there are 40-50 vulnerabilities in Oracle 10G

According to Kornbrust, many administrators are storing their passwords in text files for easy cutting and pasting into dialog windows. Passwords are also stored in the configuration or .INI files of some development tools like TOAD. Kornbrust showed us a sample TOAD .INI file which contained a password encrypted with the Ceasar-Chiffre algorithm - a simple letter shifting encryption. Pointing to the scrambled password, Kornbrust said, "I'm not sure if you can even call that encryption."

What is the ultimate risk to companies if their databases are compromised? Kornbrust says a company can lose all of their databases in a few minutes and recovery from such a loss could take a full week. "Once someone gains DBA privileges, they can write a simple script to loop through and destroy each database," says Kornbrust.

Backup tapes can usually restore a database or two quickly, but Kornbrust adds, "if you lose 1000 databases in five minutes, your backup tapes are no good." Recovering from a catastrophic database loss is further hampered by a virtual denial of service attack on the database help desk. "You're going to have emails flooding into the database administrator and many people visiting you," says Kornbrust.

Despite all the vulnerabilities he disclosed, Kornbrust told us that database administrators can protect their systems with file checksumming, hardening the database and maintaining appropriate password policies.

While it may seem that Kornbrust is picking on Oracle databases, he says that all other systems are vulnerable as well. "The same types of problems exist with other databases. It's not just an Oracle problem." But he added, that Oracle is an attractive target since the databases are often connected to other systems like SAP.