>> Good morning. I like to say it is nice to see all of you bright and early, but I can't see anybody at all right now so I've got bright lights in my face. We're going to be talking about Oracle data redaction and how it failed to protect data at the moment. Or actually not at the moment because it has to be patched so I won�t be dropped an 0day at the moment. But before we get there who am I? I'm David Lichtfield. I'm been a security researcher for 12, 14 years now or so. I work for some companies work with really cool people. At stake back in the day NCC, we were acquired by NCC back in 2008 and since then they Accu VON. I'm working for a company in Australia called DataCom TSS well, TSS is a nice company. It's more for the sharks and Australian waters. Buffer exploitation was my forte. I enjoyed the bits and bytes but commercially I was driven towards database security. No one seemed to be doing it or doing it very well, and so basically I took a decision that I would get out of the bits and bytes; well to be fair, I still do a lot of bits and bytes because database obviously have data overflows.
>> Probably the best bit of work I did was in 2003. I've not really done anything great since then or what I feel is good. When I wrote the first paper on defeating the MicroSoft stack protection and SafeSEH. Ever since then, I have not really been writing exploits.
>> If you're interested in security or sharks, you can follow me at D Lichtfield on twitter or if you wander to have a session longer conversation not necessarily in public I can be contacted.
>> Who remembers the Sony Play Station breach in 2011. That was an Oracle based server. That senior Oracle management didn't know it was their database. It was criminal. He should spend less time on his boat and more time concentrating on his software.
>> We should be buying other products. So standing by those words I would like to then continue this talk. I want to give you some background before we get to how we bypass Oracle. Let's do it from the beginning. So, the guy a few years ago about 12, 14 years ago called RFP, still around but he was one of the greatest researchers of our time and he did a lot of research into sequin injection. It wasn't called sequin injection at the time. People were talking about things like sequence session at the time. RFP had written a couple papers and we had a conversation boy it. I was like I've never really looked at the service.
>> So I put together a paper called web application disassembly. This was my first venture into the database world essentially. And then we were kicking the hell out of Microsoft server. I wrote a paper called trip profiler and I covered ‑‑
>> Some of the more interesting patching stories we've had with Oracle, I want to ‑‑ the reason I'm bringing this up is because as I said it's sort of setting the scene for where we are today and why we are called data re‑‑ the Oracle data redaction stuff is as bad as it is. It's not so much that it can be bypass. It's more representative of what's going on in the Oracle security world or their approach to security. Any way I want to give background. One of the reports I reported to them was essentially you could without user ID and password cause the database server to load an arbitrary library, execute an arbitrary function. Now the way this operates is through ‑‑ what happens when you have a PR package that sort of like PR sequel is the stuff that extends an Oracle database server, the ‑‑ if you want to load the library and call a function or something like that what happens is the IPBMS ‑‑ sorry, the IBBMS connects to the T nest listener the great way to all Oracle communications essentially so the database connects to the listener. When you execute this function it says no‑no I won't do that but I know a program that will. It launches a program and passes Oracle back, the handle ‑‑ redirects it to a port basically and the Oracle connects to X pock loads the library and executes the function. There's no authentication going on there. IBBMS from the other side of the network and say to the listener will you load the library for me. It goes no way will I do that but I know a program that will. Lo and behold Xbox loads the library in this case in the case of windows executes the system function and executes an operating system without using any password and of course the network so that's pretty bad so I report this to Oracle of course because I'm one of these people who wander to find a bug and report it straight to the vendor, I'm quite happy nowadays but let's be honest about it, you know, computer security is a fine distinction am I report my bugs to the vendors when I find them and so Oracle said yeah, okay, we're going to fix this and what they do now or did at the time was basically turned around and said if someone attempts to do this we'll block it but we'll log it which is good because we want to see if someone is attempting to attack us. The problem is they ‑‑ they know exactly what's going on. There's a stack box for the overflow. So I was like Oracle we can still exploit this without using (Inaudible). And then we were like oh yeah we'll fix that. So what we'll do this is Oracle speaking here, I'm paraphrasing of course, we'll put a link check in before we call S print out. Why they didn't say SSM print I don't know. They expanded environment variables. That's in between you remember so if I said don't sign par that is expanded off to a line check so that's five characters and that expands. So suddenly we have a (Inaudible). They should have just done SFM print F260 bites max but they didn't do that. This went over a period of years backwards and forward until eventually they fixed all supported versions. Unsupported versions are still vulnerable to this. There are still people out there using Oracle seven. So, this was the kind of, you know, approach to patching that Oracle would take. You would wait two years for a patch and it would be insufficient and I'll give you another good example of this. So, way back when, Oracle application seven, originally called the Oracle web listener had something called ‑‑ it's a cool function especially if you want to hack into it, essentially what it does is the PR sequel gateway allows you to program your web application in PISQUELL and have it execute in the database and the results are broadcast back to the browser. Essentially what happens is the web server takes the user's web request, get flash PLSv package dot procedure, basically the web server turns around and takes that request, strips out the package dot feature, turns around to database server and says execute that for me and pass me back the results. This is going to be riddled with security bugs because nothing is being validated and it's just being executed by the database server. If you knew of a vulnerable package or procedure, so who remembers ‑‑ how many actual Oracle people do we have in here? Show of hands? Who remembers dry load. It was a package that basically had a procedure validate statement and what it did was basically ‑‑ remember it was a BB8 form. You passed ‑‑ would execute it. Executes would deviate privileges and so you could say grant BBA to public and suddenly the public was a DDB essentially. We could execute this through the server. We could just go get slash dolt validate statement question mark C buffer equals select star from whatever or create user or load ‑‑ create library, whatever we wanted to do we would deviate privileges essentially. So that's pretty bad. Oracle introduced the exclusion list and on that list are things in the SIS schemer, it's like root the most powerful ‑‑ anything that starts with DBMS underscore would be rejected because most of the SIS has a synonym so we can access it without specifying a schemer and they will be given that ‑‑ most of the packages start with DBM underscore schemer. They decide to reject that. Anything that started with the OWA underscore because the Oracle web application took it basically had things ‑‑ there was a package called OWM underscore and one of the features was sells print and it presented the results back to you so this was bad. So, it became incumbent upon you if you wanted to break into an Oracle database server ‑‑ things like CTX were not in the band from the get go so you could still exploit things like the dry load validate. And assuming we wanted to execute scheme load we had to bypass the PR sequence. So having reported this and them introducing the exclusion list it was not important to bypass the list. And so certainly the first way of doing it was put up imprint assist 'cause it's a space and a space does not match of course SIS. They're two different things. Or you could go zero wave new line, zero defer line feed and all of these things would bypass the exclusion list so we could gain access to everything for example. So I reported this to Oracle, Oracle fixed it so on and so on. All good. We came across another Oracle application and they all patched. We have to bypass the exclusion list again so this way next time was basically using angle brackets. If you do double angle bracket, double angle bracket that's like a go to label. You would request get slash PL slash angle bracket angle bracket, bar angle bracket angle bracket and that would break the matching. Oracle fixed it. This is now about year three and another time they ‑‑ I found a few bugs in the schemer and they were like they're not going to fix them because the only risk is through the application server. What if we find another bypass. They're we fixed all the bypasses. You're not going to get around it this time. And I was like well I'll stop you guys. And it's silly, I should have thought of it from the get go. Double quotes bypasses their exclusion list. So they go ahead and fix that and eventually, you know, we're now sort of like ping‑pong or tennis T they fix it, I bypass it, they fix it, I bypass. Eventually and this is a real funny one. Who knows what the character with the value hex FX looks like? Anyone many like a Y with a numeral on top of it. Looks like a letter Y and guess what the database server thinks it is? So, anyway the web application server would look at it you go SFS, you know, for SIS essentially, the web server would go well that is not SYS because that FS part, that's any other a Y, that's some weird thing, I've never seen that, pass it through. The database searcher depending upon the language eventually says what the hell is this double doing on there. I don't think you mean it. It would revert to it a Y. So then you would get access to the SYS schemer.
>> Eventually Oracle decides that they can't rely on the web developers to do the validation so here's a really smart idea. Let's get the guys to do the validation. So I'm sorry I was expecting a laugh. You're getting the database server to do its own validation. So guess what? That first attempt is vulnerable sequence injection. We're now six years into this. So, you send this stuff and you wait six months or eight months for them to come back with a suitable patch and it's just not sufficient enough. You've paid it lip service. We'll come back to Oracle patch in a minute. Spend some time looking at ‑‑ I'm not just pulling at Oracle here. Sent IBM is bunch of bugs I think about 15 in all. We'll talk about common criteria in a minute and a problem Oracle had with it but info Mex had a buffer flow way long user name. The authentication procedure ‑‑ I said we'll come back to that. As time progresses you start looking for these wonderful things, you know, and coming up with new classes of attacks such or new classes of flaws. Lateral sequin injection but here's the thing. Nine times out of ten you go and do an assessment of someone and they still got like weak password management in place so they don't care about things like lateral soup are injection and stuff like that. They've not even got the password stuff right. It's a bit of a disappointment. And so yeah long story short I went by eventually and came back to it: Most of the time they used to fix the flaw. They didn't fix the flaw they would fix the exploit. If my exploit had a space in it because you like select start from SYS user dollar or whatever it happens to be they would say well if the parameter being supplied by the user has a space in it, reject it. Well, hold on, we don't need a space. We could replace the space with forward slash star, star forward slash. And ‑‑ or you know double pack. There's a whole number of things. It was still vulnerable. They hadn't fixed the actual flaw itself but just the exploit. So that was typically the kind of response you would get. Or they would use a super secret that no one is supposed to ever know but of course that's what hackers do, researchers do that, they reverse engine. As long as you knew what that secret was you would pass that as a parameter and you would still be able to execute the flaw. You would typically report an issue and often you would find the same vulnerability in the probe two lines later that they had neglected to fix but they fixed the one you had reported so again I just wanted to stress it that this is ‑‑ Oracle often takes a long time to patch. Two years you used to wait for a patch to come out and it would be broken severely broken. I do wander to point out though that ‑‑ who remembers the hacker group, they found ‑‑ this is the flaw that slammed ‑‑ (Inaudible) ended up exploiting. Anyone remember that? It was very nice. Any way, just, you know, showing that even people like Microsoft basically after the whole SDL stuff they fell vulnerable to this. There was a heap of overflow they forgot to overfix. Two lines of code later they fixed the base overflow. So, it's not that this is just Oracle doing this, it's the other vendors, too. So, I want to do some comparisons between Oracle and Microsoft in terms of just the database side of things. So, we can see that they're actually getting better. Back in 2004 days, you know, they would patch you 28 issues ‑‑ each one of these blue blocks represents a flaw that they have caught in their advisories basically and so before 2004 they patched things on an ad hoc basis. Now, this was at time when Microsoft was turning towards patch Tuesday. And Microsoft was saying we have to patch so many things we need to really get on top of this so our customers can have a recognizable date when they know they're going to have to look for patches. Excuse me. Oracle at the time slagged them off. Oracle was like that's leaving your customers exposed for a month, you know. Says the company that waits two years to patch things crappily. Oracle has three months, a quarterly patch update. So, after slagging off Microsoft for doing a monthly patch cycle, Oracle will do a three month, you know. So, I think one of the things that Oracle doesn't like to do is be like schooled by Microsoft but they really should and one of the things we'll talk about is SDR, the security development life cycle and really if ‑‑ I know Oracle says they've got one but I see no evidence of it at this stage of the game and this what we'll talk about towards the end of the talk. So, here is for all Microsoft SDL server products is the comparison. So, this is Oracle 9R8 remember eventually that died out. So, all the way to Oracle 12C, so this is all Oracle's products. This is all Microsoft server products. That's a pretty good record so it sorter of those SDL is probably working. On the left‑hand side of the graph is the days when people who like myself were weekly kicking the crap out of it basically. And at that point Microsoft turned around and said you know what, enough is enough. In fact, bill gates trustworthy memo was at this time, they were hemorrhaging customers and what's important here is that they took everyone off, this is unheard of in, you know ‑‑ at the time was unheard of, they took everyone off the development review con and said you know what, let's get back to sequel server 2000 and do code review and the results have paid off as far as I'm concerned. That's a fantastic graph compared to that one. It was a number of years before some decent bugs were found in it. I think it was a bit more from security assessment found a couple overflows or something and again there's been so many ‑‑ so few flaws. I don't want to talk about IE because IE doesn't follow this track record so well, but when was the last time you saw a bug in internet information server. When you saw a decent overflow in exchange server? It was a long time ago. They got the service life down and it is due to the script. I don't know what's going on with internet Explorer. I think they're trying to compete with fire fox and Chrome or something but those guys are doing really well. You know, the other people ‑‑ yeah, it's just like IE what is going on? I'm confused. So they actually work for the same company, they read the same documentation. Where are we? Yeah. So, this is the background. This is the back drop to Oracle. And when I retired from the industry in 2010ish I went shark diving and decided I'm never coming back. I'm back unfortunately. I actually gave them a B plus am I was like, you know, they've sold the ‑‑ oversold the PL sequel injection problem so that's pretty good. Their processes are looking comfier and so on. When they're releasing problems, like when Madden came out not bad Oracle, B plus and I go away diving for a couple years and I come back and I'm like what the hell. What's going on? They revert back and they're back to an F. We are going to be looking a the something very, very simple. Oracle data redaction. At any stage this is ‑‑ these are points from the Microsoft SDL by the way. If Oracle had an SDL in place, a decent one, any one of these stages would have found and stopped the bugs that I'm about to speak about in their tracks. They would not have reached the public. So, establish security and privacy requirements, attack service analysis, skipping through to the end, conduct a final security review, okay. That means pen test the product before it goes out the door. Anyone with a mod come of SQL would have found these bugs as far as I'm concerned. And I think you'll agree with me by the time you get to the end of this talk. So you're going to be really disappointed so what is Oracle data redaction? It's a simple but it's a great idea. So, if you have a web ‑‑ a database application there has some kind of potentially confidential information in one of the columns, for example, E‑mail addresses, passwords, credit cards, whatever it happens to be, you can redact it so what is presented to the user, if they select from that table, is a list of X's or whatever you want to redact it with essentially. It's not a bad idea. We don't have to change any redaction code. We change the policy on a particular table and if our web application is vulnerable and someone tries to do a union collect stop in customer kind of situation, you know, and snap all the juicy stuff out there they're not going to get the secret stuff because we redacted it. The no change necessary to the application code which is I think really cool. The problem is at the door, this is in Oracle 12C, the back port to Oracle 11 release, it's trivial bypass. It failed within the first five minutes of simple assessment so it's real ‑‑ it really speaks to Oracle not pen testing their products before they ‑‑ in their flagship product before they go out the door. So, let's look at some demos. So, before we do anything I'm going set up a table called redaction tests and insert a fake credit card number into it and then we'll commit it. Okay. And now so if we select it. Can everyone see or do I need to increase the font size? Increase. Come closer.
>>> Let me see. All right. I'm just going to modify the size of the window now. Layout, width. All right. And zero. Okay. No, I said zero. Okay, perfect. Okay, so if we select from select CC, that's the name of the program we're going to redact and ID from redaction test see if we get the credit card. We don't want the world seeing that credit card. We're going to create a privacy on it and if we grant select and update to David, then connect as David, we do a select from the redaction test table, we can see we get a list of X's essentially so we can't see that date today. The data has not been changed. The data is still there, it's just the way it's been presented to us has been modified. If I had bypassed policy and stuff like, that redaction policy wouldn't patch me and I would get to see the stuff. If I was like a DBA for example I can see the data but I'm not a DBA so I can't see the data. All there is is the redacted data. Let's get the data out. There are a couple of X and L inquiries that allow you to run X inquiry. One of those X and L inquiry functions is called X and inquiry and it allows you to use these ‑‑ this is Q inquiry stuff and we're using X and L inquiry function. Now, those of you who do penetrate testing and get involved in exploiting sequence injection rule understand the importance of functions. We can execute this X and L inquiry to get the unredacted data back. We are going through a path that they've forgot about. A simple pen test anyone with an idea of how the Oracle data server works and everything like that would have said they should probably check X and L inquiry to see if they can bypass redaction and of course you can. If you're going to ‑‑ if you're looking for information like, you know, monitor and everything like that the X and L table function is also vulnerable so it's not just sufficient to protect against X and L inquiry. Table needs to be do as well. These are trivial. This is SQL. One of the DML operations update, we'll concentrate on update has a returning into sub codes and what returning into basically says once I get this table if there's an auto column for example a sequence that's incremented or whatever return that value to me so I can include it later on in a further application code. This returning into feature, guess what? We don't ‑‑ it doesn't have to be incremented or whatever. You can just basically specify return the credit card column information into this buffer and print it to the screen so there we go. So, we can see what's going on there. We've updated the redaction test column set the ID to itself so it doesn't modify data but it returns the credit card column into the buffer and then printed the buffer to the screen. So, again, trivial way. Anyone who has done will know the returning into clause. So anyone at Oracle who I assume they know SQL because they work in Oracle would have said well, do a pen test on this project and we got to check this because without it you'll be able to bypass redaction, you know. The predicate is not ‑‑ is not checked either so I would like to take credit for this one but turns out Al Cornbusker had already done this. He noticed that the web predicate was not protected either so you could pass it to UTL underscore HTTP, you know, dot request and send it tout some server somewhere and there's a couple other functions that can be used that generate an error or alternatively what you can do is simply force it. So we'll create a ‑‑ creating a little procedure here and let's talk about what it does. We select from the redaction test table the where, the credit card column sub string so we get the first character of the proper credit card column and convert it to a letter and check if that letter is a zero, one, a two, a three, a four up to nine. Once we find out what the answer is we then go to the second character and the third character and the fourth character. Essentially we guess it as we go along. Now we created that procedure where we can simply do a server ‑‑ sorry. So, if we execute that little procedure now, it basically, you know, returns the information. So, given that the information once we can't get that information back from the where inquiry unless of course you're shelling out using UPI it's not protected its another thing to be aware of. They can't fix it in the where clause. The other stuff has been patched apparently but this they can't fix because they need to be able to inquiry in the predicate. So just be aware of that if you are using that redaction. If you have the privileges to execute DDMS underscore redact you have the privileges to create redaction policies in auto people schemers. You have the privileges to remove redaction qualities from other people schemers. Again that's another thing you need to be aware of. If you've got privileges on DDMS redact you have control over everyone basically. There is a thing called a lateral sequence injection in most database sis and what it essentially does is where there's information coming from, say, environment variables or stuff like that, that's considered obviously trusted, you know, by database server and often the developers will like, you know, do simple straight encapsulation and that may become vulnerable to sequence injection. For example, in ‑‑ a couple years ago people used to think if it was a number, you could not exploit a number ‑‑ numeric sequel injection. You can because you can specify the number format in a certain way that the comma or the decimal sign is actually a letter. So, essentially we can provided we can create a synonym, we can create a function that eventually is ‑‑ can calculate it as a number and would be translate it into a, B01. If we have a B01 that gets executed. So, because of developers thinking you can't ‑‑ it's a number how are you going get arbitrary SQL into a number there is a way but they forgot about that. So remember I spoke about PL sequel injection almost being gone and Oracle doing a good job in that regard. They have left all of the numeric sequel injection flaws so typically this stuff I'm sending them these days is a numeric sequel injection flaw. But anyway, we have to ‑‑ I've got five more minutes for questions and stuff like that. So I'll wrap up. Just last point. As I said this is basic stuff. A pen test of the product before it was shipped should have found this stuff and this really speaks to the Oracle security processes so going back to what Mary Anne Davidson said, the beginning, you know, that I spoke about, holding the vendors to a higher standard, well, this is what we need to do. If you don't ‑‑ if you're running Oracle database servers and you don't like the way they're treating you as far as security is concerned get on the phone to them and tell them I'm going to start buying something else instead because we really need to get this improved. So thank you for listening. Are there any questions?
>> Sure. Oracle, which features?
>> Database 12. No, I haven't. But I know other people have done ‑‑ sorry. Oracle database, I have played with Oracle database 12 yet. I know some other people have done great research in that area and I can't think of who it was off the top of my head but if you Google it, you know, you'll find it but it's on my list to do because they've patched a lot of stuff. The same with audit volt as well. I suspect it's going to be like the rest of Oracle product. Sure. Any other questions. Sure. In the front here.
>> I'm sorry?
>> It should be, yeah. You just need to ‑‑ yeah. Right. I think we'll wrap up. I thank you everybody for attending. Hopefully it was useful.
>> So, I used to but these days ‑‑ I don't really want to get involved in that. That's the thing. They should be. They should have a checklist to make sure. Exactly, yeah.
>> We have, yeah, yeah.
>> Yeah. Did I say that? Well, don't quote me on that. I'm not talking about data, so ‑‑ I don't want to ‑‑ yeah.
All right, thank you.