NGSSoftware Insight Security Research
A NGSSoftware Insight Security Research Publication
Hackproofing Oracle Application Server
(A Guide to Securing Oracle 9)
David Litchfield
10th January 2002
Contents
Introduction
Oracle Architecture
Oracle Apache
PL/SQL
    Buffer Overflows
    Directory Traversal
    Administration
    OWA_UTIL package
    PL/SQL Authentication By-pass
    PL/SQL Cross-site scripting
OracleJSP
    Translation Files
    JSP SQL Poisoning
    Globals.jsa
    Physical Path mapping
XSQL
    XSQLConfig.xml Access
    XSQL SQL Poisoning
    XSQL Style Sheets
SP
    SOAP Application Deployment
    SOAP Configuration File
SAMPLES
    Dangerous Samples
DEFAULTS
    Dynamic Monitoring Services
    Perl Alias
TNS LISTENER
    Listener Security Issues
    EXTPROC and External Procedures
Oracle Database
    PL/SQL External Procedures
    Default User Logins and Passwords
Appendix A
Introduction
Contrary to claims by Oracle Corporation C.E.O. Larry Ellison, Oracle 9 is
breakable. Perhaps Oracle's "Unbreakable" marketing campaign was more to
show their commitment to getting close to producing a secure product, and
indeed, Oracle do take security very seriously. Oracle's products have undergone
and passed fourteen independent security evaluations, including the Common
Criteria assessment. In the database world this is quite an achievement, with all
of Oracle's competitors far behind. Whilst Oracle 9 has not yet been certified, it is
no doubt currently being assessed. In the meantime this paper will hopefully
help Oracle customers get closer to the secure environment they were promised.
Some would consider writing a white paper on securing Oracle a task worthy of
Sisyphus himself. Oracle Corporation develop hundreds of products, and each
product could have its own dedicated paper. To limit the scope of this
document, then, we will examine the most common environment: an Oracle web
front end feeding into an Oracle database server. The main emphasis will be on
the web front end; however, we will touch briefly upon the database as well. A
more in-depth look at database security will be reserved for another paper.
This approach has been taken because the web server is the first port of call for an
attacker. This paper will show how an attacker can break into an Oracle-based
site, gaining control of the web front end and, from there, the database server.
With each attack explained, the defense against it will be covered. Whilst some
of the issues discussed in this paper require only a tweak to a configuration file,
where security patches are required to resolve a problem they may be obtained
from the Oracle Metalink site: http://metalink.oracle.com/.
Oracle Architecture
A typical Oracle site will comprise a firewall protecting the Oracle web server
and database server. The Oracle web server will be running a bespoke
application, written in house by the organization that owns the site, that takes
advantage of one of the feature-rich application environments provided with
Oracle Application Server. It may be a PL/SQL application, JSP, XSQL, a Java
servlet or a SOAP-based application. (Whilst Perl, FastCGI and others are
supported, these are not often found being used 'in the wild' and so will not be
covered.) On receiving a client request, the web server application dispatches it
and, if necessary, connects to the database server to be furnished with dynamic
content.
Communication between the web server and the database server is first
channelled through the Listener. The Listener is responsible for setting up
connections to the Oracle database instance; once the connection is established,
the Listener steps out of the picture. As we shall see further into this paper, the
Listener does have more to do than just this: it plays a key role in executing
external procedures for the database server.
Oracle Web Front Ends
Oracle used to produce their own web server, known as the Oracle Web Listener,
but now uses Apache as its web server software of choice. The Oracle Web
Listener was riddled with security holes, and by default the Apache server
distributed with Oracle Application Server is not much better. It is vulnerable to
multiple buffer overflow problems and denial of service attacks, comes with far
too many dangerous sample pages, and the Apache defaults leave much to be
desired. Each application environment has its own unique problems that expose
the server to risk, but they can be protected against.