Oracle Security.docx

Uploader: b****6   Document ID: 13704693   Uploaded: 2023-06-16   Format: DOCX   Pages: 36   Size: 27.95KB

Oracle Security

Topics

Password

DB Link

Password Cracking

Track Objects Changed

SQL/Cursor Injection

Startup Files

Change Password with BBED

Vulnerable Packages

Network

Note:

All test cases are done on Oracle 9.2.0.4, 9.2.0.8, 10.2.0.3 or 11.1.0.6 under RHEL AS4 without CPU (Critical Patch Update) applied.


Password

The main password encryption principles are:

1. Enforcement of complex passwords

2. Use of salted passwords

3. Slow one-way algorithm

We should consider forcing the use of complex passwords and a password lifetime; this principle can be defined within the system. At the same time, we should also consider adopting password management tools, such as password2000, to manage passwords conveniently.

It will be hard to crack the password if a salt value is used, even though the salt value is clear text or known.

A slow one-way algorithm makes encryption slow: it needs more time to produce the final cipher. And if we change the encryption algorithm midway, the algorithm becomes more difficult to crack.

Assume that one pass of the encryption can calculate 1 million final ciphers per second. It will be just 10 thousand final ciphers per second if the calculated value is fed back and encrypted 100 times. This means that a password which needed one day to crack before now needs 100 days. If the password lifetime is 30 days, the password has been changed before the old password is cracked.

Oracle Password Mechanism:

1. Concatenate the username and the password to produce a plaintext string;

2. Convert the plaintext string to uppercase characters;

3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;

4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length, 80 bytes length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;

5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.

Weak Salt Selection

Oracle password hashes use a non-conventional technique for salt selection by prepending the username to the password before calculating the hash.

Firstly, it is quite possible to obtain information about a user's password based solely on its hash value and the known credentials of another user.

A second weakness is the use of non-random salt values. Although the salt used can still reduce the effectiveness of a precomputed dictionary attack against a large password hash table, an attacker could still precompute a table of possible passwords using a common username (e.g. SYSTEM), and use it to attempt to recover the password for this particular user in many different systems.

@> alter user system identified by p1;

User altered.

@> alter user sys identified by temp1;

User altered.

@> select username, password from dba_users where username like 'SYS%';

USERNAME                       PASSWORD
------------------------------ ------------------------------
SYS                            2E1168309B5B9B7A
SYSTEM                         2E1168309B5B9B7A

Both hashes are identical because the concatenated strings SYS||TEMP1 and SYSTEM||P1 are the same plaintext, SYSTEMP1.

Lack of Case Preservation

Another weakness in the Oracle password hashing mechanism is the lack of alphabetic case preservation. Before the password hash is calculated, the user's password is converted to all uppercase characters, regardless of the input case selection.

This behaviour represents a significant weakness in the password hashing algorithm, as it reduces the number of possible passwords.

@> alter user system identified by P1;

User altered.

@> select username, password from dba_users where username = 'SYSTEM';

USERNAME                       PASSWORD
------------------------------ ------------------------------
SYSTEM                         2E1168309B5B9B7A
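The following Python is an added example, not code from the original document. It reproduces steps 1 to 3 of the legacy mechanism listed above (concatenate, upper-case, widen to two-byte characters, zero-pad to the DES block size) and shows why the three sessions above (SYSTEM/p1, SYS/temp1, SYSTEM/P1) all produced the hash 2E1168309B5B9B7A: they hand DES exactly the same input. Steps 4 and 5 (DES-CBC) are deliberately not reproduced; identical DES input necessarily gives identical output, which is all the weak-salt and case-folding arguments need. The function names are this example's own.

```python
# Added example (not from the original document): the input-preparation part
# of the legacy (pre-11g) Oracle password mechanism, steps 1-3 plus padding.

def legacy_hash_input(username: str, password: str) -> bytes:
    """Return the byte string the legacy algorithm feeds to DES-CBC:
    upper-case(username || password), each character stored as two bytes
    (high byte 0x00 for ASCII), zero-padded to a multiple of 8 bytes."""
    plaintext = (username + password).upper()      # steps 1 and 2
    widened = plaintext.encode("utf-16-be")        # step 3: 0x00 high byte first
    pad_len = (-len(widened)) % 8                  # DES block size is 8 bytes
    return widened + b"\x00" * pad_len


def same_hash_input(pair_a, pair_b) -> bool:
    """True when two (username, password) pairs give DES the same input and
    therefore end up with the same stored hash."""
    return legacy_hash_input(*pair_a) == legacy_hash_input(*pair_b)


def collisions_among(cases):
    """Group (username, password) pairs by the DES input they produce and
    return every group that contains more than one pair."""
    groups = {}
    for user, pwd in cases:
        groups.setdefault(legacy_hash_input(user, pwd), []).append((user, pwd))
    return [group for group in groups.values() if len(group) > 1]


def effective_keyspace_ratio(password: str) -> int:
    """How many case variants of a password collapse onto one hash because of
    the upper-casing in step 2: 2 ** (number of alphabetic characters)."""
    return 2 ** sum(c.isalpha() for c in password)


# The three pairs from the document's sessions; all hashed to 2E1168309B5B9B7A.
CASES = [("SYSTEM", "p1"), ("SYS", "temp1"), ("SYSTEM", "P1")]

if __name__ == "__main__":
    for user, pwd in CASES:
        print(f"{user:8} {pwd:8} -> {legacy_hash_input(user, pwd).hex()}")
    print("colliding groups:", collisions_among(CASES))
    print("case variants of 'Passw0rd' sharing one hash:",
          effective_keyspace_ratio("Passw0rd"))
```

The first weakness in the text follows directly from `legacy_hash_input`: the salt is the username, so anyone who knows one account's credentials knows the exact prefix of every other account's DES input and can reason about the rest.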

Recommendations

1. Force complex password & length

Force the use of complex passwords. Refer to ?/rdbms/admin/utlpwdmg.sql (in SQL*Plus, ? stands for ORACLE_HOME).

We must specify a standalone function owned by SYS, but can use sub-procedures/functions/packages within this function.

We can use double quotation marks to enclose special symbols, which increases the choice of characters. But some logon tools may have problems with them.

2. Force password lifetime

Specify a profile attribute to limit password lifetime. Once this password policy has been introduced, password changes will be recorded in the user_history$ table.

3. Lock unused accounts, change default passwords

4. Restrict access to password hashes & audit

@> audit SELECT on dba_users;

Audit succeeded.

@> audit select on sys.user$;
audit select on sys.user$
                 *
ERROR at line 1:
ORA-00701: object necessary for warmstarting database cannot be altered

User$ is a special table used during database bootstrap; you can't audit it.

Change the password through the password command; the password will be encrypted and then sent over the network.

The alter user XXX identified by command, by contrast, is sent in clear text.

@> password
Changing password for TEST
Old password: ****
New password: ****
Retype new password: ****
Password changed

Changed in 11g

@> alter user system identified by p1;

User altered.

@> select USERNAME, PASSWORD from dba_users where USERNAME = 'SYSTEM';

USERNAME                       PASSWORD
------------------------------ ------------------------------
SYSTEM

@> select NAME, PASSWORD, SPARE4 from user$ where NAME = 'SYSTEM';

NAME       PASSWORD           SPARE4
---------- ------------------ --------------------------------------------------------------
SYSTEM     2E1168309B5B9B7A   S:388CBF57687E6E8CF97BB672C2EDE394140FADE024E16329E8A2BF2E9BF

@> alter user system identified by p1;

User altered.

@> select NAME, PASSWORD, SPARE4 from user$ where NAME = 'SYSTEM';

NAME       PASSWORD           SPARE4
---------- ------------------ --------------------------------------------------------------
SYSTEM     2E1168309B5B9B7A   S:09043B9ABFA366DF41DD16DE6768FDC04C57EF1374E0B04DAC8616716074

sys@DMS> getPar
Enter value for parameter: case
old   6:   ksppinm like lower('%&parameter%')
new   6:   ksppinm like lower('%case%')

NAME                       VALUE   DESCRIPTION
-------------------------- ------- ------------------------------------------
_case_sensitive_logon      TRUE    case sensitive logon enabled
sec_case_sensitive_logon   TRUE    case sensitive password enabled for logon

system@DMS> conn system/P1
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

[oracle@chen ~]$ echo -ne "p1\x74\xE0\xB0\x4D\xAC\x86\x16\x71\x60\x74" | sha1sum
09043b9abfa366df41dd16de6768fdc04c57ef13  -

You can see that the password hash value is no longer displayed in dba_users. There are two password values in user$: one is the same as before, and one is computed with SHA-1; the SHA-1 value changes every time the password is changed, even though the password is the same. The sha1sum check above shows how it is built: the last 20 hex digits of the S: value are a 10-byte salt generated at each password change, and the first 40 hex digits are SHA-1(password || salt), with the password case preserved, which is why the logon with P1 fails. There is one initialization parameter to control password case sensitivity.
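The following Python is an added example, not code from the original document. It repeats the echo | sha1sum check above on the S: value taken from the second user$ query, splits that value into its digest and salt parts, and then builds fresh S: values for the same password to show that a new salt makes the stored value differ on every change. The split at 40/20 hex digits and the function names are this example's own assumptions about the layout the page demonstrates.

```python
# Added example (not from the original document): the 11g SPARE4 "S:" value,
# reconstructed from the page's echo | sha1sum check.
import hashlib
import os
from typing import Optional

# Value copied from the document's second user$ query after
# 'alter user system identified by p1'.
PAGE_SPARE4 = "S:09043B9ABFA366DF41DD16DE6768FDC04C57EF1374E0B04DAC8616716074"


def split_spare4(spare4: str):
    """Return (sha1_hex, salt_bytes) from an 'S:' value: 2-char prefix,
    40 hex digits of SHA-1, 20 hex digits (10 bytes) of salt. Assumed layout."""
    if not spare4.startswith("S:") or len(spare4) != 62:
        raise ValueError("not an S: verifier of the expected length")
    body = spare4[2:]
    return body[:40].lower(), bytes.fromhex(body[40:])


def sha1_verifier(password: str, salt: bytes) -> str:
    """SHA-1 over the password bytes followed by the salt, case preserved,
    exactly what the page's echo -ne ... | sha1sum command computes."""
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()


def verifier_matches(password: str, spare4: str) -> bool:
    """True when the candidate password reproduces the digest stored in SPARE4."""
    digest, salt = split_spare4(spare4)
    return sha1_verifier(password, salt) == digest


def make_spare4(password: str, salt: Optional[bytes] = None) -> str:
    """Build an S: value the same way; with no salt given, draw a fresh random
    10-byte salt, as the server does on every password change."""
    if salt is None:
        salt = os.urandom(10)
    return "S:" + (sha1_verifier(password, salt) + salt.hex()).upper()


if __name__ == "__main__":
    print("p1 matches page value:", verifier_matches("p1", PAGE_SPARE4))  # True
    print("P1 matches page value:", verifier_matches("P1", PAGE_SPARE4))  # False
    # Same password, two changes: different salt, different stored value.
    print(make_spare4("p1"))
    print(make_spare4("p1"))
```

The contrast with the legacy column is the point: PASSWORD stays 2E1168309B5B9B7A across both `alter user` commands because its salt is the fixed username, while SPARE4 changes each time because its salt is random. A precomputed table built for a common username, as described under Weak Salt Selection, does not carry over to the S: value.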


DB Link

Prior to 10g, the password for a DB link was stored in the database in clear text; this has been changed since 10g.

Prior to 10g

@> show user
USER is "TEST"
@> create database link l_test connect to test identified by test using 'test';

Database link created.

@> select count(*) from user_objects@l_test;

  COUNT(*)
----------
        14

@> select dbms_metadata.get_ddl('DB_LINK','L_TEST',user) from dual;

DBMS_METADATA.GET_DDL('DB_LINK','L_TEST',USER)
--------------------------------------------------------------------------------
  CREATE DATABASE LINK "L_TEST"
   CONNECT TO "TEST" IDENTIFIED BY "TEST"
   USING 'test'

@> conn / as sysdba
Connected.
@> select NAME, USERID, PASSWORD from link$;

NAME                           USERID                         PASSWORD
------------------------------ ------------------------------ ------------------------------
L_TEST                         TEST                           TEST

10g

test@TEST> show user
USER is "TEST"
test@TEST> create database link l_chen connect to test identified by test using 'chen';

Database link created.

test@TEST> select count(*) from tab@l_chen;

  COUNT(*)
----------
         1

test@TEST> select DB_LINK, USERNAME from user_db_links;

DB_LINK                                  USERNAME
---------------------------------------- ------------------------------
L_CHEN.REGRESS.RDBMS.DEV.US.ORACLE.COM   TEST

test@TEST> select dbms_metadata.get_ddl('DB_LINK','L_CHEN.REGRESS.RDBMS.DEV.US.ORACLE.COM',user) from dual;

DBMS_METADATA.GET_DDL('DB_LINK','L_CHEN.REGRESS.RDBMS.DEV.US.ORACLE.COM',USER)
--------------------------------------------------------------------------------
  CREATE DATABASE LINK "L_CHEN.REGRESS.RDBMS.DEV.US.ORACLE.COM"
   CONNECT TO "TEST" IDENTIFIED BY VALUES '05C9398288555E95E498B33A68083EDD2E'
   USING 'chen'

test@TEST> conn / as sysdba
Connected.
sys@TEST> select NAME, USERID, PASSWORD, PASSWORDX from link$;

NAME                                     USERID     PASSWORD   PASSWORDX
---------------------------------------- ---------- ---------- ----------------------------------
L_CHEN.REGRESS.RDBMS.DEV.US.ORACLE.COM   TEST                  05C9398288555E95E498B33A68083EDD2E

In 10g the link$.PASSWORD column is empty and the encrypted value is kept in PASSWORDX; dbms_metadata.get_ddl shows it as IDENTIFIED BY VALUES rather than the clear-text password.

The DBLINK_ENCRYPT_LOGIN initialization parameter is used for connections between two Oracle servers (for example, when performing distributed queries).

Whenever you attempt to connect to a server using a password, Oracle encrypts the password before sending it to the server. If the connection fails and auditing is enabled, the failure is noted in the audit log. Oracle then checks the appropriate DBLINK_ENCRYPT_LOGIN. If it is set to FALSE, Oracle attempts the connection again using an unencrypted version of the password. If the connection is successful, the connection replaces the previous failure in the audit log, and the connection proceeds. To prevent malicious users from forcing Oracle to re-attempt a connection with an unencrypted version of the password, you must set the appropriate values to TRUE.


Password Cracking

There are many tools used to crack passwords, such as orabf; on one P4 2.0G CPU machine it can compute about one million hash values per second.

We can also store password and hash value pairs in fil
