Oracle 'Worm' Exploit Modified

answers writes "Two months after an anonymous researcher released the first public example of an Oracle database worm, the exploit code has been advanced and republished, adding new techniques to attack databases. From the article: "It's still very theoretical right now, but I don't think any DBA should be underestimating the risk," said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

yeah.

[User 956]

It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

That seems like an odd quote. Did the author of the article like Double-Dog dare him, or something?

Re:yeah.

[NekoIan]

"It is very possible to use this code to release a worm. I can do this right now if I wanted to." And I could walk right into a bank and hold it up right now if I wanted to.

Re:yeah.

[daikokatana]

And I could walk right into a bank and hold it up right now if I wanted to.

You posted this on a Saturday at 4:46PM - sorry, 'fraid not, the banks are all closed...

Re:yeah.

[Too many errors, bai]

Not so strange given he's from a database security company. "Now, it'd be a shame if something happened to your database, wouldn't it?"

Re:yeah.

[hey!]

Odd? Nah, it must sounds awkward because it was edited for brevity. The full quote was:

  It is very possible to use this code to release a worm. I can do this right now if I wanted to. Mwahahaha!

Re:yeah.

[NewKimAll]

Did the author of the article like Double-Dog dare him, or something?

Perhaps a slight breach of etiquette occurred by skipping the triple dare and going right for the coup de grace of all dares, the sinister triple-dog-dare. But I can't be certain.

Re:yeah.

[drpimp]

Possibly triple-dog by those words!

firewalls?

[mtenhagen]

How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

Of course this is an exploit but the impact shouldn't be overrated.

Re:firewalls?

[AndroidCat]

In a perfect world, yes. But in this one, people even leave their Electric Bong [computerworld.com] directly connected to the internet. (So they can switch the bong off remotely while having an out-of-body experience??)

The Realm of the Professional Cracker

[mosel-saar-ruwer]

How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

Here you begin to enter the realm of the professional cracker [apologies to chef [southparkstudios.com]], my little padawan novitiate.

The professional employs something like the WMF vulnerability to crack the client OS, and then uses the client application to crack the DB.

And when he's seen what he needs to see, the professional tidies up and removes any evidence of his intrusion.

In all seriousness, the PRC Red Army's "TITAN RAIN" operation is more than a little troubling in this regard:

The Invasion of the Chinese Cyberspies
(And the Man Who Tried to Stop Them)

...The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat...

http://www.securityteam.us/article.php/20050829200 849601/print [securityteam.us]

http://it.slashdot.org/article.pl?sid=05/08/28/174 5245 [slashdot.org]

Re:The Realm of the Professional Cracker

[mtenhagen]

You are right, this is a security hole which should be fixed asap. But in the article their are talking about a worm.

I still need to see the first worm who uses such techniques.

Re:firewalls?

[dancallaghan]

within most company's their isnt a direct

*head explodes*

Re:firewalls?

[KarmaPolice]

How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

Of course this is an exploit but the impact shouldn't be overrated.

First, it's not an exploit but merely a try-8-default-accounts code. Poor coding style too, I have to say...but someone seems very proud of it???

What's really interesting about this worm is that it's written in PL/SQL, i.e. it runs on an ORACLE server itself. If it was really cle

Re:firewalls?

[legirons]

"How many oracle db's are connected directly to the internet?"

Shouldn't that be "how many oracle db's are connected directly to computers which might get infected with a virus"?

e.g. plenty of firewalled LANs got CodeRed, Sasser, etc. (including that nuclear power station which nobody thought was internet-connected)

Re:firewalls?

[jrockway]

> including that nuclear power station which nobody thought was internet-connected

It wasn't internet-connected. Some IT dude brought the virus in on his laptop. (Not that this doesn't make the incident less dangerous. A determined attacker could infect an employee at home, and then undermine the security of the corporate network / nuclear power plant as an insider. Difficult, but scary!)

Re:firewalls?

[legirons]

It [power station] wasn't internet-connected. Some IT dude brought the virus in on his laptop.

I suspect we may be arguing similar things here, but:

"Internet connected" in the virus-containment sense, means things which process data which originated on the internet. Whether that happens via a router, or ethernet cable, or firewall, or laptop, or USB key, or someone typing it in, is somewhat irrelevant, so long as data can travel from one to the other.

Maybe "indirectly internet-connected" would be a better

Re:firewalls?

[NutscrapeSucks]

> e.g. plenty of firewalled LANs got CodeRed, Sasser, etc.

Sasser (the MS-SQL worm) also targetted a lot of desktop configurations, due to the fact that certain versions of MS-Office come MSDE, a cut-down MSSQL. I don't know how many people run "deskop Oracle", but I suspect it's pretty tiny compared to MSDE.

Also, unlike MS-SQL, Oracle is pretty much non-existant in the small business space where networks and patching are haphazard. Your typical Enterprise Oracle install is firewalled up the wazoo.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:firewalls?

[NutscrapeSucks]

> MS SQL servers have SA passwords of "SA"

Heh, that's two more characters than a lot of MSSQL passwords I've seen. :)

Backup Data?

[Artie Dent]

It seems that any "valuable database" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

Re:Backup Data?

[QuietLagoon]

It seems that any "valuable database" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle,

Oracle databases can get rather large, and are used in real-time transactional environments. Do you have an idea how long it would take to restore, say, 900GB of data from backups, and how much money would be lost while the Oracle database would not be able to process transactions for the company?

Re:Backup Data?

[Trevin]

Around 2-4 hours for the restoration itself, plus an hour to shut down the applications that are using the database during the restore and to restart them afterward, plus up to 8 hours for the discovery of the attack and to organize the restoration procedures, and if the attack were discovered at night or on a weekend you'd need even more time to wake up or track down the DBA, CTO, and/or VP of IS.

Just a rough estimate.

Re:Backup Data?

[Kaemaril]

2-4 hours for a restore of a 900 gigabyte database? From my experience I'd say that sounds overly optimistic, but of course the time taken to restore is highly dependent upon your database architecture, infrastructure and backup plan.

Is that from tape? optical media? cartridge? Disk? Is that a hot or a cold backup? Is it rman, or some other backup tool, or just a copy of the underlying file systems?

Re:Backup Data?

[Short Circuit]

900GB at 4 hours would require a data transfer rate of 512 Mb/s. I'm guessing he spouted off the numbers for his system.

Re:Backup Data?

[TheRaven64]

900GB can fairly easily be split across two hard disks these days. I would probably set up such a system using a hardware RAID-1 system. Every night, you plug in two more disks, tell it to re-build the array. You remove the old disks to a fire safe somewhere else. You have enough disks to do this on a rolling program over a week (at an absolute bare minimum. You should also keep at least one drive a week for a month or two).

As the database runs, you write a copy of the transaction log to a DVD-R (or o

Re:Backup Data?

[hywel_ap_ieuan]

[To restore a 900GB database] Around 2-4 hours for the restoration itself, plus an hour to shut down the applications that are using the database during the restore and to restart them afterward

I think you underestimate the restore time. I've been involved in some Oracle restore tests recently, and there are some twists you're not considering. First, what's the backup strategy? Many databases are not backed up 100% every day; more typical is a full backup every 14 days with incremental backups in betwee

Re:Backup Data?

[daikokatana]

First of all, your estimate sounds VERY optimistic.

Second of all, the fact that you're thinking in terms of "oh, it's only a few hours" suggests to me that you've never worked for a company where every minute costs an incredible amount of money. Multiply each hour you need with a few million dollars, and you'll be starting to see why this can be a big deal.

Re:Backup Data?

[KiloByte]

You're assuming that they are run by competent people -- and this is a thoroughly false assumption.

If I combine everyone from my company and all companies we cooperate with, I can name only two people who consider backups to be anything but an annoying waste of time some pessimists are blabbing about in order to suck in some of their money.
Redundant hardware runs against the principle of cutting costs; no bean counter would even consider investing in data integrity.

When I tell people that I installed a script that will back up the most valuable part of the data and dump them to a remote location, the reaction is like: uh, cool, but what if it breaks things?

Re:Backup Data?

[kpharmer]

> Those who are incompetent, in their vast majority, do not back up OR pay attention to exploit bulletins.
> These will either get fired, killed or their companies will fail. Either way, they do not need to be worried
> because they are hopeless.

That *might* make sense if only 1-5% of the dbas out their were incompetent. Unfortunately, that number is probably more like 50-60%. And those databases that do fortunately have a competent dba often don't have competent management - that would pay to test

Re:Backup Data?

[The Notorious ASP]

I agree, but I do think you missed one of the most important elements here... Oracle is obscenely expensive.

Typically if a company has shelled out the cash for Oracle, they'll also have a handful of competent DBAs on staff. Were this Access or MSSQL it would be one thing - I've known plenty of terrible DBAs, but they typically weren't on the Oracle side of the curve.

That being said, I am in complete agreement (and fear) about the competence of most administrators out there.

Re:Backup Data?

[Anonymous Coward]

As a consultant, I once nearly destroyed 2 years worth of a companies research data my first week on the job.

I ran some perl script that they had written against a test database to update some stuff. Unfortunately, it turns out that the real database address was hardcoded deep in the Perl, and I hadn't understood this. The DB admin complained after it had run about 5 minutes updating (incorrectly) their multi-gigabyte database that access to the database was slow. So I immediately hit ^C and said, "OK,

Re:Backup Data?

[DrSkwid]

how would you know if it's been changed ?

Re:Backup Data?

[Godeke]

It seems that any "valuable operating system" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

I changed that one quoted term to make a point: if we aren't going to be concerned here, why be concerned about all those other worms. Oh, I know... perhaps because having your servers in an unusable state while performing recovery is a bad thing which can cause serious financial and reputation

Re:Backup Data?

[legirons]

It seems that any "valuable database" would be sufficiently backed up in non-attackable media.

Unless the worm modified some data which got backed-up. A week later, the untainted backups would be history.

(And even if you kept monthly backups, who's going to try restoring them without losing a month's work for the whole company?)

doesn't exploit a vulnerability

[kpharmer]

This attack relies on default userids & passwords, not on any vulnerability. Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

Given enough databases, someone will forget to change these. For that reason any shop with more than a half-dozen databases should be using some kind of application policy-checker that will automatically test for this kind of a policy violation.

Re:doesn't exploit a vulnerability

[Zathrus]

Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

Nope, scott/tiger is deprecated -- the current sample schemas are separated into multiple users, and they are all disabled by default. These users are installed by default, but it's not hard to tell Oracle to not install them.

Of course, there's a lot of non-10g databases out there. Heck, there's a lot of pre-8i databases out there still even though you have to pay an arm, leg, and torso for support, if y

Re:doesn't exploit a vulnerability

[Stone316]

I haven't taken a close look at this version of the worm but I know the last version could not propagate itself. You would need a 'cracker' on the inside of your network to launch the code. Oracle 10g has a built-in policy checker which notifies you of a host of problems such as grants to public, default passwords, etc. Also, in any good application design, the database is not accessible to the public. In a 3 tier application the only server the db should accept database connections from is the app ser

Re:doesn't exploit a vulnerability

[Anonymous Coward]

So which is more probable, from a 'cracker' or from "the DBA workstation through a Windows vulnerability, gain access to that local machine and use the Oracle worm as a payload to cause damage?"

Since when does a windows vulnerability (or other network security failure) qualify as a weekness in Oracle?

If the System administrators don't do their job, you don't have a system anyway.

Re:doesn't exploit a vulnerability

[recharged95]

If you were a Sr. DBA or DB architect being paid triple figures. Deleting those accounts would be done with [i]your[/i] schema setup/install scripts. It would be second nature to secure the DB at the install (as taught in many Oracle adv. DBA classes).

"[i]"It's still very theoretical right now"[/i]

I'm sorry for possibly flaming now, but this is FUD from GmbH firm to a US firm. Informational yes, serious not really (for enterprises that is).

Re:doesn't exploit a vulnerability

[kpharmer]

> If you were a Sr. DBA or DB architect being paid triple figures. Deleting those accounts would be done
> with [i]your[/i] schema setup/install scripts. It would be second nature to secure the DB at the
> install (as taught in many Oracle adv. DBA classes).

Sure, but many databases are installed by extremely junior personnel. Sometimes somewhat-embedded within an application, at other times stand-alone.

I've found as a sr. dba that setting up a dozen secure databases to be a challenge without tools t

Re:doesn't exploit a vulnerability

[VitaminB52]

Oh, hey! Anybody notice the M$ SQLServer add running beside the article? Say, didn't M$ have some security related article recently? I can't remember...

I remember a recent M$ security releated article - it came with a M$ security add running beside it "we don't give Trojan horses a change". Bwahahaha ROFLOL.

Article summary

[mangu]

Either change the "tiger" password or use an account other than "scott" to do any important job. TFA doesn't say much about the worm, they only mention that it uses the default usernames and passwords. Nothing to see around here, next story, please...

Human's Love To Catagorize

[Doomedsnowball]

What would be the difference between a website displaying a "security bulletin" versus a website asking for "opensource virus collaboration"? I think there is a fine line between warning the public and informing virus authors. said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to." The easier a bug is to

Re:Human's Love To Catagorize

[Short Circuit]

The problem comes when software vendors don't take heed of your warning that their product has vulnerabilities. The longer they sit on the information without producing a patch, the greater the chances for a zero-day exploit.

Do you really think there aren't organizations out there with similar resources to this company whose aims are finding vulnerabilities like these for the purposes of exploiting them?

If he can find it, someone else can. Informing the public that an exploit exists increases pressure on

Blackmailing Oracle

[Xemu]

Alexander Kornbrust, CEO of Red-Database-Security GmbH. "...It is very possible to use this code to release a worm. I can do this right now if I wanted to." (emphasis mine)

Doesn't this sound very much like something a blackmailer would say?

Alexander is an ex-Oracle employee. I wonder if he was let go because of his poor judgement.

Re:Blackmailing Oracle

[Tablizer]

Doesn't this sound very much like something a blackmailer would say?

Apparently we are dealing with Milton from Office Space: http://www.lostandfrowned.com/miltoncd.gif [lostandfrowned.com]
     

Re:Blackmailing Oracle

[99luftballon]

It's a statement of fact, not a threat. The fact is Oracle has a lousy record at dealing with flaws, waiting up to two years in some cases. Sometimes they need a kick up the backside to get them moving.

obZealotry

[sheldon]

This clearly means all Oracle users must switch to Apple Macintosh.

Re:obZealotry

[JackDW]

No they should switch to *BSD. No wait, I mean Linux. Err, GNU/Linux. No, hang on, they should switch to a Beowulf cluster of Soviet Russia, no-one will ever manage to crack that.

Re:obZealotry -- What?

[laffer1]

How do you get it to run on any *nix platform? Really? I've been trying to get it to run on freebsd 5 and 6 for some time.

This sounds so familiar.

[DeltaHat]

It is very possible to use this code to release a worm. I can do this right now if I wanted to.

MICHAEL
I'm gonna find out the hard way that I'm not a pussy if they don't start treating us software people better.

SAMIR
That's right.

MICHAEL
They don't understand. I could come up with a program that could rip that place off big time...big time.

PETER
Yeah.

Re:Really, really, really lame

[cimmer]

Queue the negative Karma, but...

Professional? We are in the middle of a $5 million Oracle Financials implementation. I have never met so many inept consultants in my life. Granted, IT consultants in general are oversold, but these guys and girls take the cake. I had a "Senior DBA" that required three conversations to be able to change her password at the CLI. When I bitched to the Oracle project manager about it (imagine this type of thing about 8 times a day), he said Oracle doesn't expect it's sen

Re:Really, really, really lame

[smooth1x]

I would be interested in hearing more...

Security

[michelcultivo]

If you were a serious Oracle DBA you have installed the database and do a check-up to see if the things is secure at a acceptable level (default passwords removed, logs enabled, firewall protected). I see a lot of amateur installing databases and when it is usable there's no need to update or do security checks.

Re:Security

[kpharmer]

> If you were a serious Oracle DBA you have

Sure, but look at all the non-skilled labor now doing this work. Whether due to outsourcing, attempts to save labor money, etc - I see a ton of very junior people doing installs. The major databases now have install wizards that are pretty good - and allow complete amateurs to install the product. This is great. But these folks have no idea how to lock down the database once they've installed it.

And think beyond oracle to mysql - where almost no dbas install

Re:Security

[michelcultivo]

Yes, it's all about money. Why I need to put a senior DBA to install a Database if there is a lot of juniors that only need to click "Next, Next and Finish".

My 2 Cents

[Anonymous Coward]

SQL injection [wikipedia.org] is a bigger issue against any DB.

Regardless of the exploit taken, if the DB is properly configured and secured the only "lost" of data should be against the schema being attacked. And then you can use Oracle's Flashback [oracle.com] technology to roll back that one transaction - if caught in time.

True loss of data means the DBA did not do their job. Of course, this is usually, in my experience anyway, the fault of managment and the business - budget/time/resources.

logon trigger aa blocked by Google?

[i_frame]

In the article by red database security [red-databa...curity.com] it's stated that Google has allready blocked the Full Disclosure mailing list article refering to the sploit, and a request to it, "http://www.google.de/search?hl=en&q=startc0GtJBi1 +full-disclosure&btnI=I%27m+Feeling+Lucky", results in a message by google stating "We're sorry... but we can't process your request right now. A computer virus ...", but if you change the request, eliminating the "hl=en" parameter you get the Full Disclosure mailing list article,