Oracle 'Worm' Exploit Modified

answers writes "Two months after an anonymous researcher released the first public example of an Oracle database worm, the exploit code has been advanced and republished, adding new techniques to attack databases. From the article: "It's still very theoretical right now, but I don't think any DBA should be underestimating the risk," said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

yeah.

[User+956]

It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

That seems like an odd quote. Did the author of the article like Double-Dog dare him, or something?

Re:yeah.

[NekoIan]

"It is very possible to use this code to release a worm. I can do this right now if I wanted to." And I could walk right into a bank and hold it up right now if I wanted to.

Re:yeah.

[Too+many+errors,+bai]

Not so strange given he's from a database security company. "Now, it'd be a shame if something happened to your database, wouldn't it?"

Re:yeah.

[hey!]

Odd? Nah, it must sounds awkward because it was edited for brevity. The full quote was:

  It is very possible to use this code to release a worm. I can do this right now if I wanted to. Mwahahaha!

Re:yeah.

[NewKimAll]

Did the author of the article like Double-Dog dare him, or something?

Perhaps a slight breach of etiquette occurred by skipping the triple dare and going right for the coup de grace of all dares, the sinister triple-dog-dare. But I can't be certain.

Re:yeah.

[drpimp]

Possibly triple-dog by those words!

Re:yeah.

[daikokatana]

And I could walk right into a bank and hold it up right now if I wanted to.

You posted this on a Saturday at 4:46PM - sorry, 'fraid not, the banks are all closed...

firewalls?

[mtenhagen]

How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

Of course this is an exploit but the impact shouldn't be overrated.

Re:firewalls?

[AndroidCat]

In a perfect world, yes. But in this one, people even leave their Electric Bong directly connected to the internet. (So they can switch the bong off remotely while having an out-of-body experience??)

Re:firewalls?

[dancallaghan]

within most company's their isnt a direct

*head explodes*

Re:firewalls?

[KarmaPolice]

How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

Of course this is an exploit but the impact shouldn't be overrated.

First, it's not an exploit but merely a try-8-default-accounts code. Poor coding style too, I have to say...but someone seems very proud of it???

What's really interesting about this worm is that it's written in PL/SQL, i.e. it runs on an ORACLE server itself. If it was really clever, it would replace a common PL/SQL function with itself...But since it doesn't, is it really a worm??

Re:firewalls?

[legirons]

"How many oracle db's are connected directly to the internet?"

Shouldn't that be "how many oracle db's are connected directly to computers which might get infected with a virus"?

e.g. plenty of firewalled LANs got CodeRed, Sasser, etc. (including that nuclear power station which nobody thought was internet-connected)

Re:firewalls?

[jrockway]

> including that nuclear power station which nobody thought was internet-connected

It wasn't internet-connected. Some IT dude brought the virus in on his laptop. (Not that this doesn't make the incident less dangerous. A determined attacker could infect an employee at home, and then undermine the security of the corporate network / nuclear power plant as an insider. Difficult, but scary!)

Re:firewalls?

[NutscrapeSucks]

> e.g. plenty of firewalled LANs got CodeRed, Sasser, etc.

Sasser (the MS-SQL worm) also targetted a lot of desktop configurations, due to the fact that certain versions of MS-Office come MSDE, a cut-down MSSQL. I don't know how many people run "deskop Oracle", but I suspect it's pretty tiny compared to MSDE.

Also, unlike MS-SQL, Oracle is pretty much non-existant in the small business space where networks and patching are haphazard. Your typical Enterprise Oracle install is firewalled up the wazoo.

Re:firewalls?

[legirons]

It [power station] wasn't internet-connected. Some IT dude brought the virus in on his laptop.

I suspect we may be arguing similar things here, but:

"Internet connected" in the virus-containment sense, means things which process data which originated on the internet. Whether that happens via a router, or ethernet cable, or firewall, or laptop, or USB key, or someone typing it in, is somewhat irrelevant, so long as data can travel from one to the other.

Maybe "indirectly internet-connected" would be a better term.

And as for it being "difficult", well that's exactly the type of problem which viruses/worms are designed to solve. Travelling from the internet to a LAN to a laptop to another LAN to a target, is trivial for a worm. The only obvious difference, is that viruses which rely on direct internet connectivity (e.g. IRC) to transmit their payload, will be stopped when someone transfers it manually from network to network.

Re:firewalls?

[toadlife]

"Sasser (the MS-SQL worm) "

You're thinking of "slammer", but....

"Also, unlike MS-SQL, Oracle is pretty much non-existant in the small business space where networks and patching are haphazard. Your typical Enterprise Oracle install is firewalled up the wazoo."

...you're right.

Oracle's crap security record isn't a good thing, but I seriously doubt if there will be any huge outbreaks of Oracle worms. I think the hole the SQL Slammer took advantage of an eight-months-patched vulnerability. I actually had a couple of SQL servers that were unpatched, and a third SQL server on our network that was being maintained by an outside contractor got infected. My servers didn't get touched because I had an IPSEC policy enabled that limited SQL communication to the two machines that they needed to talk to. It turns out the contrator had done a full public>nat translation on the firewall top the box, so the server was, in effect, sitting wide open on the net. That stupid worm DoS'd our internal network to the point of outside requests for our website being ignored. But it's not even in the "Small Business" area where Microsoft products tend to go unpatched. I've visited large organizations where their MS SQL servers have SA passwords of "SA". CNN and SBC got hosed by Sasser (or whatever the last worm was).

Re:firewalls?

[NutscrapeSucks]

> MS SQL servers have SA passwords of "SA"

Heh, that's two more characters than a lot of MSSQL passwords I've seen. :)

Backup Data?

[Artie+Dent]

It seems that any "valuable database" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

Re:Backup Data?

[QuietLagoon]

It seems that any "valuable database" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle,

Oracle databases can get rather large, and are used in real-time transactional environments. Do you have an idea how long it would take to restore, say, 900GB of data from backups, and how much money would be lost while the Oracle database would not be able to process transactions for the company?

Re:Backup Data?

[KiloByte]

You're assuming that they are run by competent people -- and this is a thoroughly false assumption.

If I combine everyone from my company and all companies we cooperate with, I can name only two people who consider backups to be anything but an annoying waste of time some pessimists are blabbing about in order to suck in some of their money.
Redundant hardware runs against the principle of cutting costs; no bean counter would even consider investing in data integrity.

When I tell people that I installed a script that will back up the most valuable part of the data and dump them to a remote location, the reaction is like: uh, cool, but what if it breaks things?

Re:Backup Data?

[Trevin]

Around 2-4 hours for the restoration itself, plus an hour to shut down the applications that are using the database during the restore and to restart them afterward, plus up to 8 hours for the discovery of the attack and to organize the restoration procedures, and if the attack were discovered at night or on a weekend you'd need even more time to wake up or track down the DBA, CTO, and/or VP of IS.

Just a rough estimate.

Re:Backup Data?

[DrSkwid]

how would you know if it's been changed ?

Re:Backup Data?

[Godeke]

It seems that any "valuable operating system" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

I changed that one quoted term to make a point: if we aren't going to be concerned here, why be concerned about all those other worms. Oh, I know... perhaps because having your servers in an unusable state while performing recovery is a bad thing which can cause serious financial and reputation difficulties for a company.

While you might say "but Oracle admins are smarter than windows admins" and I would have to agree, you seriously overestimate how seriously many Oracle admins take threats, including data loss. My experience has been that they are an order of magnitude better than the typical windows OS admin about backups (actually, most DBAs are) and yet I continue to visit companies where they haven't *tested* the recovery procedures in over a year nor do they implement off-site backups. In more extreme cases, the Oracle system was installed by a DBA who was later downsized and so the duties were transfered to the main IT group... who wouldn't know how to restore the database on a dare.

While I doubt an Oracle worm would be anywhere as bad as the SQL Slammer (which mostly preyed on MSDE [i.e., unadminstered] and poorly administered SQL Standard installs) in terms of disruption I could see it being significant. More significant than the repuation of Oracle admins would indicate.

Re:Backup Data?

[Kaemaril]

2-4 hours for a restore of a 900 gigabyte database? From my experience I'd say that sounds overly optimistic, but of course the time taken to restore is highly dependent upon your database architecture, infrastructure and backup plan.

Is that from tape? optical media? cartridge? Disk? Is that a hot or a cold backup? Is it rman, or some other backup tool, or just a copy of the underlying file systems?

Re:Backup Data?

[hywel_ap_ieuan]

[To restore a 900GB database] Around 2-4 hours for the restoration itself, plus an hour to shut down the applications that are using the database during the restore and to restart them afterward

I think you underestimate the restore time. I've been involved in some Oracle restore tests recently, and there are some twists you're not considering. First, what's the backup strategy? Many databases are not backed up 100% every day; more typical is a full backup every 14 days with incremental backups in between. On average, a restore will require six or seven days of incrementals. Those backups, being smaller, will be on tapes that have other backup material mixed in. Oh, and unless you're terribly cheap and/or overconfident, you should have most of the tapes except the latest stored off-site. So the sequence goes more like this:

1) Discover problem and determine when it hit and what the restore point is. 2) Identify tapes needed. 3) Call off-site storage to get tapes delivered. 4) Add tapes to library. 5) Restore from tape. I would not be surprised to see this process taking 24 hours, even if everything works properly.

Additionally, I recently encountered a situation where the DB was backed up using archive files rather than the "live" directories. This can be convenient for backup, but the restore requires additional steps to rebuild the DB from the archives. That procedure can run several hours by itself.

Now consider that the attack, if it's a worm, is probably hitting many databases in your shop. The problem gets gets insanely complicated very fast. If you have a big datacenter with many, many Oracle databases, you'd better deal with this threat pronto.

Re:Backup Data?

[Short+Circuit]

900GB at 4 hours would require a data transfer rate of 512 Mb/s. I'm guessing he spouted off the numbers for his system.

Re:Backup Data?

As a consultant, I once nearly destroyed 2 years worth of a companies research data my first week on the job.

I ran some perl script that they had written against a test database to update some stuff. Unfortunately, it turns out that the real database address was hardcoded deep in the Perl, and I hadn't understood this. The DB admin complained after it had run about 5 minutes updating (incorrectly) their multi-gigabyte database that access to the database was slow. So I immediately hit ^C and said, "OK, let's get the backup tapes!" I had actually asked previously whether there were backups, so I was pretty confident I was going to get out of this one. The response elicted sheer terror: "Oh, we don't back up the database!" Transaction logging wasn't turned on, either. They thought they might have a 6-month-old CD burn of the data somewhere, but they couldn't really find it IIRC.

Fortunately, the script had been written to do its transaction atomically, so the database changes got rolled back before any damage was done. You can guess what my first project was after changing my pants.

Some of my friends have stories in this vein also. Companies are less careful with their databases than you would think.

Re:Backup Data?

[legirons]

It seems that any "valuable database" would be sufficiently backed up in non-attackable media.

Unless the worm modified some data which got backed-up. A week later, the untainted backups would be history.

(And even if you kept monthly backups, who's going to try restoring them without losing a month's work for the whole company?)

Re:Backup Data?

[kpharmer]

> Those who are incompetent, in their vast majority, do not back up OR pay attention to exploit bulletins.
> These will either get fired, killed or their companies will fail. Either way, they do not need to be worried
> because they are hopeless.

That *might* make sense if only 1-5% of the dbas out their were incompetent. Unfortunately, that number is probably more like 50-60%. And those databases that do fortunately have a competent dba often don't have competent management - that would pay to test out the backup strategy. So your recovery is going to depend on an *untested* backup process.

> They do not need to be worried because they can easily recover.

Right, so long as:
  - their experienced dba is available, not the junior guy - remember, the company may have hundreds of databases to fix
  - so long as they're media turns out to be valid
  - so long as the attack didn't take a while to be noticed, and contaminate all backups
  - so long as the application can roll back its other persisted data stored within XML, etc to the
      same point in time as the database (don't count on it)
  - so long as the backups actually backed *everything* in the database up - remember, this recovery was probably never tested!

Re:Backup Data?

[daikokatana]

First of all, your estimate sounds VERY optimistic.

Second of all, the fact that you're thinking in terms of "oh, it's only a few hours" suggests to me that you've never worked for a company where every minute costs an incredible amount of money. Multiply each hour you need with a few million dollars, and you'll be starting to see why this can be a big deal.

Re:Backup Data?

[The+Notorious+ASP]

I agree, but I do think you missed one of the most important elements here... Oracle is obscenely expensive.

Typically if a company has shelled out the cash for Oracle, they'll also have a handful of competent DBAs on staff. Were this Access or MSSQL it would be one thing - I've known plenty of terrible DBAs, but they typically weren't on the Oracle side of the curve.

That being said, I am in complete agreement (and fear) about the competence of most administrators out there.

Re:Backup Data?

[TheRaven64]

900GB can fairly easily be split across two hard disks these days. I would probably set up such a system using a hardware RAID-1 system. Every night, you plug in two more disks, tell it to re-build the array. You remove the old disks to a fire safe somewhere else. You have enough disks to do this on a rolling program over a week (at an absolute bare minimum. You should also keep at least one drive a week for a month or two).

As the database runs, you write a copy of the transaction log to a DVD-R (or other WORM disk) array (linear write - seek time is not an issue, and the throughput should be enough), so you can re-play all transactions from any given point in the past. That way, if one or two of your complete backups fails, you can still recover.

After the worm hits, you pop in the last backup set, replay the transaction log, and go.

doesn't exploit a vulnerability

[kpharmer]

This attack relies on default userids & passwords, not on any vulnerability. Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

Given enough databases, someone will forget to change these. For that reason any shop with more than a half-dozen databases should be using some kind of application policy-checker that will automatically test for this kind of a policy violation.

Re:doesn't exploit a vulnerability

[Zathrus]

Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

Nope, scott/tiger is deprecated -- the current sample schemas are separated into multiple users, and they are all disabled by default. These users are installed by default, but it's not hard to tell Oracle to not install them.

Of course, there's a lot of non-10g databases out there. Heck, there's a lot of pre-8i databases out there still even though you have to pay an arm, leg, and torso for support, if you can get it at all. And scott/tiger (as well as some other default users/passwords) certainly did exist in them.

Re:doesn't exploit a vulnerability

[Stone316]

I haven't taken a close look at this version of the worm but I know the last version could not propagate itself. You would need a 'cracker' on the inside of your network to launch the code. Oracle 10g has a built-in policy checker which notifies you of a host of problems such as grants to public, default passwords, etc. Also, in any good application design, the database is not accessible to the public. In a 3 tier application the only server the db should accept database connections from is the app server.

Re:doesn't exploit a vulnerability

[recharged95]

If you were a Sr. DBA or DB architect being paid triple figures. Deleting those accounts would be done with [i]your[/i] schema setup/install scripts. It would be second nature to secure the DB at the install (as taught in many Oracle adv. DBA classes).

"[i]"It's still very theoretical right now"[/i]

I'm sorry for possibly flaming now, but this is FUD from GmbH firm to a US firm. Informational yes, serious not really (for enterprises that is).

Re:doesn't exploit a vulnerability

So which is more probable, from a 'cracker' or from "the DBA workstation through a Windows vulnerability, gain access to that local machine and use the Oracle worm as a payload to cause damage?"

Since when does a windows vulnerability (or other network security failure) qualify as a weekness in Oracle?

If the System administrators don't do their job, you don't have a system anyway.

Re:doesn't exploit a vulnerability

[kpharmer]

> If you were a Sr. DBA or DB architect being paid triple figures. Deleting those accounts would be done
> with [i]your[/i] schema setup/install scripts. It would be second nature to secure the DB at the
> install (as taught in many Oracle adv. DBA classes).

Sure, but many databases are installed by extremely junior personnel. Sometimes somewhat-embedded within an application, at other times stand-alone.

I've found as a sr. dba that setting up a dozen secure databases to be a challenge without tools to help automate some of the inspections.

Re:doesn't exploit a vulnerability

[VitaminB52]

Oh, hey! Anybody notice the M$ SQLServer add running beside the article? Say, didn't M$ have some security related article recently? I can't remember...

I remember a recent M$ security releated article - it came with a M$ security add running beside it "we don't give Trojan horses a change". Bwahahaha ROFLOL.

The Realm of the Professional Cracker

[mosel-saar-ruwer]

How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

Here you begin to enter the realm of the professional cracker [apologies to chef], my little padawan novitiate.

The professional employs something like the WMF vulnerability to crack the client OS, and then uses the client application to crack the DB.

And when he's seen what he needs to see, the professional tidies up and removes any evidence of his intrusion.

In all seriousness, the PRC Red Army's "TITAN RAIN" operation is more than a little troubling in this regard:

The Invasion of the Chinese Cyberspies
(And the Man Who Tried to Stop Them)

...The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat...

http://www.securityteam.us/article.php/20050829200 849601/print

http://it.slashdot.org/article.pl?sid=05/08/28/174 5245

Re:The Realm of the Professional Cracker

[mtenhagen]

You are right, this is a security hole which should be fixed asap. But in the article their are talking about a worm.

I still need to see the first worm who uses such techniques.

Human's Love To Catagorize

[Doomedsnowball]

What would be the difference between a website displaying a "security bulletin" versus a website asking for "opensource virus collaboration"? I think there is a fine line between warning the public and informing virus authors. said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to." The easier a bug is to exploit, the more carefully it should be handled in the press. IMHO.

Re:Human's Love To Catagorize

[Short+Circuit]

The problem comes when software vendors don't take heed of your warning that their product has vulnerabilities. The longer they sit on the information without producing a patch, the greater the chances for a zero-day exploit.

Do you really think there aren't organizations out there with similar resources to this company whose aims are finding vulnerabilities like these for the purposes of exploiting them?

If he can find it, someone else can. Informing the public that an exploit exists increases pressure on a vendor to get things patched. Joe CTO is now going to want to know why Oracle hasn't released a patch yet, and he's got millions of dollars in digital assets to protect.

Blackmailing Oracle

[Xemu]

Alexander Kornbrust, CEO of Red-Database-Security GmbH. "...It is very possible to use this code to release a worm. I can do this right now if I wanted to." (emphasis mine)

Doesn't this sound very much like something a blackmailer would say?

Alexander is an ex-Oracle employee. I wonder if he was let go because of his poor judgement.

Re:Blackmailing Oracle

[Tablizer]

Doesn't this sound very much like something a blackmailer would say?

Apparently we are dealing with Milton from Office Space: http://www.lostandfrowned.com/miltoncd.gif

Re:Blackmailing Oracle

[99luftballon]

It's a statement of fact, not a threat. The fact is Oracle has a lousy record at dealing with flaws, waiting up to two years in some cases. Sometimes they need a kick up the backside to get them moving.

Re:obZealotry

[JackDW]

No they should switch to *BSD. No wait, I mean Linux. Err, GNU/Linux. No, hang on, they should switch to a Beowulf cluster of Soviet Russia, no-one will ever manage to crack that.

This sounds so familiar.

[DeltaHat]

It is very possible to use this code to release a worm. I can do this right now if I wanted to.

MICHAEL
I'm gonna find out the hard way that I'm not a pussy if they don't start treating us software people better.

SAMIR
That's right.

MICHAEL
They don't understand. I could come up with a program that could rip that place off big time...big time.

PETER
Yeah.

Re:Really, really, really lame

[cimmer]

Queue the negative Karma, but...

Professional? We are in the middle of a $5 million Oracle Financials implementation. I have never met so many inept consultants in my life. Granted, IT consultants in general are oversold, but these guys and girls take the cake. I had a "Senior DBA" that required three conversations to be able to change her password at the CLI. When I bitched to the Oracle project manager about it (imagine this type of thing about 8 times a day), he said Oracle doesn't expect it's senior DBA's to be UNIX literate. Ok, I'm expecting someone to configure my production systems in a UNIX environment that doesn't have to know ANYTHING about UNIX?

We are paying $255/hr for consultants that I've caught gathered around watching flash cartoons twice in as many days, claim 43 hours in a week of administrative work but only log into the environment four times for a total of 12 hours (a decent amount of which was spent issuing invalid commands) and that implement code in a production environment from their offshore developers with no QA testing. What?

We spent 2 weeks trying to get a bug identified by Oracle support (Oracle recommended we run Solaris 10 with 10g and we listened - brilliant.). After 2 weeks of being told to read TARs, one of our guys attached a debugger and managed to identify the actual source file and line number of the problem (they left debugging flags in when they compiled). We sent this to them. Three weeks later, still nothing. I'm no fan of MS, but when we call their support they at least act concerned.

I know our options are limited when it comes to integrated financials, but surely we can't be the only ones suffering the comedy that is Oracle consulting. Or maybe $5 million wasn't enough to warrant us getting the good consultants? I'd love to hear from people who have had better experiences, because I'm praying their product is better than the people they sent us.

Security

[michelcultivo]

If you were a serious Oracle DBA you have installed the database and do a check-up to see if the things is secure at a acceptable level (default passwords removed, logs enabled, firewall protected). I see a lot of amateur installing databases and when it is usable there's no need to update or do security checks.

Re:Security

[kpharmer]

> If you were a serious Oracle DBA you have

Sure, but look at all the non-skilled labor now doing this work. Whether due to outsourcing, attempts to save labor money, etc - I see a ton of very junior people doing installs. The major databases now have install wizards that are pretty good - and allow complete amateurs to install the product. This is great. But these folks have no idea how to lock down the database once they've installed it.

And think beyond oracle to mysql - where almost no dbas install the product, but rather junior programmers. I'm sure that if you looked you could find some very scary mysql installs!

Re:Security

[michelcultivo]

Yes, it's all about money. Why I need to put a senior DBA to install a Database if there is a lot of juniors that only need to click "Next, Next and Finish".

My 2 Cents

SQL injection is a bigger issue against any DB.

Regardless of the exploit taken, if the DB is properly configured and secured the only "lost" of data should be against the schema being attacked. And then you can use Oracle's Flashback technology to roll back that one transaction - if caught in time.

True loss of data means the DBA did not do their job. Of course, this is usually, in my experience anyway, the fault of managment and the business - budget/time/resources.

Re:obZealotry -- What?

[laffer1]

How do you get it to run on any *nix platform? Really? I've been trying to get it to run on freebsd 5 and 6 for some time.

logon trigger aa blocked by Google?

[i_frame]

In the article by red database security it's stated that Google has allready blocked the Full Disclosure mailing list article refering to the sploit, and a request to it, "http://www.google.de/search?hl=en&q=startc0GtJBi1 +full-disclosure&btnI=I%27m+Feeling+Lucky", results in a message by google stating "We're sorry... but we can't process your request right now. A computer virus ...", but if you change the request, eliminating the "hl=en" parameter you get the Full Disclosure mailing list article, thus making the source of the exploit easily accessible, perhaps should google find a way to better to block articles they don't want be accessible by their search engines.

Re:Really, really, really lame

[smooth1x]

I would be interested in hearing more...