Slashdot Mirror


Oracle 'Worm' Exploit Modified

answers writes "Two months after an anonymous researcher released the first public example of an Oracle database worm, the exploit code has been advanced and republished, adding new techniques to attack databases. From the article: "It's still very theoretical right now, but I don't think any DBA should be underestimating the risk," said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.""


  1. yeah. by User+956 · · Score: 3, Funny

    It is very possible to use this code to release a worm. I can do this right now if I wanted to.

    That seems like an odd quote. Did the author of the article like Double-Dog dare him, or something?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:yeah. by hey! · · Score: 4, Funny
      Odd? Nah, it must sound awkward because it was edited for brevity. The full quote was:

        It is very possible to use this code to release a worm. I can do this right now if I wanted to. Mwahahaha!
      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:yeah. by daikokatana · · Score: 2, Funny
      And I could walk right into a bank and hold it up right now if I wanted to.

      You posted this on a Saturday at 4:46PM - sorry, 'fraid not, the banks are all closed...

      --
      http://jcsnippets.atspace.com/ - a collection of Java & C# snippets
  2. firewalls? by mtenhagen · · Score: 5, Insightful

    How many oracle DBs are connected directly to the internet? Even within most companies there isn't a direct connection option to the DB but only through an application.

    Of course this is an exploit but the impact shouldn't be overrated.

    --
    200GB/2TB $7.95 Coupon: SAVE90DOLLAR
    1. Re:firewalls? by legirons · · Score: 2, Insightful

      "How many oracle db's are connected directly to the internet?"

      Shouldn't that be "how many oracle db's are connected directly to computers which might get infected with a virus"?

      e.g. plenty of firewalled LANs got CodeRed, Sasser, etc. (including that nuclear power station which nobody thought was internet-connected)

  3. Backup Data? by Artie+Dent · · Score: 5, Insightful

    It seems that any "valuable database" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

    1. Re:Backup Data? by KiloByte · · Score: 4, Insightful

      You're assuming that they are run by competent people -- and this is a thoroughly false assumption.

      If I combine everyone from my company and all companies we cooperate with, I can name only two people who consider backups to be anything but an annoying waste of time some pessimists are blabbing about in order to suck in some of their money.
      Redundant hardware runs against the principle of cutting costs; no bean counter would even consider investing in data integrity.

      When I tell people that I installed a script that will back up the most valuable part of the data and dump it to a remote location, the reaction is like: uh, cool, but what if it breaks things?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Backup Data? by DrSkwid · · Score: 2, Interesting

      how would you know if it's been changed?

      --
      There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
    3. Re:Backup Data? by Godeke · · Score: 2, Interesting

      It seems that any "valuable operating system" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

      I changed that one quoted term to make a point: if we aren't going to be concerned here, why be concerned about all those other worms? Oh, I know... perhaps because having your servers in an unusable state while performing recovery is a bad thing which can cause serious financial and reputation difficulties for a company.

      While you might say "but Oracle admins are smarter than windows admins" and I would have to agree, you seriously overestimate how seriously many Oracle admins take threats, including data loss. My experience has been that they are an order of magnitude better than the typical windows OS admin about backups (actually, most DBAs are) and yet I continue to visit companies where they haven't *tested* the recovery procedures in over a year nor do they implement off-site backups. In more extreme cases, the Oracle system was installed by a DBA who was later downsized and so the duties were transferred to the main IT group... who wouldn't know how to restore the database on a dare.

      While I doubt an Oracle worm would be anywhere as bad as the SQL Slammer (which mostly preyed on MSDE [i.e., unadministered] and poorly administered SQL Standard installs) in terms of disruption I could see it being significant. More significant than the reputation of Oracle admins would indicate.

      --
      Sig under construction since 1998.
    4. Re:Backup Data? by Anonymous Coward · · Score: 2, Funny

      As a consultant, I once nearly destroyed 2 years worth of a company's research data my first week on the job.

      I ran some perl script that they had written against a test database to update some stuff. Unfortunately, it turns out that the real database address was hardcoded deep in the Perl, and I hadn't understood this. The DB admin complained after it had run about 5 minutes updating (incorrectly) their multi-gigabyte database that access to the database was slow. So I immediately hit ^C and said, "OK, let's get the backup tapes!" I had actually asked previously whether there were backups, so I was pretty confident I was going to get out of this one. The response elicited sheer terror: "Oh, we don't back up the database!" Transaction logging wasn't turned on, either. They thought they might have a 6-month-old CD burn of the data somewhere, but they couldn't really find it IIRC.

      Fortunately, the script had been written to do its transaction atomically, so the database changes got rolled back before any damage was done. You can guess what my first project was after changing my pants.

      Some of my friends have stories in this vein also. Companies are less careful with their databases than you would think.

  4. doesn't exploit a vulnerability by kpharmer · · Score: 4, Informative

    This attack relies on default userids & passwords, not on any vulnerability. Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

    Given enough databases, someone will forget to change these. For that reason any shop with more than a half-dozen databases should be using some kind of application policy-checker that will automatically test for this kind of a policy violation.

    1. Re:doesn't exploit a vulnerability by Zathrus · · Score: 2, Informative

      Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

      Nope, scott/tiger is deprecated -- the current sample schemas are separated into multiple users, and they are all disabled by default. These users are installed by default, but it's not hard to tell Oracle to not install them.

      Of course, there's a lot of non-10g databases out there. Heck, there's a lot of pre-8i databases out there still even though you have to pay an arm, leg, and torso for support, if you can get it at all. And scott/tiger (as well as some other default users/passwords) certainly did exist in them.
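  The policy checker kpharmer calls for, and the "sample accounts locked by default" point Zathrus makes, as an added example that is not from the thread or from any Oracle tool: it reads a CSV export of Oracle's DBA_USERS view and flags well-known default accounts that are not locked. SCOTT is the only name the thread gives; the other account names, the CSV layout and the sample rows are my own assumptions for illustration.

```python
from dataclasses import dataclass

# Usernames treated as "shipped with a widely known default password".
# SCOTT comes from the thread; the rest are assumed here for illustration.
DEFAULT_ACCOUNTS = {"SCOTT", "HR", "OE", "SH", "DBSNMP", "OUTLN"}


@dataclass
class Finding:
    username: str
    account_status: str
    remediation: str  # SQL a DBA would run to close the account


def parse_dba_users(dump):
    """Parse 'USERNAME,ACCOUNT_STATUS' lines exported from DBA_USERS.
    Blank lines and the header are skipped; values are upper-cased because
    Oracle stores unquoted identifiers and status words in upper case."""
    rows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("USERNAME"):
            continue
        user, status = (part.strip() for part in line.split(",", 1))
        rows.append((user.upper(), status.upper()))
    return rows


def default_account_violations(rows):
    """One Finding per known-default account whose status is not LOCKED.
    OPEN and plain EXPIRED both still accept the default password at login,
    so anything without LOCKED in the status is reported."""
    findings = []
    for user, status in rows:
        if user in DEFAULT_ACCOUNTS and "LOCKED" not in status:
            findings.append(Finding(
                user, status,
                f'ALTER USER "{user}" ACCOUNT LOCK PASSWORD EXPIRE;'))
    return findings


# Constructed sample in the shape of a CSV export of DBA_USERS.
SAMPLE_DUMP = """USERNAME,ACCOUNT_STATUS
SYS,OPEN
SYSTEM,OPEN
SCOTT,OPEN
HR,EXPIRED & LOCKED
OE,EXPIRED
DBSNMP,LOCKED
APPUSER,OPEN
"""

if __name__ == "__main__":
    for f in default_account_violations(parse_dba_users(SAMPLE_DUMP)):
        print(f"{f.username}: {f.account_status} -> {f.remediation}")
```

Run across a fleet by exporting the two columns from each instance and feeding the dumps through the same check; the sample flags SCOTT and OE while leaving the locked HR and DBSNMP accounts alone.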

  5. The Realm of the Professional Cracker by mosel-saar-ruwer · · Score: 4, Insightful

    How many oracle DBs are connected directly to the internet? Even within most companies there isn't a direct connection option to the DB but only through an application.

    Here you begin to enter the realm of the professional cracker [apologies to chef], my little padawan novitiate.

    The professional employs something like the WMF vulnerability to crack the client OS, and then uses the client application to crack the DB.

    And when he's seen what he needs to see, the professional tidies up and removes any evidence of his intrusion.

    In all seriousness, the PRC Red Army's "TITAN RAIN" operation is more than a little troubling in this regard:

    The Invasion of the Chinese Cyberspies
    (And the Man Who Tried to Stop Them)

    ...The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat...

    http://www.securityteam.us/article.php/20050829200849601/print

    http://it.slashdot.org/article.pl?sid=05/08/28/1745245

  6. Humans Love To Categorize by Doomedsnowball · · Score: 2, Interesting

    What would be the difference between a website displaying a "security bulletin" versus a website asking for "opensource virus collaboration"? I think there is a fine line between warning the public and informing virus authors.

      said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to."

    The easier a bug is to exploit, the more carefully it should be handled in the press. IMHO.

    --
    7h3$3 4r3n'7 7h3 Ðr01Ð$ ¥0 4r3 £00|{1n9 f0r. M0v3 4£0n9. --OB1
  7. Blackmailing Oracle by Xemu · · Score: 3, Interesting
    Alexander Kornbrust, CEO of Red-Database-Security GmbH. "...It is very possible to use this code to release a worm. I can do this right now if I wanted to." (emphasis mine)

    Doesn't this sound very much like something a blackmailer would say?

    Alexander is an ex-Oracle employee. I wonder if he was let go because of his poor judgement.

    --
    Tell your friends about xenu.net
  8. This sounds so familiar. by DeltaHat · · Score: 3, Funny

    It is very possible to use this code to release a worm. I can do this right now if I wanted to.

    MICHAEL
    I'm gonna find out the hard way that I'm not a pussy if they don't start treating us software people better.

    SAMIR
    That's right.

    MICHAEL
    They don't understand. I could come up with a program that could rip that place off big time...big time.

    PETER
    Yeah.