Re: Oracle 9i on Windows 2003 -- Vulnerability Question
- From: David Litchfield <dwlitchfield@xxxxxxxxxxx>
- To: EPanosian@xxxxxx
- Date: Fri, 1 Dec 2006 08:57:40 +0000 (GMT)
"Panosian, Estifan" <EPanosian@xxxxxx> wrote:
Hello,
> I am trying to make our database more
> secure, one of the scenarios we
> came up is: 'what if an internal hacker
> (somehow) gets to our database server?'
> 1) what kind of damages he/she could cause, and
> 2) what we need to do to protect our databases?
> 3) Could hacker be able to browse data?
> Any article in this regard?
> OS is Windows 2003, Oracle is 9.2.0.7.
> The hacker has admin rights on the server.
The oracle.exe process and thread objects on Windows have not been secured
properly and have NULL DACLs - this means that *anyone* (as part of the
Everyone special group) that has local access to the server or (remote access
and the ability to run code) can exploit this to gain local system/admin
privileges. (OpenThread() -> SetThreadContext() -> Set EIP to shellcode)
Regardless of the operating system, though, (unless your running a well
configured CMW/B1 system like Virtual Vault or Pitbull) there's not much you
can do to stop a hacker that has root or administrator/local system privileges.
Without even going through the database server an attacker with this level of
privilege can go straight after the datafiles.
Encryption of data is the best solution - of course you'll need to ensure
that the attacker doesn't have access to the keys, though!
For more information on Oracle and database security see
http://www.databasesecurity.com/
Cheers,
David Litchfield
p.s. The NULL Dacl problems are not Microsoft's fault before anyone blames
them...
Send instant messages to your online friends http://uk.messenger.yahoo.com
Other related posts:
