Thursday, August 9, 2012

Book Review: The Oracle Hacker's Handbook

Due to the proprietary nature of the Oracle beast, offensive security information relating to Oracle databases is difficult to obtain at the best of times. Where this information is available, it’s usually in dribs and drabs and rarely consolidated. The Oracle Hacker’s Handbook is one reference which aims to fill this gap.

The Oracle Hacker’s Handbook (TOHH) is written by one of the foremost respected commentators on Oracle database security, David Litchfield. The book is comprised of 12 chapters, each containing a myriad of attack methods and exploit examples on how to compromise Oracle databases. Whilst this book is certainly great as a reference guide, I feel several shortcomings make this book fall well short of the Oracle hackers “bible”.

The biggest issue I have with this book is the lack of background information for certain topics. One such example can be seen in chapter 7 Indirect Privilege Escalation. By the end of this chapter, one would expect the reader to have the knowledge and skills to perform some type of privilege escalation within a database. However, due to the lack of background knowledge given in proceeding chapters, it would be very difficult for someone to mimic any of the attacks described. I will discuss three such examples from chapter 7.

The first method given to escalate privileges uses an account which has access to particular privileges and a particular trigger on the system. The author introduces the chapter by providing a scenario whereby you (the reader) have an account with this privilege and trigger. The problem: nowhere in the book does it describe how one can list privileges or triggers for a particular user. Without this, it is not possible to mimic the method described.

Following on from this, the reader is told they need to determine all DBA accounts on the system and which tables/views they own. However, nowhere does the book provide any information on how to accomplish this.

The final paragraph begins with “We’ve found an SQL injection flaw in a package owned by a user who has very few privileges.” However, at no point in this book is there any information on how to view the privileges of other accounts, how to find/look through packages, or how to see who owns a particular package – all paramount to achieving this attack vector.

This theme continues throughout the book.

Another major gripe I have with this book is that the author omits key information in certain chapters and instead refers the reader to his other book (The Database Hackers Handbook). I found this particularly frustrating considering I bought this book under the impression I was buying a complete Oracle reference. Unfortunately, it falls well short of this.

Published in 2007, TOHH covered all major flavors of Oracle (7, 8i, 9i and 10g) which were then popular. At the time of publishing the author also released code for vulnerabilities that had not yet been seen. However, four years on and most (if not all) of these vulnerabilities have since been patched and versions of Oracle prior to 10gR2 are seldom seen. With 11g having been around since 2007, TOHH I fear is quickly becoming antiquated.

From a penetration tester’s perspective, I (initially) found this book a difficult read. I feel with large gaps in introductory topics that many of the attacks described will be lost on beginners. The best suited audience I feel for this book is an Oracle DBA who is interested in learning about offensive security methods. Someone well versed in Oracle databases would certainly find this book an interesting read.

Based on what I had read about this book my expectations were quite high. Many people I respect in the industry have endorsed this book and the author is very well respected on these topics. I think this is a good book to have on the shelf as a reference but it should certainly be supplemented with other readings and materials. If you are new to Oracle I would recommend covering the basics before delving into this book. Because resources that consolidate offensive Oracle security information are few and far between, this book certainly has a place on anyone’s bookshelf who is concerned with Oracle database security.
Reactions:

1 comments:

  1. Thanks for sharing your thoughts on Montaz sprzedaz komputerow na zamowienie eBusiness zarabianie w Internecie.
    Regards
    Also visit my web-site :: Montaz sprzedaz komputerow na zamowienie eBusiness zarabianie w Internecie

    ReplyDelete