June2013 | Page - 1
www.chmag.in
Oracle Hardening
Part-1
Introduction
Oracle and SQL databases are among the most widely used databases in enterprises. I will take you through Oracle hardening to make it hard for malicious users to break into the system. The focus will be on the parameters you need to consider, with an explanation of what each parameter does, why it should be changed, and how the change can be made. This will be covered in multiple parts, as it is a huge topic.
Abstract
The following template will be used for each parameter:
WHAT: what the parameter is used for and where it can be found.
WHY: the reason you should consider changing it.
VERSION: the versions of Oracle it applies to.
COMMAND: the command that helps you make the change (wherever applicable).
Solution
First, a general but very important set of checks: the file-system permissions and ownership of the Oracle installation. An attacker who can read audit or trace output, or overwrite a binary under $ORACLE_HOME/bin, does not need a database account at all.
File/Directory/Parameter                  Permission/Value
$ORACLE_HOME directory                    rwxr-x--- or rwxr-xr-x
$ORACLE_HOME/bin/*                        Not world writable
$ORACLE_HOME/rdbms/audit directory        No access to others/everyone
$ORACLE_HOME/rdbms/log directory          No access to others
$ORACLE_HOME/network/trace directory      No access to others/everyone
System files/executables                  Owned by oracle:oinstall (or root); no group (GID) permissions for non-oracle users

File/Directory/Parameter                  Permission/Value
Data files (owner: oracle:oinstall)       -rw-------
Control files (owner: oracle:oinstall)    -rw-r-----
Redo log files (owner: oracle:oinstall)   -rw-------
Scheduled scripts                         Owned by oracle; not readable by group or others
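The checks in the table above can be scripted rather than eyeballed with ls -l. What follows is an added example, not code from the article: a Python audit that reports which of the directory checks fail under a given ORACLE_HOME and that compares a database file against the expected mode and owner. The oracle:oinstall owner is taken from the table; the default path in the main block is illustrative and not from any real host.

```python
import grp
import os
import pwd
import stat

# Assumption from the table above: the installation is owned by oracle:oinstall.
EXPECTED_OWNER = ("oracle", "oinstall")


def perm_bits(path):
    """Permission bits of path as a symbolic string such as 'rwxr-x---'.

    stat.filemode() gives the ls -l style string; the leading type character
    (d, -, l) is dropped.  POSIX ACLs are not reflected here, so check
    getfacl separately on hosts that use them.
    """
    return stat.filemode(os.stat(path).st_mode)[1:]


def owner_names(path):
    """(user, group) names owning path; numeric ids if a name is unknown."""
    st = os.stat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return (user, group)


def perm_in(path, *allowed):
    """True if the mode of path is exactly one of the allowed symbolic modes."""
    return perm_bits(path) in allowed


def no_other_access(path):
    """True if 'others' hold no read, write or execute bit on path."""
    return (os.stat(path).st_mode & 0o007) == 0


def not_world_writable(path):
    return not (os.stat(path).st_mode & stat.S_IWOTH)


def db_file_ok(path, expected_mode, check_owner=True):
    """Data and redo log files should be rw-------, control files rw-r-----,
    and all of them owned by oracle:oinstall (per the table above)."""
    ok = perm_bits(path) == expected_mode
    if check_owner:
        ok = ok and owner_names(path) == EXPECTED_OWNER
    return ok


def audit_oracle_home(oracle_home):
    """Run the directory checks from the table; return [(check, path)] that failed.

    A missing path is reported as a failure rather than skipped, so a wrong
    ORACLE_HOME cannot produce a clean report by accident.
    """
    join = os.path.join
    checks = [
        ("ORACLE_HOME rwxr-x--- or rwxr-xr-x", oracle_home,
         lambda p: perm_in(p, "rwxr-x---", "rwxr-xr-x")),
        ("rdbms/audit no access to others", join(oracle_home, "rdbms", "audit"), no_other_access),
        ("rdbms/log no access to others", join(oracle_home, "rdbms", "log"), no_other_access),
        ("network/trace no access to others", join(oracle_home, "network", "trace"), no_other_access),
    ]
    bin_dir = join(oracle_home, "bin")
    if os.path.isdir(bin_dir):
        for name in sorted(os.listdir(bin_dir)):
            checks.append(("bin/* not world writable", join(bin_dir, name), not_world_writable))

    failures = []
    for label, path, check in checks:
        try:
            ok = check(path)
        except FileNotFoundError:
            ok = False
        if not ok:
            failures.append((label, path))
    return failures


if __name__ == "__main__":
    # Illustrative default path; on a real host ORACLE_HOME is set in the environment.
    home = os.environ.get("ORACLE_HOME", "/u01/app/oracle/product/11.2.0/dbhome_1")
    for label, path in audit_oracle_home(home):
        print(f"FAIL  {label}: {path}")
```

Run it as the oracle user or as root so every path can be stat'ed. It looks at permission bits only: POSIX ACLs and the umask of the oracle user can still widen effective access, so review getfacl output and the login profile separately.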
Ajinkya Patil
http://avsecurity.in
Ajinkya is an Information Security professional with experience in conducting web application security, IT governance reviews, network security, and database and OS security reviews of approximately 500 servers. He holds a CISA (Associate of ISACA) certification and an Information Security Management certification, and has a Bachelor's degree in Information Technology from Mumbai University. He is also listed in the Hall of Fame of BlackBerry (RIM).
Auditor's Opinion
Management Assertion
System Description
Control Objectives and Activities (SOC 1) / Trust Service Principles and Criteria (SOC 2)
Test Procedures
Testing Results
Neelima Rao
CISSP, CISA, CCNA
neelima.rao.g@gmail.com
Confidential documents of organizations across the globe.
All types of user credentials from any PC, mobile, tablet or other device, including ones that will come into existence tomorrow.
Documents such as PDF, DOC, XLS, PPT, source code, personal documents, images of your family, etc.
All financial documents: credentials to log in to your bank, credit card information, trading account, where you stay, your digital certificates, your organization's digital certificate, etc.
Yash K. S.
yashks@gmail.com
Android Framework for Exploitation
Android is a mobile operating system platform originally developed by Andy Rubin, Rich Miner, Nick Sears and Chris White, whose company was later acquired by Google Inc.; it is now developed and maintained by Google itself. In smartphone market share, Android covers more than 50% of the market, far more than iOS and other mobile platforms such as BlackBerry, Windows and Symbian.
Afe/menu/modules$ get_content_provider
run
forward tcp:8899
*Afe/menu$ query "get --url content://com.threebanana.notes.provider.NotePad/notes"
You should see a screen similar to the one shown below.
"get --url content://com.threebanana.notes.provider.NotePad/notes"
</query>
So, my final exploit looks like this:-
Conclusion
In this article, we saw how to find and exploit a basic content provider vulnerability, and even how to write an exploit for it. A lot of well-known applications are vulnerable to this particular issue; the only drawback is that very few people are looking into Android application vulnerabilities right now, so it is a great time to start looking into app vulnerabilities and writing exploits for them. To prevent this kind of vulnerability, all the application developer needs to do is restrict the content provider in AndroidManifest.xml: set android:exported to false unless other apps genuinely need the provider, and if they do, guard it with android:permission (or android:readPermission and android:writePermission). The explicit value matters because a provider that omits android:exported is treated as exported whenever the app's minSdkVersion and targetSdkVersion are both 16 or lower. That's all for this article, guys. Hope you enjoyed it.
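The manifest check described above can be automated over a decoded AndroidManifest.xml (for instance the one apktool writes out). The following is an added example, not code from the article or from the AFE project: it lists every provider that any app on the device could query without holding a permission, applying the exported-by-default rule for manifests whose minSdkVersion and targetSdkVersion are both 16 or lower. The two manifests at the bottom are constructed for the example; the com.example.notes package and provider names are made up and do not refer to the application targeted in the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


def exported_by_default(root):
    """Default for a <provider> that has no android:exported attribute.

    Android treats such a provider as exported when both minSdkVersion and
    targetSdkVersion are 16 or lower (pre-4.2); otherwise it is private.
    A manifest without <uses-sdk> has both values at 1.
    """
    sdk = root.find("uses-sdk")
    if sdk is None:
        return True
    min_sdk = int(sdk.get(android("minSdkVersion"), "1"))
    target_sdk = int(sdk.get(android("targetSdkVersion"), str(min_sdk)))
    return min_sdk <= 16 and target_sdk <= 16


def exposed_providers(manifest_xml):
    """Return providers that other apps can reach without any permission.

    Each finding records the authority (what goes into the content:// URI)
    and whether exposure comes from an explicit exported="true" or from the
    default.  A provider guarded by android:permission, readPermission,
    writePermission or a <path-permission> element is not reported.
    """
    root = ET.fromstring(manifest_xml)
    default = exported_by_default(root)
    findings = []
    for prov in root.iter("provider"):
        attr = prov.get(android("exported"))
        exported = default if attr is None else attr == "true"
        if not exported:
            continue
        guarded = any(prov.get(android(k)) for k in
                      ("permission", "readPermission", "writePermission"))
        guarded = guarded or prov.find("path-permission") is not None
        if not guarded:
            findings.append({
                "name": prov.get(android("name")),
                "authority": prov.get(android("authorities")),
                "reason": 'explicit exported="true"' if attr else "exported by default",
            })
    return findings


# Constructed manifests for this example; package and provider names are made up.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16" />
    <application android:label="Notes">
        <provider android:name=".provider.NotePad"
            android:authorities="com.example.notes.provider.NotePad" />
    </application>
</manifest>
"""

# Same manifest with the fix from the conclusion applied: exported="false".
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:authorities="com.example.notes.provider.NotePad" />',
    'android:authorities="com.example.notes.provider.NotePad"\n'
    '            android:exported="false" />')


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, exposed_providers(xml) or "no exposed providers")
```

A provider that is reported here is exactly the kind the query module in the article can read: the authority in the finding is the host part of the content:// URL. Raising targetSdkVersion to 17 flips the default to private, but an explicit android:exported="false" is still the right fix, since it does not depend on which SDK level the next build targets.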
Aditya Gupta
adityagupta1991@gmail.com
Aditya Gupta is the co-founder of XY Securities, an information security firm based in India. His main expertise includes exploiting web applications, evading firewalls, breaking mobile security and exploit research. Aditya has been a frequent speaker at many conferences, including Clubhack, Nullcon, BlackHat and ToorCon.
Network Security
Basics Part-1
Introduction
Starting with this article, we will go through network security as a whole, from the basics to expert level. It will give you a better idea of network security. It is just a reference for people who are interested in network security but don't know where to start; there is more to do on your own.
Always remember that "Defense in Depth" is the key to NETWORK SECURITY.
Application Layer: The Application Layer provides the user with the interface to communication. This could be your web browser, e-mail client (Outlook, Eudora or Thunderbird), or a file transfer client. The Application Layer is where your web browser, telnet, FTP, e-mail or other client application runs: basically, any application that rides on top of TCP and/or UDP and uses a pair of virtual network sockets and a pair of IP addresses. The Application Layer sends data to, and receives data from, the Transport Layer.
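To make the "pair of sockets and pair of IP addresses" concrete, here is an added example (not from the article): a tiny application-layer client and server talking over TCP on the loopback address. The server binds to port 0 so the transport layer assigns the port, and both sides record the (address, port) pair they see at each end; the echo protocol and the message are constructed for the example.

```python
import socket
import threading


def echo_once(server):
    """Server side: accept one connection and reply with 'echo:' + the data received."""
    conn, peer = server.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(b"echo:" + data)
    return peer


def demo_exchange(message=b"hello"):
    """Run a client and server on loopback; return the socket pair each side observed.

    The application only hands bytes to the Transport Layer; the IP addresses
    and port numbers are what the layers below use to deliver them.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0: let the transport layer pick a free port
    server.listen(1)
    seen = {}
    worker = threading.Thread(target=lambda: seen.update(peer=echo_once(server)))
    worker.start()
    with socket.create_connection(server.getsockname()) as client:
        local, remote = client.getsockname(), client.getpeername()
        client.sendall(message)
        reply = client.recv(1024)
    worker.join()
    server.close()
    return {
        "reply": reply,
        "client_socket": local,                 # (IP, port) of the client end
        "server_socket": remote,                # (IP, port) of the server end
        "client_as_seen_by_server": seen["peer"],
    }


if __name__ == "__main__":
    for key, value in demo_exchange(b"hello").items():
        print(f"{key}: {value!r}")
```

The two (IP, port) pairs in the result are the connection's 4-tuple: the client's view of its own socket is exactly what the server reports as its peer, which is what firewall rules and connection-tracking entries are keyed on.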
Anagha Devale-Vartak
http://avsecurity.in
Anagha is an Information Security professional with experience in vulnerability assessment, web application audit, database audit, antivirus review, and compliance audit. She holds CCNA and CEH certifications.