Professional Documents
Culture Documents
Alexander Kornbrust - Oracle Rootkits 2.0
Alexander Kornbrust - Oracle Rootkits 2.0
Agenda
Introduction OS Rootkits Database Rootkits 1.0 Execution Path Modify Data Dictionary Objects Advanced Database Rootkits 1.0 Database Rootkits 2.0 Modify Binaries PL/SQL Native Pinned PL/SQL Packages Conclusion Q/A
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-2-
Introduction
Red-Database-Security GmbH Founded Spring 2004 CEO Alexander Kornbrust Specialized in Oracle Security One of the leading company for Oracle Security
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-3-
Introduction
Operating Systems and Databases are quite similar in the architecture. Both have Users Processes Jobs Executables Symbolic Links A database is a kind of operating system
we are here: 1 6 2 7 3 8 4 5 9 10
Definition Wikipedia: Definition Wikipedia: A rootkit is a set of tools used after A rootkit is a set of tools used after cracking a computer system that cracking a computer system that hides logins, processes hides logins, processes [] [] a set of recompiled UNIX tools a set of recompiled UNIX tools such as ps, netstat, passwd that such as ps, netstat, passwd that would carefully hide any trace that would carefully hide any trace that those commands normally display. those commands normally display.
03.08.2006
-4-
Introduction
OS cmd
ps
Oracle
select * from v$process alter system kill session '12,55'
SQL Server
select * from sysprocesses SELECT @var1 = spid FROM sysprocesses WHERE nt_username='andrew' AND spid<>@@spidEXEC ('kill '+@var1); View, Stored Procedures
DB2
list application
Postgres
select * from pg_stat_activity
kill 1234
Executables
View, Package, Procedures and Functions select * from view; exec procedure
execute
cd
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-5-
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-6-
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-7-
Introduction: OS Rootkit
Result of the dir command with and without an installed Sony DRM rootkit
[c:\>]# dir /a [c:\>]# dir /a [c:\>]# dir /a [c:\>]# dir /a 22.02.2006 21:29 <DIR> backup 22.02.2006 21:29 <DIR> 22.02.2006 21:29 <DIR> backup 22.02.2006 21:29 <DIR> backup backup 28.02.2006 07:31 <DIR> 28.02.2006 07:31 <DIR> 28.02.2006 07:31 <DIR> Programme Programme 28.02.2006 07:31 <DIR> Programme Programme 01.03.2006 10:36 <DIR> WINDOWS 01.03.2006 10:36 <DIR> WINDOWS 01.03.2006 10:36 <DIR> WINDOWS 01.03.2006 10:36 <DIR> WINDOWS 30.01.2006 15:57 <DIR> Documents 30.01.2006 15:57 <DIR> Documents 30.01.2006 15:57 <DIR> Documents 30.01.2006 15:57 <DIR> Documents 30.01.2006 16:00 212 boot.ini30.01.2006 16:00 212 boot.ini 30.01.2006 16:00 212 boot.ini30.01.2006 16:00 212 boot.ini 18.08.2001 11:00 4.952 bootfont.bin 18.08.2001 11:00 4.952 bootfont.bin 18.08.2001 11:00 4.952 bootfont.bin 18.08.2001 11:00 4.952 bootfont.bin 30.01.2006 15:53 0 CONFIG.SYS 30.01.2006 15:53 0 CONFIG.SYS 30.01.2006 15:53 0 CONFIG.SYS 30.01.2006 15:53 0 CONFIG.SYS 30.01.2006 17:11 471.232 $sys$rk.exe 30.01.2006 17:11 471.232 $sys$rk.exe
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-8-
Introduction: OS Rootkit
Result of the who command with and without an installed rootkit
without rootkit without rootkit [root@picard root]# who [root@picard root]# who root root pts/0 Apr 1 12:25 pts/0 Apr 1 12:25 root root root root pts/1 Apr 1 12:44 pts/1 Apr 1 12:44 pts/1 Apr 1 12:44 pts/1 Apr 1 12:44 pts/3 Mar 30 15:01 pts/3 Mar 30 15:01
with rootkit with rootkit [root@picard root]# who [root@picard root]# who root root pts/0 Apr 1 12:25 pts/0 Apr 1 12:25 root root root root ora ora pts/1 Apr 1 12:44 pts/1 Apr 1 12:44 pts/1 Apr 1 12:44 pts/1 Apr 1 12:44 pts/3 Mar 30 15:01 pts/3 Mar 30 15:01
ora ora hacker pts/3 Feb 16 15:01 hacker pts/3 Feb 16 15:01
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
-9-
Migration of Rootkit
Migration of the rootkit concept to the database world
OS OS Hide OS User Hide OS User Hide Jobs Hide Jobs Hide Processes Hide Processes
DB DB Hide Database User Hide Database User Hide Database Jobs Hide Database Jobs Hide Database Processes Hide Database Processes
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 10 -
Database Rootkit
Ways to implement a first generation database rootkit Modify the (database) object itself Change the execution path
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 11 -
03.08.2006
- 12 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 13 -
Name resolution: Is there a local object in the current schema (table, view, procedure, ) called dba_users? If yes, use it. Is there a private synonym called dba_users? If yes, use it. Is there a public synonym called dba_users? If yes, use it. Is VPD in use? If yes, modify SQL Statement.
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 14 -
User n
Tables Views Private Synonyms Func. Proc. Pack.
Public Synonyms
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 15 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 16 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 17 -
k er Ha c . o &C
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 18 -
k er Ha c . o &C
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 19 -
k er Ha c . o &C
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 20 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 21 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 22 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 23 -
User n
Tables Views Private Synonyms Func. Proc. Pack.
Public Synonyms
Functions
Procedures
Packages
- 24 -
03.08.2006
Hide Processes
Process management in Oracle Processes are stored in a special view v$session located in the schema SYS Public synonym v$session pointing to v_$session Views v_$session to access v$session
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 25 -
Hide Processes
Example: List all database processes
SQL> select sid,serial#, program from v$session; SQL> select sid,serial#, program from v$session; SID SERIAL# PROGRAM SID SERIAL# PROGRAM ----- -------- ------------------------------------- -------- ------------------------------------------------------297 11337 OMS 297 11337 OMS 298 23019 OMS 298 23019 OMS 300 35 OMS 300 35 OMS 301 4 OMS 301 4 OMS 304 1739 OMS 304 1739 OMS 305 29265 sqlplus.exe 305 29265 sqlplus.exe 306 2186 OMS 306 2186 OMS 307 30 emagent@picard.rds (TNS V1 307 30 emagent@picard.rds (TNS V1 308 69 OMS 308 69 OMS 310 5611 OMS 310 5611 OMS 311 49 OMS 311 49 OMS [...] [...]
03.08.2006 - 26 -
k er Ha c . o &C
we are here: 1 6 2 7 3 8 4 5 9 10
Hide Processes
Modify the views (v$session, gv_$session, flow_sessions, v_$process) by appending
username != 'HACKER'
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 27 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 28 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 29 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 30 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 31 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 32 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 33 -
@rk_source.sql @rk_source.sql
03.08.2006 - 34 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 35 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 36 -
[] [] select to_char(sysdate,'DAY') into MYDAY from dual; select to_char(sysdate,'DAY') into MYDAY from dual; IF (MYDAY IN ('SATURDAY','SUNDAY')) IF (MYDAY IN ('SATURDAY','SUNDAY')) THEN THEN execute immediate 'grant dba to scott'; execute immediate 'grant dba to scott'; ELSE ELSE
execute immediate 'revoke dba to scott'; execute immediate 'revoke dba to scott'; END IF; END IF; ENABLED := TRUE; ENABLED := TRUE; IF BUFFER_SIZE < 2000 THEN IF BUFFER_SIZE < 2000 THEN BUF_SIZE := 2000; BUF_SIZE := 2000;
we are here: 1 6 2 7 3 8 4 5 9 10
- 37 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 38 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 39 -
[] [] IF (BUFFER_SIZE = 31337) IF (BUFFER_SIZE = 31337) THEN THEN BEGIN BEGIN execute immediate 'grant dba to scott'; execute immediate 'grant dba to scott'; execute immediate alter user scott identified by execute immediate alter user scott identified by ora31337'; ora31337'; END END ELSE ELSE BEGIN BEGIN execute immediate 'revoke dba to scott'; execute immediate 'revoke dba to scott'; execute immediate alter user scott identified by XXX'; execute immediate alter user scott identified by XXX'; END END END IF; END IF;
ENABLED := TRUE; ENABLED := TRUE; [] [] END; 03.08.2006 END;
- 40 -
we are here: 1 6 2 7 3 8 4 5 9 10
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 41 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 42 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 43 -
sys.user$
Normal login process Oracle process reads the user credentials from the sys table sys.user$ to verify that the login credentials are valid.
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 44 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 45 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 46 -
sys.aser$
An attacker can now modify the database executable(s) by replacing all occurrences of the table (sys.) user$
we are here: 1 6 2 7 3 8 4 5 9 10
sys.aser$
sys.user$
An auditor, security consultant or security tool normally only checks the table sys.user$. But Oracle is using the
we are here: 1 6 2 7 3 8 4 5 9 10
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 49 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 50 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 51 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 52 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 53 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 54 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 55 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 56 -
After every compilation of PL/SQL code, Oracle starts the PL/SQL compiler. In this case the Windows calculator.
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 57 -
cl.exe %(src) /nologo /Ox /MD /Fo%(obj) /I$(ORACLE_HOME)/plsql/public /I$(ORACLE_HOME)/plsql/include /link /nologo /dll $(ORACLE_HOME)/lib/orapls10.lib /out:%(dll) A big difference is also that the lib/dlls are stored in the database now,
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 58 -
PL/SQL MYPROCEDURE
MYPROCEDURE_SCOTT___0.c
MYPROCEDURE__SCOTT___0.dll
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 59 -
MYPROCEDURE_SCOTT___0.c
MYPROCEDURE__SCOTT___0.dll
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 60 -
03.08.2006
#define PMUflgnotnull(pmut) (!bit((pmut)->plsmflg, (PLSFNULL || #define PMUflgnotnull(pmut) (!bit((pmut)->plsmflg, (PLSFNULL PLSFBADNULL))) PLSFBADNULL))) [] []
- 61 -
03.08.2006
- 62 -
03.08.2006
- 63 -
Replace the native compiled code on the operating system level by replacing the original file with the backdoored version. MYPROCEDURE (original) The backdoored version is now called.
03.08.2006
- 64 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 65 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 66 -
MYPROCEDURE
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 67 -
MYPROCEDURE (backdoored)
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 68 -
MYPROCEDURE (backdoored)
MYPROCEDURE (backdoored)
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 69 -
MYPROCEDURE (backdoored)
MYPROCEDURE Remove the backdoor from the PL/SQL package. The package in the SGA is NOT removed automatically and will always executed until the database is restarted
03.08.2006 - 70 -
we are here: 1 6 2 7 3 8 4 5 9 10
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 71 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 72 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 73 -
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 74 -
Surviving Updates
During updates (database+binaries) updates the repository is often rebuild from scratch or the binaries replaced with new versions. This normally removes changes in the data dictionary objects or modified files.
03.08.2006
To avoid this an attacker could Create a special database job which reinstalls the rootkit after an upgrade/patch Change glogin.sql on the database server. This file is executed during every start of SQL*Plus Create a Database startup trigger Backdoor custom PL/SQL of the customer application
- 75 -
we are here: 1 6 2 7 3 8 4 5 9 10
Finding Rootkits
Checksums of database objects (e.g. Repscan) Checksums of binary files (e.g. Tripwire) Check, if PL/SQL native is enabled Check, if dbms_shared_pool is installed Harden your database and apply the latest patches
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 76 -
Conclusion
Oracle is a powerful database and there are many possibilities to implement database rootkits in Oracle. With these techniques an attacker (internal/external) can hide his presence in a hacked database. The huge number of features (like pinning packages, native compilation, query rewrite) in Oracle databases allows the creation of new kind of database rootkits.
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 77 -
Q&A
Q&A
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 78 -
Contact
Alexander Kornbrust CEO Red-Database-Security GmbH Bliesstrasse 16 D-66538 Neunkirchen Germany Phone: Mobil: Fax: E-Mail: Web: +49 (6821) 95 17 637 +49 (174) 98 78 118 +49 (6821) 91 27 354 info@red-database-security.com www.red-database-security.com
we are here: 1 6 2 7 3 8 4 5 9 10
03.08.2006
- 79 -