WITH FULL CAPTURE
White Paper

INTRODUCTION

The Full Capture technology developed by Blue Core Research provides effective monitoring of database activity.

Full Capture consists of two important features – capturing everything that happens inside the database engine, and being able to do so on a continuous basis with extremely low overhead.

This paper will discuss various types of attacks that attempt to hide from database auditing tools, and how they appear when using the Full Capture technology.

All the attacks in this paper attempt to change salary amounts using SQL like:

    update hr.emp set salary = salary*2 where id=2

Some examples are simple yet effective, while others are much more sophisticated. For each attack we will describe its objective, how it's done, and what to do to catch it.

ENCRYPTION

The easiest way to bypass any SQL*Net monitoring tool is by encrypting the network traffic. If the network is encrypted no one can tap it.

But how can an attacker change your Oracle configuration to turn on encryption? Simple – there's no need to change anything in Oracle. The default Oracle configuration will encrypt network traffic if the Oracle client asks for it. All you need to do is ask.

Example

On your Oracle client machine, edit the sqlnet.ora file in $ORACLE_HOME/network/admin, and add these lines:

    SQLNET.ENCRYPTION_CLIENT = required
    SQLNET.ENCRYPTION_TYPES_CLIENT = AES128

From now on, all your Oracle network traffic will be encrypted and no one can listen in. It might seem like breaching a million dollar security system with a hairpin, but if it works...

From a licensing standpoint, network encryption used to require the Oracle Advanced Security (OAS) option. However, Oracle changed their licensing and network encryption can now be used with any Oracle database license.

Full Capture

Full Capture sees activity inside the Oracle SQL engine and is not affected by any type of encryption, whether built into Oracle or otherwise. When using encryption with Full Capture you see exactly what you'd see without encryption.

OBFUSCATION

The next simplest means of bypassing a SQL*Net monitoring tool is by sending a network message that contains a hidden message inside it. The idea is that a simple piece of PL/SQL will decrypt the message inside the database and execute it.

These types of attacks rely on the PL/SQL execute immediate function, which parses a string as SQL.

Examples

The first example shows breaking the SQL into multiple pieces and then putting it back together with PL/SQL:

    execute immediate 'upd'||'ate h'||'r.em'||'p set sal'||'ary = sa'||'lary*2 where id=2';

A slightly smarter example replaces the letters a, e, h with @, 3, 4 respectively, rendering the text unreadable:

    execute immediate translate ('upd@t3 4r.3mp s3t s@l@ry = s@l@ry*2 w43r3 id=2', '@34', 'aeh');

You can create more complex substitution keys that replace every character and make the string look like gibberish. You can also use any other string manipulation function in PL/SQL.

Our last example is to use loops to generate the SQL. This is an attempt at bypassing smarter monitors that have some understanding of PL/SQL functions like translate.

This example reverses the text using a loop:

    declare
        s1 varchar2(50);
        s2 varchar2(50);
    begin
        s1 := '2=di erehw 2*yralas = yralas tes pme.rh etadpu';
        while length(s1)>0
        loop
            -- move the first character of s1 to the front of s2
            s2 := substr(s1,1,1) || s2;
            s1 := substr(s1,2);
        end loop;
        execute immediate(s2);
    end;

This example also uses very simple PL/SQL string functions, so it will not raise any red flags.

Full Capture

The first example looks like this in Full Capture.
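As an added example (not code from the paper or from Blue Core Research), the small Python checker below models what a PL/SQL-aware network monitor can and cannot recover from the three obfuscated statements above: it folds literal concatenation and literal-argument translate() back to the real UPDATE, but can only flag the loop variant as dynamic SQL built from a value computed at run time. The inputs are the paper's own PL/SQL, embedded here as constructed wire captures.

```python
import re
# Constructed wire captures of the three obfuscation styles shown above.
CAPTURES = {
    "concat": "execute immediate 'upd'||'ate h'||'r.em'||'p set sal'||'ary = sa'"
              "||'lary*2 where id=2';",
    "translate": "execute immediate translate ('upd@t3 4r.3mp s3t s@l@ry = "
                 "s@l@ry*2 w43r3 id=2', '@34', 'aeh');",
    "loop": "declare s1 varchar2(50); s2 varchar2(50); begin "
            "s1 := '2=di erehw 2*yralas = yralas tes pme.rh etadpu'; "
            "while length(s1)>0 loop s2 := substr(s1,1,1) || s2; s1 := substr(s1,2); "
            "end loop; execute immediate(s2); end;",
}
LIT = r"'((?:[^']|'')*)'"  # one PL/SQL string literal ('' escapes a quote)

def fold_concat(expr):
    """'a'||'b' -> ab when every operand is a literal, else None."""
    if not re.fullmatch(r"\s*" + LIT + r"(\s*\|\|\s*" + LIT + r")*\s*", expr, re.S):
        return None
    return "".join(p.replace("''", "'") for p in re.findall(LIT, expr))

def fold_translate(expr):
    """translate(<literal expr>, 'from', 'to') with all-literal arguments, else None."""
    m = re.fullmatch(r"\s*translate\s*\((.*),\s*" + LIT + r"\s*,\s*" + LIT + r"\s*\)\s*", expr, re.I | re.S)
    inner = fold_concat(m.group(1)) if m else None
    if inner is None:
        return None
    frm, to = m.group(2), m.group(3)
    # Oracle TRANSLATE semantics: positional char mapping; surplus 'from' chars are deleted
    return inner.translate({ord(c): (to[k] if k < len(to) else None)
                            for k, c in enumerate(frm)})

def resolve_dynamic_sql(capture):
    """Classify the first EXECUTE IMMEDIATE: ("none", None), ("folded", sql) or ("opaque", arg)."""
    m = re.search(r"execute\s+immediate\s*(.*?);", capture, re.I | re.S)
    if not m:
        return ("none", None)
    arg = m.group(1).strip()
    if arg.startswith("(") and arg.endswith(")"):
        arg = arg[1:-1].strip()
    for fold in (fold_concat, fold_translate):
        sql = fold(arg)
        if sql is not None:
            return ("folded", " ".join(sql.split()))
    # Argument is computed at run time: the wire never carries the real SQL text.
    return ("opaque", arg)

if __name__ == "__main__":
    for name, cap in CAPTURES.items():
        print(name, resolve_dynamic_sql(cap))
```

The "opaque" verdict is the point: a monitor outside the engine can only report that dynamic SQL ran, not what it did, which is what an in-engine capture shows directly.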
    create or replace and resolve java source named java1 as
    import java.sql.*;
    import oracle.jdbc.*;
    public class java1 {
        // Runs inside the database JVM; "jdbc:default:connection:" is the
        // server-side internal JDBC driver, so the statement is built and
        // executed within the database session itself.
        public static void run(int i, int s) throws SQLException {
            Connection conn = DriverManager.getConnection("jdbc:default:connection:");
            PreparedStatement stmt = conn.prepareStatement(
                "update hr.emp set salary=" + s + " where id=" + i);
            stmt.executeUpdate();
            stmt.close();
        }
    }

To make matters worse, APEX configuration and programming is also done through the APEX console, which itself uses APEX. That means that all changes to APEX go over HTTP directly to the database without any SQL.

Full Capture

Since Full Capture can see all the SQL activity inside the database engine, it can see all the SQL generated internally by APEX. That includes both the SQL used to fetch the screens and the SQL used to access the data.

The only difference is that APEX activity is seen at deeper depths than most other activity, but a rule monitoring table access will show that access even when done through APEX.
SUMMARY
Oracle is a very powerful database, but consequently
offers many ways to bypass security tools. Individuals
who possess high skill levels like DBAs and hackers
pose a credible threat to database security.
This knowledge is out there and the internet provides
ample information along with detailed recipes on how to
breach security.
Database security threats are real and security personnel
must be equipped with both the technologies and the
education needed to help prevent serious and costly data
breaches.
Blue Core Research's Full Capture technology and the
Core Audit suite are the most advanced technologies in
the market, and we are complementing those by
educating customers about the threats they face and how
to combat them.