Oracle Database Vault en

The document discusses design failures in Oracle Database Vault related to privileged database users being able to circumvent its protections. It notes that the database administrator runs as a single operating system user, allowing trojanization of database components. It also points out that the database administrator has full file system access and can copy the entire database. The document concludes that Database Vault provides no real privilege separation and a privileged user can always subvert its behavior.

© Attribution Non-Commercial (BY-NC)

Oracle Database Vault: Design Failures

Oracle Database Vault: The world is not pink and I'm root!

Joxean Koret

What is Database Vault?

Helps protecting against insider threats even when these come from privileged database users (SYS)
Mandatory in certain countries: laws
Can be considered a war declaration against many DBAs...


Design Failures

Database Vault administrator and auditor
Operating system level
File system level
RDBMS level
The TNS protocol


Database Vault's administrator and auditor

The most obvious failure (if it can be considered a failure...)

Who controls the police? Who should be responsible?

And who controls the one who controls the auditors and administrators? Another department that controls the department that controls the department that controls the department...?


Failures: Operating System Level

Fact: the database system runs as only one operating system user

  oracle under Unix/Linux
  LocalSystem under Windows

Database Vault's auditor, administrator, database administrator and final users: all of them run their queries in the same user space, owned by the user who runs the database



Failures: Operating System Level

Fact: the database administrator can trojanize the database at operating system level

  libclntsh.so (or .dll)
  A trojan version of the TNS Listener or, quicker, a proxy between the end user and the real TNS Listener
  A trojanized OCI library
  Any Oracle component can be trojanized


Failures: Operating System Level

Fact: the DBA has oracle or LocalSystem privileges in the operating system

  (S)he can attach with a debugger to any oracle process and record all operations
  Set function and/or address breakpoints and modify the normal way the database system works
  Can change local or global variables, the uid of a running SQL session, etc...
  Can do whatever (s)he wants...



Failure: Filesystem Level

Fact: the DBA has filesystem access

  Able to read or write data files in raw mode
  There are many libraries and tools to do it

Data Unloader

  Oracle's own tool
  http://www.ora600.nl/introduction.htm

DUDE (Database Unloading by Data Extraction)


Failures: Filesystem Level

Fact: the DBA can do a backup. (S)he can copy the complete database to any other disk or machine

  RMAN
  ALTER TABLESPACE XXX BEGIN BACKUP
  EXP/IMP doesn't work as expected but...
  (S)he can use RMAN
  Do a manual recover: damage one data file and put the manipulated version in place to recover

Can reimport the complete database

  Hard but possible

Failures: Filesystem Level

Problems

  Recovering and/or editing a large data file can be very hard and would be a reason to audit the complete database (by the police, of course)
  The data stored in the data files may be encrypted


Failures: Filesystem Level

Solutions

  Trojanize the database if the encryption mechanism is in the database (i.e., PL/SQL)
  An attacker (DBA) can wait for a system failure to apply the changes made in a data file without making it a suspicious thing

You will always find a system failure

You will always find a solution; if you're the DBA or the system administrator, you're god :)

Failures: Database System

It is hard to install a trojanized PL/SQL package when Database Vault is installed
Install the trojan prior to installing the Database Vault option :)

  While the DBA is doing the testing

But... What can be trojanized?


Failures: What to trojanize?

  DBMS_OBFUSCATION_TOOLKIT
  *_USERS, *_PRIVS views
  DBMS_STANDARD, for example...
  The installer and the installer's scripts

Database Vault's own scripts ;)


Failures: Backdoors

A wrapped (to hide the code) PL/SQL package during Database Vault install

  To escalate privileges
  To remove any evidence of an attack
  To simply subvert Database Vault's behaviour


Failures: Again, trojanize at OS level

We can trojanize at OS level

  As explained in another chapter

  libclntsh.(so|dll)
  oracle[.exe]
  libocci.[so|dll]
  libnnzXX.[so|dll]
  extjob[.exe]
  sqlplus[.exe]
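The components listed here and on the earlier operating-system slide (libclntsh, the oracle binary, the OCI library, libnnz, extjob, sqlplus) are files on disk, so a replaced copy is detectable when a known-good baseline exists. As an added example, not from the slides, the Python below hashes a watched set of ORACLE_HOME files, keeps the result as a baseline, and reports modified, missing and unexpected files on the next run. The directory it builds is a constructed placeholder, not an Oracle installation, and the glob list is an assumption about where those components live in a real home.

```python
import hashlib
import tempfile
from pathlib import Path

# ORACLE_HOME-relative globs for the components the slides name as
# trojanizable.  Real paths and version suffixes vary per installation, so
# this list is an assumption to adjust for the actual home.
WATCHED = [
    "lib/libclntsh*",
    "lib/libocci*",
    "lib/libnnz*",
    "bin/oracle",
    "bin/extjob",
    "bin/sqlplus",
]


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(oracle_home, patterns=WATCHED):
    """Return {relative_path: sha256} for every watched file under oracle_home."""
    root = Path(oracle_home)
    result = {}
    for pattern in patterns:
        for path in sorted(root.glob(pattern)):
            if path.is_file():
                result[path.relative_to(root).as_posix()] = sha256_file(path)
    return result


def diff_snapshots(baseline, current):
    """Classify drift between a stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def make_demo_home():
    """Constructed stand-in for an ORACLE_HOME: placeholder files, not Oracle binaries."""
    home = Path(tempfile.mkdtemp(prefix="demo_oracle_home_"))
    for rel in ["lib/libclntsh.so.19.1", "lib/libocci.so", "lib/libnnz19.so",
                "bin/oracle", "bin/extjob", "bin/sqlplus"]:
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder contents of " + rel.encode())
    return home


def demo():
    """Build a baseline, then alter one library and remove one binary to show the report."""
    home = make_demo_home()
    baseline = snapshot(home)
    (home / "lib/libclntsh.so.19.1").write_bytes(b"not the original library")
    (home / "bin/extjob").unlink()
    return diff_snapshots(baseline, snapshot(home))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The baseline has to live where the oracle OS user cannot write, and the comparison has to run under a different identity, because the slides' whole point is that one OS user owns both the files and anything that would check them. The check also sees only what is on disk: a change applied in memory by an attached debugger leaves every hash unchanged.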


Failures: Hooks

Every time you apply a patch you should reapply the trojan

  But you can trojanize the rebuild script...

It's better to write a tool to hook interesting Oracle functions

  oci_prepare_stmt, for example?
  Any of the kk* internal functions


Failures: TNS Protocol

There are various rule sets that allow or deny the privilege to do something if you connect from some domain or IP address:

  IP address, OS username, program, machine, etc...
  Are fully user controllable
  NV strings
  Not trusted



They are simply strings in a TNS packet


Failures: TNS Protocol

An example TNS packet's NV string:

(CONNECT_DATA=(CID=(PROGRAM=himom.exe)(HOST=192.168.1.5)(USER=oracle))(COMMAND=connect)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568))

OS username and IP address are fully controllable by an attacker

As well as many other options...
They are fields of a TNS packet
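The NV string above is all the evidence the listener receives for PROGRAM, HOST and USER. As an added example, not part of the slides, the Python below parses the CONNECT_DATA string into nested fields and contrasts a rule that trusts those self-reported values with a check that compares the claimed HOST against the address the listener actually saw on the TCP socket. The peer address passed in, and the function names, are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the NV string shown on the slide, reassembled on one line.
SAMPLE_NV = (
    "(CONNECT_DATA=(CID=(PROGRAM=himom.exe)(HOST=192.168.1.5)(USER=oracle))"
    "(COMMAND=connect)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568))"
)


def parse_nv(text):
    """Parse a TNS NV string into nested dicts.

    '(A=(B=1)(C=2))' -> {'A': {'B': '1', 'C': '2'}}.  Repeated keys at one
    level (several ADDRESS entries, say) keep the last value, which is enough
    for the CONNECT_DATA fields inspected here.
    """
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_group():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":
            value = {}
            while text[pos] == "(":
                inner_key, inner_value = parse_group()
                value[inner_key] = inner_value
                skip_ws()
        else:
            end = text.index(")", pos)
            value = text[pos:end].strip()
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    result = {}
    skip_ws()
    while pos < len(text):
        key, value = parse_group()
        result[key] = value
        skip_ws()
    return result


def client_claims(nv):
    """The CID fields a listener or Database Vault rule might consult."""
    cid = nv.get("CONNECT_DATA", {}).get("CID", {})
    return {"program": cid.get("PROGRAM"), "host": cid.get("HOST"), "user": cid.get("USER")}


def rule_allows(nv_text, allowed_hosts, allowed_users):
    """The weak rule from the slide: trust the self-reported HOST and USER.

    Whoever writes the packet chooses these strings, so passing this rule
    says nothing about who is really connecting.
    """
    claims = client_claims(parse_nv(nv_text))
    return claims["host"] in allowed_hosts and claims["user"] in allowed_users


def peer_matches_claim(nv_text, peer_ip):
    """Defender check: the claimed HOST must equal the address the listener saw
    on the TCP connection.  peer_ip is constructed here; in a real listener it
    comes from the socket, never from the packet body."""
    claimed = client_claims(parse_nv(nv_text))["host"]
    try:
        return ipaddress.ip_address(claimed) == ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # a hostname or junk in HOST can never match a socket address


if __name__ == "__main__":
    print(client_claims(parse_nv(SAMPLE_NV)))
    print("self-reported rule passes:", rule_allows(SAMPLE_NV, {"192.168.1.5"}, {"oracle"}))
    print("peer agrees with claim:", peer_matches_claim(SAMPLE_NV, "192.168.1.5"))
    print("peer disagrees with claim:", peer_matches_claim(SAMPLE_NV, "203.0.113.7"))
```

A rule that keys on these strings is at best a convenience filter; any allow/deny decision worth having must be bound to something the client does not write itself, such as the listener's own view of the peer address or the authenticated session identity.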


Conclusions

Interesting product but...

  I think that it is unreal
  Has no privilege separation at OS level
  Root or System can do whatever (s)he wants
  You can't hide anything from the kernel, and root/system may alter the kernel's behaviour without being noticed by final users

    To subvert the database's behaviour, i.e.


Possible solutions

Administrator or root shouldn't have privileges to do whatever (s)he wants; otherwise, (s)he is able to "attack" the database system

  Note the quotes (root attacking the system...)
  Google-like question: What is broken in Unix?

Privilege separation at OS level, by creating different users and groups for different tasks, is fundamental

Remember: all run in the same user space


End

Send comments, questions, criticisms, insults, threats, invitations for sex or for a drink to: [email protected]
