Pete Finnigan's Oracle Security Weblog

I was surfing this evening and came across a great paper by Graham Thornton that explains how to use the BBED Block Browser and EDitor utility to modify blocks in the database data files whether the database is up or down. I have known about this tool for a very long time and even reported its shipping on Windows as an executable and as an object file on *nix as a security bug to Oracle around 4 years ago.

This paper explains how to build the tool on Linux and how each command works. Quite clearly this is a useful tool to get you out of a hole in the case of corruption or incorrect deletions but its also an excellent hacker tool.

Graham shows 5 good examples of the use of BBED, these include "changing data", "recovering deleted rows", "uncorrupting a block", "file header reset" and "recovering deleted, damaged data".

For those of us who think like a hacker this tool has some awesome potential. The tool runs on the OS and doesnt need database authentication. A simple password is hard coded in the binary. If you can gain the possibility to run OS commands as a lowe level user then you can become a DBA, SYS or whatever, it is simple to change the SYS password hash. Remember there would be no audit trail generated no matter the type of database audit used. Or you could read data protected via VPD or OLS, you could change or read critical data in the database without detection, you could install root kits, the possibilities are endless.

This is a dangerous tool in the wrong hands, remove the binary if its there; also remove the object files if they exist so it cannot be rebuilt. If Oracle support or you need to use it, then Oracle will not support you afterwards anyway so there is no impetus to keep the tool.

Graham Thornton's great paper is called "Disassembling the Oracle Data Block - A Guide to the BBED Block Browser and Editor"