Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Where's Larry? Ellison calls out sick at RSA Conference"] [Next entry: "Oracle 0-day exploit to be released - Blackhat Washington DC database security presentations"]

Argeniss are now selling Oracle rootkits!

Alex pointed out a news item this evening titled "Oracle DB rootkit for sale in exploit pack" by Ryan Naraine

"A vulnerability research company in Argentina has fitted an Oracle database rootkit into its zero-day exploit pack, adding a stealthy new danger to enterprise systems.

The rootkit, which is available for sale in the Argeniss Ultimate 0day Exploits Pack, can be used to hide a malicious database user once a database server is compromised. The rootkit can also be used to hide activities that might set off alarm bells — running processes, opened connections, logins created, etc."

This is interesting. I can see how you may conclude that buying zero day exploits can be useful for manufactures of security tools so that they can test if their tools perform correctly in detecting any exploit that may occur, not just the known ones. A rootkit for Oracle though? I am not convinced there are any in the wild. I know Alex has talked about them at BlackHat and I have been aware of the idea of Oracle rootkits for much longer but I have not heard of one in the wild yet. There could be value for the same tool and product manufacturers in testing if audit tools can detect firstly a root kit and secondly a compromised system that includes a level of hiding using a root kit. The Oracle root kits that Alex has discussed are not honed and slick by any means (no disrespect to Alex intended) but I guess the security tools are also not honed to test for root kits yet. I have no idea of the complexity of the Argeniss rootkit but suspicions would be that it may fool some existing products but it would not fool someone who know how to check if one is installed.

Argeniss should share their research on this, or at least let us see the level of complexity of the rootkit. It would be useful in progressing free and commercial tools capabilities BUT it would also help develop more cunning Oracle root kits.

Interesting all the same!

There has been 3 Comments posted on this article

February 15th, 2007 at 04:25 pm

Pete Finnigan says:

The rootkit released by Argeniss is based on few tricky modifications of SYS database , which makes oracle NOT to show details as they really are (jobs for example). The way rootkit make oracle to so so is not complex at all, but it`s based on simple tricks like modifying informations which oracle relays on, for showing details to DBA. and all these happens with 3 queries smile. simple but effective.

February 15th, 2007 at 10:01 pm

Pete Finnigan says:

Hi Hamid,

I have not seen Argeniss root kit but i was involved in the first root kits created for Oracle. Alex Kornbrust and I discussed Oracle rootkits in detail quite a few years ago and before his BlackHat papers on the same subject. I suspect that they have simply shipped some code to modify built in views such as DBA_USERS or DBA_JOBS. The problem with this is its easy to detect a hacker simply by comparing SYS.USER$ with DBA_USERS for instance. Alex's ideas for secodn generation rootkits for Oracle are sound and have been tested limitedly, the issue for me is that key data that could be used to identify a database users is propogated to a huge amount of places in the database and this would need a huge amnount of modified views to be implemented. Also remember that a rootkits is not simply a hiding mechanism, but should include installation, backdoors (I suggested a variation on port knocking to Alex last year and he used it in his BlackHat paper on Oracle 2 rootkits), log and audit cleaning and much more.

I think we are a way from seeing real Oracle rootkits that are slick and really hide a user and what he is doing in the database.


February 16th, 2007 at 03:33 pm

Pete Finnigan says:

Hi Pete.
You`re right about your guess. Argeniss have also provided backdoors too, but as you said these are far away from a real-world rootkit and can be used only against DBAs with low level of knowledge. A sharp DBA can reveal these in matter of minutes. I have read Alex notes too, before Argeniss release it's version. I belive current state of database rootkits like user-land days of OS rootkits which never proved to be successful. I'm not a DB expert but I think as long as community is working on top level of DB, results would not be much effective. why not move to deeper level of modifications, like replacing or altering core components of DB? one-byte patch for ms-sql is a good old example but I'm sure there are many targets available to focus. stored procedures would be my choice for this. In Oracle for example, there are many ways to bypass protection mechanism and let attacker manipulate DB from OS level not DB level.