
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Spoofing users and programs and presenting at OWASP



I found a nice blog the other week called ORAganism and added it to my list of things to blog about; visiting it again at the weekend I saw a nice post by Pawel Krol about spoofing the OSUSER and the PROGRAM. Pawel shows example output for a program he has written in Java using the thin Java client (it would have been nice to also see the code, of course) that lets the user enter the OSUSER and PROGRAM values and so spoof them in the V$SESSION view. As Pawel points out, these columns and many more in V$SESSION are often important for security, as security solutions such as auditing, VPD, Label Security, secure application roles, security-based triggers such as logon/logoff triggers and many more use these values to control access or to record access. These values are also stored in SYS.AUD$ if database auditing is enabled. Pawel's blog entry is called "Spoofing V$SESSION.OSUSER".

This is not a new subject; spoofing client details, that is. It is accepted that all values except the database username can be spoofed. Some are much harder to spoof than others, such as the client IP address, but most are easy. There are at least three easy routes to do the spoofing. The first is to do as Pawel has done: create a Java interface and use the calls Java provides simply to set these values. Some values are also settable via the thick client by doing the spoofing in an OCI program; Slavik had a good post 12 days ago titled "Oracle client - changing the program name in the session" that discussed how to change the client program name reported in V$SESSION (X$KSUSE) from an OCI program. Slavik included the C source code for two programs that demonstrate this by manipulating LD_PRELOAD. The third route is to manipulate the client session values using a proxy that allows the values to be edited as they pass on their way to the server. This is simple to write in Perl; three years ago I wrote about René Nyffenegger's code in a blog post titled "exploit code released for the DB18 AUTH_ALTER_SESSION bug - how to make any user a DBA", which of course showed how to exploit the DB18 bug. http://www.adp-gmbh.ch/blog/2006/01/24.php - (broken link) René showed a simple Perl proxy that could just as easily be used for spoofing client values. My own solution for the DB18 bug exploit, which was much simpler to do, was to edit the Oracle client library directly in a hex editor and modify the embedded code to do the same; of course this route is also possible for spoofing.

Finally, on the subject of spoofing, Steve Kost also wrote a nice paper some three years ago titled "Spoofing Oracle Database Session Information" which discusses this problem in detail and is still worth a read.
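To make the practical consequence concrete, here is an added example (not code from any of the posts or papers mentioned above) of a secure application role whose authorising package first trusts the client-reported OSUSER and TERMINAL values that end up in V$SESSION, followed by a hardened rewrite that keys the decision on attributes the client cannot simply type in. The role, package, user, terminal and IP address names are assumptions chosen for illustration.

```sql
-- Added example: a secure application role authorised by a package.
-- APP_ROLE, APP_ROLE_AUTH, HR_APP, appsrv, APPSRV01 and 10.1.2.3 are
-- assumed names; Oracle requires the authorising package to be
-- invoker's rights (AUTHID CURRENT_USER).
CREATE ROLE app_role IDENTIFIED USING app_role_auth;

CREATE OR REPLACE PACKAGE app_role_auth AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END app_role_auth;
/

-- Weak version: OS_USER and TERMINAL are sent by the client and are
-- shown in V$SESSION exactly as the client chose to report them, so
-- any client that sets them to these strings is granted the role.
CREATE OR REPLACE PACKAGE BODY app_role_auth AS
  PROCEDURE enable_role IS
  BEGIN
    IF SYS_CONTEXT('USERENV', 'OS_USER') = 'appsrv'
       AND SYS_CONTEXT('USERENV', 'TERMINAL') = 'APPSRV01' THEN
      DBMS_SESSION.SET_ROLE('APP_ROLE');
    END IF;
  END enable_role;
END app_role_auth;
/

-- Hardened version (replaces the body above): decide on the
-- authenticated database user, how that user authenticated, and the
-- network address the listener saw. The address is harder to forge
-- than the other V$SESSION columns, though not impossible, so it is
-- a second factor here rather than the only check.
CREATE OR REPLACE PACKAGE BODY app_role_auth AS
  PROCEDURE enable_role IS
  BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_APP'
       AND SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') = 'PASSWORD'
       AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.1.2.3' THEN
      DBMS_SESSION.SET_ROLE('APP_ROLE');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'APP_ROLE is not authorised for this session');
    END IF;
  END enable_role;
END app_role_auth;
/
```

The same substitution applies to logon triggers, VPD policy functions and audit reports: treat OSUSER, PROGRAM, TERMINAL and MACHINE as informational, and base enforcement on SESSION_USER and the authentication method.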

I have added the ORAganism blog feed to my Oracle blogs aggregator.

Finally, I am also speaking tomorrow evening in Leeds (North of England) at the first OWASP Leeds chapter meeting. The agenda is here, although Jason asked me to swap time slots with Justin, so the agenda is slightly wrong in terms of timing only. Justin Clarke (SQLBrute) and I are both speaking. If you are in the area, please come along.