Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Conferences, webinars, trainings, new training dates....."] [Next entry: "The Oracle listener password algorithm"]

Two new Oracle root kits

Dennis has made two great posts about Oracle rootkits on his blog. The first is about creating a backdoor into the Oracle binaries and logon process/function by replacing the C library function kziaia() so that if the user presented is "root" - this is meant to be a database username not the Unix user root. Dennis has modified kziaia() so that if "root" is the username you get logged in as SYSDBA by setting the SYSDBA bit in the PGA (Tanel showed how to do this quite some time ago with a debugger) and also importantly the user does not need a password and even more importantly there is little or no evidence that the connection has been made. Also testing for this root kit becomes harder as its traditional modified binaries.

This root kit idea is much more in the style of old school root kits rather than something like modifiying data dictionary views to hide the user.

The first post is titled - (broken link) My Oracle rootkit experiment and is a great read.

Today Dennis has posted a second installment on his blog titled - (broken link) My Oracle TNS Listener rootkit experiment. This post looks at this time modifying the TNS listener binary by intercepting the function snttread() which is like a wrapper around recv() on Unix. This time the magic word is not the username "root" but the string for the command "/bin/sh" - the borne shell. The packet shoulkd include the "magic word" and then the shell is launched instead!!

To exploit this Dennis simply used netcat to connect to the listener port number and he immediately had a shell!, again very interestingly there is nothing written to the log files except that a TNS-12502 is written. This is not totally uncommon so analysing whether this root kit is installed via this error is difficult. Also because if you are clever enough to implement these modifications you can very easily change the C and make it harder to detect. These are traditional rootkit techniques and traditional methods to detect them are needed.

Remember these are backdoors not exploits, you need access to modify the libraries in the first place.

Also its nice to see that Dennis has automated some of the install with pythin scripts. Great posts Dennis!!