
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Alex Kornbrust has presented at Blackhat Amsterdam on Oracle Rootkits
Alex Kornbrust of Red Database Security GmbH presented at Blackhat 2005 Amsterdam last Friday, April 1st. Alex talked about database rootkits, and Oracle rootkits in particular. The presentation is available in English and also in German.

This is a great presentation and is probably the first place that Oracle rootkits have been discussed publicly. Alex first explains what a rootkit is, giving the Wikipedia definition, and then maps the OS-level components to their database equivalents. He then describes how Oracle resolves the paths to views and code and discusses how a rootkit may be created for Oracle. He then looks at specific examples: hiding a database user created by a hacker, and hiding processes and jobs. He then talks about how PL/SQL packages may also be modified. Finally Alex talks about a new product released by his company called "repscan". Repscan is a repository integrity scanner for Oracle and can be used to check whether any components of an installed Oracle database have been modified. You can download a limited trial version of repscan that will scan up to three databases.

Rootkits for Oracle are an interesting concept and will become more prevalent as database hackers become more sophisticated. A true rootkit for an Oracle database would need to be quite large, because there are a lot of views and packages that can expose a hacker's user and processes. Creating a true rootkit would be a large task. There is also an inherent problem for the rootkit author with any DBA who queries base tables such as SYS.USER$ directly, because rows hidden by hacked views are not hidden there. It may be possible to hide users in the dictionary base tables as well, but this would be far more involved to achieve. A true rootkit for Oracle would also include other parts such as log cleaners and backdoors. Alex discusses some good ideas on how a rootkit may be installed by exploiting the glogin.sql script. This is a script executed when a user connects to the database via SQL*Plus. If the file can be modified by a hacker then he can wait for a DBA to execute it for him, thereby installing the rootkit (or indeed accomplishing any other hack such as granting DBA to any other user!!).
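To make the base-table point concrete, here is a set of dictionary cross-checks a DBA can run as SYS from SQL*Plus. This is an added example of mine, not code from Alex's presentation or from repscan. The object names (SYS.USER$, SYS.JOB$, DBA_USERS, DBA_JOBS, DBA_OBJECTS, DBA_SYNONYMS, DBA_SOURCE, ORA_HASH) are standard Oracle dictionary objects and functions; the baseline table SRC_BASELINE is an assumed name that you create yourself.

```sql
-- Added example (not from the presentation or repscan): cross-checks for the
-- kind of dictionary tampering described above. Every dictionary view is
-- qualified with SYS. so that a view or synonym of the same name planted in
-- the caller's own schema cannot be picked up by name resolution instead.

-- 1. Users a rewritten DBA_USERS would hide. Read the base table SYS.USER$
--    directly (TYPE# = 1 is a user, 0 is a role) and subtract what the view
--    reports; any row left over is a user the view is not showing you.
SELECT u.name, u.user#, u.ctime
  FROM sys.user$ u
 WHERE u.type# = 1
MINUS
SELECT d.username, d.user_id, d.created
  FROM sys.dba_users d;

-- 2. The same idea for jobs: DBA_JOBS is a view over SYS.JOB$.
SELECT j.job, j.what
  FROM sys.job$ j
MINUS
SELECT d.job, d.what
  FROM sys.dba_jobs d;

-- 3. Objects outside SYS that carry dictionary view names. Oracle resolves an
--    unqualified name against the caller's schema first, then private and
--    public synonyms, so a private DBA_USERS in a DBA's own schema is what an
--    unqualified "SELECT * FROM dba_users" returns. Expect a handful of
--    legitimate hits from option schemas (e.g. MDSYS); review and baseline them.
SELECT owner, object_name, object_type
  FROM sys.dba_objects
 WHERE owner NOT IN ('SYS', 'PUBLIC')
   AND (object_name LIKE 'DBA\_%' ESCAPE '\'
        OR object_name LIKE 'ALL\_%' ESCAPE '\'
        OR object_name LIKE 'V$%'
        OR object_name LIKE 'V\_$%' ESCAPE '\');

-- 4. Public synonyms for dictionary names that no longer point at SYS.
SELECT synonym_name, table_owner, table_name
  FROM sys.dba_synonyms
 WHERE owner = 'PUBLIC'
   AND (synonym_name LIKE 'DBA\_%' ESCAPE '\' OR synonym_name LIKE 'V$%')
   AND table_owner <> 'SYS';

-- 5. SYS-owned views and packages redefined after they were created.
--    Heuristic only: patching and catalog upgrades also bump LAST_DDL_TIME,
--    so compare the dates against your last known patch window.
SELECT object_name, object_type, created, last_ddl_time
  FROM sys.dba_objects
 WHERE owner = 'SYS'
   AND object_type IN ('VIEW', 'PACKAGE', 'PACKAGE BODY')
   AND last_ddl_time > created + 1
 ORDER BY last_ddl_time DESC;

-- 6. A crude source baseline for SYS packages, in the spirit of a repository
--    scanner. Snapshot once right after install or patching, then diff later.
--    ORA_HASH is not a cryptographic hash: it catches casual modification,
--    not an attacker who deliberately engineers a collision.
CREATE TABLE src_baseline AS   -- assumed table name
SELECT owner, name, type,
       COUNT(*)            AS line_count,
       SUM(ORA_HASH(text)) AS text_hash
  FROM sys.dba_source
 WHERE owner = 'SYS'
 GROUP BY owner, name, type;

-- Later run: SYS packages whose line count or hash no longer matches.
SELECT s.name, s.type, b.line_count, COUNT(*) AS line_count_now
  FROM sys.dba_source s
  JOIN src_baseline b
    ON b.owner = s.owner AND b.name = s.name AND b.type = s.type
 WHERE s.owner = 'SYS'
 GROUP BY s.name, s.type, b.line_count, b.text_hash
HAVING COUNT(*) <> b.line_count
    OR SUM(ORA_HASH(s.text)) <> b.text_hash;
```

Two caveats when using this. First, queries 3 to 6 themselves go through DBA_OBJECTS, DBA_SYNONYMS and DBA_SOURCE, which a rootkit could rewrite just as easily as DBA_USERS; only the base tables (USER$, JOB$, OBJ$, SOURCE$) are a trustworthy reference, which is exactly why queries 1 and 2 read them directly. Second, given the glogin.sql point above, confirm that $ORACLE_HOME/sqlplus/admin/glogin.sql is not writable by anyone other than the Oracle software owner before starting the SQL*Plus session you run these checks from.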

I have also talked about Oracle rootkits in detail in the new SANS Oracle security track, which debuts in San Diego from April 7th to April 12th. The link gives details of the Securing Oracle track, a course overview and the author's statement (me); details of the requirements and of each day are included in the links on the right of the page. I will talk more about the course in a later blog entry.