Database Reference
insert into PACKAGESTATESNEW values(OWNERIN,USER$NAME,OBJ$OWNER,NAMEIN,SOURCE$OBJID,OBJ$TYPE,COUNTOUT,CTIMEOUT,STIMEOUT,LASTDDLOUT,HASH);
EXIT WHEN CV%NOTFOUND;
END LOOP;
CLOSE CV;
END;
/
show errors
Once the procedure is compiled, run it against the chosen schema:
SET SERVEROUTPUT ON
EXEC PACKAGESTATEPRO('SYS');
SELECT * FROM PACKAGESTATESNEW;
Now that the checksums have been collected to create a first baseline, we can install the patch and create the
second baseline in a similar way:
ALTER TABLE PACKAGESTATESNEW RENAME TO PACKAGESTATESOLD;
EXEC PACKAGESTATEPRO('SYS'); --run the procedure and then use the queries below to compare states.
Now let's see the difference between the old and the new states:
((SELECT * FROM PACKAGESTATESOLD) MINUS
(SELECT * FROM PACKAGESTATESNEW));
((SELECT * FROM PACKAGESTATESNEW) MINUS
(SELECT * FROM PACKAGESTATESOLD));
However, to give this comparison greater forensic value, the checksummer itself (dbms_utility) must also be
checked. An attacker with SYS privilege may have tampered with the checksummer in order to hide their back door,
and done so in a way that creates a collision (same checksum but different contents) with the original
dbms_utility. The best way of verifying the code of dbms_utility is to read the code directly, which requires the
code to be decompiled, so there is a justification for a PL/SQL unwrapper. In the absence of a public 9i
unwrapper, an alternative is to verify that the wrapped text is identical to the known-good.
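One way to make the old/new comparison independent of dbms_utility is to export the source rows and hash them on a separate host. This is an added example, not code from the original text: it uses SHA-256 in place of dbms_utility.get_hash_value, and the row layout (owner, name, type, line number, text) and the sample rows are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def baseline(rows):
    """Map (owner, name, type) -> SHA-256 of the object's source lines.

    rows: (owner, name, type, line_no, text) tuples exported from the
    database; this layout is an assumption of the example.
    """
    grouped = defaultdict(list)
    for owner, name, obj_type, line_no, text in rows:
        grouped[(owner, name, obj_type)].append((line_no, text))
    digests = {}
    for key, lines in grouped.items():
        h = hashlib.sha256()
        for _, text in sorted(lines):  # hash in line order, whatever the export order
            data = text.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))  # length prefix keeps line boundaries unambiguous
            h.update(data)
        digests[key] = h.hexdigest()
    return digests

def diff(old, new):
    """Object-level equivalent of the two MINUS queries."""
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }

# Constructed sample rows (not real wrapped source).
OLD_ROWS = [
    ("SYS", "DBMS_UTILITY", "PACKAGE BODY", 1, "package body dbms_utility wrapped\n"),
    ("SYS", "DBMS_UTILITY", "PACKAGE BODY", 2, "AAAA1111\n"),
    ("SYS", "DEMO_PKG", "PACKAGE", 1, "package demo_pkg as\n"),
    ("SYS", "DEMO_PKG", "PACKAGE", 2, "end;\n"),
]
NEW_ROWS = [
    ("SYS", "DEMO_PKG", "PACKAGE", 2, "end;\n"),
    ("SYS", "DEMO_PKG", "PACKAGE", 1, "package demo_pkg as\n"),
    ("SYS", "DBMS_UTILITY", "PACKAGE BODY", 1, "package body dbms_utility wrapped\n"),
    ("SYS", "DBMS_UTILITY", "PACKAGE BODY", 2, "BBBB2222\n"),
    ("SYS", "DEMO_NEW", "PROCEDURE", 1, "procedure demo_new is begin null; end;\n"),
]

if __name__ == "__main__":
    for kind, keys in diff(baseline(OLD_ROWS), baseline(NEW_ROWS)).items():
        print(kind, keys)
```

The known-good digests should be kept off the database server, since anything stored in the database is within reach of an account with SYS privilege.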
The following query will compare the wrapped source code of dbms_utility to a known good value.
SELECT sys.obj$.owner#, sys.obj$.NAME, sys.source$.obj#, ctime, mtime, stime,
AVG(dbms_utility.get_hash_value(source,1000000000,power(2,30))) as sum
from sys.source$ inner join sys.obj$
ON sys.source$.obj#=sys.obj$.obj#
where sys.obj$.name = 'DBMS_UTILITY'
AND source like
'%Xw1m3H8IJU4RaGW47mwmJDetjZWzHqJCCsW4Nx1o08/8le+WWf7Gyk3XUd7zBCEOtZjhSZF
0U63xvlZDbDCK3fCByRp9IWjcXM3VQVqzyAqVFGjJbPHnoFmD5Kv/rv+ooybeTgVH1Okg+V9
2LRPFmG+Ht++JtOJd7osYmtkRDToKzAkrGW5X2kPouwsI7W6xzCAfVIHnqAcuU4qA1Z1tlFi
dXinleLqDrm44l0sH/798Ub1CdKKIRXvL+9xIdIOMte02L7hUCrdBI79UNJ0KwoNqTRNe/8F
2zF/wY1eWEnNzO5HfQkT5dvOkApQh9lQeHECX4FnKdLJeejmFTOH/B4KlLTEaTi1+IlU8P/m
TIbPHT098q2NoMh/6p2zdkNEUV619evSDBcpgc+CqtqdcgVy6wbbNY6wk+E5CzArIo3DnSyR
Cl4X4f3paSWmhjif+9RsoODZrqGTCvXyoF03TIRS4MTJqi0Uben2AD3sVwd8HIfIQ2OEi8ty
C6f2yft539gX/5X+e/ujyH7YTXWjx1vohgUTaAluPrjg9K+B9PgJEWBSSFbHxoa0DNNSZa6+
jwaihylwowEKSvctON8ABsHjgt5Vg1Jk3xkw5yAeuQ5MIhWxvO3Uar/Nq3ePsmIGQWwk1xv/
 