SQL> select fsv.KSMFSNAM, sga.*
     from x$ksmfsv fsv, x$ksmmem sga
     where sga.addr = fsv.KSMFSADR
     and fsv.ksmfsnam like 'kzaflg_%';

KSMFSNAM
----------------------------------------------------------------
ADDR             INDX       INST_ID    KSMMMVAL
---------------- ---------- ---------- ----------------
kzaflg_
0000000060031BB0 25462      1          00
The same concept can be extended to the authentication and audit settings on 12.1 GA if you know the correct
memory addresses. Oradebug is a powerful tool and can also be used locally to dump otherwise encrypted
network sessions into plaintext trace files. For example:
oradebug event 10079 trace name context forever, level 2
It is good that oradebug can be controlled, as shown in Chapter 13.
Meterpreter-Style In-Memory Backdoor
Meterpreter is an option in a pentesting tool called Metasploit, which used to be free but is now more commercialized.
Meterpreter hooks into the memory of the Windows operating system, thus providing a permanent staging post in
that OS. Meterpreter needs an initial vulnerability to start running code, but once it is there it stays resident until reboot.
The same concept was used to demonstrate how a database rootkit could be made to run in memory. David
Litchfield termed this a third-generation database rootkit. The presentation is at this YouTube link and is well
worth a watch:
http://www.youtube.com/watch?v=9s9eJeOsMPg&noredirect=1
This is interesting when we look at how database security has evolved since that presentation. Sentrigo, a
company I was involved with at the time, had already developed an in-memory state checker called Hedgehog for
relational databases. This memory agent is able to read directly from the memory of the OS without depending on the
Oracle executable, so it is able to identify in-memory backdoors. Sentrigo was successfully bought out by McAfee, and
this product is now part of the database security establishment.
Looking at advances in offensive IT security, we can see that one of the most prolific threats has been malware
that reads from memory, as that area is not usually encrypted by the defending system. Malware scrapers have been
used to defraud millions during incidents. One example is the recent attack against the retailer Target in the United
States.
For Oracle database specifically, the ability to read memory does open up a password issue, as the passwords for
the Java OS account, for SYSDG, and for self-referencing PUBLIC DBLinks are all kept in memory in plaintext. There
are also plaintext copies of the crypto keys in memory.
Being able to read memory does depend on the permissions of the memory segments themselves. This can be
verified using the following command:

root@orlin $ ipcs -a

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 163840     oracle     600        393216     2          dest
0x00000000 196609     oracle     600        393216     2          dest
0x00000000 229378     oracle     600        393216     2          dest
0x00000000 262147     oracle     600        393216     2          dest
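The ipcs listing above is what a healthy system looks like: every SGA segment is mode 600, so only the oracle account (and root) can attach and read it. The following POSIX shell script is an added example, not code from the book, that automates that check: it parses ipcs-style output and flags any segment whose group or other read bit is set. The embedded sample listing is constructed for offline use, with two deliberately weak segments (640 and 666) so the check has something to find; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): audit System V shared memory segments
# for permissions that let group or other users read them.
# Assumed input format: the output of `ipcs -m` / `ipcs -a` on Linux, i.e.
#   key shmid owner perms bytes nattch status

# Constructed sample of ipcs output for offline use. The 640 and 666
# segments are deliberate examples of weak settings; 600 is the norm.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 163840     oracle     600        393216     2          dest
0x00000000 196609     oracle     640        393216     2          dest
0x00000000 229378     oracle     600        393216     2          dest
0x00000000 262147     oracle     666        393216     2          dest'

# Print one line per segment whose group or other read bit is set.
# Reads ipcs-style text on stdin; writes "shmid owner perms reason".
# Only the last two octal digits of the perms column are inspected, so
# both "640" and "0640" are handled the same way.
flag_loose_segments() {
    awk '
        $1 ~ /^0x[0-9a-fA-F]+$/ {
            perms = $4
            g = substr(perms, length(perms) - 1, 1) + 0   # group digit
            o = substr(perms, length(perms), 1) + 0       # other digit
            reason = ""
            # read bit is 4, so a digit has it set when int(d/4) is odd
            if (int(g / 4) % 2 == 1) reason = "group-readable"
            if (int(o / 4) % 2 == 1)
                reason = (reason == "") ? "other-readable" : reason ",other-readable"
            if (reason != "") print $2, $3, perms, reason
        }'
}

# Convenience wrapper: number of flagged segments on stdin.
count_loose_segments() {
    flag_loose_segments | wc -l | tr -d ' '
}

# Stand-alone usage: audit the live system with --live, else the sample.
if [ "${1:-}" = "--live" ] && command -v ipcs >/dev/null 2>&1; then
    ipcs -m | flag_loose_segments
else
    printf '%s\n' "$SAMPLE_IPCS" | flag_loose_segments
fi
```

Run with `--live` on a database host to audit the real segments; anything the script prints is a segment that a non-oracle local account could attach to and scrape, which is exactly the exposure the text describes. An empty result with all segments at 600 is the expected state.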