Recently, I read a very interesting paper by Alexandr Polyakov on how an unprivileged database user can get OS access to the database machine by stealing NTLM challenge-response authentication strings.
I really liked the way it was written and the fact that it comes with automated Metasploit plug-ins that try to evade detection by using obfuscation techniques.

Since the paper mentioned Hedgehog, I took it as a challenge to protect against such an attack :-). One obvious solution is to monitor CREATE INDEX statements that use an INDEXTYPE of ctxsys.context. Because of the way Hedgehog monitors transactional information, evasion techniques like base64, translate, etc. are not effective: we read the command directly from memory at the moment it is being parsed, so it is already in clear text.

The rule I've created is: "cmdtype = 'create index' and statement contains 'ctxsys.context'". Although this is a somewhat simplistic version of the rule, I believe it will still be effective. Another option is to catch 'create index' whose accessed objects include the ODCI (domain index) objects. Next, I'm going to try this with Metasploit.
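To make the rule logic concrete, here is an added example (my own illustration, not Hedgehog's rule engine or any code from the paper) that applies the two rule variants above to a constructed feed of (command type, statement) pairs. It assumes, as the post describes, that the statement text arrives as parsed by the database, so an encoded wrapper would already have been decoded; the sample statements, the light normalization (comment stripping, whitespace collapsing, identifier-quote removal) and the function names are all my assumptions. It shows why a plain substring match on 'ctxsys.context' is simplistic, and how the broader "any domain index" variant catches the same statement without naming the indextype.

```python
import re

# Constructed sample of what a parse-time command capture might hand to a rule engine:
# (command type, statement text). These are not real Hedgehog events or real audit records.
SAMPLE_EVENTS = [
    ("create index", "CREATE INDEX emp_idx ON emp(ename)"),
    ("create index", "CREATE INDEX doc_idx ON docs(body) INDEXTYPE IS ctxsys.context"),
    # Comments and odd whitespace inside the DDL (the text is still clear once parsed).
    ("create index", "create /* hide */ index doc_idx2 on docs(body)\n  indextype is CTXSYS.CONTEXT"),
    # Quoted identifiers defeat a naive substring check for 'ctxsys.context'.
    ("create index", 'CREATE INDEX doc_idx3 ON docs(body) INDEXTYPE IS "CTXSYS"."CONTEXT"'),
    # Right words, wrong command type: must not fire.
    ("select", "SELECT * FROM docs WHERE body LIKE '%ctxsys.context%'"),
    # A different domain index: the narrow rule ignores it, the broad variant reports it.
    ("create index", "CREATE INDEX sp_idx ON geo(shape) INDEXTYPE IS mdsys.spatial_index"),
]

# Block and line comments in SQL.
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)

def normalize(statement):
    """Strip SQL comments, drop identifier quotes, collapse whitespace, lowercase."""
    s = COMMENT_RE.sub(" ", statement)
    s = s.replace('"', "")
    return " ".join(s.split()).lower()

# Narrow rule from the post: CREATE INDEX whose INDEXTYPE is ctxsys.context.
CTXSYS_RE = re.compile(r"\bindextype\s+is\s+ctxsys\s*\.\s*context\b")

# Broad variant: any domain index at all, returning the <schema>.<type> it uses.
DOMAIN_INDEX_RE = re.compile(r"\bindextype\s+is\s+([a-z0-9_$#]+)\s*\.\s*([a-z0-9_$#]+)\b")

def matches_ctxsys_rule(cmdtype, statement):
    """True when cmdtype is 'create index' and the normalized statement uses ctxsys.context."""
    if cmdtype.strip().lower() != "create index":
        return False
    return CTXSYS_RE.search(normalize(statement)) is not None

def domain_indextype(cmdtype, statement):
    """Broad variant: (schema, type) of the domain index in a CREATE INDEX, or None."""
    if cmdtype.strip().lower() != "create index":
        return None
    m = DOMAIN_INDEX_RE.search(normalize(statement))
    return (m.group(1), m.group(2)) if m else None

def evaluate(events):
    """Return the statements that fire the narrow ctxsys.context rule, in event order."""
    return [stmt for cmd, stmt in events if matches_ctxsys_rule(cmd, stmt)]

if __name__ == "__main__":
    for cmd, stmt in SAMPLE_EVENTS:
        print(f"{matches_ctxsys_rule(cmd, stmt)!s:5} {domain_indextype(cmd, stmt)}  {stmt!r}")
```

Running it flags the three ctxsys.context statements (plain, commented, and quoted-identifier forms) and nothing else; the broad variant additionally reports the mdsys.spatial_index domain index, which an operator can then allow-list or alert on as they see fit.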

Here is the screenshot of the rule:

Hedgehog CTXSYS rule

Running the clear text version of the attack produces the following:

Alert on ctxsys index

Any other ideas out there?