Tue 28 Jul 2009
Well, this was bound to happen at one point or another. Chris Gates is going to present at BlackHat some of the work he and others were doing as part of the Metasploit framework. The Metasploit framework now contains some auxiliary modules for doing nasty things to Oracle.
The modules includes detection, version finding, sid enumeration, password bruteforce attacks, privilege escalation, OS escaping and IDS evasion. All of the goodies in one single place. Talk about leveling the playing ground!
With this, pen testers and even smaller companies can test their Oracle installations for vulnerabilities. Of course, the black hats out there can also abuse these modules to attack Oracle databases in a structured, methodical way. All a hacker has to do now is load a USB key with a nice Linux distro of his choice pre-configured with Metasploit and hack away. Even if right now, the modules include known, public vulnerabilities, it’s fairly easy to add new attacks to the arsenal.
The interesting thing about these modules (as well as in some other frameworks like Ingume) is the use of evasion techniques like randomizing the strings (package names, variable names, etc.) and encoding the attacks (base64, translate, etc.). This was always the Achilles’ heel of tools that try to analyze net traffic to identify attacks on the database. If the attack does not match a known pattern and is obfuscated – how can they tell that this is indeed an attack?
I believe that the only true way to protect the database is by viewing the attack from the database point of view. If you see the parsed statements as they happen in memory and see the actual accessed objects from the execution plan, you are not affected by these evasion techniques.
For example – what does the following do?
l_stmt := utl_encode.text_decode(‘
KCd8fGxfY3J8fCcpfHwnJycsJ3gnKTsKZW5kOw==’, ‘WE8ISO8859P1’, utl_encode.base64);
EXECUTE IMMEDIATE l_stmt;
WHEN OTHERS THEN NULL;
Hmmm… I leave it up to the reader to find out what this attack does.