Oracle Web Hacker Tricks

Reprinted from Oracle Internals

August  2002 - Donald Burleson

Update - For a complete treatment of the topic of Oracle security on the web, see these books and resources:


Hardly a week goes by that we do not see a news report about a major web-based application being hacked.  Since most of these systems use Oracle, the savvy DBA must be on the alert for attempts to hack into the database server.  As we will see, a hacker who can get onto your database server can change the UNIX file permissions on the Oracle data files and completely bypass Oracle security.

Trick 1 – Hacking your Oracle server from the web 

I recently had an Oracle client "hacked" from a foreign country, and this is the trick that they used to find my client over the web and access their server.

Internet hackers are constantly cruising the web looking for servers to attack. To do this, they write simple scripts that generate random IP addresses and "ping" each one, looking for a server that responds "I'm here". The response is called a "ping acknowledgement", and it is a standard feature of the ping utility:

C:\ ping 172.234.33.101

Here is the output from a ping command:

Pinging 172.234.33.101 with 32 bytes of data:

Reply from 172.234.33.101: bytes=32 time=164ms TTL=254
Reply from 172.234.33.101: bytes=32 time=162ms TTL=254
Reply from 172.234.33.101: bytes=32 time=170ms TTL=254

Ping statistics for 172.234.33.101:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 162ms, Maximum = 170ms, Average = 165ms

 

The acknowledgement packet (called an "ack" in Netguru jargon) tells the hacker that there is an active server at this IP address.  The hacker will then telnet to your server and begin a series of attempts to hack the "root" or "oracle" user password.  The best way to foil this type of attack is to disable all server accounts after three failed password attempts.

Below is the pseudocode for a UNIX shell script to probe the Internet for vulnerable servers. Hackers run this script as a daemon process, and scan hundreds of thousands of IP addresses every hour.

 Please note that I have deliberately introduced syntax errors into the pseudocode routine.  This script has been made unusable in order to prevent evil people who see this article from possessing a dangerous tool.

 

/*#/bin/ksh
 
while true
do
  #****************************************************
  # Generate a random IP address
  #****************************************************
  $IP_ADDRESS=rnd(1-255).rnd(1-255).rnd(1-255).rnd(1-255)
 
  #****************************************************
  # Submit the IP address to the ping command
  #****************************************************
  nohup ping $IP_ADDRESS > /tmp/t.lst 2>&1 &
 
  #****************************************************
  # If ping is responding – start the attack
  #****************************************************
     if `cat /tmp/t.lst|wc –l` > 0
         then invoke attack_routine
     fi
done

 

The attack_routine is a standard tool using random user/password generation, and after several million attempts, the routine can almost always gain access to the database server.  I recently hired a "white hat" hacker to see how easy this was, and their attack script was able to gain entry to the server in less than 3 hours!

As we can see, even a novice computer person can write an attack program and locate opportunities for server attack. While the main method of attack is directly from the IP address, some creative hackers gain entry with I/O-enabled Java applets and other programs that compromise the writing of cookies. To prevent these types of external attack, savvy companies employ some of the following techniques:

- Trusted IP addresses - UNIX servers can be configured to only answer pings from a list of "trusted" hosts.  In UNIX, this is done by configuring the .rhosts file.  The .rhosts file restricts server access to a list of specific users.

- Server account disabling - If you suspend the server ID after three password attempts, you thwart attackers.  Without user ID suspension, an attacker can write a program that runs millions of passwords until it guesses a user and password combination.

- Special Tools - There are products such as Zone Alarm that send an alert when an external server is attempting to breach your firewall security.
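The "three password attempts" rule above only helps if someone is actually counting. The following added example (not from the original article) shows the detection side: it parses sshd-style "Failed password" lines, tallies failures per source host and user, and reports any source at or above the article's threshold of three. The log lines are constructed for the example, not captured from a real server, and the regular expression assumes the standard OpenSSH message format.

```python
"""Count failed logins per source host from auth-log text.

Added example, not code from the original article.  The sample lines below
are constructed to look like OpenSSH "Failed password" messages; the
three-attempt threshold is the figure the article recommends.
"""
import re
from collections import defaultdict

# Constructed sample auth log (not captured from a real system).
SAMPLE_AUTH_LOG = """\
Aug  3 02:11:05 dbhost sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 02:11:07 dbhost sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 02:11:09 dbhost sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 02:11:12 dbhost sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Aug  3 02:12:40 dbhost sshd[4031]: Failed password for oracle from 198.51.100.9 port 40112 ssh2
Aug  3 02:13:01 dbhost sshd[4033]: Accepted password for oracle from 198.51.100.9 port 40118 ssh2
"""

# "invalid user" appears when the account does not exist; either way the
# attempted user name and the source address follow the same pattern.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_attempts(log_text):
    """Return {source_ip: {user: failed_count}} for every failed login in log_text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")][m.group("user")] += 1
    return {src: dict(users) for src, users in counts.items()}


def offenders(log_text, threshold=3):
    """Return a sorted list of (source_ip, total_failures) at or above threshold.

    Failures are summed across user names, so an attacker rotating between
    "root" and "oracle" still trips the limit.
    """
    per_source = failed_attempts(log_text)
    totals = {src: sum(users.values()) for src, users in per_source.items()}
    return sorted((src, n) for src, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    for src, n in offenders(SAMPLE_AUTH_LOG):
        print(f"{src}: {n} failed logins - lock out and investigate")
```

Run against a real /var/log/auth.log the same functions give you the list of hosts to block at the firewall; the single failure from 198.51.100.9 followed by a successful login stays below the threshold and is not reported.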

As we have noted, once the hacker gets access to the Oracle server, they can use tricks to bypass Oracle and read the data files directly from disk.

Trick 2 – Bypassing Oracle security

One trick commonly used by UNIX hackers is to leverage the UNIX operating system to probe into the Oracle data blocks.  With some knowledge of UNIX and Oracle, the nasty hacker can use UNIX to verify the contents of Oracle data rows. 

 This technique is also useful if a data corruption is causing a data file to go offline, or if Oracle data is suspect.  Let's see how this is done.

We start by running a SQL query to locate the data block that contains the row we want to investigate. Here we rely on the dbms_rowid package, and use the rowid_block_number function to return the data block corresponding to our desired row.

 

select
   dbms_rowid.rowid_block_number(rowid) block
from
   customer
where
   customer_name = 'Burleson';

BLOCK
-----
141

 

Here we see that the customer information for Burleson resides on the 141st block in the data file.  We can now go to UNIX and display the contents of this row. 

This is a great tool because we can display Oracle data even if the database is shut down.  Of course, hackers can also use these tools to bypass the security of the Oracle database, hacking directly into the Oracle data files.

To display block 141, we can use the UNIX dd command.  The dd command accepts a skip parameter that tells it how far into a file to travel. To get to block 141 we must allow for nine blocks in the datafile header.  We must also remember that the skip statement should take us to the block immediately before our data block.

 Hence, our data block is on block 150 (141+9) and the skip parameter for block 141 will be:  141+9-1 = 149.  We also need to specify the blocksize for the dd command in the ibs parameter.

Once we run the UNIX dd command to read the Oracle data block, we can filter the output by piping it to the UNIX strings command to only show printable information. Here is the UNIX command and the output showing the displayable data inside the data block:

 

root> dd if=/u01/oradata/prod/customer.dbf \
      ibs=8192 skip=149 count=1|strings

1+0 records in
149+0 records out
Donald Burleson 3/35/56 1401 West Avenue

 

While this technique is most useful in emergency situation when you cannot start the Oracle database, it is important to understand how a UNIX hacker can bypass Oracle and read information directly from your Oracle database files.
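To make the defensive point concrete, here is an added example (not the article's code) that does in Python what the dd | strings pipeline above does: it computes the offset from the article's arithmetic (block 141 plus nine header blocks, minus one, times 8192), reads that block, and filters it down to printable text. It then checks the datafile's permission bits, since the group and world read bits are exactly what let a non-oracle OS account read the file this way. The datafile is a constructed sparse stand-in for customer.dbf with one row's text planted at block 141; the nine-block header and 8192-byte block size are taken from the article, not looked up from a real database.

```python
"""Read an Oracle data block the way dd|strings does, then audit permissions.

Added example, not code from the original article.  The datafile written by
make_sample_datafile() is a constructed stand-in for customer.dbf; the
header-block count and block size are the article's figures.
"""
import os
import re
import stat
import tempfile

BLOCK_SIZE = 8192     # the ibs value in the article's dd command
HEADER_BLOCKS = 9     # datafile header blocks, as the article assumes


def block_offset(block, header_blocks=HEADER_BLOCKS, block_size=BLOCK_SIZE):
    """Return (dd_skip, byte_offset) for an Oracle block number.

    This is the article's arithmetic: block 141 + 9 header blocks puts the
    data on physical block 150, so dd must skip 149 blocks to land on it.
    """
    skip = block + header_blocks - 1
    return skip, skip * block_size


def printable_strings(data, min_len=4):
    """Equivalent of piping the block through strings(1): runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def read_block(path, block):
    """Read one BLOCK_SIZE block at the computed offset (what dd count=1 does)."""
    with open(path, "rb") as fh:
        fh.seek(block_offset(block)[1])
        return fh.read(BLOCK_SIZE)


def permission_findings(path):
    """Name any permission bit that lets an OS user other than the owner read the file."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def make_sample_datafile(path):
    """Constructed stand-in datafile: zero-filled up to block 141, one row's text there."""
    _, offset = block_offset(141)
    # Row bytes are invented for the example; the short binary prefixes mimic
    # column length markers so that strings() has something to skip over.
    row = b"\x00\x02Donald Burleson\x00\x003/35/56\x00\x011401 West Avenue\x00"
    with open(path, "wb") as fh:
        fh.truncate(offset + BLOCK_SIZE)   # sparse file; the gap reads as zeros
        fh.seek(offset)
        fh.write(row)
    os.chmod(path, 0o644)                  # the weak setting: anyone on the host can read it
    return path


def demo():
    """Build the sample file, recover the row text, and compare weak vs fixed modes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = make_sample_datafile(os.path.join(tmp, "customer.dbf"))
        recovered = printable_strings(read_block(path, 141))
        weak = permission_findings(path)
        os.chmod(path, 0o600)              # the fix: owner (oracle) only
        fixed = permission_findings(path)
        return recovered, weak, fixed


if __name__ == "__main__":
    recovered, weak, fixed = demo()
    print("block 141 text:", recovered)
    print("mode 0644 findings:", weak)
    print("mode 0600 findings:", fixed)
```

The same permission_findings() check, run over every file listed in dba_data_files, is a quick audit for the exposure the article describes: if the findings list is non-empty for any datafile, a shell account on the server is all it takes to read rows without ever authenticating to Oracle.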


Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational