Packages with Non-Vulnerable Checksums
Oracle Forensics tips by Paul Wright
In order to describe a package as non-vulnerable, a non-vulnerable signature should be created; when that signature returns a positive result set, a positive affirmation that the package is not vulnerable can be made with reasonable certainty. A signature for a non-vulnerable PL/SQL package can be seen below.
Query 3 on January 2005 CPU installed Solaris, Version 10.1.0.2.0:

SQL> select owner, name from dba_source
     where owner = 'DMSYS' and name = 'DMP_SYS'
     and text like '%9bb1 2fc3%';

OWNER                          NAME
------------------------------ ------------------------------
DMSYS                          DMP_SYS
A non-vulnerable checksum is useful in that it positively identifies a known good package and can assist in ascertaining the state profile of the server, i.e. what state all the packages are in. This can be used as a further verification of patch activity.
If a DBA or attacker had signatures for all possible vulnerable packages, then the profile would give a close indicator of the CPU that was installed, barring the errors mentioned. By grouping the checks into CPU-level related cohorts we could infer the CPU level of the server. Of course, the DBA might have "DROPped" the PL/SQL packages rather than install a CPU to fix them, so this method is not a sure way of ascertaining CPU level. 9i_solaris 9.2.0.1.0 without any CPUs would hit positive on the SYS packages listed below, as long as they were installed and had not been "DROPped".
(The headings of the eight columns following the package name did not survive in this excerpt; "fixed" marks the column in which the package was fixed.)

OWNER | NAME                    |       |       |       |       |       |       |       |       |
------+-------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
SYS   | DBMS_DBUPGRADE          |       |       |       |       |       |       |       |       |
SYS   | DBMS_XRWMV              |       |       |       |       |       |       |       |       |
SYS   | OWA_OPT_LOCK            |       | fixed |       |       |       |       |       |       |
SYS   | DBMS_CDC_DPUTIL         |       | fixed |       |       |       |       |       |       |
SYS   | DBMS_CDC_SUBSCRIBE      |       |       |       |       | fixed |       |       |       |
SYS   | DBMS_DEFER_REPCAT       |       |       | fixed |       |       |       |       |       |
SYS   | DBMS_REPCAT_ADMIN       |       |       |       |       |       |       |       |       |
SYS   | DBMS_SYSTEM             |       |       | fixed |       |       |       |       |       |
SYS   | LTUTIL                  |       |       | fixed |       |       |       |       |       |
SYS   | OUTLN_PKG               |       |       |       |       |       | fixed |       |       |
SYS   | DBMS_APPLY_ADM_INTERNAL |       |       |       |       |       | fixed |       |       |
SYS   | DBMS_AQADM_SYS          |       |       |       |       |       | fixed |       |       |
SYS   | DBMS_CDC_UTILITY        |       |       |       |       |       | fixed |       |       |
SYS   | DBMS_DDL                |       |       |       |       |       |       |       |       |
SYS   | DBMS_METADATA           |       |       |       |       |       | fixed |       |       |
SYS   | DBMS_REPUTIL            |       |       |       |       |       |       | fixed |       |
SYS   | DBMS_SNAPSHOT_UTL       |       |       |       |       |       |       | fixed |       |
SYS   | DBMS_STATS              |       |       |       |       |       |       |       |       |
This concept could be extended to other versions, but it is the author's experience that DBAs will tend to drop many of the vulnerable packages which would identify a CPU level by their checksum. What is needed is the ability to collect all checksums, including those of known non-vulnerable packages and of packages whose vulnerability status is unknown, as well as the known vulnerable ones. This requires automation.
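As an added example (not the book's or its author's code), the following PL/SQL block automates the state-profile collection called for above: it runs the Query 3 style signature check over a list of signatures and reports each package as matched, unknown, or absent, so that a DROPped package is not mistaken for an unmatched one. Only the DMSYS.DMP_SYS signature comes from Query 3; the SYS.DBMS_SYSTEM row and its pattern are constructed placeholders, and the signature list would in practice be a table populated for each CPU level of interest.

```sql
-- Added example: automate the per-package signature check from Query 3.
SET SERVEROUTPUT ON SIZE 100000

DECLARE
  obj_cnt    PLS_INTEGER;
  hit_cnt    PLS_INTEGER;
  n_absent   PLS_INTEGER := 0;
  n_matched  PLS_INTEGER := 0;
  n_unknown  PLS_INTEGER := 0;
BEGIN
  -- Signature list: (owner, package, text fragment, what a hit means).
  FOR s IN (
    SELECT 'DMSYS' AS owner, 'DMP_SYS' AS name,
           '%9bb1 2fc3%' AS pattern, 'NOT VULNERABLE' AS meaning FROM dual   -- from Query 3
    UNION ALL
    SELECT 'SYS', 'DBMS_SYSTEM',
           '%PLACEHOLDER_VULNERABLE_SIGNATURE%', 'VULNERABLE' FROM dual      -- constructed
  ) LOOP
    -- Step 1: is the package installed at all? A DBA may have DROPped it
    -- instead of patching; a signature-only check would misread that as "no hit".
    SELECT COUNT(*) INTO obj_cnt
      FROM dba_objects
     WHERE owner = s.owner AND object_name = s.name
       AND object_type IN ('PACKAGE', 'PACKAGE BODY');

    IF obj_cnt = 0 THEN
      n_absent := n_absent + 1;
      DBMS_OUTPUT.PUT_LINE(s.owner || '.' || s.name || ': ABSENT (dropped or never installed)');
    ELSE
      -- Step 2: same predicate as Query 3, looking for the fragment in the source text.
      SELECT COUNT(*) INTO hit_cnt
        FROM dba_source
       WHERE owner = s.owner AND name = s.name AND text LIKE s.pattern;

      IF hit_cnt > 0 THEN
        n_matched := n_matched + 1;
        DBMS_OUTPUT.PUT_LINE(s.owner || '.' || s.name || ': ' || s.meaning || ' (signature matched)');
      ELSE
        n_unknown := n_unknown + 1;   -- installed, but no signature for its current version
        DBMS_OUTPUT.PUT_LINE(s.owner || '.' || s.name || ': UNKNOWN (installed, no signature hit)');
      END IF;
    END IF;
  END LOOP;

  -- The state profile: how many packages fell into each class.
  DBMS_OUTPUT.PUT_LINE('Profile: ' || n_matched || ' matched, ' || n_unknown ||
                       ' unknown, ' || n_absent || ' absent');
END;
/
```

Running this requires SELECT access to DBA_OBJECTS and DBA_SOURCE; grouping the signature rows by the CPU that fixed each package turns the per-package output into the CPU-level inference the text describes.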
This is an excerpt from the book "Oracle
Forensics: Oracle Security Best Practices", by Paul M. Wright,
the father of Oracle Forensics.