Finding the Source of Views

Oracle Forensics tips by Paul Wright

So let's play the role of the attacker who is going to make use of this concept of a rootkit. First we need to know how to find the source of a VIEW. The VIEW that gives us the source of VIEWs is DBA_VIEWS.

SQL> desc dba_views;

 Name                                      Null?     Type
 ----------------------------------------- -------- ---------------------------
 OWNER                                     NOT NULL  VARCHAR2(30)
 VIEW_NAME                                 NOT NULL  VARCHAR2(30)
 TEXT_LENGTH                                         NUMBER
 TEXT                                                LONG
 TYPE_TEXT_LENGTH                                    NUMBER
 TYPE_TEXT                                           VARCHAR2(4000)
 OID_TEXT_LENGTH                                     NUMBER
 OID_TEXT                                            VARCHAR2(4000)
 VIEW_TYPE_OWNER                                     VARCHAR2(30)
 VIEW_TYPE                                           VARCHAR2(30)
 SUPERVIEW_NAME                                      VARCHAR2(30)
 
Of course, we have already said that the VIEW may have been tampered with, so where does DBA_VIEWS get its data from, i.e. where is the source of views kept?

We can find this out by selecting the text of DBA_SOURCE from DBA_VIEWS (assuming, of course, that this VIEW hasn't been tampered with already):

SQL> set long 100000
SQL> set pages 0
SQL> select owner, view_name, text from dba_views where view_name ='DBA_SOURCE';
SYS                            DBA_SOURCE
select u.name, o.name,
decode(o.type#, 7, 'PROCEDURE', 8, 'FUNCTION', 9, 'PACKAGE',
               11, 'PACKAGE BODY', 12, 'TRIGGER', 13, 'TYPE', 14, 'TYPE BODY',
               'UNDEFINED'),
s.line, s.source
from sys.obj$ o, sys.source$ s, sys.user$ u
where o.obj# = s.obj#
  and o.owner# = u.user#
  and ( o.type# in (7, 8, 9, 11, 12, 14) OR
       ( o.type# = 13 AND o.subname is null))
union all
select u.name, o.name, 'JAVA SOURCE', s.joxftlno, s.joxftsrc
from sys.obj$ o, x$joxfs s, sys.user$ u
where o.obj# = s.joxftobn
  and o.owner# = u.user#
  and o.type# = 28

We can see that the information for dba_source comes from obj$, source$, sys.user$ and x$joxfs. The text source itself is in source$.

SQL> DESC SYS.SOURCE$;

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ#                                      NOT NULL NUMBER
 LINE                                      NOT NULL NUMBER
 SOURCE                                             VARCHAR2(4000)

SQL> DESC SYS.OBJ$

 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ#                                      NOT NULL NUMBER
 DATAOBJ#                                           NUMBER
 OWNER#                                    NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(30)
 NAMESPACE                                 NOT NULL NUMBER
 SUBNAME                                            VARCHAR2(30)
 TYPE#                                     NOT NULL NUMBER
 CTIME                                     NOT NULL DATE
 MTIME                                     NOT NULL DATE
 STIME                                     NOT NULL DATE
 STATUS                                    NOT NULL NUMBER
 REMOTEOWNER                                        VARCHAR2(30)
 LINKNAME                                           VARCHAR2(128)
 FLAGS                                              NUMBER
 OID$                                               RAW(16)
 SPARE1                                             NUMBER
 SPARE2                                             NUMBER
 SPARE3                                             NUMBER
 SPARE4                                             VARCHAR2(1000)
 SPARE5                                             VARCHAR2(1000)
 SPARE6                                             DATE 

SQL> DESC SYS.USER$;

 Name                                      Null?    Type
 ----------------------------------------- -------- ---------------------------
 USER#                                     NOT NULL NUMBER
 NAME                                      NOT NULL VARCHAR2(30)
 TYPE#                                     NOT NULL NUMBER
 PASSWORD                                           VARCHAR2(30)
 DATATS#                                   NOT NULL NUMBER
 TEMPTS#                                   NOT NULL NUMBER
 CTIME                                     NOT NULL DATE
 PTIME                                              DATE
 EXPTIME                                            DATE
 LTIME                                              DATE
 RESOURCE$                                 NOT NULL NUMBER
 AUDIT$                                             VARCHAR2(38)
 DEFROLE                                   NOT NULL NUMBER
 DEFGRP#                                            NUMBER
 DEFGRP_SEQ#                                        NUMBER
 ASTATUS                                   NOT NULL NUMBER
 LCOUNT                                    NOT NULL NUMBER
 DEFSCHCLASS                                        VARCHAR2(30)
 EXT_USERNAME                                       VARCHAR2(4000)
 SPARE1                                             NUMBER
 SPARE2                                             NUMBER
 SPARE3                                             NUMBER
 SPARE4                                             VARCHAR2(1000)
 SPARE5                                             VARCHAR2(1000)
 SPARE6                                             DATE

So imagine the attacker has gained DBA through SQL injection in the SYS.LT package and now wishes to give themselves future access. The classic example of an Oracle rootkit would be to add a user to the SYS.USER$ table shown above but deliberately omit this user from the DBA_USERS VIEW. The omitted user would be the attacker's backdoor account for future forays. This is a bit too simplistic, though. Firstly, most DBAs use the SYS.USER$ table directly, and secondly, the base table and the VIEW can be checked against each other with a query like this:

-- accounts in the base table but missing from the view, plus accounts in the
-- view but missing from the base table (Oracle evaluates set operators left
-- to right, so each MINUS must be parenthesised separately)
(select name from sys.user$ where type#=1
 minus
 select username from sys.dba_users)
union
(select username from sys.dba_users
 minus
 select name from sys.user$ where type#=1)
/
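A defender can extend the same base-table-versus-view comparison to the text of the dictionary views themselves, which is what a view rootkit alters. The following PL/SQL is an added example, not code from the book; it assumes a DBA schema granted direct SELECT on SYS.VIEW$, SYS.OBJ$ and SYS.USER$ plus EXECUTE on DBMS_CRYPTO, and the names VIEW_BASELINE and CHECK_VIEW_TEXT are invented.

```sql
-- Constructed example, not from the book: record a SHA-1 fingerprint of the
-- text of the dictionary views a view rootkit would target, then re-check.
-- Reads SYS.VIEW$ (the base table behind DBA_VIEWS) rather than DBA_VIEWS
-- itself, so the check does not depend on a view that may have been altered.
-- Assumes a DBA schema with direct SELECT on SYS.VIEW$, SYS.OBJ$, SYS.USER$
-- and EXECUTE on DBMS_CRYPTO; VIEW_BASELINE and CHECK_VIEW_TEXT are invented names.
create table view_baseline (
  view_name  varchar2(30) primary key,
  text_hash  raw(20),
  taken      date default sysdate
);

create or replace procedure check_view_text(p_mode in varchar2 default 'CHECK') is
  type name_tab is table of varchar2(30);
  l_views name_tab := name_tab('DBA_USERS', 'DBA_SOURCE', 'DBA_VIEWS',
                               'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS', 'DBA_OBJECTS');
  l_name  varchar2(30);
  l_text  varchar2(32767);   -- VIEW$.TEXT is LONG; dictionary view text fits in 32K
  l_hash  raw(20);
  l_base  raw(20);
begin
  for i in 1 .. l_views.count loop
    l_name := l_views(i);
    select v.text into l_text
      from sys.view$ v, sys.obj$ o, sys.user$ u
     where o.obj# = v.obj# and o.owner# = u.user#
       and u.name = 'SYS' and o.name = l_name and o.type# = 4;   -- 4 = VIEW
    l_hash := dbms_crypto.hash(utl_raw.cast_to_raw(l_text), dbms_crypto.hash_sh1);
    if p_mode = 'SEED' then
      -- seed only on a known-good instance (fresh install, same patch level)
      delete from view_baseline where view_name = l_name;
      insert into view_baseline (view_name, text_hash) values (l_name, l_hash);
    else
      begin
        select text_hash into l_base from view_baseline where view_name = l_name;
      exception
        when no_data_found then l_base := null;
      end;
      if l_base is null or l_base <> l_hash then
        dbms_output.put_line('ALERT: text of SYS.' || l_name ||
                             ' differs from baseline (or has no baseline)');
      end if;
    end if;
  end loop;
  commit;
end;
/

-- usage: exec check_view_text('SEED');   once, on a trusted instance
--        exec check_view_text;           afterwards, from a scheduled job
```

Keep the baseline table and the job outside the reach of the account whose compromise you are checking for, since an attacker with SYS can reseed it just as easily as they can edit the view.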
 

The concept of a rootkit may not apply as usefully to databases as it does to the OS, but the idea of changing the source of a VIEW is interesting. Why create a new hacker DBA account that you then want to hide, if you are able to gain the password of the DBA account at any stage in the future? Let me show you how.


This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.

Copyright © 1996 -  2010 by Burleson Enterprises, Inc.

All rights reserved.