Oracle Database Communication Protocol: a pentester's view, or rude Oracle experiments
Roman Bazhin, ZeroNights E.0x04, @nezlooy

Who am I
Security researcher at Digital Security
r.bazhin@dsec.ru
@nezlooy

Agenda
• Motivation
• Oracle Client Drivers
• Oracle Net Architecture
• Oracle Database Protocol
• TNSIntruder
• Limitations and defense
Motivation
It all started with a task.
Interaction Scheme (diagram)
Client <-> Oracle RAC Node 1 / RAC Node 2
Over 50 requests per module

Testing Scheme (diagram)
Client N -> Proxy / Fuzzer -> Oracle
Reverse Fuzzing (diagram)
Client <-> Fuzz server: SYN, SYN-ACK, ACK, then repeated REQUEST / RESPONSE pairs
"Oops, oops... take that, *!"
Striped hat / Ethical gop-stopping
Pentester Requirements
"Just do it without getting busted!"
(diagram: Client <-> MITM Proxy <-> Oracle)
• Replaying
• Spoofing
• Modifying
• Injecting
• etc.

Hm, and what about the protocol?
"Hey... so what's up with the protocol???"
(diagram: Client N -> Proxy / Fuzzer -> Oracle)
Googling
"And what is there on these here internets of yours?"
• Oracle TNS Protocol, http://www.thesprawl.org/research/oracle-tns-protocol/
  Basic information about headers and packet types / for beginners / outdated.
• Wireshark TNS data dissector, http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c
  Only headers and packet types / we already have one.
• Presentations by Jonah Harris, http://oracle-internals.com/
  Basic information about headers, TTC, server internals / good.
• Oracle Protocol by Gwen Shapira, http://www.pythian.com/blog/repost-oracle-protocol/
  Description of some message types and of marshalling / very good but outdated :(

Googling
"And what is there on these here internets of yours?"
• pytnsproxy by László Tóth, http://soonerorlater.hu/index.khtml?article_id=515
  Oracle 9i, 10g and 11g MITM attack tool.
• pytnspoison by Joxean Koret, http://seclists.org/fulldisclosure/2012/Apr/204
  Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
• Amoeba, https://code.google.com/p/amoeba/
  Amoeba is a distributed database proxy / no longer supported.
Code: pytnspoison
"Well, it's fine, I guess :/"

Code: pytnsproxy
"Totally fine, I guess :/"

Code: Amoeba
"Also fine :/"

Client Drivers
"So how are we going to deal with the problem?"
Oracle Client Drivers overview (diagram)
JDBC (Thin), OCI, .NET (Thin); Oracle 10g, 11g, 12c
Oracle Net Architecture
"What do the vendor's own docs say?"
Oracle Net Architecture (client-side layers, top to bottom)
Application
OCI/JDBC/.NET
Two-Task Common (TTC)
Oracle Net:
  Oracle Net Foundation Layer: Network Naming (NN), Network Session (NS), Network Transport (NT); TNS
  Oracle Protocol Support: TCP, TCPS, NP, SDP

Oracle Net Architecture (OSI view)
Application (OCI/JDBC/.NET), Two-Task Common (TTC), Oracle Net
over the Transport layer, Network layer, Data link layer, Physical layer

Oracle Net Architecture (Server)
Server RDBMS
OPI
Two-Task Common (TTC)
Oracle Net: Oracle Net Foundation Layer, Oracle Protocol Support
Oracle Database Protocol
"Let's dig into the details!"
• Types and formats of messages
• Sequence of messages
• Fields
• Serialization (marshalling)
Types and formats of messages: Transparent Network Substrate (TNS)

TNS header (pre-12c), in byte order: Packet Size (2 bytes), Packet Checksum (2 bytes), Packet Type (1 byte), Header Flags (1 byte), Header Checksum (2 bytes)
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

TNS header in Oracle 12c, in byte order: Packet Size (4 bytes, no packet checksum), Packet Type (1 byte), Header Flags (1 byte), Header Checksum (2 bytes)
0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages: TNS / Packet Types
• CONNECT = 0x01
• ACCEPT = 0x02
• ACKNOWLEDGE = 0x03
• REFUSE = 0x04
• REDIRECT = 0x05
• DATA = 0x06
• NULL = 0x07
• ABORT = 0x09
• RESEND = 0x0B
• MARKER = 0x0C
• ATTENTION = 0x0D
• CONTROL INFORMATION * = 0x0E
• DATA DESCRIPTOR * = 0x0F
* Observed in Oracle 12c
Types and formats of messages: DATA Packet Type
Data flag values:
• DATA = 0x00
• MORE * = 0x20
• EOF = 0x40
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
(first row of the DATA packet dump shown earlier; the two bytes after the 8-byte header are the data flag)
* Observed in Oracle 12c

Types and formats of messages: Additional Network Options Negotiation (ANO)
Magic constant: DE AD BE EF
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
(first row of the same dump; the magic constant follows the data flag)
Types and formats of messages: Two-Task Interface (TTI)
Fields: Function ID, Subfunction ID, Sequence number *
0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07
0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E
* Used only in the client request
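The header layouts, packet-type codes, data flags and ANO magic from the preceding slides, as a small dissector. This is an added example, not code from the talk and not TNSIntruder. It handles both the pre-12c header (2-byte size plus 2-byte packet checksum) and the 12c header (4-byte size), and checks the declared size against the bytes actually received, which is the check a proxy needs before trusting a packet. Two things are assumptions rather than slide content: the automatic layout detection (a zero first word is taken to mean the 12c size field), and the positions of the TTI Function ID, Subfunction ID and Sequence number, which are read as the first three bytes after the data flag in the order the slide lists them. The two slide rows are the first 16 bytes of the dumps above; the 12c packet is constructed.

```python
"""TNS packet header dissector for the two header layouts on the slides:
classic (2-byte size + 2-byte packet checksum) and Oracle 12c (4-byte size,
no packet checksum).  Added example, not the talk's code and not TNSIntruder.
Layout auto-detection and the TTI byte positions are assumptions noted in
the comments; field names and code values come from the slides."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Packet types from the "TNS / Packet Types" slide.
PACKET_TYPES = {
    0x01: "CONNECT", 0x02: "ACCEPT", 0x03: "ACKNOWLEDGE", 0x04: "REFUSE",
    0x05: "REDIRECT", 0x06: "DATA", 0x07: "NULL", 0x09: "ABORT",
    0x0B: "RESEND", 0x0C: "MARKER", 0x0D: "ATTENTION",
    0x0E: "CONTROL INFORMATION",  # observed in Oracle 12c
    0x0F: "DATA DESCRIPTOR",      # observed in Oracle 12c
}
DATA = 0x06
DATA_FLAG_NAMES = {0x00: "DATA", 0x20: "MORE", 0x40: "EOF"}  # MORE observed in 12c
ANO_MAGIC = b"\xde\xad\xbe\xef"  # opens Additional Network Options negotiation
HEADER_LEN = 8                   # both layouts use an 8-byte header


@dataclass
class TnsPacket:
    layout: str                     # "classic" or "12c"
    length: int                     # Packet Size as declared in the header
    packet_checksum: Optional[int]  # classic layout only
    packet_type: int
    header_flags: int
    header_checksum: int
    data_flags: Optional[int]       # two bytes after the header of a DATA packet
    body: bytes                     # payload after the data flag
    length_matches: bool            # declared size == bytes actually supplied

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.packet_type, "UNKNOWN(0x%02x)" % self.packet_type)

    @property
    def data_flag_name(self) -> Optional[str]:
        if self.data_flags is None:
            return None
        return DATA_FLAG_NAMES.get(self.data_flags, "UNKNOWN(0x%02x)" % self.data_flags)

    @property
    def is_ano(self) -> bool:
        return self.packet_type == DATA and self.body.startswith(ANO_MAGIC)


def detect_layout(raw: bytes) -> str:
    # Assumption: a classic header never declares size 0, so a zero first word
    # means the 4-byte 12c size field.  A 12c packet of 64 KiB or more would
    # fool this; pass layout= explicitly in that case.
    return "12c" if raw[0:2] == b"\x00\x00" else "classic"


def parse_tns(raw: bytes, layout: str = "auto") -> TnsPacket:
    if len(raw) < HEADER_LEN:
        raise ValueError("short TNS header: %d bytes" % len(raw))
    if layout == "auto":
        layout = detect_layout(raw)
    if layout == "classic":
        length, checksum = struct.unpack(">HH", raw[0:4])
    elif layout == "12c":
        (length,), checksum = struct.unpack(">I", raw[0:4]), None
    else:
        raise ValueError("unknown layout %r" % layout)
    # Packet Type, Header Flags and Header Checksum sit at the same offsets in
    # both layouts; only the first four bytes differ.
    ptype, hflags, hchecksum = struct.unpack(">BBH", raw[4:8])
    payload = raw[HEADER_LEN:]
    data_flags, body = None, payload
    if ptype == DATA and len(payload) >= 2:
        (data_flags,) = struct.unpack(">H", payload[0:2])
        body = payload[2:]
    # Never trust the declared size: a forged or truncated packet shows up as
    # a mismatch here instead of a silent mis-parse downstream.
    return TnsPacket(layout, length, checksum, ptype, hflags, hchecksum,
                     data_flags, body, length == len(raw))


def build_tns(ptype: int, payload: bytes, layout: str = "classic",
              header_flags: int = 0) -> bytes:
    """Assemble a packet with a correct size field; checksums stay zero, as in
    every dump on the slides."""
    total = HEADER_LEN + len(payload)
    head = struct.pack(">HH", total, 0) if layout == "classic" else struct.pack(">I", total)
    return head + struct.pack(">BBH", ptype, header_flags, 0) + payload


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn slide-style rows ('0000 00 9F ...') back into bytes, dropping the
    offset column of each row."""
    return b"".join(bytes.fromhex("".join(row.split()[1:]))
                    for row in dump.strip().splitlines())


def tti_head(pkt: TnsPacket) -> Optional[Tuple[int, int, int]]:
    """Assumption: the TTI slide's Function ID, Subfunction ID and Sequence
    number are the first three body bytes, in that order."""
    if pkt.packet_type != DATA or len(pkt.body) < 3:
        return None
    return pkt.body[0], pkt.body[1], pkt.body[2]


# First rows of two dumps from the slides (16 of 0x9F / 0xA7 bytes, so
# length_matches is False for both).
SLIDE_ROW_CLASSIC = "0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95"
SLIDE_ROW_TTI = "0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07"
# Constructed sample: a complete 12c DATA packet with the MORE flag and ANO magic.
SAMPLE_12C = build_tns(DATA, b"\x00\x20" + ANO_MAGIC + b"\x00\x95", layout="12c")

if __name__ == "__main__":
    for raw in (hexdump_to_bytes(SLIDE_ROW_CLASSIC), SAMPLE_12C, hexdump_to_bytes(SLIDE_ROW_TTI)):
        p = parse_tns(raw)
        print(p.layout, p.type_name, p.data_flag_name, p.is_ano, p.length_matches, tti_head(p))
```

Run the file directly to see all three samples dissected. The two slide rows parse to a DATA packet whose body starts with the ANO magic and to a 12c packet with Header Flags 0x20 and body bytes 03 76 01, both with a size mismatch because only the first dump row is embedded; the constructed packet round-trips with a matching size.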
Types and formats of messages: TTC / TTI commands
• TTIPRO # Set protocol
• TTIDTY # Set datatypes
• TTIFUN # Start of user function
• TTIOER # Error / Selecting completed
• TTIRXH # Row transfer header
• TTIRXD # Row transfer data
• TTIRPA # Return OPI Parameter
• TTISTA # Oracle func complete
• TTIIOV # I/O vector
• TTILOBD # LOB/FILE data follows
• TTIDCB # Describe information
• TTIPFN # Piggyback func follows
• …
Recommend
More recommend