SLIDE 1
Oracle Database Communication Protocol
Roman Bazhin ZeroNights E.0x04 @nezlooy
a pentester’s view, or rude Oracle experiments
Who am I
Security researcher at Digital Security r.bazhin@dsec.ru @nezlooy
Communication Protocol a pentesters view, or rude Oracle experiments - - PowerPoint PPT Presentation
Communication Protocol a pentesters view, or rude Oracle experiments - - PowerPoint PPT Presentation
Oracle Database Communication Protocol a pentesters view, or rude Oracle experiments Roman Bazhin ZeroNights E.0x04 @nezlooy Who am I Security researcher at Digital Security r.bazhin@dsec.ru @nezlooy Agenda Motivation Oracle
SLIDE 2
SLIDE 3
Agenda
- Motivation
- Oracle Client Drivers
- Oracle Net Architecture
- Oracle Database Protocol
- TNSIntruder
- Limitations and defense
SLIDE 4
Motivation
Всё началось с задачи
SLIDE 5
Interaction Scheme
RAC Node 1 RAC Node 2 Oracle Client
SLIDE 6
Interaction Scheme
RAC Node 1 RAC Node 2 Oracle Client Over 50 requests per module
SLIDE 7
Testing Scheme
Oracle Client N Proxy / Fuzzer
SLIDE 8
Reverse Fuzzing
Client Fuzz server
SYN ACK SYN-ACK
SLIDE 9
Reverse Fuzzing
Client Fuzz server
SYN ACK REQUEST SYN-ACK RESPONSE
SLIDE 10
Reverse Fuzzing
Client Fuzz server
SYN ACK REQUEST REQUEST SYN-ACK RESPONSE RESPONSE
SLIDE 11
Reverse Fuzzing
Client Fuzz server
SYN ACK REQUEST REQUEST SYN-ACK RESPONSE RESPONSE
Опа-опа… На на*!
SLIDE 12
Reverse Fuzzing
Client Fuzz server
SYN ACK REQUEST REQUEST SYN-ACK RESPONSE RESPONSE
Striped hat / Ethical gop-stopping
SLIDE 13
Pentester Requirements
Oracle Client MITM Proxy
Только давай без палева!
- Replaying
- Modifying
- Spoofing
- Injecting
- etc.
SLIDE 14
Hm, and what about protocol?
Oracle Client N Proxy / Fuzzer
? ?
Эу… Чё там с протоколом?
SLIDE 15
Googling
И чё есть в этих ваших интернетах?
- Oracle TNS Protocol
http://www.thesprawl.org/research/oracle-tns-protocol/ Basic information about headers, type of packets / For beginners / Outdated.
- Wireshark TNS data dissector.
http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c Only headers, type of packets / Already have one.
- Presentations by Jonah Harris
http://oracle-internals.com/ Basic information about headers, TTC, server internals / Good.
- Oracle Protocol by Gwen Shapira
http://www.pythian.com/blog/repost-oracle-protocol/ Description of some types of messages, marshalling / Very good but outdated :(
SLIDE 16
Googling
И чё есть в этих ваших интернетах?
- pytnsproxy by László Tóth
http://soonerorlater.hu/index.khtml?article_id=515 Oracle 9i, 10g and 11g MITM-attack tool.
- pytnspoison by Joxean Koret
http://seclists.org/fulldisclosure/2012/Apr/204 Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
- Amoeba
https://code.google.com/p/amoeba/ Amoeba is a Distributing database proxy / no longer supported.
SLIDE 17
Code
Ну норм, чё :/
pytnspoison
SLIDE 18
Code
Ваще норм, чё :/
pytnsproxy
SLIDE 19
Code
Тож норм :/
Amoeba
SLIDE 20
Client Drivers
Как проблему порешаем?
SLIDE 21
Oracle Client Drivers overview
OCI 10g, 11g, 12c JDBC .NET
SLIDE 22
Oracle Client Drivers overview
OCI 10g, 11g, 12c JDBC .NET Thin Thin
SLIDE 23
Oracle Net Architecture
Чё там в авторских доках?
SLIDE 24
Oracle Net Architecture
Application OCI/JDBC/.NET Two-Task Common (TTC) Oracle Net Foundation Layer Oracle Protocol Support Oracle Net Client
SLIDE 25
Oracle Net Architecture
Application OCI/JDBC/.NET Two-Task Common (TTC) Oracle Net Foundation Layer Oracle Protocol Support Oracle Net TCP TCPS NP SDP TNS Network Session (NS) Network Transport (NT) Network Naming (NN)
SLIDE 26
Oracle Net Architecture (OSI view)
Application (OCI/JDBC/.NET) Two-Task Common (TTC) Oracle Net Transport layer Network layer Data link layer Physical layer
SLIDE 27
Oracle Net Architecture (Server)
Server OPI Two-Task Common (TTC) Oracle Net Foundation Layer Oracle Protocol Support Oracle Net RDBMS
SLIDE 28
Oracle Database Protocol
Айда поподробнее!
- Types and formats of messages
- Sequence of messages
- Fields
- Serialization (Marshalling)
SLIDE 29
Types and formats of messages
Transparent Network Substrate (TNS)
0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
SLIDE 30
Types and formats of messages
Transparent Network Substrate (TNS)
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Packet Size Packet Checksum Packet Type Header Flags Header Checksum
SLIDE 31
Types and formats of messages
Transparent Network Substrate (TNS) in Oracle 12c
0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Packet Size Packet Type Header Flags Header Checksum
SLIDE 32
Types and formats of messages
TNS / Packet Types:
- CONNECT = 0x01
- ACCEPT = 0x02
- ACKNOWLEDGE = 0x03
- REFUSE = 0x04
- REDIRECT = 0x05
- DATA = 0x06
- NULL = 0x07
- ABORT = 0x09
- RESEND = 0x0B
- MARKER = 0x0C
- ATTENTION = 0x0D
- CONTROL INFORMATION * = 0x0E
- DATA DESCRIPTOR * = 0x0F
* Observed in Oracle 12c
SLIDE 33
Types and formats of messages
TNS / Packet Types:
- CONNECT = 0x01
- ACCEPT = 0x02
- ACKNOWLEDGE = 0x03
- REFUSE = 0x04
- REDIRECT = 0x05
- DATA = 0x06
- NULL = 0x07
- ABORT = 0x09
- RESEND = 0x0B
- MARKER = 0x0C
- ATTENTION = 0x0D
- CONTROL INFORMATION * = 0x0E
- DATA DESCRIPTOR * = 0x0F
* Observed in Oracle 12c
SLIDE 34
Types and formats of messages
DATA Packet Type
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Data flag DATA = 0x00 MORE * = 0x20 EOF = 0x40 * Observed in Oracle 12c
SLIDE 35
Types and formats of messages
Additional Network Options Negotiation (ANO)
Magic constant
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00 0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00 0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02 0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00 0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
SLIDE 36
Types and formats of messages
Two-Task Interface (TTI)
0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07 0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D 0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07 0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48 0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44 0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01 0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B 0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08 0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00 0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E
Function ID Subfunction ID Sequence number * * Used only in the client request
SLIDE 37
Types and formats of messages
TTC / TTI commands:
- TTIPRO # Set protocol
- TTIDTY # Set datatypes
- TTIFUN # Start of user function
- TTIOER # Error / Selecting completed
- TTIRXH # Row transfer header
- TTIRXD # Row transfer data
- …
- TTIRPA
# Return OPI Parameter
- TTISTA # Oracle func complete
- TTIIOV # I/O vector
- TTILOBD # LOB/FILE data follows
- TTIDCB # Describe information
- TTIPFN # Piggyback func follows
- …
SLIDE 38
Types and formats of messages
TTC / TTI commands:
- TTIPRO # Set protocol
- TTIDTY # Set datatypes
- TTIFUN # Start of user function
- TTIOER # Error / Selecting completed
- TTIRXH # Row transfer header
- TTIRXD # Row transfer data
- …
- TTIRPA
# Return OPI Parameter
- TTISTA # Oracle func complete
- TTIIOV # I/O vector
- TTILOBD # LOB/FILE data follows
- TTIDCB # Describe information
- TTIPFN # Piggyback func follows
- …
SLIDE 39
Types and formats of messages
TTC / TTI commands:
- TTIPRO # Set protocol
- TTIDTY # Set datatypes
- TTIFUN # Start of user function
- TTIOER # Error / Selecting completed
- TTIRXH # Row transfer header
- TTIRXD # Row transfer data
- …
- TTIRPA
# Return OPI Parameter
- TTISTA # Oracle func complete
- TTIIOV # I/O vector
- TTILOBD # LOB/FILE data follows
- TTIDCB # Describe information
- TTIPFN # Piggyback func follows
- …
SLIDE 40
Types and formats of messages
TTC / TTI commands:
- TTIPRO # Set protocol
- TTIDTY # Set datatypes
- TTIFUN # Start of user function
- TTIOER # Error / Selecting completed
- TTIRXH # Row transfer header
- TTIRXD # Row transfer data
- …
- TTIRPA
# Return OPI Parameter
- TTISTA # Oracle func complete
- TTIIOV # I/O vector
- TTILOBD # LOB/FILE data follows
- TTIDCB # Describe information
- TTIPFN # Piggyback func follows
- …
SLIDE 41
Types and formats of messages
TTC / TTI commands:
- TTIPRO # Set protocol
- TTIDTY # Set datatypes
- TTIFUN # Start of user function
- TTIOER # Error / Selecting completed
- TTIRXH # Row transfer header
- TTIRXD # Row transfer data
- …
- TTIRPA
# Return OPI Parameter
- TTISTA # Oracle func complete
- TTIIOV # I/O vector
- TTILOBD # LOB/FILE data follows
- TTIDCB # Describe information
- TTIPFN
# Piggyback func follows
- …
Client data requests
SLIDE 42
Types and formats of messages
TTC / TTI subfunction:
- TTIFUN
- OSESSKEY
- OAUTH
- OVERSION
- OALL8
- OFETCH
- OLOBOPS
- OCOMMIT
- OROLLBACK
- OPING
- OCLOSE
- TTIPFN
- O80SES
- OCCA
- …
SLIDE 43
Types and formats of messages
TTC / TTI subfunction:
- TTIFUN
- OSESSKEY
- OAUTH
- OVERSION
- OALL8
- OFETCH
- OLOBOPS
- OCOMMIT
- OROLLBACK
- OPING
- OCLOSE
- TTIPFN
- O80SES
- OCCA
- …
SLIDE 44
Types and formats of messages
TTC / TTI commands:
- TTIPRO # Set protocol
- TTIDTY # Set datatypes
- TTIFUN # Start of user function
- TTIOER # Error / Selecting completed
- TTIRXH # Row transfer header
- TTIRXD # Row transfer data
- …
- TTIRPA
# Return OPI Parameter
- TTISTA
# Oracle func complete
- TTIIOV
# I/O vector
- TTILOBD # LOB/FILE data follows
- TTIDCB
# Describe information
- TTIPFN # Piggyback func follows
- …
Server data responses
SLIDE 45
Sequence of messages
Authentication
Client Server
CONNECT ANO TTIPRO ACCEPT ANO TTIPRO TTIDTY TTIDTY TTIFUN -> OSESSKEY TTIRPA TTIFUN -> OAUTH TTIRPA TTIFUN -> OVERSION * TTIRPA
* Thin client, OCI use TTIPFN -> O80SES or not used at all
SLIDE 46
Sequence of messages
Selecting
Client Server
TTIFUN -> OALL8 TTIFUN -> OFETCH TTIDCB TTIRXH
SLIDE 47
Sequence of messages
Selecting
Client Server
TTIPFN -> OCCA TTIDCB TTIFUN -> OFETCH TTIOER
SLIDE 48
Sequence of messages
Selecting
Client Server
TTIFUN -> OALL8 TTIDCB TTIFUN -> OFETCH TTIRXH TTIFUN -> OLOBOPS TTILOBD DATA * DATA DATA
* Observed in Oracle 10g and 11g
TTIFUN -> OLOBOPS TTIRPA
SLIDE 49
Sequence of messages
Logging Off
Client Server
TTIFUN -> OLOGOFF * EOF TTISTA
* OCI, Thin client use TTIPFN -> OCCA
TTIFUN -> OROLLBACK TTISTA TTIFUN -> OCOMMIT TTISTA
SLIDE 50
Fields
length pkt_checksum type flag hdr_checksum data_flag data_flag data_id data_id sig data_id ano
- verall_data_size
version_int_1 version_str_1 service
- ptions_flag_or_service_to_be_used
service_sv timeout seqNumber packetVersion lowestVersion
- ptions
sduSize tduSize protocolCharacteristics undefined1 HWByteOrder dataLen dataOff maxReceivedData anoFlags anoEnabled b4padding largeSDU sduSize tduSize func lag0 flag1 noAnoServices noAnoServices extended timeout tick timeout reconnectAddrLen reconnectAddrOff largeSDU sduSize tduSize session poolEnabled timestampLastIO sduSize tduSize isBreak A_MAGIC1 dataLen intVersion strVersion Supervisor
- ptions
serviceSv serviceSvSub serviceSvMarker serviceSvShortVer1 serviceSvShortVer2 serviceSvIntVersion serviceSvStrVersion drivers driversType curPID junk
- bjLen
- bjType
SLIDE 51
Fields
length pkt_checksum type flag hdr_checksum data_flag data_flag data_id data_id sig data_id ano
- verall_data_size
version_int_1 version_str_1 service
- ptions_flag_or_service_to_be_used
service_sv timeout seqNumber packetVersion lowestVersion
- ptions
sduSize tduSize protocolCharacteristics undefined1 HWByteOrder dataLen dataOff maxReceivedData anoFlags anoEnabled b4padding largeSDU sduSize tduSize func lag0 flag1 noAnoServices noAnoServices extended timeout tick timeout reconnectAddrLen reconnectAddrOff largeSDU sduSize tduSize session poolEnabled timestampLastIO sduSize tduSize isBreak A_MAGIC1 dataLen intVersion strVersion Supervisor
- ptions
serviceSv serviceSvSub serviceSvMarker serviceSvShortVer1 serviceSvShortVer2 serviceSvIntVersion serviceSvStrVersion drivers driversType curPID junk
- bjLen
- bjType
SLIDE 52
Serialization (Marshalling)
Data Types:
- UB1, SB1 (UBInt8, SBInt8)
- UB2, SB2 (UBInt16, SBInt16)
- UB4, SB4 (UBInt32, SBInt32)
- SB8 (SBInt64)
- UWORD, SWORD (UBInt32, SBInt32)
- B1Array (UB1 Array)
- B4Array (UB4 Array)
- O2U (B1/B4Array)
- NULLPTR (O2U(False))
- PTR (O2U(True))
- CLR (B1Array[64])
- CHR (UB1Array)
- TEXT (CString)
- DALC (SB4, CLR)
- KEYVAL (DALC, DALC, UB4)
- KPDKV (DALC, DALC, UB2)
- UCS2 (UB2)
- RefCursor (SB4)
- BFILE / BLOB / CLOB
SLIDE 53
Serialization (Marshalling)
Some magic
SLIDE 54
TNSIntruder
Зацени, братюня!
SLIDE 55
TNSIntruder
Utility written in Python, works as a database proxy. Support Oracle Databases 10g, 11g, 12c Features:
- Classes and marshalling engine
- Collector of sequences
- Injecting arbitrary SQL queries (Session hijacking)
SLIDE 56
Demo
Эу… пацанчик, гони видео!
SLIDE 57
TNSIntruder
Necessary to implement:
- PL/SQL support
- Network Data Encryption and Integrity Checks support
Whish list:
- SQL-parser
- Java-backdoors uploader in hijacked session *
* And ODAT (Oracle Database Attacking Tool) features supporting
SLIDE 58
TNSIntruder
https://github.com/nezlooy
SLIDE 59
Limitations and defense
Гопай аккуратнее!
SLIDE 60
Limitations and defense
- Channel
- Network Data Encryption and Integrity Checks
- PKI (Oracle wallets)
- Data protection
- Authentication
- Database attacks
- Oracle Database Firewall
- Antifraud solutions
SLIDE 61
Bonus
Пацанчики из Оракла жгут!
SLIDE 62
Gop-stopping of Instant Clients
10.2.0.5.0 11.2.0.4.0 12.1.0.2.0
Fuzzing with pyZZUF and Radamsa
- OCI
- Was fuzzed only 6 server responses
SLIDE 63
Gop-stopping of Instant Clients
Fuzzing with pyZZUF and Radamsa
(9) (7) (9) 10.2.0.5.0 11.2.0.4.0 12.1.0.2.0
- OCI
- Was fuzzed only 6 server responses
- Unique faults
AV_READ, AV_WRITE, AV_EXEC, HEAP_CORRUPTS
SLIDE 64
Questions?
Вопросы есть? А если найду?
SLIDE 65
Thank You
nezlooy
От души, братюни!