Oracle Database Communication Protocol
Roman Bazhin, ZeroNights E.0x04, @nezlooy
a pentester's view, or rude Oracle experiments
Who am I: security researcher at Digital Security
[email protected], @nezlooy
Agenda
• Motivation
• Oracle Client Drivers
• Oracle Net Architecture
• Oracle Database Protocol
• TNSIntruder
• Limitations and defense
Motivation: it all started with a task.
Interaction Scheme
(Diagram: Oracle Client talking to RAC Node 1 and RAC Node 2; over 50 requests per module.)
Testing Scheme
(Diagram: Oracle Client <-> NProxy / Fuzzer.)
Reverse Fuzzing
(Diagram, built up over several slides: the Client opens a TCP connection to the Fuzzserver (SYN, SYN-ACK, ACK), then REQUEST / RESPONSE pairs follow; the fuzz server plays the server role and answers the client's requests with fuzzed responses.)
Whoa, whoa... hand it over!
Striped hat / Ethical gop-stopping
Pentester Requirements
(Diagram: Oracle Client <-> MITM Proxy.)
Just don't get caught!
• Replaying
• Modifying
• Spoofing
• Injecting
• etc.
Hm, and what about the protocol?
(Diagram: Oracle Client ? NProxy / Fuzzer ?)
Hey... so what about the protocol?
Googling: and what is out there on these internets of yours?
• Oracle TNS Protocol, http://www.thesprawl.org/research/oracle-tns-protocol/ : basic information about headers and packet types / for beginners / outdated.
• Wireshark TNS data dissector, http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c : only headers and packet types / we already have one.
• Presentations by Jonah Harris, http://oracle-internals.com/ : basic information about headers, TTC, server internals / good.
• Oracle Protocol by Gwen Shapira, http://www.pythian.com/blog/repost-oracle-protocol/ : description of some message types, marshalling / very good but outdated :(
• pytnsproxy by László Tóth, http://soonerorlater.hu/index.khtml?article_id=515 : Oracle 9i, 10g and 11g MITM attack tool.
• pytnspoison by Joxean Koret, http://seclists.org/fulldisclosure/2012/Apr/204 : Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
• Amoeba, https://code.google.com/p/amoeba/ : a distributing database proxy / no longer supported.
Code: well, it's OK :/ (screenshot of pytnspoison)
Code: totally OK :/ (screenshot of pytnsproxy)
Code: also OK :/ (screenshot of Amoeba)
Client Drivers: how do we solve the problem?
Oracle Client Drivers overview
• OCI-based: 10g, 11g, 12c
• JDBC: Thin
• .NET: Thin
Oracle Net Architecture: what is in the vendor docs?
Oracle Net Architecture (client stack, top to bottom)
• Application
• OCI / JDBC / .NET
• Two-Task Common (TTC)
• Oracle Net Foundation Layer (Oracle Net)
• Oracle Protocol Support (Oracle Net): TCP, TCPS, NP, SDP
Inside Oracle Net the TNS layer is made of Network Session (NS), Network Transport (NT) and Network Naming (NN).
Oracle Net Architecture (OSI view)
• Application (OCI/JDBC/.NET)
• Presentation: Two-Task Common (TTC)
• Session: Oracle Net
• Transport layer
• Network layer
• Data link layer
• Physical layer
Oracle Net Architecture (server stack, top to bottom)
• RDBMS
• OPI
• Two-Task Common (TTC)
• Oracle Net Foundation Layer (Oracle Net)
• Oracle Protocol Support (Oracle Net)
Oracle Database Protocol: let's dig into the details!
• Types and formats of messages
• Sequence of messages
• Fields
• Serialization (Marshalling)
Types and formats of messages: Transparent Network Substrate (TNS) packet, pre-12c header layout
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Header fields (offsets in the dump above):
• 00-01: Packet Size (UB2; 0x009F = 159 bytes, header included)
• 02-03: Packet Checksum (UB2)
• 04: Packet Type (UB1; 0x06 = DATA)
• 05: Header Flags (UB1)
• 06-07: Header Checksum (UB2)
Types and formats of messages: Transparent Network Substrate (TNS) packet in Oracle 12c
0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Header fields in 12c (the Packet Checksum field is gone and the size field has grown to four bytes; the header is still eight bytes):
• 00-03: Packet Size (UB4; 0x0000009F)
• 04: Packet Type (UB1)
• 05: Header Flags (UB1)
• 06-07: Header Checksum (UB2)
Types and formats of messages: TNS packet types
• CONNECT = 0x01
• ACCEPT = 0x02
• ACKNOWLEDGE = 0x03
• REFUSE = 0x04
• REDIRECT = 0x05
• DATA = 0x06
• NULL = 0x07
• ABORT = 0x09
• RESEND = 0x0B
• MARKER = 0x0C
• ATTENTION = 0x0D
• CONTROL INFORMATION * = 0x0E
• DATA DESCRIPTOR * = 0x0F
* Observed in Oracle 12c
Types and formats of messages: DATA packet type
In a DATA packet the two bytes that follow the eight-byte header (offsets 08-09 in the dumps above, 00 00 here) are the data flags:
• DATA = 0x00
• MORE * = 0x20
• EOF = 0x40
* Observed in Oracle 12c
Types and formats of messages: Advanced Networking Option (ANO) negotiation
Magic constant: the ANO payload of the DATA packet above starts, right after the data flags (offset 0A), with DE AD BE EF. Read against the field names on the Fields slide further down, the next bytes are 00 95 = 149, the payload size (packet length 0x9F minus the 10-byte header), 0A 20 00 00 = the version integer, and 00 04 = the number of ANO services that follow.
Types and formats of messages: Two-Task Interface (TTI)
0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07
0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E
The TTI message starts right after the data flags of the DATA packet (offset 0A in this 12c-layout dump):
• 0A: Function ID (03)
• 0B: Subfunction ID (76)
• 0C: Sequence number * (01)
* Used only in the client request
The ASCII visible further down (ORAUSER, AUTH_TERMINAL, AUTH_PROGRAM_NM = "JDBC Thin Client", AUTH_MACHINE, AUTH_PID, AUTH_SID) is the key/value list a Thin client sends in its session-key request, the first TTIFUN of the authentication sequence below.
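The framing described on the TNS slides above (both header layouts, the packet-type byte, the data-flag word and the ANO magic), as an added example written for this page and not code from the talk or from TNSIntruder. It parses the first 16 bytes of the three captures shown on the slides, builds packets back, and splits a TCP stream into whole packets, which is the first thing a proxy or fuzz server has to do. The one assumption not on the slides is that the caller knows which layout the session negotiated and passes `large_sdu` accordingly.

```python
"""TNS framing: parse and build packet headers in both layouts on the slides.

Added example, not code from the talk or from TNSIntruder. Facts from the
slides: pre-12c header = UB2 length, UB2 packet checksum, UB1 type, UB1 flags,
UB2 header checksum; 12c header = UB4 length, UB1 type, UB1 flags, UB2 header
checksum; a DATA packet then carries a UB2 data-flag word (0x00 DATA, 0x20
MORE, 0x40 EOF); an ANO payload starts with 0xDEADBEEF. Assumption not on the
slides: the caller knows which layout was negotiated and passes large_sdu.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PACKET_TYPES = {
    0x01: "CONNECT", 0x02: "ACCEPT", 0x03: "ACKNOWLEDGE", 0x04: "REFUSE",
    0x05: "REDIRECT", 0x06: "DATA", 0x07: "NULL", 0x09: "ABORT",
    0x0B: "RESEND", 0x0C: "MARKER", 0x0D: "ATTENTION",
    0x0E: "CONTROL INFORMATION", 0x0F: "DATA DESCRIPTOR",
}
DATA_FLAGS = {0x00: "DATA", 0x20: "MORE", 0x40: "EOF"}
TNS_DATA = 0x06
ANO_MAGIC = b"\xde\xad\xbe\xef"


@dataclass
class TnsPacket:
    length: int                     # declared size, header included
    ptype: int
    flags: int
    header_checksum: int
    packet_checksum: Optional[int]  # pre-12c layout only
    data_flags: Optional[int]       # DATA packets only
    payload: bytes                  # bytes after the header and data flags
    missing: int                    # declared bytes absent from the buffer

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.ptype, "UNKNOWN(0x%02x)" % self.ptype)

    @property
    def data_flag_name(self) -> Optional[str]:
        if self.data_flags is None:
            return None
        return DATA_FLAGS.get(self.data_flags, "0x%04x" % self.data_flags)

    @property
    def is_ano(self) -> bool:
        return self.ptype == TNS_DATA and self.payload.startswith(ANO_MAGIC)


def parse_tns(buf: bytes, large_sdu: bool) -> TnsPacket:
    """Parse one packet at the start of buf; a short buffer is reported, not fatal."""
    if len(buf) < 8:
        raise ValueError("need at least 8 header bytes")
    if large_sdu:
        length, ptype, flags, hsum = struct.unpack(">IBBH", buf[:8])
        psum = None
    else:
        length, psum, ptype, flags, hsum = struct.unpack(">HHBBH", buf[:8])
    if length < 8:
        raise ValueError("declared length %d is smaller than the header" % length)
    body, data_flags = buf[8:length], None
    if ptype == TNS_DATA:           # DATA: two flag bytes precede the payload
        if len(body) < 2:
            raise ValueError("DATA packet cut before its data-flag word")
        data_flags, body = struct.unpack(">H", body[:2])[0], body[2:]
    return TnsPacket(length, ptype, flags, hsum, psum, data_flags, body,
                     max(0, length - len(buf)))


def build_tns(ptype: int, payload: bytes, large_sdu: bool,
              flags: int = 0, data_flags: int = 0) -> bytes:
    """Inverse of parse_tns; both checksum fields are zero, as in the captures."""
    body = (struct.pack(">H", data_flags) if ptype == TNS_DATA else b"") + payload
    length = 8 + len(body)
    if large_sdu:
        return struct.pack(">IBBH", length, ptype, flags, 0) + body
    if length > 0xFFFF:
        raise ValueError("payload too large for the 2-byte length field")
    return struct.pack(">HHBBH", length, 0, ptype, flags, 0) + body


def split_stream(stream: bytes, large_sdu: bool) -> Tuple[List[TnsPacket], bytes]:
    """Cut a TCP byte stream into whole packets; return them and the leftover."""
    packets, off = [], 0
    while len(stream) - off >= 8:
        pkt = parse_tns(stream[off:], large_sdu)
        if pkt.missing:             # partial packet: wait for more bytes
            break
        packets.append(pkt)
        off += pkt.length
    return packets, stream[off:]


# First 16 bytes of the three captures on the slides; the full packets are
# 0x9F and 0xA7 bytes long, so parse_tns reports how much is not here.
ANO_12C = bytes.fromhex("00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95")
ANO_OLD = bytes.fromhex("00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95")
TTI_12C = bytes.fromhex("00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07")


def demo_stream() -> Tuple[List[TnsPacket], bytes]:
    """Constructed stream: a NULL packet, a DATA/EOF packet, then a torn header."""
    stream = (build_tns(0x07, b"", large_sdu=True)
              + build_tns(TNS_DATA, b"\x00\x01", large_sdu=True, data_flags=0x40)
              + b"\x00\x00")
    return split_stream(stream, large_sdu=True)
```

A proxy that does not track the CONNECT/ACCEPT negotiation can still sanity-check its guess: reading the pre-12c capture with `large_sdu=True` yields a length of 0x9F0000, and reading the 12c capture with `large_sdu=False` raises because the length comes out as 0.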
Types and formats of messages: TTC / TTI commands (the Function ID byte)
• TTIPRO  # Set protocol
• TTIDTY  # Set datatypes
• TTIFUN  # Start of user function
• TTIOER  # Error / Selecting completed
• TTIRXH  # Row transfer header
• TTIRXD  # Row transfer data
• TTIRPA  # Return OPI Parameter
• TTISTA  # Oracle func complete
• TTIIOV  # I/O vector
• TTILOBD # LOB/FILE data follows
• TTIDCB  # Describe information
• TTIPFN  # Piggyback func follows
• …
Client data requests travel in TTIFUN and TTIPFN (TTIPRO and TTIDTY are exchanged in both directions during session setup); the remaining commands are server data responses.
Types and formats of messages: TTC / TTI subfunctions (the Subfunction ID byte)
• TTIFUN: OSESSKEY, OAUTH, OVERSION, OALL8, OFETCH, OLOBOPS, OCOMMIT, OROLLBACK, OPING, OCLOSE, …
• TTIPFN: O80SES, OCCA, …
Sequence of messages: Authentication (each row is a client request and the server's reply)
Client                     Server
CONNECT                    ACCEPT
ANO                        ANO
TTIPRO                     TTIPRO
TTIDTY                     TTIDTY
TTIFUN -> OSESSKEY         TTIRPA
TTIFUN -> OAUTH            TTIRPA
TTIFUN -> OVERSION *       TTIRPA
* Thin client; OCI uses TTIPFN -> O80SES or does not send it at all
Sequence of messages: Selecting (1)
Client                     Server
TTIFUN -> OALL8            TTIDCB
TTIFUN -> OFETCH           TTIRXH
Sequence of messages: Selecting (2)
Client                     Server
TTIPFN -> OCCA             TTIDCB
TTIFUN -> OFETCH           TTIOER
Sequence of messages: Selecting (3), with LOB data
Client                     Server
TTIFUN -> OALL8            TTIDCB
TTIFUN -> OFETCH           TTIRXH
TTIFUN -> OLOBOPS          TTILOBD, then DATA *, DATA, DATA
TTIFUN -> OLOBOPS          TTIRPA
* Observed in Oracle 10g and 11g
Sequence of messages: Logging Off
Client                     Server
TTIFUN -> OLOGOFF *        TTISTA
EOF
* OCI and the Thin client use TTIPFN -> OCCA
Client                     Server
TTIFUN -> OROLLBACK        TTISTA
TTIFUN -> OCOMMIT          TTISTA
Fields (word cloud on the slide; the names of the fields modelled in the protocol classes):
length, pkt_checksum, type, flag, hdr_checksum, data_flag, data_id, sig, ano, overall_data_size, version_int_1, version_str_1, service, options_flag_or_service_to_be_used, service_sv, timeout, seqNumber, packetVersion, lowestVersion, options, sduSize, tduSize, protocolCharacteristics, undefined1, HWByteOrder, dataLen, dataOff, maxReceivedData, anoFlags, anoEnabled, b4padding, largeSDU, func, flag0, flag1, noAnoServices, extended, timeout, tick, reconnectAddrLen, reconnectAddrOff, session, poolEnabled, timestampLastIO, isBreak, A_MAGIC1, intVersion, strVersion, Supervisor, serviceSv, serviceSvSub, serviceSvMarker, serviceSvShortVer1, serviceSvShortVer2, serviceSvIntVersion, serviceSvStrVersion, drivers, driversType, curPID, junk, objLen, objType
Serialization (Marshalling): data types
• UB1, SB1 (UBInt8, SBInt8)
• UB2, SB2 (UBInt16, SBInt16)
• UB4, SB4 (UBInt32, SBInt32)
• SB8 (SBInt64)
• UWORD, SWORD (UBInt32, SBInt32)
• B1Array (UB1 Array)
• B4Array (UB4 Array)
• O2U (B1/B4Array)
• NULLPTR (O2U(False))
• PTR (O2U(True))
• CLR (B1Array[64])
• CHR (UB1Array)
• TEXT (CString)
• DALC (SB4, CLR)
• KEYVAL (DALC, DALC, UB4)
• KPDKV (DALC, DALC, UB2)
• UCS2 (UB2)
• RefCursor (SB4)
• BFILE / BLOB / CLOB
Serialization (Marshalling): some magic (marshalling code shown on the slide)
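The marshalling types listed above (UB4, PTR, CHR, CLR, DALC, KEYVAL) applied to the TTI capture shown on the Two-Task Interface slide, as an added example written for this page and not code from the talk or from TNSIntruder. It decodes the session-key request's user name and AUTH_* key/value pairs, and re-encodes the pairs byte-for-byte, which is the step a proxy needs before it can modify or inject. Two assumptions are not on the slides: the field order of the request body (pointer flag, UB4 user length, UB4 mode, pointer flag, UB4 pair count, two pointer flags, CHR user name, then KEYVAL triples) is inferred from the capture bytes, and the capture is the first 160 bytes of a 167-byte packet, so the decoder has to stop cleanly at the cut instead of raising an IndexError.

```python
"""Decode the TTC marshalling of the session-key request captured above.

Added example, not code from the talk or from TNSIntruder. Types follow the
Serialization slide: UB4 = one length byte plus that many big-endian value
bytes; PTR = UB1 presence flag; CHR = raw bytes whose length was sent earlier;
CLR = length-prefixed chunk; DALC = (UB4, CLR); KEYVAL = (DALC key, DALC
value, UB4 flags). Assumed (not on the slides): the body field order below,
inferred from the capture, which is the first 160 bytes of a 167-byte packet.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TTIFUN, OSESSKEY = 0x03, 0x76   # Function ID / Subfunction ID bytes in the capture
TNS_HEADER_LEN = 10             # 8-byte packet header plus the 2-byte data flags


class Truncated(Exception):
    """A field runs past the end of the captured bytes."""


class TtcReader:
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise Truncated("need %d bytes at offset %d" % (n, self.pos))
        out, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return out

    def ub1(self) -> int:
        return self.take(1)[0]

    def ub4(self) -> int:             # compressed integer: length byte, then value
        n = self.ub1()
        if n > 4:
            raise ValueError("UB4 with %d value bytes" % n)
        return int.from_bytes(self.take(n), "big") if n else 0

    def clr(self) -> Optional[bytes]:  # short form only; 0xFF = NULL, 0xFE = chunked
        n = self.ub1()
        if n == 0xFF:
            return None
        if n == 0xFE:
            raise NotImplementedError("chunked CLR (long form) not needed here")
        return self.take(n)

    def dalc(self) -> Optional[bytes]:  # (UB4 length, CLR); the lengths must agree
        n, data = self.ub4(), self.clr()
        if data is not None and len(data) != n:
            raise ValueError("DALC length %d != CLR length %d" % (n, len(data)))
        return data


@dataclass
class SessKeyRequest:
    seq: int
    mode: int
    username: bytes
    declared_pairs: int
    pairs: List[Tuple[Optional[bytes], Optional[bytes], int]] = field(default_factory=list)
    partial_key: Optional[bytes] = None   # key of the pair cut off by truncation
    complete: bool = True


def decode_osesskey(payload: bytes) -> SessKeyRequest:
    """payload = the bytes after the 10-byte TNS header of the DATA packet."""
    r = TtcReader(payload)
    func, sub, seq = r.ub1(), r.ub1(), r.ub1()
    if (func, sub) != (TTIFUN, OSESSKEY):
        raise ValueError("not a TTIFUN/OSESSKEY request: %02x %02x" % (func, sub))
    r.ub1()                           # PTR: user name follows (inferred layout)
    user_len, mode = r.ub4(), r.ub4()
    r.ub1()                           # PTR: key/value list follows
    npairs = r.ub4()
    r.ub1(); r.ub1()                  # two more PTR flags, unused by this decoder
    req = SessKeyRequest(seq, mode, r.take(user_len), npairs)   # CHR user name
    for _ in range(npairs):
        key = None
        try:
            key = r.dalc()
            value, flags = r.dalc(), r.ub4()
        except Truncated:             # capture ends inside this pair
            req.complete, req.partial_key = False, key
            break
        req.pairs.append((key, value, flags))
    return req


def encode_ub4(v: int) -> bytes:
    body = v.to_bytes(4, "big").lstrip(b"\x00")   # b"" for zero, 1-4 bytes otherwise
    return bytes([len(body)]) + body


def encode_keyval(key: bytes, value: bytes, flags: int = 0) -> bytes:
    """KEYVAL = DALC key, DALC value, UB4 flags (short-form CLR only)."""
    def dalc(data: bytes) -> bytes:
        if len(data) >= 0xFE:
            raise NotImplementedError("chunked CLR (long form) not needed here")
        return encode_ub4(len(data)) + bytes([len(data)]) + data
    return dalc(key) + dalc(value) + encode_ub4(flags)


# The 160 bytes shown on the Two-Task Interface slide (offsets stripped).
CAPTURE = bytes.fromhex(
    "00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D"
    "0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48"
    "5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01"
    "0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08"
    "41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E"
)


def decode_capture() -> SessKeyRequest:
    return decode_osesskey(CAPTURE[TNS_HEADER_LEN:])
```

Four of the five declared pairs decode completely; the fifth stops after its key, AUTH_SID, because the dump ends two bytes into the value, which is exactly the seven bytes the header's length field (0xA7) says are missing.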
TNSIntruder: check it out, bro!
TNSIntruder is a utility written in Python that works as a database proxy. It supports Oracle Database 10g, 11g and 12c.
Features:
• Classes and marshalling engine
• Collector of sequences
• Injecting arbitrary SQL queries (session hijacking)
Demo: hey, kid, roll the video!
TNSIntruder, still to be implemented:
• PL/SQL support
• Network Data Encryption and Integrity Checks support
Wish list:
• SQL parser
• Java backdoor uploader in the hijacked session *
* And support for ODAT (Oracle Database Attacking Tool) features
TNSIntruder: https://github.com/nezlooy
Limitations and defense: rob carefully!
Limitations and defense
• Channel: Network Data Encryption and Integrity Checks; PKI (Oracle wallets)
• Data protection: authentication
• Database attacks: Oracle Database Firewall; anti-fraud solutions
An unencrypted, unauthenticated TNS channel is what makes replaying, modifying and injecting possible; Oracle Net encryption with integrity checks (or TCPS with wallets) closes that channel, which is also why the proxy lists encryption support as still to be implemented.
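The channel defense above in concrete terms, as an added example written for this page and not code from the talk: a check that predicts what Oracle Net will negotiate for encryption and integrity from the client's and server's sqlnet.ora, using the negotiation rule Oracle documents for SQLNET.ENCRYPTION_{CLIENT,SERVER} and SQLNET.CRYPTO_CHECKSUM_{CLIENT,SERVER} (REJECTED on either side switches the service off, and fails the connection if the other side is REQUIRED; ACCEPTED on both sides, which is the default, leaves it off; any other combination switches it on if the two sides share an algorithm, and fails with ORA-12650 when they share none and one side is REQUIRED). The sqlnet.ora fragments are constructed for the example, and treating the no-common-algorithm case without a REQUIRED side as "off" is this example's assumption.

```python
"""Predict Oracle Net encryption/integrity negotiation from sqlnet.ora.

Added example, not code from the talk. The rule is Oracle's documented
negotiation for SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_*; the
configuration fragments below are constructed for the example. Assumption:
no common algorithm with neither side REQUIRED is treated as OFF.
"""
from typing import Dict, List

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
SERVICES = (("encryption", "ENCRYPTION", "ENCRYPTION_TYPES"),
            ("integrity", "CRYPTO_CHECKSUM", "CRYPTO_CHECKSUM_TYPES"))


def parse_sqlnet(text: str) -> Dict[str, List[str]]:
    """Minimal sqlnet.ora reader: KEY = VALUE or KEY = (V1, V2); '#' comments."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.upper()] = [v.strip().upper() for v in value.strip("()").split(",")
                            if v.strip()]
    return cfg


def level(cfg: Dict[str, List[str]], key: str) -> str:
    vals = cfg.get(key, ["ACCEPTED"])        # documented default when unset
    if len(vals) != 1 or vals[0] not in LEVELS:
        raise ValueError("%s must be one of %s, got %r" % (key, LEVELS, vals))
    return vals[0]


def negotiate(client: str, server: str,
              client_algs: List[str], server_algs: List[str]) -> str:
    """Return ON, OFF or FAIL for one service (encryption or integrity)."""
    if "REJECTED" in (client, server):
        return "FAIL" if "REQUIRED" in (client, server) else "OFF"
    if client == server == "ACCEPTED":       # the default on both sides
        return "OFF"
    # an empty algorithm list means "everything this installation supports"
    if client_algs and server_algs and not set(client_algs) & set(server_algs):
        return "FAIL" if "REQUIRED" in (client, server) else "OFF"
    return "ON"


def assess(client_ora: str, server_ora: str) -> Dict[str, str]:
    """Negotiation outcome per service for a client/server sqlnet.ora pair."""
    c, s = parse_sqlnet(client_ora), parse_sqlnet(server_ora)
    return {name: negotiate(level(c, "SQLNET.%s_CLIENT" % param),
                            level(s, "SQLNET.%s_SERVER" % param),
                            c.get("SQLNET.%s_CLIENT" % types, []),
                            s.get("SQLNET.%s_SERVER" % types, []))
            for name, param, types in SERVICES}


# Constructed configurations for the example.
DEFAULT_CLIENT = "# nothing set: both services default to ACCEPTED\n"
WEAK_SERVER = DEFAULT_CLIENT          # the out-of-the-box server: plaintext wins
HARDENED_SERVER = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""
REJECTING_CLIENT = """
SQLNET.ENCRYPTION_CLIENT = REJECTED       # downgrade attempt
SQLNET.CRYPTO_CHECKSUM_CLIENT = REJECTED
"""
MISMATCHED_CLIENT = """
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES128) # no overlap with the server's AES256
"""
```

With the defaults on both sides the session is negotiated in the clear, which is the situation the proxy relies on; with REQUIRED on the server a client that tries to reject encryption gets no connection instead of a plaintext one, and a server set only to REQUESTED still lets a REJECTED client through in the clear.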
Bonus: the Oracle guys are on fire!
Gop-stopping of Instant Clients: fuzzing with pyZZUF and Radamsa
• OCI
• Only 6 server responses were fuzzed
• Unique faults: 10.2.0.5.0 (9), 11.2.0.4.0 (7), 12.1.0.2.0 (9)
• Fault classes: AV_READ, AV_WRITE, AV_EXEC, HEAP_CORRUPTS
Questions? Any questions? And what if I find some?
Thank You
nezlooy
From the heart, bros!