
Oracle Database Communication Protocol

Roman Bazhin
November 13, 2014

Slides of my talk at #ZeroNights E.0x04 "A pentester’s view of Oracle Database Communication Protocol, or Rude Oracle experiments"

Transcript

  1. Agenda
    • Motivation
    • Oracle Client Drivers
    • Oracle Net Architecture
    • Oracle Database Protocol
    • TNSIntruder
    • Limitations and defense
  2. Reverse Fuzzing
    [Diagram: a fuzzing server on one side and the Oracle client on the other, exchanging SYN, SYN-ACK and ACK, then REQUEST / RESPONSE pairs.] Caption: "Whoa, whoa… take that!"
  3. Reverse Fuzzing
    [Same diagram.] Caption: "Striped hat / Ethical gop-stopping"
  4. Pentester Requirements
    [Diagram: Oracle Client <-> MITM Proxy.] Caption: "Just don't get caught!"
    • Replaying
    • Modifying
    • Spoofing
    • Injecting
    • etc.
  5. Hm, and what about the protocol?
    [Diagram: Oracle Client <-> Proxy / Fuzzer, with question marks on both sides.] Caption: "Hey… what's up with the protocol?"
  6. Googling ("So what is out there on these internets of yours?")
    • Oracle TNS Protocol, http://www.thesprawl.org/research/oracle-tns-protocol/ : basic information about headers and packet types / for beginners / outdated.
    • Wireshark TNS data dissector, http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c : only headers and packet types / already have one.
    • Presentations by Jonah Harris, http://oracle-internals.com/ : basic information about headers, TTC, server internals / good.
    • Oracle Protocol by Gwen Shapira, http://www.pythian.com/blog/repost-oracle-protocol/ : description of some message types and marshalling / very good but outdated :(
  7. Googling ("So what is out there on these internets of yours?")
    • pytnsproxy by László Tóth, http://soonerorlater.hu/index.khtml?article_id=515 : Oracle 9i, 10g and 11g MITM-attack tool.
    • pytnspoison by Joxean Koret, http://seclists.org/fulldisclosure/2012/Apr/204 : Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
    • Amoeba, https://code.google.com/p/amoeba/ : a distributed database proxy / no longer supported.
  8. Oracle Net Architecture (client side, top to bottom)
    Application
    OCI / JDBC / .NET
    Two-Task Common (TTC)
    Oracle Net Foundation Layer
    Oracle Protocol Support
    (the two lower layers make up the Oracle Net Client)
  9. Oracle Net Architecture (client side, with the Oracle Net components)
    Application
    OCI / JDBC / .NET
    Two-Task Common (TTC)
    Oracle Net Foundation Layer: TNS, Network Session (NS), Network Naming (NN)
    Oracle Protocol Support: Network Transport (NT) over TCP, TCPS, NP, SDP
  10. Oracle Net Architecture (OSI view, top to bottom)
    Application (OCI/JDBC/.NET)
    Two-Task Common (TTC)
    Oracle Net
    Transport layer
    Network layer
    Data link layer
    Physical layer
  11. Oracle Net Architecture (server side, top to bottom)
    RDBMS: Server OPI, Two-Task Common (TTC)
    Oracle Net: Oracle Net Foundation Layer, Oracle Protocol Support
  12. Oracle Database Protocol ("Let's go into more detail!")
    • Types and formats of messages
    • Sequence of messages
    • Fields
    • Serialization (Marshalling)
  13. Types and formats of messages: Transparent Network Substrate (TNS)
    Hex dump of a DATA packet:
    0000  00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
    0010  0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
    0020  04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
    0030  09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
    0040  04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
    0050  00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
    0060  02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
    0070  05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
    0080  0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
    0090  05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
  14. Types and formats of messages: Transparent Network Substrate (TNS)
    The same packet with the pre-12c header (rows 0010–0090 are as on slide 13):
    0000  00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
    Header fields, in order: Packet Size (00 9F), Packet Checksum (00 00), Packet Type (06), Header Flags (00), Header Checksum (00 00)
  15. Types and formats of messages: Transparent Network Substrate (TNS) in Oracle 12c
    Byte-identical to the dump on slide 13: the first four bytes (00 00 00 9F) are a single Packet Size field, so there is no Packet Checksum.
    Header fields, in order: Packet Size, Packet Type, Header Flags, Header Checksum
  16. Types and formats of messages: TNS packet types
    • CONNECT = 0x01
    • ACCEPT = 0x02
    • ACKNOWLEDGE = 0x03
    • REFUSE = 0x04
    • REDIRECT = 0x05
    • DATA = 0x06
    • NULL = 0x07
    • ABORT = 0x09
    • RESEND = 0x0B
    • MARKER = 0x0C
    • ATTENTION = 0x0D
    • CONTROL INFORMATION* = 0x0E
    • DATA DESCRIPTOR* = 0x0F
    * Observed in Oracle 12c
  18. Types and formats of messages: DATA packet type
    The same dump as on slide 14. The two bytes that follow the 8-byte header (00 00 at offset 0x08) are the data flag:
    • DATA = 0x00
    • MORE* = 0x20
    • EOF = 0x40
    * Observed in Oracle 12c
  19. Types and formats of messages: Additional Network Options Negotiation (ANO)
    The same dump as on slide 14: the ANO payload starts with the magic constant DE AD BE EF (offset 0x0A, right after the data flag).
  20. Types and formats of messages: Two-Task Interface (TTI)
    0000  00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07
    0010  01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
    0020  0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
    0030  07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
    0040  5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
    0050  42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
    0060  0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
    0070  0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
    0080  41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
    0090  01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E
    Labelled fields following the data flag: Function ID, Subfunction ID, Sequence number*
    * Used only in the client request
  21. Types and formats of messages: TTC / TTI commands
    • TTIPRO   # Set protocol
    • TTIDTY   # Set datatypes
    • TTIFUN   # Start of user function
    • TTIOER   # Error / Selecting completed
    • TTIRXH   # Row transfer header
    • TTIRXD   # Row transfer data
    • …
    • TTIRPA   # Return OPI Parameter
    • TTISTA   # Oracle func complete
    • TTIIOV   # I/O vector
    • TTILOBD  # LOB/FILE data follows
    • TTIDCB   # Describe information
    • TTIPFN   # Piggyback func follows
    • …
  25. Types and formats of messages: TTC / TTI commands
    The same list of commands as on slide 21, with the client data requests highlighted.
  26. Types and formats of messages: TTC / TTI subfunctions
    • TTIFUN: OSESSKEY, OAUTH, OVERSION, OALL8, OFETCH, OLOBOPS, OCOMMIT, OROLLBACK, OPING, OCLOSE, …
    • TTIPFN: O80SES, OCCA, …
  28. Types and formats of messages: TTC / TTI commands
    The same list of commands as on slide 21, with the server data responses highlighted.
  29. Sequence of messages: Authentication
    Client -> Server: CONNECT               Server -> Client: ACCEPT
    Client -> Server: ANO                   Server -> Client: ANO
    Client -> Server: TTIPRO                Server -> Client: TTIPRO
    Client -> Server: TTIDTY                Server -> Client: TTIDTY
    Client -> Server: TTIFUN -> OSESSKEY    Server -> Client: TTIRPA
    Client -> Server: TTIFUN -> OAUTH       Server -> Client: TTIRPA
    Client -> Server: TTIFUN -> OVERSION*   Server -> Client: TTIRPA
    * Thin client; OCI uses TTIPFN -> O80SES instead, or does not use it at all
  30. Sequence of messages: Selecting
    Client -> Server: TTIFUN -> OALL8       Server -> Client: TTIDCB
    Client -> Server: TTIFUN -> OFETCH      Server -> Client: TTIRXH
    Client -> Server: TTIFUN -> OLOBOPS     Server -> Client: TTILOBD, DATA*, DATA, DATA
    Client -> Server: TTIFUN -> OLOBOPS     Server -> Client: TTIRPA
    * Observed in Oracle 10g and 11g
  31. Sequence of messages: Logging Off
    Client -> Server: TTIFUN -> OLOGOFF*    Server -> Client: TTISTA, EOF
    Client -> Server: TTIFUN -> OROLLBACK   Server -> Client: TTISTA
    Client -> Server: TTIFUN -> OCOMMIT     Server -> Client: TTISTA
    * OCI and Thin client use TTIPFN -> OCCA
  32. Fields
    Field names of the packet classes, shown as a class diagram on the slide:
    length, pkt_checksum, type, flag, hdr_checksum, data_flag, data_flag, data_id, data_id, sig, data_id, ano, overall_data_size,
    version_int_1, version_str_1, service, options_flag_or_service_to_be_used, service_sv, timeout, seqNumber, packetVersion,
    lowestVersion, options, sduSize, tduSize, protocolCharacteristics, undefined1, HWByteOrder, dataLen, dataOff, maxReceivedData,
    anoFlags, anoEnabled, b4padding, largeSDU, sduSize, tduSize, func, flag0, flag1, noAnoServices, noAnoServices, extended,
    timeout, tick, timeout, reconnectAddrLen, reconnectAddrOff, largeSDU, sduSize, tduSize, session, poolEnabled, timestampLastIO,
    sduSize, tduSize, isBreak, A_MAGIC1, dataLen, intVersion, strVersion, Supervisor, options, serviceSv, serviceSvSub,
    serviceSvMarker, serviceSvShortVer1, serviceSvShortVer2, serviceSvIntVersion, serviceSvStrVersion, drivers, driversType,
    curPID, junk, objLen, objType
  34. Serialization (Marshalling): data types
    • UB1, SB1 (UBInt8, SBInt8)
    • UB2, SB2 (UBInt16, SBInt16)
    • UB4, SB4 (UBInt32, SBInt32)
    • SB8 (SBInt64)
    • UWORD, SWORD (UBInt32, SBInt32)
    • B1Array (UB1 Array)
    • B4Array (UB4 Array)
    • O2U (B1/B4Array)
    • NULLPTR (O2U(False))
    • PTR (O2U(True))
    • CLR (B1Array[64])
    • CHR (UB1Array)
    • TEXT (CString)
    • DALC (SB4, CLR)
    • KEYVAL (DALC, DALC, UB4)
    • KPDKV (DALC, DALC, UB2)
    • UCS2 (UB2)
    • RefCursor (SB4)
    • BFILE / BLOB / CLOB
  35. TNSIntruder
    A utility written in Python that works as a database proxy. Supports Oracle Database 10g, 11g and 12c.
    Features:
    • Classes and marshalling engine
    • Collector of sequences
    • Injecting arbitrary SQL queries (session hijacking)
  36. TNSIntruder
    Necessary to implement:
    • PL/SQL support
    • Network Data Encryption and Integrity Checks support
    Wish list:
    • SQL parser
    • Java backdoor uploader in a hijacked session*
    * and support for ODAT (Oracle Database Attacking Tool) features
  37. Limitations and defense
    • Channel
      • Network Data Encryption and Integrity Checks
      • PKI (Oracle wallets)
    • Data protection
      • Authentication
      • Database attacks
      • Oracle Database Firewall
      • Antifraud solutions
  38. Gop-stopping of Instant Clients
    Instant Client versions: 10.2.0.5.0, 11.2.0.4.0, 12.1.0.2.0
    Fuzzing with pyZZUF and Radamsa
    • OCI
    • Only 6 server responses were fuzzed
  39. Gop-stopping of Instant Clients
    Fuzzing with pyZZUF and Radamsa; unique fault counts shown above the three versions: (9) (7) (9) for 10.2.0.5.0, 11.2.0.4.0, 12.1.0.2.0 respectively
    • OCI
    • Only 6 server responses were fuzzed
    • Unique faults: AV_READ, AV_WRITE, AV_EXEC, HEAP_CORRUPTS
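To make the header layout from slides 13 to 20 concrete, here is a small dissector written for this page (it is not the talk's code and not TNSIntruder): it parses both the 10g/11g header (2-byte size, 2-byte checksum) and the 12c header (4-byte size), checks the size field against what was received, reads the DATA flag, and tells an ANO body from a TTI one. The numeric TTI IDs (TTIFUN = 0x03, OSESSKEY = 0x76, OAUTH = 0x73) are assumptions read off the annotated dump, not values stated on the slides.

```python
import struct
PACKET_TYPES = {0x01: "CONNECT", 0x02: "ACCEPT", 0x03: "ACKNOWLEDGE", 0x04: "REFUSE",
                0x05: "REDIRECT", 0x06: "DATA", 0x07: "NULL", 0x09: "ABORT",
                0x0B: "RESEND", 0x0C: "MARKER", 0x0D: "ATTENTION",
                0x0E: "CONTROL INFORMATION", 0x0F: "DATA DESCRIPTOR"}   # slide 16
DATA_FLAGS = {0x0000: "DATA", 0x0020: "MORE", 0x0040: "EOF"}            # slide 18
ANO_MAGIC = b"\xde\xad\xbe\xef"                                         # slide 19
# Assumed TTI IDs (not stated on the slides): 03 76 in the slide-20 dump is read as TTIFUN -> OSESSKEY.
TTI_FUNCS = {0x03: "TTIFUN"}
TTI_SUBFUNCS = {0x76: "OSESSKEY", 0x73: "OAUTH"}

def parse_tns(buf: bytes, oracle12c: bool = False) -> dict:
    """Dissect one TNS packet; raise ValueError if the header is inconsistent."""
    if len(buf) < 8:
        raise ValueError("short TNS header")
    if oracle12c:                       # 12c: 4-byte size, no packet checksum
        length, checksum = struct.unpack(">I", buf[:4])[0], None
    else:                               # 10g/11g: 2-byte size + 2-byte checksum
        length, checksum = struct.unpack(">HH", buf[:4])
    ptype, flags, hdr_checksum = struct.unpack(">BBH", buf[4:8])
    if length != len(buf):              # truncated, padded, or wrong header layout
        raise ValueError(f"length field {length} != {len(buf)} bytes received")
    pkt = {"length": length, "pkt_checksum": checksum, "flags": flags,
           "type": PACKET_TYPES.get(ptype, f"UNKNOWN(0x{ptype:02X})"),
           "hdr_checksum": hdr_checksum}
    if ptype == 0x06 and len(buf) >= 10:
        data_flag = struct.unpack(">H", buf[8:10])[0]   # 2-byte data flag
        pkt["data_flag"] = DATA_FLAGS.get(data_flag, f"0x{data_flag:04X}")
        body = buf[10:]
        if body.startswith(ANO_MAGIC):                  # ANO negotiation payload
            pkt["layer"] = "ANO"
        elif len(body) >= 3:                            # TTI message
            pkt["layer"] = "TTI"
            pkt["function"] = TTI_FUNCS.get(body[0], f"0x{body[0]:02X}")
            pkt["subfunction"] = TTI_SUBFUNCS.get(body[1], f"0x{body[1]:02X}")
            pkt["sequence"] = body[2]
    return pkt

def is_wellformed(buf: bytes, oracle12c: bool = False) -> bool:
    try:
        parse_tns(buf, oracle12c)
        return True
    except ValueError:
        return False

# Constructed samples: the first two dump rows from slides 14 and 20, with the
# size field rewritten to 32 so each sample is a self-consistent packet.
ANO_SAMPLE = bytes.fromhex("00200000 06000000 0000DEAD BEEF0095 0A200000 00040000 04000300 00000000")
TTI_SAMPLE = bytes.fromhex("00000020 06200000 00000376 01010107 01010101 0501014F 52415553 4552010D")
```

Parsing a packet under the wrong header layout (or after truncation) fails the size check, which is the first thing a proxy or IDS dissector should verify before trusting anything in the body.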