
BlackHatEU : Oracle, Interrupted: Stealing Sessions and Credentials

By Steve Ocepek & Wendel G. Henrique

Steve and Wendel will be showing live demos of tools for exploiting Oracle; the tools will be released after the conference. All of them are about performing man-in-the-middle attacks, and while a lot of people think this is a hard scenario, the Trustwave guys find that it is surprisingly effective in practice.

The first tool demoed is vamp, a tool for basic ARP spoofing.
ARP poisoning is old: the ARP specification was written in the 80s. It is still very effective, however, and opens up an entire category of attacks.

Vamp expands on the existing tools, which are currently hard to compile, with additional functionality called ARP request poisoning. Instead of sending unsolicited ARP replies, it answers legitimate ARP requests with malicious ARP replies.
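The distinction between unsolicited replies and request poisoning matters for detection. The following passive detector is an added example, not code from the post, from vamp or from Thicknet: it tracks which MAC each IP has been seen with and flags a change, and separately flags replies for which no request was observed. The events it runs over are constructed sample data, and the addresses are made up. Request poisoning answers a genuine request, so it passes the "unsolicited reply" check and is only caught by the binding-change check.

```python
"""Passive ARP-spoofing detector, run here over constructed sample events.

Added example (not from the original post, vamp, or Thicknet). Two checks:
  1. binding change: an IP is announced with a different MAC than before
     (the classic arpwatch-style "changed ethernet address" alert);
  2. unsolicited reply: a reply arrives for which no request was seen.
Request poisoning, which answers a genuine request, passes check 2 and is
only caught by check 1, which is why tracking bindings is the check to keep.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpEvent:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatch:
    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}   # ip -> last MAC seen claiming it
        self.pending: Set[str] = set()       # ips with an outstanding request
        self.alerts: List[str] = []

    def _learn(self, ip: str, mac: str) -> Optional[str]:
        """Record ip -> mac; return an alert string if the binding changed."""
        old = self.bindings.get(ip)
        self.bindings[ip] = mac
        if old is not None and old != mac:
            return f"changed MAC for {ip}: {old} -> {mac}"
        return None

    def observe(self, ev: ArpEvent) -> Optional[str]:
        alert: Optional[str] = None
        if ev.op == "request":
            # A request reveals the sender's own binding and opens a window
            # in which a reply for target_ip is expected.
            self.pending.add(ev.target_ip)
            alert = self._learn(ev.sender_ip, ev.sender_mac)
        elif ev.op == "reply":
            solicited = ev.sender_ip in self.pending
            self.pending.discard(ev.sender_ip)
            change = self._learn(ev.sender_ip, ev.sender_mac)
            unsolicited = None if solicited else (
                f"unsolicited reply for {ev.sender_ip} from {ev.sender_mac}")
            alert = "; ".join(p for p in (change, unsolicited) if p) or None
        else:
            raise ValueError(f"unknown ARP op {ev.op!r}")
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed sample: host .5 resolves the gateway .1 twice; the second
# answer comes from a different MAC (request poisoning), then the same
# MAC keeps sending replies nobody asked for (unsolicited poisoning).
GATEWAY_IP, HOST_IP = "10.0.0.1", "10.0.0.5"
GATEWAY_MAC = "aa:aa:aa:00:00:01"
HOST_MAC = "aa:aa:aa:00:00:05"
ROGUE_MAC = "de:ad:be:ef:00:99"
SAMPLE_EVENTS = [
    ArpEvent("request", HOST_IP, HOST_MAC, GATEWAY_IP),
    ArpEvent("reply", GATEWAY_IP, GATEWAY_MAC, HOST_IP),
    ArpEvent("request", HOST_IP, HOST_MAC, GATEWAY_IP),
    ArpEvent("reply", GATEWAY_IP, ROGUE_MAC, HOST_IP),   # solicited, poisoned
    ArpEvent("reply", GATEWAY_IP, ROGUE_MAC, HOST_IP),   # unsolicited
]


def run_detector(events: List[ArpEvent] = SAMPLE_EVENTS) -> List[str]:
    """Feed events through the watcher and return the alerts it raised."""
    watch = ArpWatch()
    for ev in events:
        watch.observe(ev)
    return watch.alerts


if __name__ == "__main__":
    for line in run_detector():
        print(line)
```

On the sample above the poisoned-but-solicited reply produces only a "changed MAC" alert, which is the one an unsolicited-reply-only detector would miss; the detector updates the binding on change, so a later identical reply is reported only as unsolicited rather than as a second change.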

ARP spoofing is not the only way to get in the middle: DHCP, dynamic DNS, wireless and BGP attacks, or simply typing for somebody else, work too.

Once you have an established session passing through you, there are two things you can do: modify the packets as they pass, or take over the session altogether.

The second tool is Thicknet. Using the MitM position obtained with e.g. vamp, it lets you manipulate active sessions to an Oracle database. It was demoed by inserting a user-creation command into an active session.

Thicknet also handles the Oracle side of the house. On top of TCP/IP there is TNS (Transport Network Substrate), and on top of TNS there is Net8, a proprietary protocol used by Oracle.

In Net8 there are three types of client messages:
• User-to-Server – used to issue queries
• Piggyback calls – can include user-to-server communication
• User-to-Server, Fetch – used to request more data from the server

So how do we find a “sled”, a query we can use to ride our command in on? First, find a query similar to what we want to do. Then modify the packet header so we can hang on to it, and replace the user's query with our own. This means that the user's session has to be disconnected at that point.

Writing a tool that does this is hard because it requires a lot of protocol analysis. Luckily, reusing valid data from the user and changing only what is needed means that you don’t have to understand the protocol fully to execute an attack. Checksums are the hardest part to reverse engineer, but Oracle does not use them at this time.
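The TNS framing described above (and the unused checksums) can be seen directly in a capture. The parser below is an added example, not code from the talk, vamp or Thicknet; the header layout it assumes is the one Wireshark's TNS dissector uses (length, packet checksum, type, reserved flags, header checksum, then for DATA packets a two-byte data-flags word before the Net8 body), the type names are taken from that dissector, and the sample stream is constructed, with a placeholder body rather than real Net8 encoding.

```python
"""Minimal parser for the TNS packet header that frames Net8 traffic.

Added example, not code from the talk, vamp or Thicknet. The header layout
is the one Wireshark's TNS dissector uses: packet length (2 bytes, big-endian),
packet checksum (2), packet type (1), reserved flags (1), header checksum (2);
a DATA packet (type 6) then carries 2 bytes of data flags before the Net8
payload. The sample bytes below are constructed, not a real capture, and the
DATA body is a placeholder rather than real Net8 encoding.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TNS_HDR = struct.Struct(">HHBBH")   # length, pkt checksum, type, flags, hdr checksum
TNS_TYPES = {
    1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT", 6: "DATA",
    7: "NULL", 9: "ABORT", 11: "RESEND", 12: "MARKER", 13: "ATTENTION", 14: "CONTROL",
}


@dataclass
class TnsPacket:
    length: int
    pkt_checksum: int
    ptype: int
    flags: int
    hdr_checksum: int
    body: bytes

    @property
    def type_name(self) -> str:
        return TNS_TYPES.get(self.ptype, f"UNKNOWN({self.ptype})")

    @property
    def integrity_fields_unused(self) -> bool:
        # Both checksum fields zero: nothing in the frame binds header to body,
        # which is why a payload can be swapped without recomputing anything.
        return self.pkt_checksum == 0 and self.hdr_checksum == 0

    @property
    def data_flags(self) -> Optional[int]:
        """Data-flags word of a DATA packet; None for other packet types."""
        if self.ptype != 6 or len(self.body) < 2:
            return None
        return struct.unpack_from(">H", self.body)[0]

    @property
    def net8_payload(self) -> bytes:
        """Body after the data-flags word for DATA packets, raw body otherwise."""
        return self.body[2:] if self.ptype == 6 else self.body


def parse_tns_stream(buf: bytes) -> List[TnsPacket]:
    """Split a byte buffer into TNS packets, failing loudly on bad framing."""
    packets: List[TnsPacket] = []
    off = 0
    while off < len(buf):
        if off + TNS_HDR.size > len(buf):
            raise ValueError(f"truncated TNS header at offset {off}")
        length, pchk, ptype, flags, hchk = TNS_HDR.unpack_from(buf, off)
        if length < TNS_HDR.size or off + length > len(buf):
            raise ValueError(f"bad TNS length {length} at offset {off}")
        body = buf[off + TNS_HDR.size: off + length]
        packets.append(TnsPacket(length, pchk, ptype, flags, hchk, body))
        off += length
    return packets


# Constructed sample stream: one DATA packet with a placeholder body and one
# NULL packet. Checksum fields are zero, as the talk says they are in practice.
SAMPLE_STREAM = (
    b"\x00\x12\x00\x00\x06\x00\x00\x00"     # len 18, type 6 (DATA)
    b"\x00\x00" b"SELECT 1"                 # data flags 0, placeholder body
    b"\x00\x08\x00\x00\x07\x00\x00\x00"     # len 8, type 7 (NULL), no body
)


def summarize(buf: bytes = SAMPLE_STREAM) -> List[str]:
    """One line per packet: type, length, body size, whether checksums are in use."""
    out: List[str] = []
    for p in parse_tns_stream(buf):
        chk = "checksums unused" if p.integrity_fields_unused else "checksums present"
        out.append(f"{p.type_name:<9} len={p.length:<3} body={len(p.net8_payload)} {chk}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize()))
```

The column a defender cares about is the last one: with both checksum fields zero, the TNS frame itself offers no integrity protection, so any protection has to come from a layer the write-up does not discuss, such as Oracle's sqlnet.ora SQLNET.CRYPTO_CHECKSUM_SERVER and SQLNET.ENCRYPTION_SERVER settings.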

Currently Thicknet only supports Oracle, but there are some extensions that can be made in the future: SMB, MySQL, MSSQL, etc…

Next up was a demo of an authentication downgrade attack. Wendel showed how Thicknet could be used to intercept the weakened challenge-response data of a session, and then used the tool “woraauthbf” to brute-force the password from it.

Default Oracle 10g authentication is too strong to brute force. To counter this problem, Thicknet has code to detect the part of the session where the authentication level is exchanged and then changes a value from 0x08 to 0x00 to downgrade the authentication level, but this only works against older versions of the Oracle JDBC Thin Driver.

Oracle’s newest client, InstantClient, is not susceptible to the attack unless it thinks it is talking to an Oracle 8.1.7 server. Because Thicknet is in the middle of the communication, it can fool InstantClient into thinking it is talking to that database version. InstantClient then sends the Oracle8 authentication strings, which can be downgraded.

Exploitation of the Oracle FullClient is only possible for version 9.2.0.6, and only on Linux, not on Windows. It turns out that downgrading the authentication level is relatively easy: Oracle answers with which versions are supported, and replacing one 0x06 with a 0x05 fools the client into downgrading the authentication.

Next the attack was demoed.

If a Windows Oracle client is authenticating against a server running on Windows, the NTLM hash is leaked in the Oracle authentication session, and thus the user's domain credentials can be obtained and cracked.
