Oracle Rootkits 2.0
Defcon 14
Las Vegas
05-August-06
Alexander Kornbrust
Red Database Security GmbH
06.08.2006
Agenda
Introduction
Viruses
OS Rootkits
Database Rootkits 1.0
Execution Path
Modify Data Dictionary Objects
Advanced Database Rootkits 1.0
Database Rootkits 2.0
Modify Binaries
PL/SQL Native
Pinned PL/SQL Packages
Conclusion
Q/A
Introduction
Red-Database-Security GmbH
Founded Spring 2004
CEO Alexander Kornbrust
Specialized in Oracle Security
Introduction
Operating systems and databases are quite similar in architecture.
Both have
Users
Processes
Jobs
Executables
Symbolic Links
…
=> A database is a kind of operating system
Definition Wikipedia:
A rootkit is a set of tools used after
cracking a computer system that
hides logins, processes
[…]
a set of recompiled UNIX tools
such as ps, netstat, passwd that
would carefully hide any trace that
those commands normally display.
Introduction
OS cmd: ps
  Oracle: select * from v$process
  SQL Server: select * from sysprocesses
  DB2: list application
  Postgres: select * from pg_stat_activity

OS cmd: kill 1234
  Oracle: alter system kill session '12,55'
  SQL Server: SELECT @var1 = spid FROM sysprocesses WHERE nt_username='andrew' AND spid<>@@spid EXEC ('kill '+@var1);
  DB2: force application (1234)

OS cmd: Executables
  Oracle: View, Package, Procedures and Functions
  SQL Server: View, Stored Procedures
  DB2: View, Stored Procedures
  Postgres: View, Stored Procedures

OS cmd: execute
  Oracle: select * from view; exec procedure
  SQL Server: select * from view; exec procedure
  DB2: select * from view;
  Postgres: select * from view; execute procedure

OS cmd: cd
  Oracle: alter session set current_schema=user01