Oracle, Interrupted: Stealing Sessions and Credentials (Steve Ocepak & Wendel G. Henrique)
Abstract (source: Blackhat.com)
In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext.
Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, released at Black Hat Europe, the team will demonstrate how deadly injection attacks can be to database security.
Talk Abstract –> Oracle, Interrupted: Stealing Sessions and Credentials
Speaker Bio –> Steve Ocepek, Wendel G. Henrique
40,000 foot view of what the talk is about.
What is vamp ?
- arpspoof is getting a bit old, hard to compile with new version of libdnet
- Need something to use with thicknet
- Stateful – i.e. new hosts can join the fun
- Cross-platform: libdnet, libpcap / winpcap, libev
What is Ticknet ?
An injection tool that listens for database queries, and then alters it to perform actions as designated by an attacker.
Password not required, as the session is already authenticated.
Vamp, Arp Poisoning and you
- Most reliable way to get data about local network
- Injection opens up a whole category of attacks
- Good way to find important services
- It was very cool in the 80’s
The ARP protocol is old.
Arpspoof is also old, hard to compile with new version of libdnet
Vamp improves on this by being stateful and cross-platform (based on the updated libraries)
Don’t worry though…. ARP will disappear when we start using IPv6 (next week right?)
Hot Session Injection
Ettercap can do this, to a certain degree
- In connections view (curses or GTK), select TCP connection
- Can inject file or ASCII characters
- I had limited success, not a commonly-used feature
- Etterfilter also an option, but is not session aware
This allows modification of sessions / or to take-over the whole session. This session can be kept open as long as needed.
- Two types: packet modification and takeover
- Packet modification
- UNC Injection attack works this way
- Also downgrade attacks
- Allows sending of arbitrary packets into the session
- Issue asynchronous SQL queries, etc..
- Monitor for pattern
- Modify according to logic (replace string, change bytes, …)
- Inject data asynchronously
- Requires taking over the session completely (original client is disconnected)
- Gathering a sled helps to ensure we get this right
- This is all reliant on data layer as well…
Understanding Oracle Queries
TNS – Net8
- TNS – Transparent Network Substrate
- Fairly simple, well-known
- Wireshark decoder exists
- Purpose is to encapsulate a variety of higher-layer protocols
- Net8 – Used by Oracle to issue queries, sits on top of TNS
- Not well known or documented
- Specification is available, requires contract and $$$
- No Wireshark decoder
TNS protocol has a lot of fields…. a lot are just 0x000 (at least that’s what was see in testing)
Net8 – 3 types of messages seen frequently
- User-to-Server, Net8 Bundle call 0x03 0x5E
- Piggyback call 0x11E
- User-to-Server, Fetch 0x03 0x5E
Why wait for a SELECT request from the host and change it…. we want to send data now.
This is where SLED packets come into play.
A SLED packet is something that contains predictable data and does something similar to what we want to do. SELECT queries are great examples. Once identified, a thicknet sled consists of IP Layer, TCP Layer, DATA
The attacker now owns the session, so he needs to maintain it accordingly (ACK packets, etc…)
The client currently gets kicked out of the session
- Proof of concept sled based injection, downgrade
- Modular, can be expanded to use other protocols
- Oracle protocol implementation
- Extensions can be made in the future – MySQL, SMB, MSSQL
If this attack can work for Oracle, why can’t it work for other protocols and services (Samba for example)
Downgrading for credentials
Demo –> MitM attack to grab the password hash in transit between the client and server (after downgrading the authentication)
By performing this kind of downgrading attack it is possible to brute-force crack the password hash using tools like woraauthbf.
Sometimes Oracle isn’t listening on the standard 1521/TCP. This can cause issues with the downgrading attack. This can be overcome by perform pattern matching on packet content to discover the required packets regardless of the port being used.
Using this kind of matching it’s also possible to intercept disconnection requests from the client to the server, and silently drop then (replying with a spoofed response to the client). This will fool the client into closing the session but leave it open for an attacker to continue to use.
Goal: To downgrade the Oracle authentication to the weakest algorithm and password hash. In this case the goal is to downgrade to the hash format used in Oracle 8i, DES (Data Encryption Standard).
The first downgrade attack was released by László Tóth. However the attack was aimed at JDBC connections and doesn’t appear to work on newer Oracle instances with upgrade JDBC (i.e. 184.108.40.206.0).
The JDBC downgrade attack is still valid with older versions of the client. By altering 1 bit, the old 8i authentication takes place. To prevent this from failing, checks are made in the thicknet tool to check the JDBC version in use to ensure it’s vulnerable before performing the downgrade.
InstantClient appears not to be vulnerable to this downgrading attack. When attempting, the connection between the client and server fails. One possible attack is to reply to the user as an Oracle 8i server and harvest the information required. The user will then need to retry connection, at which point the MitM will not attempt y downgrade and the user can then connect.
FullClient doesn’t always respond to this previous method.
- It works against the Oracle full client 220.127.116.11.
- Crashes and consequently fails with Oracle full client 10.1.0.2 (possible heap overflow).
- An exception happens with Oracle full client 18.104.22.168 which causes the connection to terminate.
The Thicknet program can detect the version of full client in use, and if a method is supported, it is automatically selected. However, neither of these methods is supported in Windows….
So is Windows immune?
- During negotiation there are a few bytes used to define the acceptable protocol version.
- The client offers different options and the server answers with the highest supported value (0x06).
- During all our tests, all servers always responded with 0x06, as all clients tested always offer the same six options: 0x06, 0x05, 0x04, 0x03, 0x02 and 0x01.
- Downgrading at this stage is very easy, we will just replace these values with 0x05, 0x05, 0x04, 0x03, 0x02 and 0x01.
- Note we are not sending 0x06 as an option anymore;
- consequently we are sending 0x05 two times.
This means that the server will respond with a 0x05 and the downgrade will happen automatically.
Similar to the previous downgrade, by changing a bit in the connection request it is possible to downgrade the connection to older LANMAN hashes. These passwords can be recovered using HALF-LM rainbow tables freely available.
Due to lack of time this area was only covered in brief –> please see the whitepaper for full information (link below)
For more information please see the Blackhat Europe website