Source: Oracle Database Communication Protocol, ZeroNights 2014 (zeronights.org/.../oracle-database-communication-protocol.pdf)
Oracle Database Communication Protocol
Roman Bazhin, ZeroNights E.0x04, @nezlooy
a pentester's view, or rude Oracle experiments
Agenda
• Motivation
• Oracle Client Drivers
• Oracle Net Architecture
• Oracle Database Protocol
• TNSIntruder
• Limitations and defense
Motivation: It all started with a task
Interaction Scheme (diagram: Oracle Client talking to RAC Node 1 and RAC Node 2; over 50 requests per module)
Testing Scheme (diagram: Oracle Client connected through NProxy / Fuzzer)
Reverse Fuzzing (diagram: Client and Fuzzserver)
Client: SYN
Fuzzserver: SYN-ACK
Client: ACK
Client: REQUEST
Fuzzserver: RESPONSE
Client: REQUEST
Fuzzserver: RESPONSE
Whoa, whoa… Get lost*!
Striped hat / Ethical gop-stopping
Pentester Requirements (diagram: Oracle Client connected through a MITM Proxy)
Just don't get caught!
• Replaying
• Modifying
• Spoofing
• Injecting
• etc.
Hm, and what about protocol? (diagram: Oracle Client, NProxy / Fuzzer, with a question mark on each link)
Hey… What about the protocol?
Googling: So what's out there on these internets of yours?
• Oracle TNS Protocol
  http://www.thesprawl.org/research/oracle-tns-protocol/
  Basic information about headers and packet types / For beginners / Outdated.
• Wireshark TNS data dissector
  http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c
  Only headers and packet types / Already have one.
• Presentations by Jonah Harris
  http://oracle-internals.com/
  Basic information about headers, TTC, server internals / Good.
• Oracle Protocol by Gwen Shapira
  http://www.pythian.com/blog/repost-oracle-protocol/
  Description of some message types, marshalling / Very good but outdated :(
Googling: So what's out there on these internets of yours?
• pytnsproxy by László Tóth
  http://soonerorlater.hu/index.khtml?article_id=515
  Oracle 9i, 10g and 11g MITM attack tool.
• pytnspoison by Joxean Koret
  http://seclists.org/fulldisclosure/2012/Apr/204
  Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
• Amoeba
  https://code.google.com/p/amoeba/
  Amoeba is a distributed database proxy / no longer supported.
Code (source screenshots)
pytnspoison: Well, fine, I guess :/
pytnsproxy: Totally fine :/
Amoeba: Also fine :/
Client Drivers: How do we solve the problem?
Oracle Client Drivers overview (diagram): OCI for 10g, 11g, 12c; JDBC and .NET, each with a Thin variant
Oracle Net Architecture: What's in the vendor's docs?
Oracle Net Architecture (Client)
• Application
• OCI/JDBC/.NET
• Two-Task Common (TTC)
• Oracle Net:
  • Oracle Net Foundation Layer
  • Oracle Protocol Support: TCP, TCPS, NP, SDP
TNS: Network Session (NS), Network Transport (NT), Network Naming (NN)
Oracle Net Architecture (OSI view)
• Application (OCI/JDBC/.NET)
• Two-Task Common (TTC)
• Oracle Net
• Transport layer
• Network layer
• Data link layer
• Physical layer
Oracle Net Architecture (Server)
• RDBMS
• OPI
• Two-Task Common (TTC)
• Oracle Net: Oracle Net Foundation Layer, Oracle Protocol Support
Oracle Database Protocol: Let's look closer!
• Types and formats of messages
• Sequence of messages
• Fields
• Serialization (Marshalling)
Types and formats of messages: Transparent Network Substrate (TNS)
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
TNS header (the first 8 bytes of the dump):
• Packet Size (00 9F)
• Packet Checksum (00 00)
• Packet Type (06 = DATA)
• Header Flags (00)
• Header Checksum (00 00)
Types and formats of messagesTransparent Network Substrate (TNS) in Oracle 12c
0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Packet Size
Packet Type
Header Flags
Header Checksum
Types and formats of messages: TNS / Packet Types:
• CONNECT = 0x01
• ACCEPT = 0x02
• ACKNOWLEDGE = 0x03
• REFUSE = 0x04
• REDIRECT = 0x05
• DATA = 0x06
• NULL = 0x07
• ABORT = 0x09
• RESEND = 0x0B
• MARKER = 0x0C
• ATTENTION = 0x0D
• CONTROL INFORMATION * = 0x0E
• DATA DESCRIPTOR * = 0x0F
* Observed in Oracle 12c
Types and formats of messages: DATA Packet Type
Data flag (the two bytes that follow the 8-byte TNS header; 00 00 in the dump above):
• DATA = 0x00
• MORE * = 0x20
• EOF = 0x40
* Observed in Oracle 12c
Types and formats of messages: Additional Network Options Negotiation (ANO)
Magic constant: DE AD BE EF, the bytes right after the data flag in the dump above, identify an ANO packet.
Types and formats of messages: Two-Task Interface (TTI)
0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07
0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E
TTI message (starts right after the 8-byte header and the 2-byte data flag, at offset 0x0A):
• Function ID (03 = TTIFUN)
• Subfunction ID (76)
• Sequence number * (01)
* Used only in the client request
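The header layouts, packet types, data flags, ANO magic and TTI function/subfunction/sequence bytes from the slides above, decoded by a small Python parser with a matching encoder. This is an added example, not TNSIntruder code; the function names and the layout-detection rule (a 10g/11g packet can never begin with 00 00 because its 2-byte length is at least 8) are mine, and the two sample headers are copied from the slide dumps.

```python
"""TNS packet header decoder/encoder for the two layouts shown in the slides:
Oracle 10g/11g (2-byte length + 2-byte packet checksum) and Oracle 12c
(4-byte length, no packet checksum). Added example; not TNSIntruder code."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PACKET_TYPES = {
    0x01: "CONNECT", 0x02: "ACCEPT", 0x03: "ACKNOWLEDGE", 0x04: "REFUSE",
    0x05: "REDIRECT", 0x06: "DATA", 0x07: "NULL", 0x09: "ABORT",
    0x0B: "RESEND", 0x0C: "MARKER", 0x0D: "ATTENTION",
    0x0E: "CONTROL INFORMATION", 0x0F: "DATA DESCRIPTOR",  # 0x0E/0x0F: 12c only
}
DATA_FLAGS = {0x00: "DATA", 0x20: "MORE", 0x40: "EOF"}  # MORE observed in 12c
TYPE_DATA = 0x06
ANO_MAGIC = b"\xde\xad\xbe\xef"  # Additional Network Options Negotiation
TTIFUN = 0x03                    # TTI function id: start of user function
HEADER_LEN = 8

# Header bytes copied from the slide dumps (10g/11g ANO packet, 12c TTI packet)
SLIDE_HDR_11G = bytes.fromhex("009F0000060000000000DEADBEEF0095")
SLIDE_HDR_12C = bytes.fromhex("000000A7062000000000037601")


@dataclass
class TnsHeader:
    length: int
    pkt_checksum: Optional[int]  # None in the 12c layout
    ptype: int
    flags: int
    hdr_checksum: int

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.ptype, f"UNKNOWN(0x{self.ptype:02X})")


def is_12c_layout(hdr: bytes) -> bool:
    """A 10g/11g packet starts with its 2-byte length, which is at least 8, so
    its first two bytes are never 00 00; a 12c packet shorter than 64 KiB
    always starts with 00 00 (assumption of this example, not from the slides)."""
    return hdr[:2] == b"\x00\x00"


def parse_header(hdr: bytes) -> TnsHeader:
    if len(hdr) < HEADER_LEN:
        raise ValueError("need 8 header bytes")
    if is_12c_layout(hdr):
        length, ptype, flags, hsum = struct.unpack(">IBBH", hdr[:8])
        return TnsHeader(length, None, ptype, flags, hsum)
    length, psum, ptype, flags, hsum = struct.unpack(">HHBBH", hdr[:8])
    return TnsHeader(length, psum, ptype, flags, hsum)


def classify_data_body(body: bytes) -> dict:
    """Decode the start of a DATA body: the 2-byte data flag, then either the
    ANO magic constant or a TTI message (function id, subfunction id, sequence)."""
    if len(body) < 2:
        raise ValueError("DATA body needs a 2-byte data flag")
    flag = struct.unpack(">H", body[:2])[0]
    info = {"data_flag": DATA_FLAGS.get(flag, f"0x{flag:02X}")}
    payload = body[2:]
    if payload.startswith(ANO_MAGIC):
        info["kind"] = "ANO"
    elif len(payload) >= 3 and payload[0] == TTIFUN:
        info.update(kind="TTIFUN", subfunction=payload[1], sequence=payload[2])
    elif payload:
        info.update(kind="TTI", function=payload[0])
    else:
        info["kind"] = "EMPTY"  # e.g. a bare EOF data flag at logoff
    return info


def build_data_packet(payload: bytes, data_flag: int = 0, oracle12c: bool = False) -> bytes:
    """Marshal a DATA packet; checksums are left at zero, as in the slide dumps."""
    body = struct.pack(">H", data_flag) + payload
    total = HEADER_LEN + len(body)
    if oracle12c:
        return struct.pack(">IBBH", total, TYPE_DATA, 0, 0) + body
    if total > 0xFFFF:
        raise ValueError("10g/11g header cannot carry more than 65535 bytes")
    return struct.pack(">HHBBH", total, 0, TYPE_DATA, 0, 0) + body


def parse_packet(buf: bytes) -> Tuple[TnsHeader, dict]:
    """Decode one complete packet. A proxy reads 8 bytes, then length - 8 more;
    a declared length that does not fit the buffer is rejected, not trusted."""
    hdr = parse_header(buf)
    if hdr.length < HEADER_LEN or hdr.length > len(buf):
        raise ValueError(f"declared length {hdr.length} does not fit {len(buf)} bytes")
    body = buf[HEADER_LEN:hdr.length]
    return hdr, classify_data_body(body) if hdr.ptype == TYPE_DATA else {}
```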
Types and formats of messages: TTC / TTI commands:
• TTIPRO: Set protocol
• TTIDTY: Set datatypes
• TTIFUN: Start of user function
• TTIOER: Error / Selecting completed
• TTIRXH: Row transfer header
• TTIRXD: Row transfer data
• TTIRPA: Return OPI Parameter
• TTISTA: Oracle func complete
• TTIIOV: I/O vector
• TTILOBD: LOB/FILE data follows
• TTIDCB: Describe information
• TTIPFN: Piggyback func follows
• …
Client data requests
Types and formats of messages: TTC / TTI subfunctions:
• TTIFUN: OSESSKEY, OAUTH, OVERSION, OALL8, OFETCH, OLOBOPS, OCOMMIT, OROLLBACK, OPING, OCLOSE
• TTIPFN: O80SES, OCCA
• …
Server data responses
Sequence of messages: Authentication
Client: CONNECT
Server: ACCEPT
Client: ANO
Server: ANO
Client: TTIPRO
Server: TTIPRO
Client: TTIDTY
Server: TTIDTY
Client: TTIFUN -> OSESSKEY
Server: TTIRPA
Client: TTIFUN -> OAUTH
Server: TTIRPA
Client: TTIFUN -> OVERSION *
Server: TTIRPA
* Thin client; OCI uses TTIPFN -> O80SES or does not send it at all
Sequence of messages: Selecting
Client: TTIFUN -> OALL8
Server: TTIDCB
Client: TTIFUN -> OFETCH
Server: TTIRXH
Sequence of messages: Selecting
Client: TTIPFN -> OCCA
Server: TTIDCB
Client: TTIFUN -> OFETCH
Server: TTIOER
Sequence of messages: Selecting (LOB)
Client: TTIFUN -> OALL8
Server: TTIDCB
Client: TTIFUN -> OFETCH
Server: TTIRXH
Client: TTIFUN -> OLOBOPS
Server: TTILOBD, then DATA *, DATA, DATA
Client: TTIFUN -> OLOBOPS
Server: TTIRPA
* Observed in Oracle 10g and 11g
Sequence of messages: Logging Off
Client: TTIFUN -> OLOGOFF *
Server: TTISTA
Client: EOF
* OCI and Thin client use TTIPFN -> OCCA
Client: TTIFUN -> OROLLBACK
Server: TTISTA
Client: TTIFUN -> OCOMMIT
Server: TTISTA
Fields (field names as shown on the slide):
length, pkt_checksum, type, flag, hdr_checksum, data_flag, data_flag, data_id, data_id, sig, data_id, ano, overall_data_size, version_int_1, version_str_1, service, options_flag_or_service_to_be_used, service_sv, timeout, seqNumber, packetVersion, lowestVersion, options, sduSize, tduSize, protocolCharacteristics, undefined1, HWByteOrder, dataLen, dataOff, maxReceivedData, anoFlags, anoEnabled, b4padding, largeSDU, sduSize, tduSize, func, flag0, flag1, noAnoServices, noAnoServices, extended, timeout, tick, timeout, reconnectAddrLen, reconnectAddrOff, largeSDU, sduSize, tduSize, session, poolEnabled, timestampLastIO, sduSize, tduSize, isBreak, A_MAGIC1, dataLen, intVersion, strVersion, Supervisor, options, serviceSv, serviceSvSub, serviceSvMarker, serviceSvShortVer1, serviceSvShortVer2, serviceSvIntVersion, serviceSvStrVersion, drivers, driversType, curPID, junk, objLen, objType
Serialization (Marshalling): Data Types:
• UB1, SB1 (UBInt8, SBInt8)
• UB2, SB2 (UBInt16, SBInt16)
• UB4, SB4 (UBInt32, SBInt32)
• SB8 (SBInt64)
• UWORD, SWORD (UBInt32, SBInt32)
• B1Array (UB1 Array)
• B4Array (UB4 Array)
• O2U (B1/B4Array)
• NULLPTR (O2U(False))
• PTR (O2U(True))
• CLR (B1Array[64])
• CHR (UB1Array)
• TEXT (CString)
• DALC (SB4, CLR)
• KEYVAL (DALC, DALC, UB4)
• KPDKV (DALC, DALC, UB2)
• UCS2 (UB2)
• RefCursor (SB4)
• BFILE / BLOB / CLOB
Serialization (Marshalling): Some magic (screenshot)
TNSIntruder: Check it out, bro!
TNSIntruder: a utility written in Python that works as a database proxy. Supports Oracle Database 10g, 11g, 12c.
Features:
• Classes and marshalling engine
• Collector of sequences
• Injecting arbitrary SQL queries (session hijacking)
Demo: Hey… buddy, roll the video!
TNSIntruder: Necessary to implement:
• PL/SQL support
• Network Data Encryption and Integrity Checks support
Wish list:
• SQL parser
• Java backdoor uploader in a hijacked session *
* And support for ODAT (Oracle Database Attacking Tool) features
TNSIntruder
https://github.com/nezlooy
Limitations and defense: Hustle carefully!
Limitations and defense
• Channel
  • Network Data Encryption and Integrity Checks
  • PKI (Oracle wallets)
• Data protection
  • Authentication
• Database attacks
  • Oracle Database Firewall
  • Antifraud solutions
Bonus: The Oracle guys are killing it!
Gop-stopping of Instant Clients
Fuzzing with pyZZUF and Radamsa
• OCI
• Only 6 server responses were fuzzed
• Unique faults per Instant Client version: 10.2.0.5.0 (9), 11.2.0.4.0 (7), 12.1.0.2.0 (9)
• Fault classes: AV_READ, AV_WRITE, AV_EXEC, HEAP_CORRUPTS
Questions? Any questions? And what if I find some?
Thank You
nezlooy
Thanks from the heart, bros!