Poke switches off Oracle database auditing
At this year's Hacktivity conference in Budapest, security researcher László Tóth demonstrated a method that can disable the auditing functions and authentication in all versions of the Oracle database. To do so, it uses oradebug, a command that is undocumented but exists in every Oracle installation. Auditing is meant to ensure reliable logging of database actions, so that tampering can be traced back.
Among other things, oradebug provides the poke command, known decades ago from BASIC as a way to change memory contents. According to Tóth, this makes it possible to stop auditing for system users with SYSDBA and SYSOPER privileges as well. The only condition is that the attacker can execute oradebug; the SYSDBA privilege, which is easy for a database administrator to obtain, is enough. Tóth also shows this in his presentation.
To switch off auditing, it is sufficient to read the memory address of a system variable from the internal table X$KSMFSV with an SQL statement and then set it to zero:
SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
Oracle security expert Alexander Kornbrust therefore considers products like Oracle Audit Vault [6], which are based on the auditing capabilities of the database and, according to their own advertising, also log the actions of privileged users, to be "almost useless". A SYSDBA/SYSOPER user can briefly disable auditing, perform some operations and enable it again.
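An added example, not from the original post or from Tóth's presentation: a Python script that scans recorded SQL*Plus session transcripts for oradebug poke commands and classifies each one from the BEFORE/AFTER output format quoted above. It assumes that such transcripts are captured outside the database (for instance by a session recorder); the function name find_pokes and the sample transcript are constructed for illustration.

```python
import re

# oradebug poke <address> <length> <value>, as typed at a SQL*Plus prompt
CMD = re.compile(r"oradebug\s+poke\s+(?:0x)?([0-9a-f]+)\s+(\d+)\s+(\S+)", re.I)
# Output line, e.g. "BEFORE: [060031BB0, 060031BB4) = 00000001"
DUMP = re.compile(r"(BEFORE|AFTER):\s*\[([0-9A-F]+),\s*([0-9A-F]+)\)\s*=\s*([0-9A-F]+)", re.I)


def find_pokes(transcript):
    """Return one finding per oradebug poke command seen in the transcript."""
    findings, current = [], None
    for lineno, line in enumerate(transcript.splitlines(), 1):
        cmd = CMD.search(line)
        if cmd:
            current = {"line": lineno, "address": int(cmd.group(1), 16),
                       "before": None, "after": None}
            findings.append(current)
            continue
        dump = DUMP.search(line)
        if dump and current and int(dump.group(2), 16) == current["address"]:
            current[dump.group(1).lower()] = int(dump.group(4), 16)
    for f in findings:
        # Non-zero to zero matches the switch-off in the article; the reverse is the switch back on.
        if f["before"] is None or f["after"] is None:
            f["verdict"] = "poke without complete output"
        elif f["before"] != 0 and f["after"] == 0:
            f["verdict"] = "cleared"
        elif f["before"] == 0 and f["after"] != 0:
            f["verdict"] = "restored"
        else:
            f["verdict"] = "memory write"
    return findings

# Constructed transcript: the first command and its output are the lines
# quoted in the article, the rest is made up for the example.
SAMPLE = """\
SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
SQL> select count(*) from dual;
SQL> ORADEBUG POKE 0x60031bb0 1 1
BEFORE: [060031BB0, 060031BB4) = 00000000
AFTER: [060031BB0, 060031BB4) = 00000001
SQL> oradebug poke 0x60031bb0 1 0
"""

if __name__ == "__main__":
    for f in find_pokes(SAMPLE):
        print(f"line {f['line']}: 0x{f['address']:x} {f['verdict']}")
```

A "cleared" finding followed later by "restored" on the same address brackets the window in which, per the article, actions went unaudited.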