Oracle Database

Communication Protocol
a pentesters view, or rude Oracle experiments

Roman Bazhin
ZeroNights E.0x04
@nezlooy
Who am I
Security researcher at Digital Security

r.bazhin@dsec.ru
@nezlooy
Agenda
Motivation
Oracle Client Drivers
Oracle Net Architecture
Oracle Database Protocol
TNSIntruder
Limitations and defense
Motivation

Interaction Scheme

RAC Node 1

Client
Oracle

RAC Node 2
Interaction Scheme

RAC Node 1

Client Over 50 requests

Oracle per module

RAC Node 2
Testing Scheme

Proxy / Fuzzer
Oracle Client N
Reverse Fuzzing

Client
SYN

ACK
Fuzz
SYN-ACK server
Reverse Fuzzing

Client
SYN

ACK
Fuzz
SYN-ACK server
REQUEST

RESPONSE
Reverse Fuzzing

Client
SYN

ACK
Fuzz
SYN-ACK server
REQUEST

REQUEST RESPONSE

RESPONSE
Reverse Fuzzing
- *!

Client
SYN

ACK
Fuzz
SYN-ACK server
REQUEST

REQUEST RESPONSE

RESPONSE
Reverse Fuzzing
Striped hat / Ethical gop-stopping

Client
SYN

ACK
Fuzz
SYN-ACK server
REQUEST

REQUEST RESPONSE

RESPONSE
Pentester Requirements
!

MITM Proxy Client

Oracle
Replaying Spoofing
Modifying Injecting
etc.
Hm, and what about protocol?
?

? ?
Proxy / Fuzzer
Oracle Client N
Googling
?
Oracle TNS Protocol
http://www.thesprawl.org/research/oracle-tns-protocol/
Basic information about headers, type of packets / For beginners / Outdated.
Wireshark TNS data dissector.
http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-tns.c
Only headers, type of packets / Already have one.
Presentations by Jonah Harris
http://oracle-internals.com/
Basic information about headers, TTC, server internals / Good.
Oracle Protocol by Gwen Shapira
http://www.pythian.com/blog/repost-oracle-protocol/
Description of some types of messages, marshalling / Very good but outdated :(
Googling
?
pytnsproxy by Lszl Tth
http://soonerorlater.hu/index.khtml?article_id=515
Oracle 9i, 10g and 11g MITM-attack tool.
pytnspoison by Joxean Koret
http://seclists.org/fulldisclosure/2012/Apr/204
Oracle 9i, 10g and 11g TNS Listener Poison exploitation tool.
Amoeba
https://code.google.com/p/amoeba/
Amoeba is a Distributing database proxy / no longer supported.
Code
, :/

pytnspoison
Code
, :/

pytnsproxy
Code
:/

Amoeba
Client Drivers
?
Oracle Client Drivers overview

JDBC OCI .NET

10g, 11g, 12c

Oracle Client Drivers overview

Thin JDBC OCI .NET Thin

10g, 11g, 12c

Oracle Net Architecture
?
Oracle Net Architecture
Application
Client
OCI/JDBC/.NET

Two-Task Common (TTC)

Oracle Net Foundation Layer

Oracle Net
Oracle Protocol Support
Oracle Net Architecture
Application

OCI/JDBC/.NET Network Naming (NN)

Two-Task Common (TTC) Network Transport (NT)

Network Session (NS) TNS

Oracle Net Foundation Layer
Oracle Net TCP TCPS NP SDP
Oracle Protocol Support
Oracle Net Architecture (OSI view)
Application (OCI/JDBC/.NET)

Two-Task Common (TTC)

Oracle Net

Transport layer

Network layer

Data link layer

Physical layer
Oracle Net Architecture (Server)
Server
RDBMS
OPI

Two-Task Common (TTC)

Oracle Net Foundation Layer

Oracle Net
Oracle Protocol Support
Oracle Database Protocol
!
Types and formats of messages
Sequence of messages
Fields
Serialization (Marshalling)
Types and formats of messages
Transparent Network Substrate (TNS)

0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages
Transparent Network Substrate (TNS)
Packet Size
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95 Packet Checksum
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
Packet Type
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 Header Flags
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00 Header Checksum
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages
Transparent Network Substrate (TNS) in Oracle 12c
Packet Size
0000 00 00 00 9F 06 00 00 00 00 00 DE AD BE EF 00 95 Packet Type
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
Header Flags
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00 Header Checksum
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages
TNS / Packet Types:
CONNECT = 0x01 ABORT = 0x09
ACCEPT = 0x02 RESEND = 0x0B
ACKNOWLEDGE = 0x03 MARKER = 0x0C
REFUSE = 0x04 ATTENTION = 0x0D
REDIRECT = 0x05 CONTROL INFORMATION * = 0x0E
DATA = 0x06 DATA DESCRIPTOR * = 0x0F
NULL = 0x07

* Observed in Oracle 12c

Types and formats of messages
TNS / Packet Types:
CONNECT = 0x01 ABORT = 0x09
ACCEPT = 0x02 RESEND = 0x0B
ACKNOWLEDGE = 0x03 MARKER = 0x0C
REFUSE = 0x04 ATTENTION = 0x0D
REDIRECT = 0x05 CONTROL INFORMATION * = 0x0E
DATA = 0x06 DATA DESCRIPTOR * = 0x0F
NULL = 0x07

* Observed in Oracle 12c

Types and formats of messages
DATA Packet Type
Data flag
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00 DATA = 0x00
MORE * = 0x20
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09 EOF = 0x40
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00

* Observed in Oracle 12c

Types and formats of messages
Additional Network Options Negotiation (ANO)
Magic constant
0000 00 9F 00 00 06 00 00 00 00 00 DE AD BE EF 00 95
0010 0A 20 00 00 00 04 00 00 04 00 03 00 00 00 00 00
0020 04 00 05 0A 20 00 00 00 08 00 01 09 09 09 09 09
0030 09 09 09 00 12 00 01 DE AD BE EF 00 03 00 00 00
0040 04 00 04 00 01 00 02 00 03 00 01 00 03 00 00 00
0050 00 00 04 00 05 0A 20 00 00 00 02 00 03 E0 E1 00
0060 02 00 06 FC FF 00 02 00 02 00 00 00 00 00 04 00
0070 05 0A 20 00 00 00 0C 00 01 00 01 08 0A 06 03 02
0080 0B 0C 0F 10 11 00 03 00 02 00 00 00 00 00 04 00
0090 05 0A 20 00 00 00 06 00 01 00 01 03 04 05 06 00
Types and formats of messages
Two-Task Interface (TTI)
Function ID
0000 00 00 00 A7 06 20 00 00 00 00 03 76 01 01 01 07 Subfunction ID
0010 01 01 01 01 05 01 01 4F 52 41 55 53 45 52 01 0D
Sequence number *
0020 0D 41 55 54 48 5F 54 45 52 4D 49 4E 41 4C 01 07
0030 07 75 6E 6B 6E 6F 77 6E 00 01 0F 0F 41 55 54 48
0040 5F 50 52 4F 47 52 41 4D 5F 4E 4D 01 10 10 4A 44
0050 42 43 20 54 68 69 6E 20 43 6C 69 65 6E 74 00 01
0060 0C 0C 41 55 54 48 5F 4D 41 43 48 49 4E 45 01 0B
0070 0B 41 42 43 41 42 43 44 45 2D 70 63 00 01 08 08
0080 41 55 54 48 5F 50 49 44 01 04 04 31 32 33 34 00
0090 01 08 08 41 55 54 48 5F 53 49 44 01 08 08 72 2E

* Used only in the client request

Types and formats of messages
TTC / TTI commands:
TTIPRO # Set protocol TTIRPA # Return OPI Parameter
TTIDTY # Set datatypes TTISTA # Oracle func complete
TTIFUN # Start of user function TTIIOV # I/O vector
TTIOER # Error / Selecting completed TTILOBD # LOB/FILE data follows
TTIRXH # Row transfer header TTIDCB # Describe information
TTIRXD # Row transfer data TTIPFN # Piggyback func follows

Types and formats of messages
TTC / TTI commands:
TTIPRO # Set protocol TTIRPA # Return OPI Parameter
TTIDTY # Set datatypes TTISTA # Oracle func complete
TTIFUN # Start of user function TTIIOV # I/O vector
TTIOER # Error / Selecting completed TTILOBD # LOB/FILE data follows
TTIRXH # Row transfer header TTIDCB # Describe information
TTIRXD # Row transfer data TTIPFN # Piggyback func follows

Types and formats of messages
TTC / TTI commands:
TTIPRO # Set protocol TTIRPA # Return OPI Parameter
TTIDTY # Set datatypes TTISTA # Oracle func complete
TTIFUN # Start of user function TTIIOV # I/O vector
TTIOER # Error / Selecting completed TTILOBD # LOB/FILE data follows
TTIRXH # Row transfer header TTIDCB # Describe information
TTIRXD # Row transfer data TTIPFN # Piggyback func follows

Types and formats of messages
TTC / TTI commands:
TTIPRO # Set protocol TTIRPA # Return OPI Parameter
TTIDTY # Set datatypes TTISTA # Oracle func complete
TTIFUN # Start of user function TTIIOV # I/O vector
TTIOER # Error / Selecting completed TTILOBD # LOB/FILE data follows
TTIRXH # Row transfer header TTIDCB # Describe information
TTIRXD # Row transfer data TTIPFN # Piggyback func follows

Types and formats of messages
TTC / TTI commands:
TTIPRO # Set protocol TTIRPA # Return OPI Parameter
TTIDTY # Set datatypes TTISTA # Oracle func complete
TTIFUN # Start of user function TTIIOV # I/O vector
TTIOER # Error / Selecting completed TTILOBD # LOB/FILE data follows
TTIRXH # Row transfer header TTIDCB # Describe information
TTIRXD # Row transfer data TTIPFN # Piggyback func follows

Client data requests

Types and formats of messages
TTC / TTI subfunction:
TTIFUN TTIPFN
OSESSKEY O80SES
OAUTH OCCA
OVERSION
OALL8
OFETCH
OLOBOPS
OCOMMIT
OROLLBACK
OPING
OCLOSE
Types and formats of messages
TTC / TTI subfunction:
TTIFUN TTIPFN
OSESSKEY O80SES
OAUTH OCCA
OVERSION
OALL8
OFETCH
OLOBOPS
OCOMMIT
OROLLBACK
OPING
OCLOSE
Types and formats of messages
TTC / TTI commands:
TTIPRO # Set protocol TTIRPA # Return OPI Parameter
TTIDTY # Set datatypes TTISTA # Oracle func complete
TTIFUN # Start of user function TTIIOV # I/O vector
TTIOER # Error / Selecting completed TTILOBD # LOB/FILE data follows
TTIRXH # Row transfer header TTIDCB # Describe information
TTIRXD # Row transfer data TTIPFN # Piggyback func follows

Server data responses

Sequence of messages
CONNECT
Authentication
ANO
ACCEPT
TTIPRO
ANO
TTIDTY

Client Server
TTIPRO
TTIFUN -> OSESSKEY
TTIDTY
TTIFUN -> OAUTH
TTIRPA
TTIFUN -> OVERSION *
TTIRPA

TTIRPA
* Thin client, OCI use TTIPFN -> O80SES or not used at all
Sequence of messages
Selecting

TTIFUN -> OALL8

TTIFUN -> OFETCH

Client TTIDCB Server
TTIRXH
Sequence of messages
Selecting

TTIPFN -> OCCA

TTIFUN -> OFETCH

Client TTIDCB Server
TTIOER
Sequence of messages
Selecting
TTIFUN -> OALL8

TTIFUN -> OFETCH

TTIDCB
TTIFUN -> OLOBOPS
TTIRXH
Client Server
TTILOBD
DATA *
TTIFUN -> OLOBOPS DATA
DATA

TTIRPA

* Observed in Oracle 10g and 11g

Sequence of messages
Logging Off

TTIFUN -> OCOMMIT

TTIFUN -> OROLLBACK

Client Server
TTISTA
TTIFUN -> OLOGOFF *
TTISTA
EOF
TTISTA

* OCI, Thin client use TTIPFN -> OCCA

Fields
length seqNumber lag0 A_MAGIC1
pkt_checksum packetVersion flag1 dataLen
type lowestVersion noAnoServices intVersion
flag options noAnoServices strVersion
hdr_checksum sduSize extended Supervisor
data_flag tduSize timeout options
data_flag protocolCharacteristics tick serviceSv
data_id undefined1 timeout serviceSvSub
data_id HWByteOrder reconnectAddrLen serviceSvMarker
sig dataLen reconnectAddrOff serviceSvShortVer1
data_id dataOff largeSDU serviceSvShortVer2
ano maxReceivedData sduSize serviceSvIntVersion
overall_data_size anoFlags tduSize serviceSvStrVersion
version_int_1 anoEnabled session drivers
version_str_1 b4padding poolEnabled driversType
service largeSDU timestampLastIO curPID
options_flag_or_service_to_be_used sduSize sduSize junk
service_sv tduSize tduSize objLen
timeout func isBreak objType
Fields
length seqNumber lag0 A_MAGIC1
pkt_checksum packetVersion flag1 dataLen
type lowestVersion noAnoServices intVersion
flag options noAnoServices strVersion
hdr_checksum sduSize extended Supervisor
data_flag tduSize timeout options
data_flag protocolCharacteristics tick serviceSv
data_id undefined1 timeout serviceSvSub
data_id HWByteOrder reconnectAddrLen serviceSvMarker
sig dataLen reconnectAddrOff serviceSvShortVer1
data_id dataOff largeSDU serviceSvShortVer2
ano maxReceivedData sduSize serviceSvIntVersion
overall_data_size anoFlags tduSize serviceSvStrVersion
version_int_1 anoEnabled session drivers
version_str_1 b4padding poolEnabled driversType
service largeSDU timestampLastIO curPID
options_flag_or_service_to_be_used sduSize sduSize junk
service_sv tduSize tduSize objLen
timeout func isBreak objType
Serialization (Marshalling)
Data Types:
UB1, SB1 (UBInt8, SBInt8) CLR (B1Array[64])
UB2, SB2 (UBInt16, SBInt16) CHR (UB1Array)
UB4, SB4 (UBInt32, SBInt32) TEXT (CString)
SB8 (SBInt64) DALC (SB4, CLR)
UWORD, SWORD (UBInt32, SBInt32) KEYVAL (DALC, DALC, UB4)
B1Array (UB1 Array) KPDKV (DALC, DALC, UB2)
B4Array (UB4 Array) UCS2 (UB2)
O2U (B1/B4Array) RefCursor (SB4)
NULLPTR (O2U(False)) BFILE / BLOB / CLOB
PTR (O2U(True))
Serialization (Marshalling)
Some magic
TNSIntruder
, !
TNSIntruder
Utility written in Python, works as a database proxy.
Support Oracle Databases 10g, 11g, 12c

Features:
Classes and marshalling engine
Collector of sequences
Injecting arbitrary SQL queries (Session hijacking)
Demo
, !
TNSIntruder
Necessary to implement:
PL/SQL support
Network Data Encryption and Integrity Checks support

Whish list:
SQL-parser
Java-backdoors uploader in hijacked session *

* And ODAT (Oracle Database Attacking Tool) features supporting

TNSIntruder

https://github.com/nezlooy
Limitations and defense
!
Limitations and defense
Channel
Network Data Encryption and Integrity Checks
PKI (Oracle wallets)
Data protection
Authentication
Database attacks
Oracle Database Firewall
Antifraud solutions
Bonus
!
Gop-stopping of Instant Clients
Fuzzing with pyZZUF and Radamsa
OCI
Was fuzzed only 6 server responses

10.2.0.5.0 11.2.0.4.0 12.1.0.2.0

Gop-stopping of Instant Clients
Fuzzing with pyZZUF and Radamsa
OCI
Was fuzzed only 6 server responses
Unique faults

10.2.0.5.0 (9) 11.2.0.4.0 (7) 12.1.0.2.0 (9)

AV_READ, AV_WRITE, AV_EXEC, HEAP_CORRUPTS

Questions?
? ?
Thank You
, !

nezlooy