Let’s suppose that we have activated our database auditing as recommended and put in place a centralized auditing solution so that the audit data can be sent to a remote server and protected (Like in my previous blog post) . Let’s now think like a hacker, can we hide our database activities (or some of it) ?
So here we have access to our 19c oracle database (using pure unified auditing) and we want to hide our sysdba activity (disable auditing only for our current session) . All what we are going to do here is based on oradebug !
The first thing that we are going to do is change the protection of our memory region using mprotect to allow writing to it :
So now we have the write flag correctly set.This flag need to be set so that we can patch the oracle kernel function “sopts_IsUnifiedAuditOn” and disable auditing for our target session.
Sadly the oradebug poke function seem to not work as expected in recent oracle release
But don’t worry there is always other ways 🙂 We are going to use the “memset” function here to modify a little bit our function ( By the way I just modified the value pushed into the EAX register ) :
And that’s it we are good to go, we are in stealth mode now ! All auditing for our current session have been disabled ! Still we will find the execution of the last oradebug command in the “unified_audit_trail” :
PS: The oradebug command can be disabled by setting “_disable_oradebug_commands” to all.
That’s it 😀
REF :
- https://soonerorlater.hu/download/hacktivity_lt_2011_en.pdf
- http://www.red-database-security.com/wp/best_of_oracle_security_2011.pdf
Hi Mahmoud,
Thanks for this nice security article !
So audit logs generated for SYS account within the session will not get generated ?
if the parameter audit_sys_operations=TRUE
*.aud files gets generated…have you checked that ?
Regards,
Emad Al-Mousa
Hi ,
The target database is using unified auditing in pure mode so the parameter audit_sys_operations has no effect.
One has to wonder at the integrity of DBA that would do this and the wisdom of the author to publish it.
It’s not about integrity and trust , must of the cyber attack start from an internal employee. Every one has to know the potential threat of oradebug command so they can protect them self from it and reduce the attack surface . In this case disabling oradebug command will do the trick “_disable_oradebug_commands” . Anyway many of the thing i’m sharing here has been taken by consideration from oracle an corrected in there future patches.