Random notes about reverse engineering, security research, Oracle RDBMS internals, and so on...

Generic tracer

gt is a very simple win32 tracer, in some ways similar to the *NIX strace tool.
One reason I blog about it here is that it supports Oracle RDBMS .SYM symbol files.
The readme file is here, and you can download it here.

A few examples:

Memory allocations and deallocations:

gt.exe -a:oracle.exe bpf=.*!_kghalf,args:6 bpf=.*!_kghfrf,args:4

Dump the calling stack before each call:

Extracting some useful information from Oracle RDBMS binaries

As for the method of extracting all *that* information from Oracle RDBMS binaries (which function calls which, what their arguments can be, and which global variables each one uses), it is really simple.
I use IDA for all disassembly work, and it can generate an .asm listing automatically.
These .asm files can then be parsed with regular expressions or anything similar.
We just need to notice where functions start and end, and pick up the "push" and "call" instructions and so on.
We also need to parse all the data statements, so that references to global variables can be resolved to their labels.
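The following is an added example of that approach, not code from the original post: a small Python parser for an IDA-style .asm listing that records function boundaries, call edges with a push-count argument heuristic, and which data labels each function touches. The listing is a constructed sample; the helper function names and the dword_ labels are made up for illustration, and only the callee names _kghalf and _kghfrf come from this page.

```python
import re

# Constructed sample in the style of an IDA-generated .asm listing.
# _alloc_helper, _free_helper and the dword_ labels are invented for
# illustration; they are not real Oracle symbols or real disassembly.
SAMPLE_ASM = """\
.data
dword_5A0010    dd 0                    ; some global, e.g. a heap pointer
dword_5A0014    dd 5
.code
_alloc_helper   proc near
                push    ebp
                mov     ebp, esp
                push    [ebp+arg_4]
                push    [ebp+arg_0]
                call    _kghalf
                add     esp, 8
                mov     dword_5A0010, eax
                pop     ebp
                retn
_alloc_helper   endp
_free_helper    proc near
                push    ebp
                mov     ebp, esp
                mov     eax, dword_5A0014
                push    eax
                push    [ebp+arg_0]
                call    _kghfrf
                add     esp, 8
                pop     ebp
                retn
_free_helper    endp
"""

PROC_RE = re.compile(r"^(\w+)\s+proc\b")
ENDP_RE = re.compile(r"^(\w+)\s+endp\b")
DATA_RE = re.compile(r"^(\w+)\s+(db|dw|dd|dq)\b")
PUSH_RE = re.compile(r"^\s+push\b")
CALL_RE = re.compile(r"^\s+call\s+(\w+)")
FRAME_RE = re.compile(r"^\s+mov\s+ebp,\s*esp\b")
CLEANUP_RE = re.compile(r"^\s+add\s+esp,\s*(\d+)\b")


def parse_listing(text):
    """Return (data, funcs) extracted from an IDA-style .asm listing.

    data:  {label: data directive} for every top-level data statement
    funcs: {name: {"calls": [(callee, args)], "globals": set(labels)}}
    args is the number of pushes since the previous call (or since the
    frame prologue); an "add esp, N" right after the call overrides it
    with N/4, the cdecl caller-cleanup count.
    """
    data, funcs = {}, {}
    current, pending_pushes, just_called = None, 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop IDA comments
        if not line:
            continue
        if current is None:
            m = DATA_RE.match(line)
            if m:
                data[m.group(1)] = m.group(2)
                continue
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            funcs[current] = {"calls": [], "globals": set()}
            pending_pushes, just_called = 0, False
            continue
        if ENDP_RE.match(line):
            current = None
            continue
        if current is None:
            continue
        was_call, just_called = just_called, False
        if FRAME_RE.match(line):
            pending_pushes = 0      # "push ebp / mov ebp, esp" is not an argument
            continue
        if PUSH_RE.match(line):
            pending_pushes += 1
            continue
        m = CALL_RE.match(line)
        if m:
            funcs[current]["calls"].append((m.group(1), pending_pushes))
            pending_pushes, just_called = 0, True
            continue
        m = CLEANUP_RE.match(line)
        if m and was_call:
            callee, _ = funcs[current]["calls"][-1]
            funcs[current]["calls"][-1] = (callee, int(m.group(1)) // 4)
            continue
        for label in data:                    # global variable references
            if re.search(r"\b%s\b" % re.escape(label), line):
                funcs[current]["globals"].add(label)
    return data, funcs


def callers_of(funcs, callee):
    """Invert the call graph: who calls `callee`, and with how many args."""
    return sorted((name, n) for name, info in funcs.items()
                  for target, n in info["calls"] if target == callee)


if __name__ == "__main__":
    data, funcs = parse_listing(SAMPLE_ASM)
    for name, info in funcs.items():
        print(name, "calls", info["calls"], "uses", sorted(info["globals"]))
```

The push count is only a heuristic (register-passed or pre-stored arguments are missed), which is why the cdecl "add esp, N" cleanup is used to confirm it when present; fastcall or stdcall callees would need their own rules.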

Job

I'm currently looking for a job as a reverse engineer and/or security researcher.
Here is my CV.

Reverse engineering

I was asked to remove all the stuff I obtained by reverse engineering Oracle RDBMS, because of a conflict with the license terms.
So please do not be surprised.

CPUapr2009

CPUapr2009 came out. The CVE-2009-0991 Listener vulnerability was discovered by me, and here is a PoC for it (Python code).

Update:
It is some kind of RPC inside Oracle RDBMS called, if I am correct, RO (remote operation).
And the problem is in the correct parsing of such packets.

IBM DB2

IBM DB2 Version 9.5 Fix Pack 3a came out, also fixing two DoS vulnerabilities I found.

1. "IZ37697: SECURITY: MALICIOUS CONNECT DATA STREAM CAN CAUSE DENIAL OF SERVICE."
The first is a pre-auth DoS vulnerability. Here is the exploit: it requires a "DB2TEST" database to be present on the target server, because its name is hardcoded into the packet.
Download: DB2_PoC_1.py

"CHANGE USER" OPI call

Regarding the "BECOME USER" privilege and the upicui() function (UPI Change User Id):
There's a barely known OPI call, "CHANGE USER", which is in a way similar to *NIX su. It is known to be used at least by the IMP utility.
A caller should be logged in as a user with the "BECOME USER" privilege and call upicui() to change it.
Here is sample code that illustrates it; it uses some ancient OCI API (OCI7, if I'm correct).

Oracle SPY Events

-- Dennis Yurichev http://blogs.conus.info

This win32 utility intercepts the internal Oracle RDBMS function calls to ksdpec() and ss_wrtf() and may be used for hunting undocumented Oracle trace events.

Some trace events turn on debug messages, some change behavior, and some are even used to turn bug fixes on and off.

A trace event may be turned on by issuing a command like this:

ALTER SYSTEM SET EVENTS '10051 trace name context forever, level 255';

It assigns the level 255 to event number 10051.

SYS_OP_*

In reply to Jared Still's blog entry entitled "Undocumented Oracle Functions".

These are the SYS_OP_* functions which I was able to find in 11.1.0.7.0; however, I do not have any clue about what each does.

SYS_OP_ALEXPCOL
SYS_OP_ATG
SYS_OP_BL2R
SYS_OP_BLOOM_FILTER
SYS_OP_BLOOM_FILTER_LIST
SYS_OP_C2C
SYS_OP_CEG
SYS_OP_CL2C
SYS_OP_COMBINED_HASH
SYS_OP_COMP
SYS_OP_CONVERT
SYS_OP_COUNTCHG
SYS_OP_CSCONV
SYS_OP_CSCONVTEST
SYS_OP_CSR
SYS_OP_CSX_PATCH
SYS_OP_CSX_UPD
SYS_OP_DECOMP

"Basics of C within the Oracle kernel."

A very interesting text of unknown origin appeared on some forum, titled "Basics of C within the Oracle kernel."
It also contains code snippets from ksl.h and ksl.c.

Basics of C within the Oracle kernel.

C is a function-based language and, as with most languages, is composed of
declarations and statement blocks.

Below is a very simple example and even this example uses 5 functions:

        strcat(),strcpy(),write(),strlen() and print_string().

                ***************
