Poke disables Oracle's database auditing

At this year's Hacktivity conference in Budapest, Hungary, security expert László Tóth has presented a method that is said to allow attackers to disable the auditing functions and authentication features in all versions of Oracle's databases. To achieve this, the security specialist used the undocumented oradebug utility that is part of every Oracle installation. The auditing feature is designed to ensure that database actions are reliably documented, which allows any changes to be traced.

The oradebug utility has commands such as poke, an instruction that was used to change memory contents in BASIC decades ago. Tóth said that the command can be used to disable auditing for system users such as SYSDBA and SYSOPER. The specialist explained that the only prerequisite is that the attacker must be able to execute oradebug – this can be achieved via the SYSDBA privilege which, as Tóth also demonstrated in his presentation, can easily be obtained by any database administrator.

To disable the auditing feature, an attacker can use a simple SQL statement to retrieve the memory address of a system variable from the internal X$KSMFSV table. This address is then put to zero:

SQL> oradebug poke 0×60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

Oracle security expert Alexander Kornbrust thinks that products such as Oracle Audit Vault, which are based on the database's auditing functions and, according to Oracle's own literature, even log the actions of privileged users, are therefore "nearly useless". Apparently, a SYSDBA/SYSOPER user can temporarily disable auditing, carry out a few operations, and then re-enable the function.

(crve)