
All posts by ludatou - page 4

Simple defenses against Bitcoin ransomware targeting Oracle databases

From 2017 and on into 2018 we have had a steady stream of new and existing customers whose Oracle databases were hit by this family of malicious scripts. Along the way we have accumulated some countermeasures; this post briefly introduces two easy, passive defenses:

1. Pre-create (squat on) the object names the attack script uses (the simplest and crudest method)

DBMS_SUPPORT_INTERNAL

DBMS_SYSTEM_INTERNAL

DBMS_CORE_INTERNAL

Occupy these three object names so that the script's own CREATE fails with ORA-00955. Note what this does and does not cover: object names are scoped per schema, so a placeholder only blocks the name in the schema it was created in; triggers live in their own namespace, separate from tables and procedures, so a placeholder table does not stop a trigger of the same name; and a CREATE OR REPLACE of the same object type simply overwrites the placeholder. That is why this is the crudest method.

2. Actively block trigger creation

Block DDL for the main DBA accounts with a database-level DDL trigger. The trigger follows the usual pattern and is not reproduced here.
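As an added example (not code from the original post), here are the two defenses combined into one database-level DDL trigger owned by SYS: it refuses any object whose name is one of the three the post lists, in every schema and namespace, and it refuses CREATE TRIGGER from the named DBA accounts. The account names APP_DBA1 and APP_DBA2 are placeholders for whatever accounts the post has in mind; the error numbers are arbitrary choices in the user range.

```sql
-- Added example, not from the original post. Run as SYS; creating an ON DATABASE
-- trigger needs the ADMINISTER DATABASE TRIGGER privilege.
CREATE OR REPLACE TRIGGER sys.block_ransom_ddl
  BEFORE CREATE ON DATABASE
DECLARE
  -- The three object names the post says the malicious script creates,
  -- comma-delimited so a single INSTR can test membership.
  v_bad_names CONSTANT VARCHAR2(200) :=
    ',DBMS_SUPPORT_INTERNAL,DBMS_SYSTEM_INTERNAL,DBMS_CORE_INTERNAL,';
BEGIN
  -- Defense 1, enforced rather than squatted: the names are refused in every
  -- schema and for every object type (table, procedure, trigger, ...), and
  -- CREATE OR REPLACE cannot get around it because it still fires this trigger.
  IF INSTR(v_bad_names, ',' || UPPER(ora_dict_obj_name) || ',') > 0 THEN
    RAISE_APPLICATION_ERROR(-20901,
      'Object name ' || ora_dict_obj_name || ' is reserved by security policy');
  END IF;

  -- Defense 2: the listed DBA-level accounts may not create triggers at all.
  -- ora_login_user is the session's login user, so a proxy or role does not hide it.
  IF ora_dict_obj_type = 'TRIGGER'
     AND ora_login_user IN ('APP_DBA1', 'APP_DBA2')   -- placeholder account names
  THEN
    RAISE_APPLICATION_ERROR(-20902,
      'CREATE TRIGGER by ' || ora_login_user || ' is blocked by security policy');
  END IF;
END;
/
```

After creating it, verify from one of the listed accounts that a CREATE TRIGGER fails with ORA-20902 while ordinary DDL such as CREATE TABLE still works, and from any account that CREATE PROCEDURE DBMS_CORE_INTERNAL fails with ORA-20901. Keep the body this simple: if a database-level DDL trigger ever becomes invalid, every subsequent CREATE fails with ORA-04098 until it is fixed or disabled with ALTER TRIGGER sys.block_ransom_ddl DISABLE.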

Oracle bootstrap$ explained

What is bootstrap?

Bootstrap is a technique for loading the first few instructions of a computer program into active memory and then using them to bring in the rest of the program.

What is bootstrap in Oracle ?

In Oracle, bootstrap refers to loading the metadata (data dictionary) needed before the database can be OPENed. The objects (tables, indexes and clusters) with object_id below 56 are classified as bootstrap objects. They are mandatory for bringing up an instance, because they hold the most important metadata of the database.

What happens on database startup?

This can be observed by enabling SQL_TRACE while opening the database. Connect as SYSDBA and do the following:
SQL> startup mount;
SQL> alter session set events '10046 trace name context forever, level 12';
SQL> alter database open;
SQL> alter session set events '10046 trace name context off';
SQL> ORADEBUG SETMYPID
SQL> ORADEBUG TRACEFILE_NAME
The SQL trace of this process shows what happens behind the startup. The bootstrap operation takes place between the MOUNT stage and the OPEN stage.
1.) The first SQL statement in the trace is the creation of the bootstrap$ table, similar to the following:
create table bootstrap$ ( line# number not null, obj# number not null, sql_text varchar2(4000) not null) storage (initial 50K objno 56 extents (file 1 block 377))
The sys.bootstrap$ table holds the DDL for the other bootstrap tables (object_id below 56). These tables were actually created internally at database creation time (by sql.bsq); the CREATE statements replayed between MOUNT and OPEN go through different driver routines and are not standard CREATE DDL. In simple terms, while starting up, Oracle loads these objects into memory (the shared pool): it assigns each its object number and points it at the datafile and block recorded in the DDL. This happens only at instance startup.
The internals are in the kernel source file kqlb.c.
2.) Next, a query is run against sys.bootstrap$, which holds the CREATE statements for the other base tables:
select line#, sql_text from bootstrap$ where obj# != :1 (56)
The bind :1 is 56, the object number of bootstrap$ itself. Oracle then creates the remaining objects by executing the returned statements:
Object number 0 – the SYSTEM rollback segment
Object numbers 2 to 55 – the other base tables
Object number 1 is not used by any object.
3.) Various operations are performed to keep the bootstrap objects in a consistent state.
Once the bootstrap completes successfully, the database carries out the remaining tasks, such as recovery, and opens.

Which objects are classified as bootstrap objects in oracle database?

Objects with object_id below 56 are the core bootstrap objects. In addition, the following objects are treated as bootstrap objects even though they are not listed in sys.bootstrap$:

hist_head$
histgrm$
i_hh_obj#_col#
i_hh_obj#_intcol#
i_obj#_intcol#
i_h_obj#_col#
c_obj#_intcol#
From 10.1 the following objects have been added:
fixed_obj$
tab_stats$
ind_stats$
i_fixed_obj$_obj#
i_tab_stats$_obj#
i_ind_stats$_obj#
object_usage
These additional objects can be re-classified as non-bootstrap (that is, ignored by the bootstrap) in two ways:
1. Opening the database in migrate mode
2. Setting event 38003
Event 38003 affects the bootstrap step that loads the fixed cache in kqlblfc(). By default certain objects are marked as bootstrap objects (even though they are not defined as such in sys.bootstrap$); with the event set they are left non-bootstrapped.

What is a bootstrap process failure (ORA-00704)?

ORA-00704 is SERIOUS when reported at startup: it means something went wrong during the bootstrap operation. Any ORA-00704 on STARTUP or RECOVER normally comes from an inconsistency in the bootstrap segments, or from corruption of bootstrap$ or of one of the base tables with object_id below 56. After this error the database may refuse to open.

When does ORA-00704 occur?

1. It is likely when unsupported operations have been used to force the database open.
2. It can also occur when the SYSTEM datafile has corrupted blocks (ORA-01578).
3. In earlier releases (prior to 7.3.4 and 8.0.3) it could be caused by Bug 434596.
The remedy is to restore from a good backup and recover.
-> If the underlying cause is physical corruption due to hardware problems, perform complete recovery.
-> If no physical corruption is involved, the problem is probably due to unsupported actions on the bootstrap objects, and a point-in-time recovery to before those actions is an option in such a case.
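As an added example (not part of the original post), the following query, run as SYSDBA on an open database, lists what sys.bootstrap$ will replay at the next startup and cross-checks each DDL's object number against sys.obj$ in both directions. It assumes every bootstrap$ DDL carries an objno clause, as the sample create table statement above does; the type# decode covers only tables, indexes and clusters. It cannot diagnose a database that already fails with ORA-00704, since the dictionary is not available then, but on a healthy database it shows concretely what the bootstrap depends on and gives a baseline to compare with a restored copy.

```sql
-- Added example, not from the original post. Run as SYSDBA on an OPEN database.
-- Assumption: each bootstrap$ DDL contains "objno N" (see the sample DDL above).
WITH boot AS (
  SELECT line#,
         TO_NUMBER(REGEXP_SUBSTR(sql_text, 'objno\s+(\d+)', 1, 1, 'i', 1)) AS objno
  FROM   sys.bootstrap$
  WHERE  obj# != 56                       -- same filter the startup trace shows
), dict AS (
  SELECT obj#, name,
         DECODE(type#, 1, 'INDEX', 2, 'TABLE', 3, 'CLUSTER', TO_CHAR(type#)) AS obj_type
  FROM   sys.obj$
  WHERE  obj# BETWEEN 1 AND 55            -- the core bootstrap range from the post
)
SELECT COALESCE(b.objno, d.obj#) AS obj_no,
       b.line#,
       d.name,
       d.obj_type,
       CASE
         WHEN b.line# IS NOT NULL AND b.objno IS NULL THEN 'no objno found in DDL text'
         WHEN d.obj#  IS NULL                         THEN 'in bootstrap$ but MISSING from obj$'
         WHEN b.line# IS NULL                         THEN 'in obj$ but not created by bootstrap$'
         ELSE 'ok'
       END AS status
FROM   boot b
       FULL OUTER JOIN dict d ON d.obj# = b.objno
-- objno 0 is the SYSTEM rollback segment, tracked in undo$ rather than obj$,
-- so it is left out of the cross-check.
WHERE  b.objno IS NULL OR b.objno <> 0
ORDER  BY obj_no, b.line#;
```

On a healthy database every row should read ok; a MISSING row is exactly the kind of dictionary inconsistency the previous section warns about, and the line# column tells you which bootstrap$ statement is affected.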

August 12: another encounter with the Bitcoin ransomware, this time a variant.

We ran into it in the production database of a domestic car manufacturer.

Compared with the case in 2016, the virus had mutated: two additional stored procedures were added. At the time, the customer's production database was less than two hours away from the 1200-day mark, but fortunately a backup still existed.

...So we quietly cheated: we changed the system time, restored the backup, dropped the related triggers and stored procedures, and the system was back in operation. We did, however, advise the customer to do a clean Data Pump export of the data.
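As an added example, not code from the original post: SQL*Plus triage queries, run as SYSDBA, that locate the objects to remove after the restore. The three object names come from the earlier post on this page; the list of Oracle-maintained schemas to skip is an assumption and needs extending for your release, and the second query relies on the first stored source line of a wrapped unit ending in the keyword wrapped.

```sql
-- Added example, not from the original post. Run as SYSDBA.

-- 1. Objects carrying any of the three known names, in any schema and of any type.
SELECT owner, object_type, object_name, created, last_ddl_time, status
FROM   dba_objects
WHERE  UPPER(object_name) IN ('DBMS_SUPPORT_INTERNAL',
                              'DBMS_SYSTEM_INTERNAL',
                              'DBMS_CORE_INTERNAL')
ORDER  BY owner, object_type;

-- 2. The variant added procedures whose names are not known in advance, so also
--    list wrapped PL/SQL units outside Oracle-maintained schemas, newest first.
--    The first source line of a wrapped unit ends with the keyword "wrapped".
SELECT s.owner, s.type, s.name, o.created
FROM   dba_source s
       JOIN dba_objects o
         ON  o.owner       = s.owner
         AND o.object_name = s.name
         AND o.object_type = s.type
WHERE  s.line = 1
AND    REGEXP_LIKE(s.text, '\swrapped\s*$', 'i')
AND    s.owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'MDSYS', 'CTXSYS',
                       'WMSYS', 'DBSNMP', 'OUTLN')   -- assumed skip list
ORDER  BY o.created DESC;

-- 3. Generate the cleanup statements for the confirmed hits rather than typing
--    them by hand; review the output before running it.
SELECT 'DROP ' || object_type || ' "' || owner || '"."' || object_name || '";' AS drop_stmt
FROM   dba_objects
WHERE  UPPER(object_name) IN ('DBMS_SUPPORT_INTERNAL',
                              'DBMS_SYSTEM_INTERNAL',
                              'DBMS_CORE_INTERNAL')
AND    object_type IN ('TRIGGER', 'PROCEDURE', 'FUNCTION', 'PACKAGE', 'PACKAGE BODY');
```

Run query 1 and query 2 again after the DROPs, and once more after the Data Pump export is loaded into the clean database, so the import is confirmed not to have carried the objects across.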

Releasing a small PL/SQL unwrap tool - unwrap

During the PL/SQL virus analysis from late October into November, we put together this tool to make decrypting wrap-encrypted stored procedures convenient. HC recompiled the messy code, so it is now simpler to use.

The decryption principle is simple and ITPUB has a very detailed write-up, so we will not go into it here.

Reference for 10g and 11g PL/SQL unwrapping:

http://www.itpub.net/thread-1154232-1-1.html

Reference for the 9i PL/SQL unwrap principle:

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Finnigan.pdf

Usage:

A GUI would be overkill (honestly, we are lazy), so it is a pure command-line tool. Mind the paths.

java -jar unwrap.jar <wrapped-file> [output-file]

Download:

UNWRAP.JAR DOWNLOAD