Oracle trace events hunting : Undocumented events/Filling the gaps

In my last blog post Oracle trace events hunting : dbgdChkEventIntV i talked about how we can extract events that are checked in specific oracle core function by analyzing the arguments passed to dbgdChkEventIntV function. I used for that a mapping file called dbgdChkEventIntV_event_list.txt   (Basically mapping EventId to actual Event Name)

When we analyze the mapping file we observe something :

Capture 150

The different events seems to have a sequential Event ID  (stored in an array ?)  ! So what is stored in slot 1160002,116004 ,116007 etc ? Let’s check !

Continue reading

Oracle trace events hunting : dbgdChkEventIntV

Few days ago i published a blog post talking about write consistency & DML restart  . During my investigation i was interested in the function “dmltrace” and i noticed that this function was instrumented with the dbk*/dbg*  debug functions introduced in 11g.

Capture 151

The question is how to enable this tracing facility ?  Which events are checked by that function ?

We know how to extract the trace events number from the old ksdpec function (kernel service debug internal errors parser post event and check trigger condition using of course 😀  ) thank to Dennis Yurichev see here and here. 

We also know how to extract it from dbkdChkEventRdbmsErr (DB kernel debug check event of RDBMS error) thanks to Yong Huang see here.

But here the function is instrumented differently !

Continue reading

Write consistency and DML restart

Few weeks ago Tanel Poder published a great video talking about Oracle’s write consistency , DML restarts and demonstrating also how we can detect them.He also published a script that allow finding UPDATE/DELETE statements that hit the write consistency issue & have to restart under the hood. But as he stated it uses V$SQL_PLAN_MONITOR, so requires Diag+Tuning pack licenses.

The purpose of this blog post is to show another way to detect statements hitting the write consistency issue.

Continue reading

Tracking Oracle Database Binaries files changes

The Linux Audit system provides a way to determine the violator of the security policy and the actions they performed such as tracking malicious changes on the oracle executable.

Using Linux Audit system we can basically do the following activities :

  • Watching file access
  • Monitoring system calls
  • Recording commands run by a user
  • Recording security events

In this short blog post i will show how we can easily use it to catch changes in “./bin” directory.

Continue reading

Using LD_PRELOAD to implement a hidden trojan in an oracle database

In one of my previous post  i showed how we can inject a backdoor in an ORACLE database based on Dennis Yurichev findings.The described method required the modification of the oracle executable files.  Few days ago Rodrigo Jorge shared a blog post explaining how we can add another layer of security to the oracle binaries files to protect them against improper changes. That motivated me to check if i still can implement the hidden Trojan without modifying the oracle executable files ?

Continue reading