#96 | pen08 – Oracle data files and ideas of how to abuse them

Hi, today I’ll do a quick article after some research and development I did earlier today. It is related to the way Oracle stores data inside files, particularly .DBF files.


What are DBF files?

DBF is the file format Oracle uses to store the main part of its data structure. When you have a table, its data gets stored inside DBF files. Editing them can be difficult because the format differs depending on the Oracle version: as each version has different data structures, you’ll have to adapt your DBF if you want to be able to import it.



Imagine a case where the datafiles are stored in an accessible area: you could directly edit these files to add some data. For example, you could edit the USERS$ table to change a user’s password and connect to the database afterward. You could potentially also add information to the DBMS_SCHEDULER module tables to create a job and get remote code execution on the server.
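Whether datafiles sit in an "accessible area" can be checked from the defender's side by auditing filesystem permissions. The script below is an added example, not part of the original article or any Oracle tooling; it assumes a POSIX host where only the database owner account should be able to write the .dbf files, and the sample tree and file names are constructed.

```python
import os
import stat
import tempfile

def audit_datafiles(root, owner_uid=None):
    """Return sorted (path, problem) pairs for .dbf files other accounts can reach."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dbfs = [f for f in files if f.lower().endswith(".dbf")]
        if not dbfs:
            continue
        dmode = os.stat(dirpath).st_mode
        # A writable directory lets another account replace a datafile even
        # when the file itself is locked down; the sticky bit prevents that.
        if dmode & (stat.S_IWGRP | stat.S_IWOTH) and not dmode & stat.S_ISVTX:
            findings.append((dirpath, "directory writable by group/other"))
        for name in dbfs:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink: audit the target too"))
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group/other"))
            if st.st_mode & stat.S_IROTH:
                findings.append((path, "readable by other"))
            if owner_uid is not None and st.st_uid != owner_uid:
                findings.append((path, "unexpected owner uid %d" % st.st_uid))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample layout: one locked-down and one exposed datafile."""
    root = tempfile.mkdtemp(prefix="oradata_")
    for name, mode in (("system01.dbf", 0o640), ("users01.dbf", 0o666)):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)  # placeholder bytes, not a real datafile
        os.chmod(path, mode)
    os.chmod(root, 0o750)
    return root

if __name__ == "__main__":
    for path, problem in audit_datafiles(build_sample_tree(), os.getuid()):
        print(path, "->", problem)
```

On a real host, point `audit_datafiles` at the datafile directory and pass the uid of the account that runs the database.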



To edit these files, Oracle gave us a tool, available until Oracle 10, that allows “hackers” to edit DBF files directly; it is somewhat like a hex editor mixed with gdb. You can still get it for the latest version of Oracle by recompiling it yourself. It has functions to examine part of the data, edit it, print it and so on. To use the tool, you’ll have to use a hard-coded password, which is “blockedit”. Once you have made your edit, you’ll have to recalculate a checksum using the command “sum dba”.

The only problem is that for your modification to be applied, you’ll need to flush Oracle’s cache, since it has a cache system, either with “alter system flush buffer_cache;” or by waiting for a restart of the database. This can be problematic since it could corrupt data inside your database.

It is still an interesting idea that needs to be researched a little bit more.
