Spoofing V$SESSION.OSUSER java code

In my previous post I discussed using OSUSER for auditing user access. To spoof OSUSER I wrote a short program in Java, but I didn’t publish a source code. I was planning to do it for quite some time now, especially that Pete Finnigan expressed interest in seeing it. Martin also hassled me for the past few months, and here is the Java code I used.

To compile it I used java 1.6 and Oracle jdbc 11.2.0.1 driver:

javac -cp ../lib/ojdbc6.jar:. OraAccess.java

OraAccess.java source file

import java.util.Properties;
import java.sql.*;
import java.io.Console;
import java.io.IOException;


public class OraAccess{
   public static Connection getConnection(String db_address, String db_name, String db_username,
   String db_pass, String new_osuser){
   Properties props = new Properties();
   props.put("user", db_username);
   props.put("password", db_pass);
   props.put("v$session.osuser", new_osuser);
   props.put("v$session.program", "UserSpoofTest");
   Connection con = null;
   try {
          con = DriverManager.getConnection("jdbc:oracle:thin:@"+ db_address +":" + db_name +"",props);
       } catch(SQLException ex) {
          System.err.println("SQLException: " + ex.getMessage());
       }
   return con;
 }

public static void main(String[] args) throws SQLException, IOException {
   Console c = System.console();
   if (c == null) {
      System.err.println("No console.");
      System.exit(1);
   }
   String username;
   username = System.getProperty("user.name");

   System.out.print("Your current operating system username is: ");
   System.out.println(username);

   String database_address = c.readLine("Enter database server IP and port number (IP:port):  ");
   String database_name = c.readLine("Enter database name:  ");

   String db_username = c.readLine("Enter database username:  ");
   String db_password = c.readLine("Enter password for user \"" + db_username +"\":  ");

   String fake_osuser = c.readLine("Enter fake osuser name:  ");

   Connection conn = getConnection(database_address, database_name, db_username, db_password, fake_osuser);
   String end_connection = c.readLine("Enter something to disconnect.");
   conn.close();
  }
}
About these ads

7 thoughts on “Spoofing V$SESSION.OSUSER java code

  1. Hi Pawel,

    with 11.2.0.1 JDBC driver you don’t even have to change Java code to spoof OS user name. You can supply it via start up property: -Doracle.jdbc.v$session.osuser=.
    Want to spoof machine/terminal? No problem at all: oracle.jdbc.v$session.machine, oracle.jdbc.v$session.terminal.

    • Hi Timur,

      thanks for your comment.
      it definitely proves that there is even easier method to spoof connection properties that the one I used.

  2. A rather dumb question, where does the client at my side gets this OSUSER information? For example, I am using “Oracle SQL Developer” at my Windows PC to connect to the server. My understanding is – this client software at my end feeds this OSUSER information to the server while connecting. But Where does SQL Developer get my user name from? Can’t I change it at that point?

    • Hi Akash,

      You are right, it’s the client software that feeds OSUSER (or other properties) to the server, and this is exactly what my code does. I don’t know if SQL developer allows you do change OSUSER field. You could try to use method suggested by Timur as SQL Developer is written in Java

      many thanks
      pawel

  3. Hi Pavel,
    I am not java expert but I believe that all this information is relevant for tns connections.
    If we connect localy (without using listener // jdbc:thin is going to listener port as far as I am aware) I could not imagine how we can fake os_user.
    What is your opinion?

    • Hi Eterpani,

      I’m also not a Java expert or even a developer for that matter, but I can’t see any reason why you shouldn’t be able to fake os_user during local connection (when you connect using IPC protocol).
      Even if you connect locally you still connect via Oracle Net but use IPC protocol instead of TCP, and your connection doesn’t go via a listener. With TCP connections OS_USER seems to be a connection variable provided by a client software, and as far as I can tell, not used for any kind of authentication or verification (but I can be wrong about that). It would make sense to implement IPC connections in a similar way to TCP, that OS_USER is just a variable provided by client software.
      I can’t say that it’s definitely possible to fake OS_USER with local connections but I will try to do some research and if I find something I will let you know.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s