New Version Of PUTTY (update fast)

PuTTY has released a new version, 0.71, of this popular, simple and useful open source program that solves the day-to-day needs of many DBAs, sysadmins, developers, etc. It offers options from telnet (which should no longer be used) to the possibility of building tunnels, through connections in RAW mode.

This version does not really bring new features; rather, in the Microsoft style, it is a patch that corrects important security vulnerabilities.

Some of the most dangerous vulnerabilities are:

  • DSA signature check bypass (MITM)
  • Integer overflow (in the RFC 4432 RSA key exchange)
  • Potential malicious code execution (from .chm help files)
  • Buffer overflow in Unix PuTTY (with many active Unix file descriptors when using the poll() system call)
  • DoS when a large amount of Unicode is used

You can download the new version from its official website:
Putty 0.71 download

HTH – Antonio NAVARRO


ORA-00600 Error When Precompiling

Today I have installed a test environment for Pro*C processes. When running the Oracle precompiler phase, that is, converting the Pro*C sources into pure C, the following error appears:

Pro*C/C++: Release 12.1.0.2.0 - Production on Thu Feb 21 17:08:24 2019

Copyright (c) 1982, 2014, Oracle and/or its affiliates.  All rights reserved.

System default option values taken from: /xxxxxx/12.1/precomp/admin/pcscfg.cfg

dbgc_init_all failed with ORA-48141
ORA-00600: internal error code, arguments: [17998], [2], [], [], [], [], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [17998], [2], [], [], [], [], [], [], [], [], [], []

----- Call Stack Trace -----
calling              call     entry                argument values in hex
location             type     point                (? means dubious value)
-------------------- -------- -------------------- ----------------------------
skgudmp()+124        CALL     kohbuh()+1951        FFFFFFFF7FFFB768 ?
                                                   0000F4240 ? 0FFFFFFFF ?
                                                   000000000 ? 000000026 ?
                                                   00000003E ?
kgeriv_int()+216     PTR_CALL skgudmp()            100943900 ? 000002400 ?
                                                   000000800 ? 001FE6788 ?
                                                   FFFFFFFF7EFDB838 ?
                                                   000000000 ?
kgeasi()+176         CALL     kgeriv_int()         100943900 ? 10097C4D8 ?
                                                   00000464E ? 000000000 ?
                                                   000000001 ?
                                                   FFFFFFFF7FFFBA68 ?
pcgini()+1024        CALL     dbgruppm_purge_main  100943900 ? 10097C4D8 ?
                              ()+2079              00000464E ? 000000002 ?
                                                   000000001 ? 000000000 ?
pc2main()+1488       CALL     pcgini()             FFFFFFFF7FFFE588 ?
                                                   FFFFFFFF7FFFDAC0 ?
                                                   1009AA810 ?
                                                   FFFFFFFF7FFFE338 ?
                                                   FFFFFFFF7FFFEE20 ?
                                                   1009481B8 ?
lpmcall()+816        PTR_CALL pc2main()            10091D590 ?
                                                   FFFFFFFF7FFFE300 ?
                                                   000000101 ?
                                                   FFFFFFFF7FFFE498 ?
                                                   1008E05C0 ? 1008CADA0 ?
lpmpmai()+364        CALL     lpmcall()            000000002 ?
                                                   FFFFFFFF7FFFF807 ?
                                                   1008F7580 ? 1808F0E18 ?
                                                   1001CD140 ?
                                                   FFFFFFFF7FFFF0B8 ?
main()+292           CALL     00000001008CB280     FFFFFFFF7FFFF218 ?
                                                   FFFFFFFF7FFFF1E8 ?
                                                   000000002 ?
                                                   FFFFFFFF7FFFF608 ?
                                                   000001A68 ? 000206DAC ?
_start()+300         CALL     main()               000000002 ?
                                                   FFFFFFFF7FFFF608 ?
                                                   FFFFFFFF7FFFF802 ?
                                                   000000000 ? 1008CADA0 ?
                                                   FFFFFFFF7FFFF548 ?

Call stack signature: 0x1d6e42d7f18cb236

The error seems to be inside the database, because it is an ORA-00600, but in this case it is a problem at the level of file-system permissions on directories. The compilation, precompilation and linking phase is being run by a user that is not the owner of the software, which restricts access. A workaround is to give permission 777 on the diagnostic directory structure with the owner of the software. Here is an example:


chmod 777 $ADR_BASE/diag/plsql
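The following script is an added example, not the post's own commands: it locates the first path component that blocks the building user, lists what a blanket chmod 777 leaves world-writable, and applies a group-based alternative instead. It assumes the building user belongs to the software owner's group (passed as the second argument of adr_tighten, e.g. oinstall).

```shell
#!/bin/sh
# Added example, not from the post: instead of a blanket chmod 777 on the
# ADR tree, find what the workaround leaves world-writable and apply a
# group-based alternative. Assumption: the building user is a member of
# the software owner's group (passed as $2 to adr_tighten, e.g. oinstall).

# List directories under $1 that are writable by everyone (mode bit o+w).
adr_world_writable() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Report the first path component the current user cannot traverse, or the
# final directory if it is missing or not writable; prints nothing when
# access is fine.
adr_first_blocker() {
    p=$1
    [ -d "$p" ] || { echo "missing: $p"; return 1; }
    [ -w "$p" ] || { echo "not writable: $p"; return 1; }
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        [ -x "$p" ] || { echo "not traversable: $p"; return 1; }
    done
    return 0
}

# Least-privilege fix: owner keeps rwx, the software group gets rwx with
# setgid on directories (new files inherit the group), others lose write.
adr_tighten() {
    base=$1; group=${2:-}
    [ -n "$group" ] && chgrp -R "$group" "$base"
    chmod -R o-w,g+rwX "$base"
    find "$base" -type d -exec chmod g+s {} +
}

# Stand-alone use: ./adr_check.sh $ADR_BASE
if [ $# -gt 0 ]; then
    adr_first_blocker "$1/diag/plsql" || true
    adr_world_writable "$1"
fi
```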


HTH – Antonio NAVARRO


Deleting Thousands Of Files

Today I landed on a system with a full filesystem, in this case because there was no maintenance of the audit files, or else the process that does that job was stuck. The purpose of this post is to show a simple way to delete the files. Of course there are many others, such as using find and telling it to delete the files that meet the search criteria.

First of all, count the files to delete and create a file with the names of all of them:

grid12@moti1./app/oracle/grid/rdbms/audit $ ls -rlt | wc -l
  174958
grid12@moti1./app/oracle/grid/rdbms/audit $ time ls > report.txt

real    0m6.05s
user    0m5.72s
sys     0m0.32s


Below I show a little shell script (bash, as the shebang indicates) that reads the file line by line and performs an rm on each file:

#!/bin/bash
# Read the list one line at a time (the || handles a last line without a
# trailing newline) and remove each file. Quoting "$line" and using "--"
# keep names with spaces, globs or a leading "-" from being mangled.
while IFS='' read -r line || [[ -n "$line" ]]; do
   rm -- "$line"
done < "$1"


Now set execute permissions and run the script:

grid12@moti1./app/oracle/grid/rdbms/audit $ chmod 700 delete.sh
grid12@moti1./app/oracle/grid/rdbms/audit $ time delete.sh report.txt

real    12m20.47s
user    0m35.63s
sys     2m4.13s

In this case, deleting about 170,000 files took 12 minutes, which is perhaps a little slow.


If we analyze the times, the total (real) was twelve minutes from start to end. The user and sys fields are CPU time: the user part corresponds to our process and the sys part represents time spent in the kernel.

total cpu = 0m35.63s + 2m4.13s = 2m39.76s

If we subtract this total CPU time from the total execution time of the process:

12m20.47s – 2m39.76s = 9m40.71s

Those 9m40.71s, although we would have to trace the process or look at its consumption (using, for example, IOCTL), are spent on disk, since we are working with files.
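Most of that wall-clock time goes to forking one rm per file. As an added example (not the post's own script), the function below does the same purge with find and xargs, batching many paths into each rm and passing names NUL-separated so spaces in file names cannot break it; a dry run that only counts is the default. It assumes the audit files end in .aud and sit directly in the given directory.

```shell
#!/bin/sh
# Added example, not from the post: purge old audit files with find and
# xargs instead of one rm process per file. Names travel NUL-separated so
# spaces or newlines in them cannot break the command, and a dry run
# (count only) is the default. Assumptions: audit files end in .aud and
# sit directly in the given directory.
purge_audit_files() {
    dir=$1; days=$2; mode=${3:-dry-run}
    # Guard rails: refuse an empty or root path, and anything not a directory.
    case "$dir" in ""|/) echo "refusing to purge '$dir'" >&2; return 2;; esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ "$mode" = delete ]; then
        # xargs packs many paths into each rm call, so far fewer forks than
        # the line-by-line loop; -r skips rm entirely if nothing matches.
        find "$dir" -maxdepth 1 -type f -name '*.aud' -mtime +"$days" -print0 \
            | xargs -0 -r rm -f --
    else
        # Dry run: just report how many files would go.
        find "$dir" -maxdepth 1 -type f -name '*.aud' -mtime +"$days" -print \
            | wc -l | tr -d ' '
    fi
}

# Stand-alone use: ./purge_audit.sh /app/oracle/grid/rdbms/audit 30 [delete]
if [ $# -ge 2 ]; then
    purge_audit_files "$@"
fi
```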

Note that in this setup the temporary file containing the list of files to delete is itself removed (it appears in its own listing). However, the delete.sh file is not removed; I usually delete it as a housekeeping policy.

rm delete.sh

HTH – Antonio NAVARRO

Create An SSH Tunnel Using Putty

SSH tunnels are used for many things, but basically an SSH tunnel is point-to-point encryption (up to the SSH gateway) so that the information circulating through the channel cannot be captured. Even if someone uses a sniffer (it will capture the data packets), they will not be able to read the information that is sent or received.

As I said before, there are many purposes for tunnels; in our case we will look at them from the point of view of databases, and mainly from the perspective of the database administrator, whose job involves handling sensitive information many times.

Not long ago I published a post to demonstrate how easy it is to see and capture network packets when we send an “alter user xxx identified by values …” statement. Using a tunnel, this information is encrypted from the moment it leaves my laptop until it reaches the SSH gateway. It is fine on the laptop, but once the data passes the gateway, until it reaches the target machine where the listener is, it could be captured and read. Normally that network segment is a local area network and is more or less secure.

We must define:

  • SSH gateway or jump host: the entry point of the tunnel (where we bounce the connection).
  • Target machine: the host we want to connect to.
  • Local port (called source port by PuTTY): the port we use on our computer (in my case a laptop); when we reference it, it is translated to the listener port on the target machine.


Open PuTTY and set the SSH gateway and port 22 (needed to encrypt the channel).

[Screenshot: create_ssh_tunnel_with_putty_v1]

Drill down in the left menu and click on Tunnels; set the source port and the destination (target machine).

[Screenshot: create_ssh_tunnel_with_putty_v2]

Click on the Add button and then click Open.

[Screenshot: create_ssh_tunnel_with_putty_v3]

Now from SQL Developer we need to open a new connection, set the username and password as usual, and then what is new in order to use the tunnel:

Set Hostname to localhost (or 127.0.0.1)

Set Port to 7000, defined as the local port (on our workstation)

Set Service name to the database

[Screenshot: create_ssh_tunnel_with_putty_v4]
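The same forward expressed for OpenSSH, plus a check that the local port 7000 is bound to loopback only, as an added example that is not part of the post. The user "ant", gateway "jump.example", target "db-1.internal" and listener port 1521 are made-up values, and the "ss -ltn" output in SAMPLE_SS is constructed for the check.

```shell
#!/bin/sh
# Added example, not from the post: the OpenSSH equivalent of the PuTTY
# tunnel above, and a check that the forwarded port only listens on the
# loopback address. Assumptions: user "ant", gateway "jump.example",
# target "db-1.internal" and listener port 1521 are made up; the "ss -ltn"
# output in SAMPLE_SS is constructed for the check.

# Print the ssh command for a local forward. Binding to 127.0.0.1 explicitly
# keeps other hosts from riding our tunnel (in PuTTY, leave "Local ports
# accept connections from other hosts" unticked).
tunnel_cmd() {
    user=$1; gateway=$2; lport=$3; target=$4; tport=$5
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$lport" "$target" "$tport" "$user" "$gateway"
}

# Read "ss -ltn" output on stdin. Exit 0 if PORT listens on loopback only,
# 1 if it is exposed on a wildcard or external address, 2 if not listening.
check_local_forward() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == p) {
                seen = 1
                if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
            }
        }
        END { if (!seen) exit 2; exit (exposed ? 1 : 0) }'
}

# Constructed sample of "ss -ltn" output: 7000 is loopback-only, 8000 is not.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:7000     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:8000          [::]:*'

# Stand-alone use: ./tunnel.sh ant jump.example 7000 db-1.internal 1521
if [ $# -eq 5 ]; then
    tunnel_cmd "$@"
fi
```

On a live workstation, run `ss -ltn | check_local_forward 7000` after opening the tunnel.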


HTH – Antonio NAVARRO


OSWatcher Doesn’t Want To Die

Today I had a strange problem: I was collecting traces with OSWatcher, but when I stopped the trace using the stopOSWbb.sh shell script, after a while it started again.

Looking for the process that was starting OSWatcher, I discovered it is started by tfactl:


grid@wolf-1./tmp $ tfactl

tfactl> toolstatus

.------------------------------------------------------------------.
|                   TOOLS STATUS - HOST : Wolf-1                   |
+----------------------+--------------+--------------+-------------+
| Tool Type            | Tool         | Version      | Status      |
+----------------------+--------------+--------------+-------------+
| Development Tools    | orachk       |   12.2.0.1.3 | DEPLOYED    |
|                      | oratop       |       14.1.2 | DEPLOYED    |
+----------------------+--------------+--------------+-------------+
| Support Tools Bundle | darda        | 2.10.0.R6036 | DEPLOYED    |
|                      | oswbb        |        8.0.1 | RUNNING     |
|                      | prw          | 12.1.13.11.4 | NOT RUNNING |
+----------------------+--------------+--------------+-------------+
| TFA Utilities        | alertsummary |   12.2.1.1.0 | DEPLOYED    |
|                      | calog        |   12.2.0.1.0 | DEPLOYED    |
|                      | changes      |   12.2.1.1.0 | DEPLOYED    |
|                      | dbglevel     |   12.2.1.1.0 | DEPLOYED    |
|                      | events       |   12.2.1.1.0 | DEPLOYED    |
|                      | grep         |   12.2.1.1.0 | DEPLOYED    |
|                      | history      |   12.2.1.1.0 | DEPLOYED    |
|                      | ls           |   12.2.1.1.0 | DEPLOYED    |
|                      | managelogs   |   12.2.1.1.0 | DEPLOYED    |
|                      | menu         |   12.2.1.1.0 | DEPLOYED    |
|                      | param        |   12.2.1.1.0 | DEPLOYED    |
|                      | ps           |   12.2.1.1.0 | DEPLOYED    |
|                      | pstack       |   12.2.1.1.0 | DEPLOYED    |
|                      | search       |   18.2.0.0.0 | DEPLOYED    |
|                      | summary      |   12.2.1.1.0 | DEPLOYED    |
|                      | tail         |   12.2.1.1.0 | DEPLOYED    |
|                      | triage       |   12.2.1.1.0 | DEPLOYED    |
|                      | vi           |   12.2.1.1.0 | DEPLOYED    |
'----------------------+--------------+--------------+-------------'

Note :-
  DEPLOYED    : Installed and Available - To be configured or run interactively.
  NOT RUNNING : Configured and Available - Currently turned off interactively.
  RUNNING     : Configured and Available.

Of course, we stop it from being started by TFA in the following way:

tfactl> stop oswbb
Stopped OSWatcher
tfactl>  toolstatus

.------------------------------------------------------------------.
|                   TOOLS STATUS - HOST : Wolf-1                   |
+----------------------+--------------+--------------+-------------+
| Tool Type            | Tool         | Version      | Status      |
+----------------------+--------------+--------------+-------------+
| Development Tools    | orachk       |   12.2.0.1.3 | DEPLOYED    |
|                      | oratop       |       14.1.2 | DEPLOYED    |
+----------------------+--------------+--------------+-------------+
| Support Tools Bundle | darda        | 2.10.0.R6036 | DEPLOYED    |
|                      | oswbb        |        8.0.1 | STOPPED     |
|                      | prw          | 12.1.13.11.4 | NOT RUNNING |
+----------------------+--------------+--------------+-------------+
| TFA Utilities        | alertsummary |   12.2.1.1.0 | DEPLOYED    |
|                      | calog        |   12.2.0.1.0 | DEPLOYED    |
|                      | changes      |   12.2.1.1.0 | DEPLOYED    |
|                      | dbglevel     |   12.2.1.1.0 | DEPLOYED    |
|                      | events       |   12.2.1.1.0 | DEPLOYED    |
|                      | grep         |   12.2.1.1.0 | DEPLOYED    |
|                      | history      |   12.2.1.1.0 | DEPLOYED    |
|                      | ls           |   12.2.1.1.0 | DEPLOYED    |
|                      | managelogs   |   12.2.1.1.0 | DEPLOYED    |
|                      | menu         |   12.2.1.1.0 | DEPLOYED    |
|                      | param        |   12.2.1.1.0 | DEPLOYED    |
|                      | ps           |   12.2.1.1.0 | DEPLOYED    |
|                      | pstack       |   12.2.1.1.0 | DEPLOYED    |
|                      | search       |   18.2.0.0.0 | DEPLOYED    |
|                      | summary      |   12.2.1.1.0 | DEPLOYED    |
|                      | tail         |   12.2.1.1.0 | DEPLOYED    |
|                      | triage       |   12.2.1.1.0 | DEPLOYED    |
|                      | vi           |   12.2.1.1.0 | DEPLOYED    |
'----------------------+--------------+--------------+-------------'


Now it doesn’t start again anymore and I’m a little happier.

HTH – Antonio NAVARRO


Security Breach Due To Erroneous Configuration Of The Path

Today I found a quite important security bug in a Unix system. In fact the problem is very old and well known; it was already exploited in the 90s. Looking at the PATH variable I found the following (for several users):

WOF-3(ora18):/ext/home4/ora18/ant# echo $PATH
.:/usr/bin:/bin:/bdpd/prod/server/181/bin:/bdpd/prod/server/181/OPatch

Apparently it may look fine, but it is not. The problem is the first character, the “.”: we are telling the shell that, when it looks for the command to execute (if we do not give the command's absolute path), it should look first in the directory we are in. The risk is that someone slips us a kind of trojan, that is, a program that does what it should and “something else”. The normal thing when you enter a directory is to look at what is there, so the usual thing is to execute an ls. Now, what happens if I create an ls, in this case a shell script, although I am more in favor of writing it in C and compiling it to have a binary?

WOF-3(ora18):/ext/home4/ora18/ant# cat ls
/usr/bin/ls
date >> when_my_ls

The shell file I have created calls the real ls so that it does an ls; whoever executes it will see their ls, and apart from that I have added a payload, in this quite simple case, which writes the current time to a log file, a kind of “keylogger” or what we could call an “executelogger”. Every time my ls is executed it leaves a record.

In this case the payload is very simple, but it can be elaborated to do many things, from an rm to a copy of the shadow file, or to escalate privileges very quickly.
For it to work, we give the script execute permission:

WOF-3(ora18):/ext/home4/ora18/ant# chmod 777 ls
WOF-3(ora18):/ext/home4/ora18/ant# ls -lrt
total 11
drwxr-xr-x   2 orap12   oinstall       4 May 18 09:16 cron
drwxr-xr-x   3 orap12   oinstall       5 Jun 20 10:14 oneoff_218934948
drwxr-xr-x   2 orap12   oinstall       2 Sep 13 16:25 automateX
-rwxrwxrwx   1 orap12   oinstall      34 Sep 24 12:38 ls

After running the fake ls a few times, we see what the log has recorded:

WOF-3(ora18):/ext/home4/ora18/ant# cat when_my_ls
Monday, September 24, 2018 12:40:44 PM CEST
Monday, September 24, 2018 12:40:58 PM CEST
Monday, September 24, 2018 12:41:43 PM CEST


Recommendations:

#1 Never have the “.” as the first entry. Replace .:/usr/bin:/bin: with /usr/bin:/bin:.: so that the shell looks first where it should look.

#2 Execute commands with their absolute path, although this can be quite tedious. You would type /usr/bin/ls instead of ls.
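As an added example that is not from the post, the script below audits a PATH value for the problem described here: it flags “.” and empty entries (both mean “search the current directory”), relative entries, and world-writable directories where any user could plant a fake ls. It goes one step beyond recommendation #1 by also flagging a trailing “.”, since that still lets a fake command run whenever the real one is not found earlier in the PATH.

```shell
#!/bin/sh
# Added example, not from the post: audit a PATH value for the risk
# described above. It flags "." and empty entries (both mean "search the
# current directory"), relative entries, and world-writable directories,
# where any user could plant a fake ls. A trailing "." is still flagged:
# it only protects commands that exist earlier in the PATH.

# Print one finding per entry; the argument defaults to the caller's PATH.
audit_path() {
    path=${1-$PATH}
    # tr turns "a::b:" into lines "a", "", "b", "" so empty entries survive.
    printf '%s\n' "$path" | tr ':' '\n' | {
        pos=0
        while IFS= read -r entry; do
            pos=$((pos + 1))
            case "$entry" in
                ""|.)
                    echo "HIGH pos=$pos entry='$entry' current directory is searched" ;;
                /*)
                    if [ ! -d "$entry" ]; then
                        echo "INFO pos=$pos entry='$entry' does not exist"
                    else
                        # Character 9 of the "ls -l" mode string is the other-write
                        # bit; -L follows symlinks such as /bin -> usr/bin.
                        case "$(ls -ldL "$entry")" in
                            ????????w*) echo "HIGH pos=$pos entry='$entry' world-writable directory" ;;
                            *)          echo "OK   pos=$pos entry='$entry'" ;;
                        esac
                    fi ;;
                *)
                    echo "HIGH pos=$pos entry='$entry' relative entry, resolved against the current directory" ;;
            esac
        done
    }
}

# Succeed only when the audit produced no HIGH finding.
path_is_safe() {
    ! audit_path "$@" | grep -q '^HIGH'
}

# Stand-alone use: ./audit_path.sh "$PATH"
if [ $# -gt 0 ]; then
    audit_path "$1"
fi
```

Run it for each account on the box (e.g. from each user's shell, or by feeding the PATH lines from their profile files) to catch the configuration shown above before someone else does.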

HTH – Antonio NAVARRO