On 14 April, the mysterious group ShadowBrokers released an archive containing several exploits, tools and operational notes on one of the most complex cyber-attacks in history: JEEPFLEA.
[Figure: main function, which redirects the logic based on the target Oracle server version]
Among those tools were Windows exploits, but also tools to compromise SWIFT Service Alliance servers. One of these tools, PASSFREELY, bypasses the authentication process of Oracle Database servers; two others, initial_oracle_exploit.sql and swift_msg_queries_all.sql, are Oracle Database scripts that back up the entire set of transactions stored in the Oracle databases (as explained in last week's post), all the Oracle administrator accounts including their credentials, and also internal undocumented structures of the SWIFT Messaging schema tables.
PASSFREELY forces an already compromised (via DOUBLEPULSAR) Oracle Database server to accept every incoming connection. It disables the authentication requirement directly by modifying the Oracle Database application in the server's memory. Oracle databases are among the most popular enterprise database systems in the world, used by everyone from airlines to telecoms. They also happen to be used by the international bank messaging system, SWIFT, to store financial transactions.
PASSFREELY
PASSFREELY is an Oracle Database server implant that allows ANY connection to the Oracle Database by altering the authentication procedures of 386 versions of Oracle.
The implant looks for the ORACLE{xx}.EXE process in memory before patching the authentication function to allow any connection.
List of processes targeted by PASSFREELY: ORACLE72.EXE, ORACLE73.EXE, ORACLE80.EXE, ORACLE.EXE
According to the strings contained in the implant, 386 versions of Oracle Database (Oracle 7.2 -> 11.2; see Appendix A for the detailed list) are affected by this four-year-old version of PASSFREELY. After analysis, 2635 code mutations are stored in it, which means each bypass requires an average of 7 code modifications per Oracle Database target.
[Figure: the 386 (0x182) Oracle versions handled by PASSFREELY, from the NSA arsenal]
Each of those code mutations aims at changing the code logic, either by changing the direction of a jnz into a jmp, or by replacing it with nop instructions, in the ORACLE.exe executable loaded in memory, to directly alter the authentication logic.
Changing a logical branch (jnz -> jmp), or replacing it with nops, means you either nullify a check or force the code down a specific path, regardless of whether the initially evaluated condition is true or not.
This is not an innovative technique; it has been used in the cracking scene since the 90s, and just last year BAE Systems reported a two-byte patch applied by the 525a8e3ae4e3df8c9c61f2a49e38541d196e9228 malware, which infected the SWIFT Alliance software (via liboradb.dll) during the Bangladesh Bank heist.
[Figure: core function patching the in-memory Oracle executable 4 bytes at a time]
Most of the strings used for debugging are also still present, although unlike ETERNALSYNERGY they are encoded, and are then decoded by the following algorithm:
[Figure: decode_data function]
Threats
This utility represents a threat for any Oracle customer, including SWIFT Service Bureaus but also banks using SWIFT Alliance. Even though until now SWIFT has always rejected responsibility for any SWIFT-related hack, the release of this utility in the wild represents a serious and real threat to them and their customers, which they can't ignore.
Mitigation
Multiple kernel mitigations have been introduced by Microsoft since Windows Vista to prevent patching of userland processes by other userland processes. Protected Processes are not a novelty per se, but very few vendors actually implement them; initially created for DRM purposes, they prevent regular processes from reading or writing the memory of a protected process.
Code Integrity checks are crucial too.
Although this does not prevent kernel-mode drivers from accessing the virtual memory of a process, it would at least stop trivial code memory modifications by unfriendly attackers, like those we saw during the Bangladesh Bank heist or with this newly available PASSFREELY tool.
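The branch-flipping described above (jnz -> jmp, or instructions overwritten with nops) leaves a simple footprint: the code section in memory no longer matches the executable on disk. The following is an added example, not code from the post or from the PASSFREELY implant, of the kind of integrity check the Mitigation section alludes to: it diffs the on-disk bytes of a code section against the bytes observed in the process and labels each modified run by the pattern it matches. It assumes the caller has already read the same .text range from both places and applied relocations; the x86 fragment it runs on is constructed for the demonstration and is not taken from any Oracle binary.

```python
"""Detect inline patches in a code section by diffing memory against the on-disk image.

Added example, not code from the original post or from the PASSFREELY implant.
It assumes the caller has already obtained the same .text range twice: once read from
the running process and once from the executable on disk, with relocations applied,
so that any remaining difference is a runtime modification. The sample bytes at the
bottom are constructed for the demonstration and do not come from any Oracle binary.
"""
from __future__ import annotations

from dataclasses import dataclass

JNZ_SHORT = 0x75  # jnz rel8
JMP_SHORT = 0xEB  # jmp rel8
NOP = 0x90


@dataclass
class Patch:
    offset: int      # byte offset of the modified run inside the section
    original: bytes  # bytes in the on-disk image
    modified: bytes  # bytes observed in process memory
    kind: str        # "jnz->jmp", "nop-out" or "other"


def classify(original: bytes, modified: bytes) -> str:
    """Label a differing run with the branch-tampering pattern it matches.

    A short conditional jump becomes unconditional when its opcode byte changes
    (0x75 -> 0xEB); a run that is all NOPs in memory means instructions were nulled
    out. Everything else is reported as "other" for a human to look at.
    """
    if len(original) <= 2 and original[0] == JNZ_SHORT and modified[0] == JMP_SHORT:
        return "jnz->jmp"
    if all(b == NOP for b in modified):
        return "nop-out"
    return "other"


def find_inline_patches(disk_text: bytes, mem_text: bytes) -> list[Patch]:
    """Return every maximal run of bytes where memory differs from disk."""
    if len(disk_text) != len(mem_text):
        raise ValueError("section sizes differ; compare the same raw-data range")
    patches: list[Patch] = []
    i, n = 0, len(disk_text)
    while i < n:
        if disk_text[i] == mem_text[i]:
            i += 1
            continue
        start = i
        while i < n and disk_text[i] != mem_text[i]:
            i += 1
        orig, mod = disk_text[start:i], mem_text[start:i]
        patches.append(Patch(start, orig, mod, classify(orig, mod)))
    return patches


# Constructed sample: a tiny x86 fragment with two checks, as it would look on disk.
DISK_TEXT = bytes([
    0x85, 0xC0,                    # test eax, eax
    0x75, 0x05,                    # jnz +5       (skip the failure handler when ok)
    0xE8, 0x10, 0x00, 0x00, 0x00,  # call <reject_login>
    0x85, 0xC9,                    # test ecx, ecx
    0x74, 0x05,                    # jz +5
    0xE8, 0x20, 0x00, 0x00, 0x00,  # call <audit_failure>
    0x33, 0xC0,                    # xor eax, eax
    0xC3,                          # ret
])

# The same fragment as tampered in memory: the first branch is made unconditional
# and the second call is overwritten with five NOPs.
_mem = bytearray(DISK_TEXT)
_mem[2] = JMP_SHORT
_mem[13:18] = bytes([NOP] * 5)
MEM_TEXT = bytes(_mem)


def demo() -> list[Patch]:
    """Run the comparison on the constructed sample and return the findings."""
    return find_inline_patches(DISK_TEXT, MEM_TEXT)


if __name__ == "__main__":
    for p in demo():
        print(f"+0x{p.offset:04x} {p.kind:9} {p.original.hex()} -> {p.modified.hex()}")
```

On the sample this reports a one-byte jnz -> jmp at offset 2 and a five-byte nop-out at offset 13. Near conditional jumps (0F 8x rel32) and patches that also rewrite the displacement fall into "other", which is the right default for a check whose job is to raise an alert rather than to be clever about the disassembly.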
Appendix A — Affected Oracle Database Versions
Oracle Database v 10.2.0.3 Patch 14
Oracle Database v 9.2.0.4.0 P1
Oracle Database v 8.0.5.2.2
Oracle Database v 11.1.0.7 Patch 11
Oracle Database v 9.0.1.3.1 P3
Oracle Database v 9.2.0.8 Patch 12
Oracle Database v 8.1.7.4.20
Oracle Database v 10.2.0.4 Patch 4
Oracle Database v 9.2.0.2.1 Patch 1.5
Oracle Database v 8.1.6.3.1
Oracle Database v 9.2.0.6 Base
Oracle Database v 10.2.0.4 Patch 9
Oracle Database v 9.2.0.4 Patch 3
Oracle Database v 10.1.0.4 Patch 3
Oracle Database v 9.0.1.5 Patch 5 FIPS
Oracle Database v 8.1.6.3.3
Oracle Database v 9.2.0.6 Patch 16
Oracle Database v 9.2.0.7 Patch 3
Oracle Database v 11.1.0.7 Patch 9
Oracle Database v 10.1.0.4 Patch 17
Oracle Database v 10.2.0.4 Patch 12
Oracle Database v 10.1.0.5 Patch 2
Oracle Database v 7.3.4.5.2
Oracle Database v 10.2.0.2 Patch 8
Oracle Database v 10.2.0.2 Patch 2
Oracle Database v 11.1.0.6
Oracle Database v 8.1.6.1.1
Oracle Database v 10.2.0.1 Patch 7
Oracle Database v 10.1.0.3 Patch 5
Oracle Database v 9.0.1.2.0 P5
Oracle Database v 10.2.0.3 Patch 25
Oracle Database v 9.2.0.8 Patch 7
Oracle Database v 8.1.7.0.2
Oracle Database v 10.2.0.2 Patch 15
Oracle Database v 10.1.0.4 Patch 10
Oracle Database v 10.2.0.3 Patch 1
Oracle Database v 10.1.0.5 Base
Oracle Database v 8.1.6.3.5
Oracle Database v 8.0.3.0.0
Oracle Database v 9.2.0.6 Patch 6
Oracle Database v 10.2.0.2 Base
Oracle Database v 10.1.0.5 Patch 9
Oracle Database v 9.2.0.2.1 P5
Oracle Database v 7.3.3.5.3
Oracle Database v 10.2.0.4 Patch 10
Oracle Database v 9.2.0.1.0
Oracle Database v 10.1.0.5 Patch 6
Oracle Database v 8.1.7.1.3
Oracle Database v 10.2.0.2 Patch 18
Oracle Database v 10.2.0.3 Patch 5
Oracle Database v 8.1.6.1.5
Oracle Database v 10.2.0.4 Patch 16
Oracle Database v 10.1.0.5 Patch 34
Oracle Database v 10.2.0.3 Patch 7
Oracle Database v 9.0.1.4.1 Patch 6
Oracle Database v 10.2.0.2 Patch 10
Oracle Database v 9.0.1.5 Patch 9
Oracle Database v 9.2.0.3.0 P1
Oracle Database v 8.1.7.4.17
Oracle Database v 8.1.7.4 Patch 27
Oracle Database v 8.0.5.0.0
Oracle Database v 9.0.1.5 Patch 11
Oracle Database v 9.2.0.6 Patch 2
Oracle Database v 10.2.0.4 Patch 24
Oracle Database v 10.2.0.1 Patch 2
Oracle Database v 8.0.3.2.3
Oracle Database v 8.1.7.4 Patch 22
Oracle Database v 9.0.1.1.1
Oracle Database v 9.2.0.3.0 P3
Oracle Database v 10.1.0.5 Patch 1
Oracle Database v 10.2.0.3 Patch 29
Oracle Database v 11.1.0.7 Patch 17
Oracle Database v 9.2.0.4 Base
Oracle Database v 11.2.0.1 Patch 7 - 64-bit
Oracle Database v 9.2.0.8 Patch 9
Oracle Database v 9.0.1.3.1 P4
Oracle Database v 9.2.0.6 Patch 1
Oracle Database v 10.2.0.3 Patch 18
Oracle Database v 8.0.6.3.8
Oracle Database v 9.0.1.4.1 Patch 13
Oracle Database v 9.2.0.6 Patch 3
Oracle Database v 8.0.4.3.8
Oracle Database v 11.1.0.7 Patch 8
Oracle Database v 8.1.6.3.4
Oracle Database v 9.2.0.7 Patch 13
Oracle Database v 10.1.0.2.0 Patch 3
Oracle Database v 9.0.1.5.0
Oracle Database v 8.1.7.3.2
Oracle Database v 10.1.0.3 Patch 6
Oracle Database v 8.1.7.4.1
Oracle Database v 9.0.1.4.1 Patch 9
Oracle Database v 9.2.0.8 Patch 21
Oracle Database v 10.1.0.5 Patch 30
Oracle Database v 8.1.5.0.5
Oracle Database v 10.1.0.5 Patch 26
Oracle Database v 10.2.0.3 Patch 21
Oracle Database v 11.1.0.6 Patch 5
Oracle Database v 10.2.0.3 Patch 11
Oracle Database v 8.1.7.1.1
Oracle Database v 10.1.0.4 Patch 11
Oracle Database v 11.1.0.6 Patch 9
Oracle Database v 9.0.1.4.1
Oracle Database v 10.2.0.1 Base
Oracle Database v 8.1.7.4 Patch 26
Oracle Database v 8.1.7.2.7
Oracle Database v 7.3.2.3.15
Oracle Database v 10.1.0.5 Patch 10
Oracle Database v 10.1.0.5 Patch 18
Oracle Database v 11.1.0.6 Patch 4
Oracle Database v 10.1.0.3 Patch 4
Oracle Database v 9.0.1.2.0
Oracle Database v 8.0.5.2.1
Oracle Database v 11.2.0.2 Base - 64-bit
Oracle Database v 11.1.0.7 Patch 7
Oracle Database v 9.2.0.7 Patch 8
Oracle Database v 9.2.0.8 Patch 2
Oracle Database v 9.2.0.7 Patch 4
Oracle Database v 9.2.0.8 Patch 20
Oracle Database v 7.3.3.6.0
Oracle Database v 9.2.0.8 Patch 18
Oracle Database v 11.1.0.7 Patch 10
Oracle Database v 10.1.0.5 Patch 4
Oracle Database v 7.3.4.0.0
Oracle Database v 10.2.0.4 Patch 2
Oracle Database v 9.2.0.6 Patch 11
Oracle Database v 8.1.7.3.0
Oracle Database v 10.1.0.4.2 Patch 1
Oracle Database v 9.2.0.8 Base
Oracle Database v 8.1.7.4.5
Oracle Database v 8.1.7.4.12
Oracle Database v 9.2.0.5 Patch 4
Oracle Database v 10.1.0.4 Patch 16
Oracle Database v 9.0.1.4.1 Patch 12
Oracle Database v 11.1.0.6 Patch 6
Oracle Database v 8.0.6.1.0
Oracle Database v 9.2.0.7 Base
Oracle Database v 9.0.1.5 Patch 14
Oracle Database v 11.1.0.6 Patch 1
Oracle Database v 9.2.0.8 Patch 1
Oracle Database v 10.2.0.3 Patch 13
Oracle Database v 9.0.1.5 Patch 13
Oracle Database v 9.0.1.2.0 P2
Oracle Database v 9.2.0.7 Patch 10
Oracle Database v 10.2.0.3 Patch 19
Oracle Database v 9.0.1.5 Patch 2
Oracle Database v 10.2.0.2 Patch 6
Oracle Database v 11.2.0.1 Base - 64-bit
Oracle Database v 10.2.0.4 Patch 11
Oracle Database v 9.2.0.7 Patch 14
Oracle Database v 9.0.1.5 Patch 6
Oracle Database v 9.0.1.4.1 Patch 10
Oracle Database v 10.2.0.3 Patch 15
Oracle Database v 7.3.4.5.0
Oracle Database v 10.2.0.1 Patch 5
Oracle Database v 10.2.0.1 Patch 8
Oracle Database v 9.0.1.4.1 P4
Oracle Database v 8.1.7.4 Patch 24
Oracle Database v 9.0.1.4.1 P3
Oracle Database v 10.2.0.4 Patch 18
Oracle Database v 10.2.0.4 Patch 20
Oracle Database v 8.1.7.4 Patch 23
Oracle Database v 10.2.0.3 Patch 3
Oracle Database v 9.0.1.4.1 P2
Oracle Database v 10.1.0.4 Patch 13
Oracle Database v 11.1.0.7 Patch 5
Oracle Database v 8.1.6.0.0
Oracle Database v 9.2.0.5 Patch 2
Oracle Database v 9.0.1.3.1 P5
Oracle Database v 11.1.0.6 Patch 15
Oracle Database v 9.0.1.5 Patch 8
Oracle Database v 8.1.7 p1575474
Oracle Database v 11.1.0.7 Patch 15
Oracle Database v 8.0.6.1.2
Oracle Database v 11.1.0.6 Patch 17
Oracle Database v 8.0.6.3.3
Oracle Database v 10.2.0.1 Patch 9
Oracle Database v 10.2.0.4 Patch 21
Oracle Database v 9.0.1.3.1
Oracle Database v 10.2.0.2 Patch 13
Oracle Database v 11.1.0.6 Patch 3
Oracle Database v 10.1.0.5 Patch 27
Oracle Database v 10.1.0.5 Patch 19
Oracle Database v 9.0.1.4.1 P1
Oracle Database v 10.1.0.2.0 patch 6
Oracle Database v 10.2.0.4 Patch 5
Oracle Database v 10.1.0.3 Patch 11
Oracle Database v 11.1.0.7 Patch 4
Oracle Database v 9.2.0.6 Patch 10
Oracle Database v 10.1.0.4 Patch 5
Oracle Database v 10.2.0.1 Base - 64-bit
Oracle Database v 8.0.4.0.0
Oracle Database v 11.1.0.6 Patch 8
Oracle Database v 10.1.0.4 Patch 1
Oracle Database v 11.1.0.7 Patch 3
Oracle Database v 10.2.0.2 Patch 17
Oracle Database v 11.1.0.6 Patch 2
Oracle Database v 10.1.0.3.0 Base
Oracle Database v 10.2.0.1 Patch 4
Oracle Database v 10.2.0.3 Patch 17
Oracle Database v 10.1.0.5 Patch 3
Oracle Database v 11.1.0.6 Patch 16
Oracle Database v 8.0.4.4.1
Oracle Database v 10.2.0.3 Patch 6
Oracle Database v 10.1.0.5 Patch 14
Oracle Database v 8.1.6.3.2
Oracle Database v 10.1.0.5 Patch 7
Oracle Database v 8.0.5.2.4
Oracle Database v 10.2.0.3 Patch 4
Oracle Database v 10.1.0.4 Patch 7
Oracle Database v 10.2.0.4 Patch 6
Oracle Database v 10.2.0.3 Patch 2
Oracle Database v 8.1.5.0.1
Oracle Database v 10.2.0.2 Patch 1
Oracle Database v 10.2.0.2 Patch 11
Oracle Database v 10.1.0.2.0 Patch 1
Oracle Database v 8.1.7.4 Patch 29
Oracle Database v 8.1.6.1.2
Oracle Database v 10.1.0.4 Patch 4
Oracle Database v 9.2.0.6 Patch 9
Oracle Database v 10.2.0.3 Patch 26
Oracle Database v 10.1.0.3 Patch 2
Oracle Database v 9.2.0.5 Patch 6
Oracle Database v 9.2.0.8 Patch 4
Oracle Database v 10.2.0.2 Patch 14
Oracle Database v 11.1.0.6 Patch 13
Oracle Database v 10.2.0.4 Patch 8
Oracle Database v 9.2.0.5 Patch 9
Oracle Database v 10.1.0.4 Patch 8
Oracle Database v 11.1.0.6 Patch 11
Oracle Database v 10.1.0.4 Patch 15
Oracle Database v 8.1.7.4.6
Oracle Database v 9.2.0.3.0 P2
Oracle Database v 10.2.0.3 Patch 28
Oracle Database v 8.0.5.1.5
Oracle Database v 10.1.0.5 Patch 28
Oracle Database v 9.2.0.3 Base
Oracle Database v 9.2.0.4 Patch 8
Oracle Database v 8.1.6.3.8
Oracle Database v 11.1.0.6 Patch 7
Oracle Database v 8.0.4.0.1
Oracle Database v 10.1.0.4 Patch 14
Oracle Database v 8.1.7.4.18
Oracle Database v 10.2.0.3 Patch 9
Oracle Database v 9.0.1.4.1 Patch 15
Oracle Database v 10.1.0.4 Patch 6
Oracle Database v 9.2.0.7 Patch 16
Oracle Database v 10.2.0.2 Patch 16
Oracle Database v 8.1.6.3.0
Oracle Database v 10.2.0.4 Patch 17
Oracle Database v 9.2.0.2.1 P2
Oracle Database v 10.1.0.3 Patch 9
Oracle Database v 10.1.0.5 Patch 21
Oracle Database v 9.2.0.7 Patch 17
Oracle Database v 8.0.6.0.0
Oracle Database v 8.1.7.4.7
Oracle Database v 8.0.6.3 Patch 13
Oracle Database v 9.2.0.5 Patch 5
Oracle Database v 8.0.5.2.6
Oracle Database v 11.1.0.7 Patch 13
Oracle Database v 10.2.0.2 Patch 3
Oracle Database v 8.1.7.1.2
Oracle Database v 9.2.0.1.1
Oracle Database v 10.1.0.5 Patch 12
Oracle Database v 10.1.0.3 Patch 3
Oracle Database v 10.1.0.5 Patch 20
Oracle Database v 10.1.0.5 Patch 29
Oracle Database v 11.1.0.7 Patch 6
Oracle Database v 8.1.7.3.3
Oracle Database v 10.2.0.3 Patch 22
Oracle Database v 8.1.7.4.19
Oracle Database v 10.1.0.5 Patch 17
Oracle Database v 8.0.4.3.5
Oracle Database v 9.2.0.8 Patch 14
Oracle Database v 10.2.0.4 Patch 14
Oracle Database v 9.2.0.7 Patch 1
Oracle Database v 8.1.7.2.3
Oracle Database v 9.2.0.6 Patch 13
Oracle Database v 10.2.0.1 Patch 1
Oracle Database v 10.2.0.4 Patch 22
Oracle Database v 9.2.0.2.1 Base
Oracle Database v 10.1.0.2.0 patch 5
Oracle Database v 10.2.0.4 Patch 15
Oracle Database v 9.2.0.8 Patch 15
Oracle Database v 11.1.0.7 Patch 16
Oracle Database v 10.2.0.4 Patch 1
Oracle Database v 10.2.0.4 Patch 3
Oracle Database v 10.2.0.3 Patch 30
Oracle Database v 9.2.0.8 Patch 22
Oracle Database v 10.2.0.3 Patch 10
Oracle Database v 8.1.7.4.16
Oracle Database v 9.2.0.4 Patch 7
Oracle Database v 9.2.0.7 Patch 7
Oracle Database v 10.1.0.5 Patch 8
Oracle Database v 8.1.7.4.15
Oracle Database v 10.2.0.3 Patch 23
Oracle Database v 8.1.7.4.9
Oracle Database v 11.1.0.7 Patch 12
Oracle Database v 10.1.0.5 Patch 25
Oracle Database v 8.1.5.0.4
Oracle Database v 9.2.0.1.2
Oracle Database v 8.1.6 p1683364
Oracle Database v 8.1.7.2.4
Oracle Database v 8.1.7.0.0
Oracle Database v 7.3.3.0.0
Oracle Database v 11.1.0.6 Patch 12
Oracle Database v 10.2.0.4
Oracle Database v 9.2.0.6 Patch 5
Oracle Database v 11.1.0.7 Patch 1
Oracle Database v 9.0.1.4.1 Patch 14
Oracle Database v 10.2.0.2 Patch 5
Oracle Database v 9.2.0.8 Patch 16
Oracle Database v 9.2.0.5 Patch 8
Oracle Database v 9.0.1.5 Patch 12
Oracle Database v 10.2.0.3 Patch 31
Oracle Database v 9.2.0.6 Patch 7
Oracle Database v 10.1.0.5 Patch 13
Oracle Database v 9.2.0.8 Patch 19
Oracle Database v 11.1.0.6 Patch 10
Oracle Database v 9.2.0.6 Patch 15
Oracle Database v 7.2.2.4.0
Oracle Database v 9.2.0.5 Patch 3
Oracle Database v 8.1.5.1.1
Oracle Database v 11.1.0.6 Patch 14
Oracle Database v 11.1.0.7 Patch 2
Oracle Database v 10.2.0.3 Patch 27
Oracle Database v 8.1.7.1.5
Oracle Database v 10.1.0.5 Patch 23
Oracle Database v 10.1.0.2.0 Patch 4
Oracle Database v 10.2.0.4 Patch 7
Oracle Database v 9.2.0.8 Patch 17
Oracle Database v 8.1.7.4.13
Oracle Database v 10.1.0.5 Patch 22
Oracle Database v 8.1.5.1.0
Oracle Database v 9.2.0.8 Patch 8
Oracle Database v 8.1.5.0.0
Oracle Database v 10.1.0.2.0 Base
Oracle Database v 9.2.0.4.0 P2
Oracle Database v 11.1.0.7 Patch 14
Oracle Database v 9.2.0.8 Patch 11
Oracle Database v 10.1.0.4 Patch 12
Oracle Database v 9.2.0.4 Patch 5
Oracle Database v 9.0.1.5 Patch 4
Oracle Database v 8.0.4.4.0
Oracle Database v 9.0.1.5 Patch 10
Oracle Database v 10.2.0.3 Base
Oracle Database v 10.1.0.3 Patch 10
Oracle Database v 9.2.0.5 Patch 10
Oracle Database v 9.2.0.7 Patch 6
Oracle Database v 10.2.0.4 Patch 13
Oracle Database v 9.2.0.6 Patch 14
Oracle Database v 10.1.0.4.0 Base
Oracle Database v 9.2.0.8 Patch 5
Oracle Database v 11.1.0.7
Oracle Database v 9.2.0.7 Patch 11
Oracle Database v 10.1.0.5 Patch 24
Oracle Database v 10.2.0.4 Patch 19
Oracle Database v 9.2.0.8 Patch 24
Oracle Database v 10.1.0.3 Patch 8
Oracle Database v 8.1.7.2.2
Oracle Database v 8.1.7.4 Patch 28
Oracle Database v 9.2.0.5.0 P1
Oracle Database v 10.2.0.4 Patch 23
Oracle Database v 9.0.1.4.1 Patch 7
Oracle Database v 8.0.6.3.2
Oracle Database v 9.2.0.5.0
Oracle Database v 7.3.4.4.0
Oracle Database v 10.1.0.5 Patch 16
Oracle Database v 8.1.7.2.5
Oracle Database v 9.2.0.8 Patch 6
Oracle Database v 7.3.2.2.0
Oracle Database v 8.1.6.3.6
Oracle Database v 10.1.0.2.0 Patch 2
Oracle Database v 9.2.0.7 Patch 15
Oracle Database v 9.2.0.2.1 Patch 1
Oracle Database v 8.1.7.2.1
Oracle Database v 10.2.0.2 Patch 9
Oracle Database v 9.0.1.3.1 P2
Oracle Database v 8.1.6.1.3
Oracle Database v 8.0.5.2.5
Oracle Database v 9.2.0.2.1 P6