Using Oracle BBED Block Editor Utility
Oracle’s BBED utility (Block Browser and Editor)
is available in all releases of Oracle, from
Oracle7 to Oracle11g.
Designed for internal use only, BBED can
be used for several functions, both legitimate
and illegal. This tool means that there is
effectively no privilege control between the
users in the OSDBA group that can access BBED.
For instance, the tool could be used to change
the SYS password and status to a known value.
This would act as a safety measure if Oracle
decided to start locking out SYS AS SYSDBA in
the case of a brute force attack.
BBED could also be used by an attacker,
so removing the tool from the server is a
good recommendation.
However, it is worth keeping a copy of BBED on
hand when it comes to the field of Oracle
Forensics in order to recover data from the
database that has been deleted by an attacker.
BBED ships with 8i on Windows as bbed.exe.
On *nix, the object files are included but need
to be linked, as will be shown, so keep an
unlinked copy available.
The original intent for BBED is for use by
Oracle Technical support to browse, diagnose and
repair data block corruption issues. BBED is an
excellent tool for browsing data blocks for
those interested in examining the internal
structures with data and index blocks.
However, the "alter system dump" command
can also dump data block contents.
WARNING: NEVER use BBED in EDIT mode unless
working with Oracle technical support.
Beware, hackers might use BBED to break into an
Oracle database.
Tools like BBED can be used to view data
directly within their data block by bypassing
the Oracle layer, and because BBED writes
directly to the data block, BBED could be used
by hackers to update a database without logging
and auditing.
Using and Linking BBED
The paper titled "Disassembling the Oracle Data
Block",
(http://www.orafaq.com/papers/dissassembling_the_data_block.pdf)
has complete instructions for installing and
using BBED.
This make command shows how to link-edit BBED.
What follows is a brief set of
instructions for making the BBED executable and
using the program:
make -f ins_rdbms.mk BBED=$ORACLE_HOME/bin/bbed $ORACLE_HOME/bin/bbed
TIP: BBED Safety tip: When using BBED, always
stay in BROWSE mode, and only use BBED EDIT mode
(with VER and REP) when completely knowledgeable.
BBED allows direct editing of the datafiles,
therefore bypassing Oracle's access control. Of
course, one will need to have OS access to the
datafiles which should limit the use of this
tool to the OS level Oracle account and the rest
of OSDBA group.
On UNIX, the object files are included but need
to be linked.
As the Oracle OS user:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk $ORACLE_HOME/rdbms/lib/bbed
[oracle@localhost lib]$ file bbed
bbed: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
Create a listfile for BBED to work from:
SQL> SELECT FILE#|| ' '||name||' '||bytes from v$datafile;
FILE#||''||NAME||''||BYTES
1 /u01/app/oracle/oradata/orcl/system01.dbf 513802240
2 /u01/app/oracle/oradata/orcl/undotbs01.dbf 52428800
3 /u01/app/oracle/oradata/orcl/sysaux01.dbf 293601280
4 /u01/app/oracle/oradata/orcl/users01.dbf 5242880
5 /u01/app/oracle/oradata/orcl/example01.dbf 104857600
And input the result into a text file called
listfile.txt. Listfile.txt is then referenced in
the BBED parameter file as below.
[oracle@localhost lib]$ vi bbed.par
blocksize=8192
listfile=/u01/app/oracle/oracle/product/10.2.0/db_4/rdbms/lib/listfile.txt
mode=edit
This shows the commands available:
This shows the current configuration of BBED:
DBMS_ROWID is the package to use to get the
necessary information to feed into BBED. BBED
can be used to read individual Oracle data
blocks; however, it will not find block
corruption.
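The page recommends removing BBED from the server and staying out of EDIT mode. The script below is an added example, not part of the original article or of any Oracle tooling: it checks the two paths the make commands above link the executable to and flags parameter files that set mode=edit. The function names and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: report BBED exposure in an ORACLE_HOME.

# True if the path is a linked (regular, executable) BBED binary.
is_linked_bbed() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Print the last mode= value in a BBED parameter file, lower-cased ("unset" if none).
# Case-insensitive matching is a defensive assumption about how BBED parses the file.
par_mode() {
    m=$(tr 'A-Z' 'a-z' < "$1" |
        sed -n 's/^[[:space:]]*mode[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' |
        tail -n 1)
    printf '%s\n' "${m:-unset}"
}

# Print one FINDING line per problem; return 1 if any were found, else 0.
audit_bbed() {
    oh=$1
    rc=0
    # The two locations the page links the executable to.
    for exe in "$oh/bin/bbed" "$oh/rdbms/lib/bbed"; do
        if is_linked_bbed "$exe"; then
            echo "FINDING linked BBED executable: $exe"
            rc=1
        fi
    done
    # Parameter files that name a listfile and switch BBED to EDIT mode.
    for par in "$oh"/rdbms/lib/*.par "$oh"/bin/*.par; do
        [ -f "$par" ] || continue
        grep -qi '^[[:space:]]*listfile[[:space:]]*=' "$par" || continue
        if [ "$(par_mode "$par")" = "edit" ]; then
            echo "FINDING parameter file enables EDIT mode: $par"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo tree standing in for a real ORACLE_HOME.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/rdbms/lib"
printf '#!/bin/sh\n' > "$demo/rdbms/lib/bbed" && chmod 755 "$demo/rdbms/lib/bbed"
printf 'blocksize=8192\nlistfile=/tmp/listfile.txt\nmode=edit\n' > "$demo/rdbms/lib/bbed.par"
audit_bbed "$demo" || echo "audit reported findings"
rm -rf "$demo"
```

On a real server, run audit_bbed "$ORACLE_HOME" as the Oracle OS user; an unlinked copy (object files only) produces no finding.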
For more details on Oracle utilities, see the book "Advanced
Oracle Utilities" by Bert Scalzo, Donald K. Burleson, and Steve Callan.