Among those tools are Windows exploits, but also tools to compromise SWIFT Service Alliance servers. One of these tools, PASSFREELY, enables the bypass of the authentication process of Oracle Database servers, and the others, initial_oracle_exploit.sql and swift_msg_queries_all.sql, are Oracle Database scripts to back up all the transactions stored in the Oracle databases (as explained in last week’s post), all the Oracle administrator accounts including their credentials, and also internal undocumented structures of the schema tables of the SWIFT Messaging tables.

PASSFREELY forces an Oracle Database server that has been compromised with DOUBLEPULSAR to accept every incoming connection. It disables the authentication requirements by directly modifying the Oracle Database application in the server’s memory. Oracle databases are among the most popular enterprise database systems in the world, used by everything from airlines to telecoms. They also happen to be used by the international bank messaging system, SWIFT, to store financial transactions.

PASSFREELY

PASSFREELY is an Oracle Database server implant that allows ANY connection to the Oracle Database by altering the authentication procedures for 386 versions of Oracle.

The implant looks for the ORACLE{xx}.EXE process in memory before patching the authentication function to allow any connections.

List of processes targeted by PASSFREELY

ORACLE72.EXE

ORACLE73.EXE

ORACLE80.EXE

ORACLE.EXE

According to the strings contained in the implant, 386 versions of Oracle Database (Oracle 7.2 -> 11.2; see Appendix A for the detailed list) are affected by this four-year-old version of PASSFREELY. After analysis, 2635 code mutations are stored, which means each bypass requires an average of 7 code modifications per Oracle Database target.
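From the defender's side, a patch applied to the Oracle process in memory shows up as a mismatch between the running code and the binary on disk. The following added example (not code from the original post or from the leaked tools) diffs a code section captured from a running ORACLE*.EXE process against the same section of the on-disk file and reports each modified byte run. The function names, the `ignore` list for loader relocation fixups and the sample bytes are assumptions constructed for illustration; how the two byte strings are acquired is left to the forensic tooling in use.

```python
# Added example: locate byte runs where in-memory code differs from the
# on-disk image. All sample data is constructed, not taken from Oracle.

def diff_runs(disk: bytes, mem: bytes, ignore=(), gap: int = 4):
    """Return [(offset, disk_bytes, mem_bytes)] for each modified run.

    ignore: (start, length) ranges the loader legitimately rewrites
            (e.g. relocation fixups); differences there are not reported.
    gap:    differing bytes separated by at most `gap` unchanged bytes are
            merged, since one patched instruction rarely changes every byte.
    """
    if len(disk) != len(mem):
        raise ValueError("section sizes differ; compare the same range")
    skip = set()
    for start, length in ignore:
        skip.update(range(start, start + length))
    changed = [i for i in range(len(disk))
               if disk[i] != mem[i] and i not in skip]
    runs = []
    for i in changed:
        if runs and i - runs[-1][1] <= gap + 1:
            runs[-1][1] = i          # extend the current run
        else:
            runs.append([i, i])      # start a new run
    return [(s, disk[s:e + 1], mem[s:e + 1]) for s, e in runs]


def sample_sections():
    """Constructed stand-ins for a code section on disk and in memory."""
    disk = bytes((i * 7 + 3) & 0xFF for i in range(256))
    mem = bytearray(disk)
    mem[0x20:0x22] = b"\xAA\xBB"            # constructed 2-byte modification
    mem[0x80:0x85] = b"\xAA" * 5            # constructed 5-byte modification
    mem[0xC0:0xC4] = b"\x00\x10\x40\x00"    # constructed relocation fixup
    return disk, bytes(mem)


if __name__ == "__main__":
    disk, mem = sample_sections()
    # The relocation fixup at 0xC0 is expected, so it is excluded.
    for off, old, new in diff_runs(disk, mem, ignore=[(0xC0, 4)]):
        print(f"+0x{off:04x}: {old.hex()} -> {new.hex()}")
```

Any run reported outside the known relocation ranges of a code section is a reason to capture the process for full analysis.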