Into the Black Box: A Case Study in Obtaining Visibility into Commercial Software
2 Database
The first step in decoding these databases was to determine the type of database system that Netscape used to store information. If Netscape used a proprietary database, this step was going to be difficult. We recalled that Netscape released some initial source code of their Mozilla browser. Although the released source code did not contain support for security, we suspected that Netscape used the same database to store more than just security-related items. If this suspicion held true, we could take advantage of our knowledge of this implementation detail to gain programmatic access to the Netscape databases.
We downloaded the Mozilla source, unzipped it and discovered a directory named "dbm." After a closer investigation, we discovered that the files in the dbm directory were the source code files for the Berkeley DB 1.85 database. Next, we built a library from the source for the Berkeley DB 1.85. We wrote a simple test program called "DBDump" (see Figure 1) to open a database, dump all records, and access keys in binary form. The Berkeley DB 1.85 database supports three different types of database files:
The test program executed successfully on both the key (key3.db) and certificate (cert7.db) databases. Thus, we determined that the Berkeley DB 1.85 was the database system Netscape used to create, access and modify the databases.
Figure 2 shows the output from the "DBDump" program when given a key3.db file as input. Both the certificate and key databases are in the DB_HASH format.
#pragma hdrstop
#include <condefs.h>        /* Borland C++ Builder console-project header */
#include <stdio.h>
#include <ctype.h>
#include <fcntl.h>          /* O_RDONLY */
#include "mcom_db.h"        /* Berkeley DB 1.85 API as shipped in Mozilla's dbm directory */
//--------------------------------------------------------------------------
USELIB("..\lib\dbm\dbmlib.lib");   /* link against the library built from the dbm source */
//--------------------------------------------------------------------------
void dumphex(unsigned char *dptr, int size);
//---------------------------------------------------------------------------
#pragma argsused
int main(int argc, char **argv) {
    /* Open as a hash database with a 16 KB bucket size; the other fields take defaults. */
    static HASHINFO hash_info = {16*1024, 0, 0, 0, 0, 0};
    DB *db;
    int status, record = R_FIRST, cnt = 0;
    DBT key, data;

    if (argc != 2) {
        fprintf(stderr, "%s <filename>\n", argv[0]);
        return -1;
    }
    if ((db = dbopen(argv[1], O_RDONLY, 0644, DB_HASH, &hash_info)) == NULL) {
        fprintf(stderr, "Database open error\n");
        return -1;
    }
    /* Walk every record in sequence: R_FIRST positions the cursor, R_NEXT advances it. */
    while ((status = (*db->seq)(db, &key, &data, record)) == 0) {
        printf("Record %d\nKey Data: (%u bytes)\n", ++cnt, (unsigned)key.size);
        dumphex((unsigned char *)key.data, (int)key.size);
        printf("Record Data: (%u bytes)\n", (unsigned)data.size);
        dumphex((unsigned char *)data.data, (int)data.size);
        printf("\n\n");
        record = R_NEXT;
    }
    db->close(db);
    if (status < 0) {          /* seq returns 1 at end of data, < 0 on error */
        fprintf(stderr, "Database sequence error\n");
        return -1;
    }
    return 0;
}
//--------------------------------------------------------------------------
/* Print a buffer 16 bytes per line: offset, hex bytes, then printable characters. */
void dumphex(unsigned char *dptr, int size) {
    int cnt, counter = 0;
    while (size > 0) {
        cnt = (size > 16) ? 16 : size;
        printf("%08x ", counter);
        for (int i = 0; i < cnt; i++) printf("%02x ", dptr[counter + i]);
        for (int i = 0; i < 16 - cnt; i++) printf("   ");   /* pad a short final line to keep columns aligned */
        printf(" ");
        for (int i = 0; i < cnt; i++)
            (isprint(dptr[counter + i])) ? printf("%c", dptr[counter + i]) : printf(".");
        printf("\n");
        counter += 16;
        size -= 16;
    }
}
//--------------------------------------------------------------------------
Figure 1: DBDump.c Code
Record 1
Key Data: (7 bytes)
00000000 56 65 72 73 69 6f 6e Version
Record Data: (1 bytes)
00000000 03 .
Record 2
Key Data: (11 bytes)
00000000 67 6c 6f 62 61 6c 2d 73 61 6c 74 global-salt
Record Data: (16 bytes)
00000000 d4 b4 e9 b8 d2 6c 78 ad b9 28 e0 52 36 48 3b b7 .....lx..(.R6H;.
Record 3
Key Data: (14 bytes)
00000000 70 61 73 73 77 6f 72 64 2d 63 68 65 63 6b password-check
Record Data: (48 bytes)
00000000 03 10 01 ea f1 02 3f c8 d9 3c 3b 86 b8 53 3f 2d ......?..<;..S?-
00000010 0d 52 6c 00 0b 2a 86 48 86 f7 0d 01 0c 05 01 03 .Rl..*.H........
00000020 5e ed a0 c0 65 d1 39 0f e3 7a 37 ed 99 76 7b 1c ^...e.9..z7..v{.
Record 4
Key Data: (65 bytes)
00000000 00 b1 e0 ad 39 e7 09 41 b9 d3 21 90 9b 0f 95 78 ....9..A..!....x
00000010 e6 fd ef d3 62 34 51 4d 79 02 83 17 9f 4f 09 68 ....b4QMy....O.h
00000020 5c 81 a2 e6 2d b1 f7 bb e6 69 ba 39 a5 f4 17 0b \...-....i.9....
00000030 a9 a9 ea b0 4c 7f ff 55 a5 46 a7 67 10 3a 1f e1 ....L..U.F.g.:..
00000040 7b {
Record Data: (436 bytes)
00000000 03 08 23 47 eb a8 ce fc 4b c0 6b 53 63 6f 74 74 ..#G....K.kScott
00000010 20 41 20 48 69 73 73 61 6d 27 73 20 56 65 72 69 A Hissam's Veri
00000020 53 69 67 6e 2c 20 49 6e 63 2e 20 49 44 00 30 82 Sign, Inc. ID.0.
00000030 01 82 30 1c 06 0b 2a 86 48 86 f7 0d 01 0c 05 01 ..0...*.H.......
00000040 03 30 0d 04 08 47 eb a8 ce fc 4b c0 6b 02 01 01 .0...G....K.k...
00000050 04 82 01 60 bf 3e 52 71 3e 07 94 73 25 f2 28 8d ...`.>Rq>..s%.(.
00000060 06 d6 1e f8 b3 ec fa 59 17 06 ec f9 8f 92 19 fe .......Y........
00000070 4c ff c3 81 f8 be f0 12 a2 dd 6a d3 17 da 56 5a L.........j...VZ
00000080 b4 65 8b e8 5d 6f 4b ae 6f 5f 39 dc 1f ef bf 56 .e..]oK.o_9....V
00000090 6e 79 d5 b4 2b 9a 6e 20 98 4d 66 98 79 4c 85 98 ny..+.n .Mf.yL..
000000a0 31 1d 4b e3 de ef c3 07 54 76 86 50 a8 22 9e 94 1.K.....Tv.P."..
000000b0 c8 cb f9 f4 46 9e 52 26 f8 20 8c 51 e8 52 6e 95 ....F.R&. .Q.Rn.
000000c0 16 ca 9d 4d e6 7e 90 69 96 1e 1e df cc 67 fe ab ...M.~.i.....g..
000000d0 96 5a d7 88 26 1a a9 cc 52 f6 97 0f 28 fc 52 96 .Z..&...R...(.R.
000000e0 de fb fd f7 87 01 ae 71 e0 88 1b c6 7d 01 c8 83 .......q....}...
000000f0 27 40 36 a3 46 23 dd 64 86 64 f7 64 73 46 04 30 '@6.F#.d.d.dsF.0
00000100 3a 96 71 33 7e 98 f1 be 18 b9 8b 10 da ff fa 32 :.q3~..........2
00000110 ac 03 18 37 da 87 32 5f eb f7 ed 0d 37 b2 1b 97 ...7..2_....7...
00000120 35 d6 38 f2 f8 cc 4e 2d 00 e2 43 f1 6f 02 b2 fd 5.8...N-..C.o...
00000130 94 53 9d 7b 78 00 4d fb 4d 47 63 6e b9 65 92 4c .S.{x.M.MGcn.e.L
00000140 03 c2 a6 9f 20 59 80 d5 a0 d4 b2 79 51 6e 31 b6 .... Y.....yQn1.
00000150 20 d4 a9 43 80 31 ce c6 93 0c b0 1e 2f 13 3f c3 ..C.1....../.?.
00000160 c0 e0 7b 16 89 76 88 dd 38 d6 8f 2b 5f 6f 50 1d ..{..v..8..+_oP.
00000170 f7 48 d9 2e 89 c2 04 1f 78 6b ac 85 97 55 0f 71 .H......xk...U.q
00000180 be 5d d2 c7 c8 22 41 b6 c9 a0 c9 81 cd 93 55 83 .]..."A.......U.
00000190 d2 9d e3 00 63 72 4f 79 d4 e9 ad 1d 1e cd 79 3f ....crOy......y?
000001a0 89 9a 66 e4 f6 a2 1d ec a0 3e 61 35 81 cc b8 83 ..f......>a5....
000001b0 5c df 87 24 \..$
Figure 2: Output of DBDump (key3.db File as Input)
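The DBDump output in Figure 2 is a hex dump rather than raw bytes, so to work with the records programmatically (for example, to inventory which keys a key3.db holds and to check that each declared size matches the bytes actually printed) the dump has to be parsed back. The following Python parser is an added example, not code from the report or from Netscape; it assumes only the line layout that DBDump's dumphex() produces and embeds a constructed sample made of the first three records from Figure 2 plus an invented fourth record. That fourth record's key, "ab", shows the one subtlety of the format: dumphex() prints the printable-character column right after the hex bytes with nothing but spaces between them, so a parser that accepts every hex-looking token would read "ab" as a third byte. The declared byte count, not the line contents, decides how many tokens to take.

```python
"""Parse the text DBDump prints (Figure 2 layout) back into key/data byte strings."""
import re
from dataclasses import dataclass
from typing import List, Tuple

RECORD_RE = re.compile(r"^Record (\d+)$")
SECTION_RE = re.compile(r"^(Key|Record) Data: \((\d+) bytes\)$")

# Constructed sample in the layout DBDump prints: the three well-known key3.db
# records from Figure 2 plus an invented fourth record whose key "ab" makes the
# printable-character column look like a hex byte.
SAMPLE = """\
Record 1
Key Data: (7 bytes)
00000000 56 65 72 73 69 6f 6e Version
Record Data: (1 bytes)
00000000 03 .
Record 2
Key Data: (11 bytes)
00000000 67 6c 6f 62 61 6c 2d 73 61 6c 74 global-salt
Record Data: (16 bytes)
00000000 d4 b4 e9 b8 d2 6c 78 ad b9 28 e0 52 36 48 3b b7 .....lx..(.R6H;.
Record 3
Key Data: (14 bytes)
00000000 70 61 73 73 77 6f 72 64 2d 63 68 65 63 6b password-check
Record Data: (48 bytes)
00000000 03 10 01 ea f1 02 3f c8 d9 3c 3b 86 b8 53 3f 2d ......?..<;..S?-
00000010 0d 52 6c 00 0b 2a 86 48 86 f7 0d 01 0c 05 01 03 .Rl..*.H........
00000020 5e ed a0 c0 65 d1 39 0f e3 7a 37 ed 99 76 7b 1c ^...e.9..z7..v{.
Record 4
Key Data: (2 bytes)
00000000 61 62 ab
Record Data: (1 bytes)
00000000 ff .
"""


@dataclass
class Record:
    number: int
    key: bytes
    data: bytes


def _read_hexdump(lines: List[str], i: int, size: int) -> Tuple[bytes, int]:
    """Consume dumphex() lines from index i until `size` bytes have been read.

    Only the declared byte count decides how many hex tokens each line
    contributes; the trailing printable column is never interpreted.
    """
    buf = bytearray()
    while len(buf) < size:
        if i >= len(lines):
            raise ValueError("dump ended before %d bytes were read" % size)
        tokens = lines[i].split()
        i += 1
        if int(tokens[0], 16) != len(buf):
            raise ValueError("offset %s does not match bytes read so far" % tokens[0])
        want = min(16, size - len(buf))          # dumphex prints 16 bytes per line
        hex_tokens = tokens[1:1 + want]
        if len(hex_tokens) != want:
            raise ValueError("short hex line: %r" % lines[i - 1])
        buf.extend(int(t, 16) for t in hex_tokens)
    return bytes(buf), i


def parse_dbdump(text: str) -> List[Record]:
    lines = text.splitlines()
    records: List[Record] = []
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:                              # DBDump separates records with blank lines
            continue
        m = RECORD_RE.match(line)
        if m:
            if current is not None:
                records.append(current)
            current = Record(int(m.group(1)), b"", b"")
            continue
        m = SECTION_RE.match(line)
        if m and current is not None:
            payload, i = _read_hexdump(lines, i, int(m.group(2)))
            if m.group(1) == "Key":
                current.key = payload
            else:
                current.data = payload
            continue
        raise ValueError("unexpected line: %r" % line)
    if current is not None:
        records.append(current)
    return records


def key_label(key: bytes) -> str:
    """Show an all-printable key as text, anything else (e.g. a raw key ID) by length."""
    if key and all(0x20 <= b < 0x7F for b in key):
        return key.decode("ascii")
    return "<binary, %d bytes>" % len(key)


def summarize(records: List[Record]) -> List[Tuple[str, int]]:
    """Inventory of (key label, data length) pairs, one per record."""
    return [(key_label(r.key), len(r.data)) for r in records]


if __name__ == "__main__":
    for label, size in summarize(parse_dbdump(SAMPLE)):
        print("%-24s %4d bytes of data" % (label, size))
```

Run stand-alone it lists the four records; fed a real DBDump capture it reports which of the named bookkeeping records (Version, global-salt, password-check) are present and how large each keyed entry is, and it raises ValueError rather than silently returning partial data when a dump is truncated or an offset is out of sequence.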