Security Incidents mailing list archives
Re: Oracle 8i compromise questions
From: Joshua Wright <jwright () hasborg com>
Date: Fri, 19 Aug 2005 16:50:51 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jack,

Jack Donovan wrote:
> A client of mine reported a compromise of an outdated Oracle 8i (8.174) database server running on Windows 2000, which they wanted me to try and figure out the root cause of.

My guess is that the attackers compromised the listener process to overwrite arbitrary files owned by the Oracle software owner on the operating system. I posted something about this on the pen-test list a few weeks back:

http://archives.neohapsis.com/archives/sf/pentest/2005-08/0008.html

If the attackers can overwrite the remote password authentication file, they can log in as SYS remotely. Once they are logged in as SYS (or, really, as any other user, since this is a fairly old installation of Oracle with lots of bugs that don't get addressed by Oracle with patches), it's trivial to write to any file on the filesystem as the Oracle software owner. In "The Database Hacker's Handbook", David Litchfield refers to the database as "one big bash shell" (paraphrasing), which is quite accurate.

I'm curious, what were the omitted entries for CLIENT USER and CLIENT TERMINAL? That may give you some personally identifiable information about your attacker (or at least the host they used to attack with).

Good luck,

- -Josh

- --
- -Joshua Wright
jwright () hasborg com
2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDBkYqTS8i9jZYpL8RAkujAKDp1OySdhxOF7pIQ06KRmHynDgeOQCg5a/p
Z5RJsFftoSDkaj8H3dW0tq4=
=Ah81
-----END PGP SIGNATURE-----
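The CLIENT USER and CLIENT TERMINAL fields Josh asks about are the ones Oracle on Windows writes to the Application event log for every SYSDBA connection. The following Python script is an added example, not part of the original thread or of Oracle's tooling: it parses a handful of constructed records in that "Audit trail: ACTION : ..." layout and flags SYSDBA connections that were authenticated through the password file (a named DATABASE USER such as SYS rather than '/') from a terminal other than the database host, which is the pattern a rewritten remote password file would leave behind. The record layout, the sample values, the host name ORADB01, the trusted-user list and the reading of STATUS as an ORA- error number are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records (assumption: modelled on the mandatory SYSDBA
# audit entries Oracle on Windows writes to the Application event log).
# They are invented for this example, not taken from the incident.
SAMPLE_EVENTS = [
    "Audit trail: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA "
    "CLIENT USER: SYSTEM CLIENT TERMINAL: ORADB01 STATUS: 0",
    "Audit trail: ACTION : 'CONNECT' DATABASE USER: 'SYS' PRIVILEGE : SYSDBA "
    "CLIENT USER: l33t CLIENT TERMINAL: WORKGROUP\\LAPTOP-7 STATUS: 0",
    "Audit trail: ACTION : 'CONNECT' DATABASE USER: 'SYS' PRIVILEGE : SYSDBA "
    "CLIENT USER: l33t CLIENT TERMINAL: WORKGROUP\\LAPTOP-7 STATUS: 1017",
    "Audit trail: ACTION : 'SHUTDOWN' DATABASE USER: '/' PRIVILEGE : SYSDBA "
    "CLIENT USER: SYSTEM CLIENT TERMINAL: ORADB01 STATUS: 0",
]

# Field extractor for the assumed record layout above.
RECORD_RE = re.compile(
    r"ACTION\s*:\s*'(?P<action>[^']*)'\s*"
    r"DATABASE USER:\s*'(?P<db_user>[^']*)'\s*"
    r"PRIVILEGE\s*:\s*(?P<priv>\S+)\s*"
    r"CLIENT USER:\s*(?P<client_user>.*?)\s*"
    r"CLIENT TERMINAL:\s*(?P<terminal>.*?)\s*"
    r"STATUS:\s*(?P<status>\d+)"
)


@dataclass
class AuditRecord:
    action: str
    db_user: str
    privilege: str
    client_user: str
    terminal: str
    status: int  # assumption: the ORA- error number, 0 meaning success


def parse_record(line: str) -> Optional[AuditRecord]:
    """Return the parsed record, or None if the line is not an audit entry."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return AuditRecord(m["action"], m["db_user"], m["priv"],
                       m["client_user"], m["terminal"], int(m["status"]))


def triage(lines: List[str], db_host: str,
           trusted_client_users: List[str]) -> List[Dict[str, object]]:
    """Flag SYSDBA activity that does not look like routine local administration.

    A DATABASE USER of '/' means OS authentication on the server itself; any
    named user (SYS, INTERNAL, ...) means the password file was consulted,
    which is the path an attacker who rewrote that file would take.
    """
    trusted = {u.upper() for u in trusted_client_users}
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.privilege.upper() != "SYSDBA":
            continue
        # Strip a DOMAIN\ or WORKGROUP\ prefix before comparing host names.
        host = rec.terminal.split("\\")[-1].upper()
        is_local = host == db_host.upper()
        via_password_file = rec.db_user != "/"
        if via_password_file and not is_local:
            kind = "remote_sysdba_success" if rec.status == 0 else "remote_sysdba_failure"
        elif rec.client_user.upper() not in trusted:
            kind = "untrusted_local_sysdba"
        else:
            continue
        findings.append({
            "kind": kind,
            "action": rec.action,
            "client_user": rec.client_user,
            "terminal": rec.terminal,
            "status": rec.status,
        })
    return findings


def suspect_origins(findings: List[Dict[str, object]]) -> Set[Tuple[str, str]]:
    """Distinct (client user, terminal) pairs worth chasing as attacker artefacts."""
    return {(str(f["client_user"]), str(f["terminal"])) for f in findings}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS, db_host="ORADB01", trusted_client_users=["SYSTEM"])
    for h in hits:
        print(h)
    print("origins to investigate:", suspect_origins(hits))
```

On a real box the input would come from the exported Application event log (or the audit destination configured for the instance) rather than the constructed list, and the terminal name should be cross-checked against listener.log, since a client that talked to the listener directly to overwrite files will usually appear there with the same host name.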
Current thread:
- Oracle 8i compromise questions Jack Donovan (Aug 19)
- Re: Oracle 8i compromise questions Joshua Wright (Aug 22)
- Re: Oracle 8i compromise questions Kevin Reardon (Aug 22)
- <Possible follow-ups>
- RE: Oracle 8i compromise questions Carolyn Jewel (Aug 22)