Security Incidents mailing list archives
Re: Oracle 8i compromise questions
From: Kevin Reardon <Kevin.Reardon () oracle com>
Date: Fri, 19 Aug 2005 16:34:15 -0700
They should password protect their listener. This is a very old problem that has been fixed ages ago by patches. They should apply the latest Critical Patch Update that is available for download through:
http://metalink.oracle.com ---K Jack Donovan wrote:
Hello all, A client of mine reported a compromise of an outdated Oracle 8i (8.174) database server running on Windows 2000, which they wanted me to try and figure out the root cause of. The compromise was very generic, and allowed the attackers OS access which they used to install some standard backdoor stuff and grab the password hashes for the system which they broke overnight offline (presumably via RainbowCrack). We know this because the usernames and passwords were attempted against other systems belonging to the client, albeit unsuccessfully. My knowledge of Oracle is limited, but I assumed it would be easy to spot the initial event, since the attacker's themselves were not very careful. After a quick analysis of the system and network data, the earliest action I can find appears to be a PWD<database_name>.ORA file that was overwritten, which is the ORACLE Remote Password File allowing folks remote access as SYSDBA. Shortly after the timestamp on the ORA file, there was a successful login entry in the application log to the Oracle as as the sys user, as follows: Application,Oracle.<dbname>,INFORMATION,<host>,<date/time>,34,None,Audit trail: ACTION : 'connect sys' OSPRIV : DBA CLIENT USER:<attacker_login_name_presumably> CLIENT TERMINAL: <attacker_host> STATUS: SUCCEEDED ( 0 ) .From what I understand, any user found in the PWD<db>.ORA file will show up in the logs as 'connect sys', so this makes sense. There was a similar login attempt that failed roughly 10 minutes before this, though Oracle didn't keep track of the attacker host in the failed attempt. Within roughly 1 minute of the successfull Oracle login, the attacker's toolkit was uploaded (based on the timestamps I've got). The questions I have are: 1) What is the most common attack method used for an Oracle database that would result in this file being overwritten? Is it likely this was the attack vector, or a backup access method with some other method being used to initially break the system? 2) If the overwritten authentication and subsequent login to the database was the method of entry, how did the attackers get local filesystem access? I know how to do this in MSSQL etc., and I know there's the PL/SQL stuff in Oracle, but it seems nontrivial to me how one would go about using that for this purpose. My assumption is these are somewhat basic questions, but my searching around Google hasn't turned up anything concrete yet. I found a number of listener vulnerabilities for doing things like arbitrarily assigning the log file and overwriting, but most of them seem to be circa 2000, and I'm fairly certain the system had been patched since then (though the exact patch status of the system was unknown). It's possible there is some buffer overflow at work, but the service itself didn't die, and there was no error in the system , security, or application logs that would imply such an attack. My initial thought when the compromise was reported was brute-force password attack, because the password used was terrible. But the overwritten PWD file seems counter to that theory. The attacker's did not appear terribly subtle (nice bright shiny FTPbanners), so the simplest solution here is probably the most likely. Any thoughts on what that solution might be, or pointers to where Ishould be looking, would be much appreciated. Thanks, J
Current thread:
- Oracle 8i compromise questions Jack Donovan (Aug 19)
- Re: Oracle 8i compromise questions Joshua Wright (Aug 22)
- Re: Oracle 8i compromise questions Kevin Reardon (Aug 22)
- <Possible follow-ups>
- RE: Oracle 8i compromise questions Carolyn Jewel (Aug 22)