Re: [NSE] Changes/Improvements to Oracle TNS library

[Matt Selsky <selsky () columbia edu>]

On Aug 27, 2011, at 4:14 AM, Patrik Karlsson wrote:

> On Aug 26, 2011, at 5:51 PM, Chris Woodbury wrote:
>
> > Patrik-
> >
> > I was testing your improvements (which are fantastic, by the way)
> > against several different versions and platforms, and I ran into a few
> > issues. Specifically, I was unable to authenticate on Oracle XE 11g
> > instances on Windows (11.2.0.2.0 x86) and Linux (11.2.0.2.0 x64).
> > After some digging, I found a small problem in how PreAuth responses
> > were parsed.
> >
> > Specifically, the encoding for key-value pairs is a bit more complex
> > than the parsing function is looking for. For each of the strings (the
> > key, and the value), they begin with a 32-bit length, and then a
> > series of one or more chunks, each of which begins with the 8-bit
> > chunk length. If there are multiple chunks, this is indicated by a
> > 0xFE byte after the 32-bit length and a null byte after the last
> > chunk. I updated the parsing function to properly handle multi-chunk
> > strings, and, since they're used by both PreAuth and Auth messages, I
> > factored the parser out into a separate class that both message types
> > use. While I was at it, I also updated the logic to write KVPs to
> > binary strings.
> >
> > The 11g servers I was testing against send the AUTH_SESSKEY as a
> > 96-byte string (see example below), and TNS seems to chunk strings
> > that are longer than 64 bytes, so the library couldn't complete
> > authentication. With the patch, I'm able to authenticate to both 11g
> > servers.
> >
> > Multi-chunk string example:
> > 0000   08 03 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53  ........AUTH_SES
> > 0010   53 4b 45 59 60 00 00 00 fe 40 35 45 36 30 33 35  SKEY`....@5E6035
> > 0020   33 32 33 44 35 38 32 33 43 34 43 32 41 30 30 35  323D5823C4C2A005
> > 0030   39 44 38 30 31 37 30 34 41 34 32 38 34 42 39 38  9D801704A4284B98
> > 0040   46 41 30 46 35 37 36 39 38 45 46 31 30 37 33 34  FA0F57698EF10734
> > 0050   36 43 33 37 32 31 30 42 33 32 20 34 44 35 35 39  6C37210B32 4D559
> > 0060   38 37 30 46 32 44 34 44 34 37 36 36 33 38 32 43  870F2D4D4766382C
> > 0070   42 44 38 43 46 38 45 37 39 42 30 00 00 00 00 00  BD8CF8E79B0.....
> > After "AUTH_SESSKEY", 0x60000000 is the little-endian total length of
> > the string; 0xFE is the multi-chunk indicator; 0x40 is the length of
> > the first chunk; then the 40 bytes of the chunk itself; 0x20 is the
> > length of the next chunk; the 20 bytes of that chunk are next;
> > multi-chunk strings seem to be terminated by a 0x00; lastly, there are
> > the 32-bit flags, 0x00000000.
> >
> > Let me know what you think, and feel free to make any changes you see fit.
> >
> > Great work on the improvements. I'm looking forward to testing out
> > everything else.
> >
> > -chris
>
>
> Thanks for the patch! I've applied it as r26234.
> I tested it against the whole list of servers in the supported matrix and all worked great.
> In addition I added two more entries:
> -- +--------+---------------+---------+-------+-------------------------------+
> -- | OS     | DB Version    | Edition | Arch  | Functionality                 |
> -- +--------+---------------+---------+-------+-------------------------------|
> -- | Win    | 10.2.0.1.0    | XE      | 32bit | Authentication, Queries       |
> -- | Win    | 11.2.0.2.0    | XE      | 32bit | Authentication, Queries       |
>
> I didn't have a chance to test it against the Linux equivalent or 64bit versions.
> If anyone does, please let me know the results so I can add them to the matrix.

I'm seeing this against an Oracle 11gR2 instance on RHEL5 64-bit.

$ ./nmap -sV -p 1521 --script=oracle-brute,oracle-enum-users,oracle-sid-brute,oracle-query 
--script-args="creds.oracle='user:password',tns.sid=sidname" oracle-host

Starting Nmap 5.59BETA3 ( http://nmap.org ) at 2011-08-28 20:32 EDT
Nmap scan report for oracle-host (10.1.1.1)
Host is up (0.0039s latency).
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS Listener
| oracle-query: 
|_  ERROR: No query was supplied (see oracle-query.query)
|_oracle-enum-users: ORA-03146: Invalid buffer length for TTC field
| oracle-brute: 
|   Accounts
|     No valid accounts found
|   Statistics
|_    Performed 21365 guesses in 600 seconds, average tps: 36

The nsedoc for oracle-query says that "query" is optional and has a default value.  The code doesn't implement that.

I tried specifying the query:

| oracle-query: 
|_  ERROR: Querying version x86_64/Linux 2.4.xx is not yet supported

The server is running a 64-bit Linux 2.6 kernel.

Any idea what's causing the ORA-03146 error in oracle-enum-users?


Cheers,

-- 
Matt
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/