Penetration Testing mailing list archives
Re: [PEN-TEST] Oracle
From: "James W. Abendschan" <jwa () JAMMED COM>
Date: Tue, 6 Feb 2001 01:07:06 -0800
On Mon, 5 Feb 2001, Simon Waters wrote:
> One general Oracle networking hole that I spotted the other day in the patch database was to stop non-password-protected listeners having their log file redirected at unsuspecting files owned by the Oracle user. Thus if there is no password on the listener, anyone could request it to write its log over any file owned by the appropriate user.
.. and since the error log will log the contents of bogus packets, it's easy to get arbitrary data stuffed into uid oracle-writable files. This is (was?) a really stupid bug in tnslsnr; why a remote user should be allowed to set the logfile is beyond me.

In the course of fooling around with Oracle TNS, I cobbled together a crufty Perl script to bang on tnslsnr. I managed to DoS our 8.1.6 boxes (the same remote Oracle tnslsnr DoS publicized by ISS in late October). 8.1.7 fixes that, but as I recall, it's still possible to do the error log trick.

You can also play some protocol games and lie about the packet length and get portions of previous TNS commands sent back to you. I.e.:

nimue:~/hacks/tnscmd> ./tnscmd -h x.x.x.x --cmdsize 256
Faking command length to 256 bytes
connect writing 87 bytes [(CONNECT_DATA=(COMMAND=ping))]
.W.......6.,...............:................4.............(CONNECT_DATA=(COMMAND=ping))
read
........"..v.........@(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR_STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=(COMMAND=ping))OL=TCP)(HOST=oraclesvr)(PORT=1541))(CONNECT_DATA=(SERVICE_NAME=pr01)(CID=(PROGRAM=)(HOST=oraclesvr)(USER=oracle))))HOST=TOM)(USER=tom))))\ORANT\BIN\ifrun60.EXE)(HOST=ENGINEERING-1)(USER=Rick))))im6\IM60.EXE)(HOST=RICK)(U'))(ERROR=(CODE=303)(EMFI=1))))
eon

The leaked data is between ARGS='..'. While there are no SQL queries here (iirc the listener forks off a child to do most everything), it's useful for harvesting Oracle usernames and internal hostnames, and it wouldn't be unthinkable that the tnslsnr password could be revealed using this technique.. but why bother when you can set the oracle error log to .rhosts?

The tool: http://www.jammed.com/~jwa/hacks/tnscmd/

James

PS: reported to Oracle & CERT in October, 2000.
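Two things in the exchange above are worth seeing in code from the listener's side: the check a TNS endpoint should make so that a header lying about its packet length cannot be used to read stale buffer contents back, and a parser for the nested (KEY=VALUE) descriptor format in which the listener's error reply (and the leaked ARGS value inside it) arrives. The following Python is an added example, not James's tnscmd script or any Oracle code. It assumes the standard TNS packet header layout (2-byte big-endian packet length, 2-byte packet checksum, 1-byte packet type, 1 reserved byte, 2-byte header checksum); the sample packets and the shortened error descriptor are constructed here, modelled on the reply quoted in the post.

```python
import struct

# Constructed sample: a listener error reply in the same shape as the one
# quoted above, shortened. Note the quoted ARGS value contains unbalanced
# parentheses, because it echoes the sent command followed by stale bytes.
SENT_COMMAND = "(CONNECT_DATA=(COMMAND=ping))"
SAMPLE_ERROR = (
    "(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)"
    "(ERROR_STACK=(ERROR=(CODE=1153)(EMFI=4)"
    "(ARGS='(CONNECT_DATA=(COMMAND=ping))OL=TCP)(HOST=oraclesvr)(PORT=1541))'))"
    "(ERROR=(CODE=303)(EMFI=1))))"
)

TNS_HEADER_LEN = 8  # assumed fixed header size for this example


def header_length_consistent(packet: bytes) -> bool:
    """Server-side sanity check: the length field in the TNS header must
    equal the number of bytes actually received. A mismatch is exactly the
    condition the --cmdsize trick in the post relies on, so a listener that
    enforces this never hands back bytes it did not receive this time."""
    if len(packet) < TNS_HEADER_LEN:
        return False
    declared = struct.unpack(">H", packet[:2])[0]
    return declared == len(packet)


def parse_descriptor(text: str):
    """Recursive-descent parser for Oracle's nested (KEY=VALUE) descriptors.
    Returns a list of (key, value) pairs; value is a str or a nested list.
    Single-quoted values are taken literally, which is what lets the ARGS
    value above (with its unbalanced parentheses) parse cleanly."""
    pos = 0

    def parse_items():
        nonlocal pos
        items = []
        while pos < len(text) and text[pos] == "(":
            pos += 1
            end = text.index("=", pos)
            key = text[pos:end].strip()
            pos = end + 1
            if pos < len(text) and text[pos] == "'":
                close = text.index("'", pos + 1)      # quoted literal
                value = text[pos + 1:close]
                pos = close + 1
            elif pos < len(text) and text[pos] == "(":
                value = parse_items()                 # nested list
            else:
                close = text.index(")", pos)          # bare scalar (may be empty)
                value = text[pos:close]
                pos = close
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unbalanced descriptor at offset %d" % pos)
            pos += 1
            items.append((key, value))
        return items

    result = parse_items()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return result


def find_keys(items, wanted: str):
    """Collect every value stored under key `wanted`, at any nesting depth."""
    found = []
    for key, value in items:
        if key == wanted:
            found.append(value)
        if isinstance(value, list):
            found.extend(find_keys(value, wanted))
    return found


def stale_suffix(args_value: str, sent_command: str) -> str:
    """The part of an echoed ARGS value that goes beyond what was actually
    sent, i.e. the bytes the post describes as leaked from earlier commands.
    An empty result means nothing beyond the sent command came back."""
    if args_value.startswith(sent_command):
        return args_value[len(sent_command):]
    return args_value


if __name__ == "__main__":
    # Constructed packets: declared length 10 with 10 bytes present, and
    # declared length 256 (0x0100) with only 87 bytes present.
    good = b"\x00\x0a\x00\x00\x01\x00\x00\x00\xab\xcd"
    lying = b"\x01\x00\x00\x00\x01\x00\x00\x00" + b"x" * 79
    print("consistent header:", header_length_consistent(good))
    print("lying header:     ", header_length_consistent(lying))
    tree = parse_descriptor(SAMPLE_ERROR)
    for args in find_keys(tree, "ARGS"):
        print("echoed ARGS:", args)
        print("stale bytes:", stale_suffix(args, SENT_COMMAND))
```

Run as-is it reports the lying header as inconsistent and prints the stale tail of the ARGS value; pointed at a listener log that records the full error descriptor, `find_keys(tree, "ARGS")` together with `stale_suffix` is a cheap way to tell whether a given reply carried anything beyond the command that was sent.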