Penetration Testing mailing list archives

Re: Port 1521 aka "Unbreakable" Oracle Server


From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Thu, 17 Jan 2002 21:48:16 +0000

Hi Patrik

You can also use CREATE LIBRARY or CREATE ANY LIBRARY to access the
system() function under Unix and then use it to run "sh" or bash or
whatever and get a shell prompt as the owner of ExtProc (usually the
owner of the oracle software).

Also you may want to look at tnscmd, a perl script on
http://www.jammed.com/~jwa/hacks/security/tnscmd/ that allows you to
access the Oracle listener and send various packets to it. It can be
used to determine what databases a listener is listening on.

cheers

Pete Finnigan
www.pentest-limited.com

In article <41256B43.00370DF5.00 () guardianit se>,
patrik.karlsson () ixsecurity com writes


After reading some posts on the lists and looking at the scripts at
http://www.pentest-limited.com I found that CREATE LIBRARY could be
really useful when doing a PenTest. This is used to be able to
create extended procedures. To do this you specify which library
(dll file) you want to use. Then by creating a FUNCTION in Oracle
you point out the function in the dll you want to run. So one
could actually create a library pointing to
%windir%\system32\kernel32.dll and specify the winexec as function.
Your chances of having that dll on a Windows system are quite big :)
Using the function created one could actually execute code on the
server with the same privileges as the user which started the server,
in Windows this is usually the LocalSystem.

The above could only be done with a user with CREATE LIBRARY
permissions. On a default installed Oracle (8.1.5 for Windows) there
are 5 of 15 default accounts which can do this. You also need to
know a SID to connect to. This is easily done by querying the Oracle
Listener using the services query. If someone has applied a listener
password, do a status query, you'll get enough info there.

If this is common knowledge to everyone, sorry for bothering you!

To be able to do all this smoothly, without having to have the
Oracle Client installed one could use these java based tools, which
run on Windows and/or Linux.

http://www.cqure.net/tools07.html

--
Patrik Karlsson, iXsecurity



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

-- 
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at admin () pentest-limited com
--
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

pete.finnigan () pentest-limited com

www.pentest-limited.com
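As an added defensive check (not part of this thread or of either author's tools), the SQL below lists which accounts hold CREATE LIBRARY or CREATE ANY LIBRARY, directly or through nested roles, and which libraries already point at OS files; it is the query a DBA would run to verify the "5 of 15 default accounts" figure on their own instance. It assumes a DBA session and Oracle 10g or later syntax (CONNECT_BY_ROOT, NOCYCLE).

```sql
-- Audit: who can create libraries (the privilege needed to reach extproc),
-- directly or via nested roles. Added example; assumes DBA views and 10g+ syntax.
WITH role_paths AS (
  -- every (user-or-role, role) pair reachable through role-to-role grants
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS root_grantee, granted_role
    FROM dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
lib_privs AS (
  SELECT grantee, privilege
    FROM dba_sys_privs
   WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
)
SELECT u.username,
       u.account_status,          -- OPEN default accounts are the ones to lock
       p.privilege,
       CASE WHEN p.grantee = u.username THEN 'DIRECT'
            ELSE 'VIA ROLE ' || p.grantee END AS granted_via
  FROM dba_users u
  JOIN lib_privs p
    ON p.grantee = u.username
    OR p.grantee IN (SELECT granted_role
                       FROM role_paths
                      WHERE root_grantee = u.username)
 ORDER BY u.username, p.privilege;

-- Detection: libraries already defined and the OS file each one loads.
-- A file_spec outside the Oracle home (system DLLs, libc) deserves a look.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 WHERE dynamic = 'Y'
 ORDER BY owner, library_name;
```

Revoking the privilege from default accounts found by the first query, and locking those accounts, removes the path described in the thread; the listener password mentioned above is a separate control and is not covered by these queries.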
