Penetration Testing mailing list archives
RE: Oracle Auditing
From: "Erez" <schwarz () esecurity co jp>
Date: Wed, 3 Aug 2005 15:54:23 +0900
Joe hi,

A few things about Oracle and the 'listener' service. It is a process that accepts and manages connections from the client to the Oracle database. The listener provides the capability to remotely manage the listener. It has separate authentication and auditing, it runs as a separate process and it accepts commands and performs tasks outside the database. In the past this would have allowed a remote user to execute commands like: STOP, RELOAD, and SET LOG_FILE on the listener.

In response to your second question, there are tools that will allow you to interact with the Listener service in this way, for example you can find a utility called tnscmd.pl that is freely available, that allows you to issue a STOP command and this would 'stop' the Listener service - which means that no one could connect to the database. This of course was very undesirable (and of course very dangerous).

Oracle's response was to issue a patch that updated the listener.ora file and added an ADMIN_RESTRICTIONS_listener_name=ON parameter. The ADMIN_RESTRICTIONS flag disables the ability of the listener controller to set parameters, thereby not allowing remote users to set parameters. Unfortunately the default setting when the Listener service is installed is OFF! Most of the databases that I have seen have had this setting turned 'OFF'!!!

You can find a slightly old explanation on Listener manipulation at: http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html by jwa, he also wrote & published the tnscmd tool. The explanation by jwa is a bit dated now, but once you start experimenting with later versions, you will no doubt discover many very interesting reactions and occurrences.

Also check out the EXTPROC (external procedure) vulnerabilities. This is a service that allows PL/SQL packages to load and call functions in operating system DLLs and shared libraries. When a call to load a function in an external library is made, the Oracle process contacts the Listener process.
The Listener process in turn connects to the EXTPROC service and passes the name of the library and the requested function to it. You may ask how the EXTPROC service authenticates the user, well it doesn't!! You can issue requests to the Listener process to call functions in the external operating system libraries. Oracle responded by changing this functionality in the next version 9.2(something). Now all the failed calls would get logged to a file. If you enter an overly long string it overwrites the saved return address allowing you to execute your own code. Oracle came out with a patch to solve this problem as well.

By the way there are much quicker & easier ways to 'own' an Oracle database than attacking the Listener.

Erez Schwarz

-----Original Message-----
From: Joe T [mailto:recommendeddosage () gmail com]
Sent: Wednesday, August 03, 2005 12:55 AM
To: pen-test () securityfocus com
Subject: Oracle Auditing

Good day,

I should preface this message by saying that I have little to no experience with Oracle administration, and I'm looking to gain a bit of information. When performing some network scans, I notice that the Oracle database rarely has a password set for the tnslsnr account. From the Nessus scan results, I have learned that the database may be compromised because of this null password. I've searched the web, and the majority of the information I find talks about a DoS attack for Oracle 8.

My question becomes: Has anyone exploited this misconfiguration, and if so - how? Is this an account that you can connect to without expensive Oracle software? Also, what other tools do you utilize to audit Oracle?

Thank you,
Joe
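Added example (not part of the original message, and not code from Oracle or from the tnscmd author): a Python check that parses a listener.ora and reports every listener that lacks ADMIN_RESTRICTIONS_listener_name=ON or that has extproc registered in its SID_LIST. The sample file contents, host name, paths and SID names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample listener.ora; host, paths and SID names are made up.
SAMPLE = """\
# listener.ora
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1521))))

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle)(PROGRAM = extproc))
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))

LISTENER2 = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.test)(PORT = 1522))
admin_restrictions_listener2 = on
"""

HEAD = re.compile(r"([A-Za-z_][\w.]*)\s*=")

def parse_params(text):
    """Return {NAME: raw value} for every parameter at parenthesis depth 0."""
    text = re.sub(r"#[^\n]*", "", text)            # drop comments
    heads, depth, i = [], 0, 0
    while i < len(text):
        m = HEAD.match(text, i) if depth == 0 else None
        if m:                                      # NAME = ... at top level
            heads.append((m.group(1).upper(), m.start(), m.end()))
            i = m.end()
            continue
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    ends = [h[1] for h in heads[1:]] + [len(text)]
    return {n: text[e:stop].strip() for (n, _, e), stop in zip(heads, ends)}

def audit(text):
    """List (listener, finding) pairs for the two issues raised in the thread."""
    params, findings = parse_params(text), []
    for name, value in params.items():
        if not re.search(r"\(\s*ADDRESS\b", value, re.I):
            continue                               # not a listener definition
        # Absent parameter is treated as OFF, the default described above.
        if params.get("ADMIN_RESTRICTIONS_" + name, "OFF").upper() != "ON":
            findings.append((name, "ADMIN_RESTRICTIONS not ON"))
        if re.search(r"PROGRAM\s*=\s*extproc\b", params.get("SID_LIST_" + name, ""), re.I):
            findings.append((name, "extproc registered in SID_LIST"))
    return findings
```

Calling audit() on the text of a real listener.ora returns an empty list when every listener passes both checks.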
Current thread:
- Oracle Auditing Joe T (Aug 02)
- RE: Oracle Auditing Clement Dupuis (Aug 02)
- Re: Oracle Auditing Joshua Wright (Aug 02)
- Re: Oracle Auditing DokFLeed (Aug 03)
- Re: Oracle Auditing Thor (Hammer of God) (Aug 03)
- RE: Oracle Auditing Erez (Aug 03)
- Re: Oracle Auditing David Eduardo Acosta Rodríguez (Aug 03)
- Re: Oracle Auditing Pete Finnigan (Aug 12)