Security Incidents mailing list archives

Re: Oracle 8i compromise questions


From: Joshua Wright <jwright () hasborg com>
Date: Fri, 19 Aug 2005 16:50:51 -0400


Jack,

Jack Donovan wrote:
> A client of mine reported a compromise of an outdated Oracle 8i
> (8.174) database server running on Windows 2000, which they wanted me
> to try and figure out the root cause of.

My guess is that the attackers compromised the listener process to
overwrite arbitrary files owned by the Oracle software owner on the
operating system.  I posted something about this on the pen-test list a
few weeks back:

http://archives.neohapsis.com/archives/sf/pentest/2005-08/0008.html

If the attackers can overwrite the remote password authentication file,
they can log in as SYS remotely.  Once they are logged in as SYS (or,
really, any other user since this is a fairly old installation of Oracle
with lots of bugs that don't get addressed by Oracle with patches) it's
trivial to write to any file on the filesystem as the Oracle software
owner.  In "The Database Hacker's Handbook", David Litchfield refers to
the database as "one big bash shell" (paraphrasing), which is quite
accurate.

I'm curious, what were the omitted entries for CLIENT USER and CLIENT
TERMINAL?  That may give you some personally identifiable information
about your attacker (or at least the host they used to attack with).

Good luck,

-Josh
--
-Joshua Wright
jwright () hasborg com

2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
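As an added example (not code from the thread or from Oracle), the check Josh's closing question points at: scanning an exported audit trail for privileged logons whose client OS user or terminal is not one of the expected DBA hosts. The column names follow DBA_AUDIT_TRAIL, and the allowlist and sample rows are constructed assumptions.

```python
"""Flag privileged Oracle logons whose client details are unexpected.
Added example; column names assume a CSV export of DBA_AUDIT_TRAIL and
all allowlist values and sample rows are constructed for illustration."""
import csv
import io

# Hosts/OS users from which privileged logons are expected (assumed allowlist).
EXPECTED_TERMINALS = {"DBA-WS01", "ORACLE-SRV"}
EXPECTED_OS_USERS = {"dba_admin", "oracle"}
PRIVILEGED_ACCOUNTS = {"SYS", "SYSTEM"}

# Constructed sample export: a normal SYS logon from a DBA workstation, a failed
# and then a successful SYS logon from an unknown host, and an app logon.
SAMPLE_AUDIT_CSV = """\
TIMESTAMP,USERNAME,OS_USERNAME,USERHOST,TERMINAL,ACTION_NAME,RETURNCODE
2005-08-15 09:12:03,SYS,dba_admin,corp\\DBA-WS01,DBA-WS01,LOGON,0
2005-08-17 02:40:30,SYS,unknown,WORKGROUP\\UNKNOWN-HOST,UNKNOWN-HOST,LOGON,1017
2005-08-17 02:41:55,SYS,unknown,WORKGROUP\\UNKNOWN-HOST,UNKNOWN-HOST,LOGON,0
2005-08-17 02:42:10,SYS,unknown,WORKGROUP\\UNKNOWN-HOST,UNKNOWN-HOST,LOGOFF,0
2005-08-17 08:00:01,APPUSER,svc_app,corp\\APP-01,APP-01,LOGON,0
"""


def suspicious_logons(audit_csv):
    """Return privileged LOGON rows whose TERMINAL or OS_USERNAME is not allowlisted.

    RETURNCODE 0 is a successful logon; anything else (e.g. 1017, bad password)
    is kept too, since failed attempts from an unknown host are themselves a signal.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["USERNAME"] not in PRIVILEGED_ACCOUNTS or row["ACTION_NAME"] != "LOGON":
            continue
        bad_terminal = row["TERMINAL"] not in EXPECTED_TERMINALS
        bad_os_user = row["OS_USERNAME"] not in EXPECTED_OS_USERS
        if bad_terminal or bad_os_user:
            flagged.append({
                "timestamp": row["TIMESTAMP"],
                "account": row["USERNAME"],
                "os_user": row["OS_USERNAME"],
                "terminal": row["TERMINAL"],
                "succeeded": row["RETURNCODE"] == "0",
            })
    return flagged


if __name__ == "__main__":
    for hit in suspicious_logons(SAMPLE_AUDIT_CSV):
        print(hit)
```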

