Nmap Development mailing list archives

Re: [NSE] Changes/Improvements to Oracle TNS library


From: Chris Woodbury <woodbusy () gmail com>
Date: Fri, 26 Aug 2011 10:51:21 -0500

Patrik-

I was testing your improvements (which are fantastic, by the way)
against several different versions and platforms, and I ran into a few
issues. Specifically, I was unable to authenticate on Oracle XE 11g
instances on Windows (11.2.0.2.0 x86) and Linux (11.2.0.2.0 x64).
After some digging, I found a small problem in how PreAuth responses
were parsed.

Specifically, the encoding for key-value pairs is a bit more complex
than the parsing function is looking for. For each of the strings (the
key, and the value), they begin with a 32-bit length, and then a
series of one or more chunks, each of which begins with the 8-bit
chunk length. If there are multiple chunks, this is indicated by a
0xFE byte after the 32-bit length and a null byte after the last
chunk. I updated the parsing function to properly handle multi-chunk
strings, and, since they're used by both PreAuth and Auth messages, I
factored the parser out into a separate class that both message types
use. While I was at it, I also updated the logic to write KVPs to
binary strings.

The 11g servers I was testing against send the AUTH_SESSKEY as a
96-byte string (see example below), and TNS seems to chunk strings
that are longer than 64 bytes, so the library couldn't complete
authentication. With the patch, I'm able to authenticate to both 11g
servers.

Multi-chunk string example:
0000   08 03 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53  ........AUTH_SES
0010   53 4b 45 59 60 00 00 00 fe 40 35 45 36 30 33 35  SKEY`....@5E6035
0020   33 32 33 44 35 38 32 33 43 34 43 32 41 30 30 35  323D5823C4C2A005
0030   39 44 38 30 31 37 30 34 41 34 32 38 34 42 39 38  9D801704A4284B98
0040   46 41 30 46 35 37 36 39 38 45 46 31 30 37 33 34  FA0F57698EF10734
0050   36 43 33 37 32 31 30 42 33 32 20 34 44 35 35 39  6C37210B32 4D559
0060   38 37 30 46 32 44 34 44 34 37 36 36 33 38 32 43  870F2D4D4766382C
0070   42 44 38 43 46 38 45 37 39 42 30 00 00 00 00 00  BD8CF8E79B0.....
After "AUTH_SESSKEY", 0x60000000 is the little-endian total length of
the string; 0xFE is the multi-chunk indicator; 0x40 is the length of
the first chunk; then the 40 bytes of the chunk itself; 0x20 is the
length of the next chunk; the 20 bytes of that chunk are next;
multi-chunk strings seem to be terminated by a 0x00; lastly, there are
the 32-bit flags, 0x00000000.

Let me know what you think, and feel free to make any changes you see fit.

Great work on the improvements. I'm looking forward to testing out
everything else.

-chris
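The key-value encoding described above, as an added example that is not code from this message or from the tns library: a small Python parser and writer for one TNS KVP, run against the AUTH_SESSKEY bytes from the dump. The 64-byte chunk size used by the writer is an assumption taken from that single dump.

```python
import struct

# Bytes from the dump above (constructed from its hex column), with the
# three leading bytes 08 03 00 that precede the key-value pair dropped.
SAMPLE_KVP = bytes.fromhex(
    "0c000000" "0c" "415554485f534553534b4559"       # key: AUTH_SESSKEY
    "60000000" "fe" "40"                              # 96 bytes, multi-chunk, 64
    "354536303335" "33323344353832334334433241303035"
    "39443830313730344134323834423938" "46413046353736393845463130373334"
    "36433337323130423332"
    "20" "3444353539" "38373046324434443437363633383243"  # second chunk, 32
    "4244384346384537394230"
    "00"                                              # end of chunk list
    "00000000"                                        # 32-bit flags
)

CHUNK = 64  # assumed: the dump splits a 96-byte value at 64 bytes

def read_string(buf, pos):
    """Parse one length-prefixed TNS string at buf[pos]; return (bytes, next pos)."""
    (total,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    chunks = []
    if buf[pos] == 0xFE:              # multi-chunk marker after the 32-bit length
        pos += 1
        while True:
            n = buf[pos]; pos += 1
            if n == 0:                # null byte terminates the chunk list
                break
            chunks.append(buf[pos:pos + n]); pos += n
    else:                             # single chunk: 8-bit length, then data
        n = buf[pos]; pos += 1
        chunks.append(buf[pos:pos + n]); pos += n
    value = b"".join(chunks)
    if len(value) != total:           # declared total must match what was read
        raise ValueError(f"declared {total} bytes, got {len(value)}")
    return value, pos

def read_kvp(buf, pos=0):
    """Parse key, value and trailing 32-bit flags; return (key, value, flags, next pos)."""
    key, pos = read_string(buf, pos)
    value, pos = read_string(buf, pos)
    (flags,) = struct.unpack_from("<I", buf, pos)
    return key, value, flags, pos + 4

def write_string(s):
    out = struct.pack("<I", len(s))
    if len(s) <= CHUNK:               # short string: one chunk, no 0xFE, no terminator
        return out + bytes([len(s)]) + s
    out += b"\xfe"
    for i in range(0, len(s), CHUNK):
        piece = s[i:i + CHUNK]
        out += bytes([len(piece)]) + piece
    return out + b"\x00"

def write_kvp(key, value, flags=0):
    return write_string(key) + write_string(value) + struct.pack("<I", flags)
```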

On Sun, Aug 21, 2011 at 2:20 PM, Patrik Karlsson <patrik () cqure net> wrote:
Hi list,

After receiving bug reports from Duarte Silva and Alexander Kornbrust I've been working on the tns library to fix it.
The bugs found were both in the query code as well as in the connect code of the library.
I would like to thank both Duarte and Alexander for sending me packet dumps so that I've been able to look into the 
problem in detail.

It turns out that the packets needed to perform a connection and authenticate to the server are a little different depending on what platform we're connecting to.
Although I already knew that and had accounted for it in the library, I had only tested 32-bit servers, which apparently behave a little differently than 64-bit servers.
I've tried to address this in the library now and have done some more testing of both the connection/authentication 
code and the query code and it seems to work better now.
There are still a lot of unknowns in this implementation as the library is more or less completely based on packet 
dumps, due to the lack of documentation.
I've improved error handling a little and changed the code so it will only connect to tested versions that are known 
to work.
By tested versions I don't mean the full version number, e.g. 11.2.0.2.0, but rather the version reported in the packets, e.g. IBMPC/WIN_NT64-9.1.0.

Here's a complete list of servers I've been testing against:
+--------+---------------+-------+-------------------------------+
| OS     | DB Version    | Arch  | Functionality                 |
+--------+---------------+-------+-------------------------------+
| Win    | 11.2.0.2.0    | 64bit | Authentication                |
| Win    | 11.2.0.1.0    | 64bit | Authentication                |
| Win    | 11.1.0.6.0    | 64bit | Authentication                |
| Win    | 11.1.0.6.0    | 32bit | Authentication, Queries       |
| Win    | 11.2.0.1.0    | 32bit | Authentication, Queries       |
| Linux  | 10.2.0.1.0    | 32bit | Authentication                |
| Linux  | 11.2.0.1.0    | 64bit | Authentication                |
+--------+---------------+-------+-------------------------------+

As you can see, there's still some work to be done to get query functionality working in more versions.
While I don't have time to look into this at the moment I hope to do so soon.
In addition to bug reports I'm also interested in getting more versions into the table, so if you have a version that's not in the table that works, please let me know.

Also, there's currently an undocumented argument tns.forceos that allows you to force the packet exchange of a 
specific OS.
This could be useful to test whether unsupported versions work with the current implemented packet exchanges or not.
The currently supported OS strings are:
IBMPC/WIN_NT64-9.1.0
IBMPC/WIN_NT-8.1.0
Linuxi386/Linux-2.0.34-8.1.0
x86_64/Linux 2.4.xx

The code has been committed as r26114.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: tns_kvp_parsing.patch
Description:

