Penetration Testing mailing list archives

Port 1521 aka "Unbreakable" Oracle Server


From: patrik.karlsson () ixsecurity com
Date: Wed, 16 Jan 2002 11:01:18 +0100



After reading some posts on the lists and looking at the scripts at
http://www.pentest-limited.com I found that CREATE LIBRARY could be
really useful when doing a PenTest. This is used to be able to
create extended procedures. To do this you specify which library
(dll file) you want to use. Then by creating a FUNCTION in Oracle
you point out the function in the dll you want to run. So one
could actually create a library pointing to
%windir%\system32\kernel32.dll and specify the winexec as function.
Your chances of having that dll on a Windows system are quite big :)
Using the function created one could actually execute code on the
server with the same privileges as the user which started the server,
in Windows this is usually the LocalSystem.

The above could only be done with a user with CREATE LIBRARY
permissions. On a default installed Oracle (8.1.5 for Windows) there
are 5 of 15 default accounts which can do this. You also need to
know a SID to connect to. This is done easily by querying the Oracle
Listener using the services query.  If someone has applied a listener
password, do a status query, you'll get enough info there.

If this is common knowledge to everyone, sorry for bothering you!

To be able to do all this smoothly, without having to have the
Oracle Client installed, one could use these Java-based tools, which
run on Windows and/or Linux.

http://www.cqure.net/tools07.html

--
Patrik Karlsson, iXsecurity
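
An audit for the exposure described in the message above, added here as an example and not part of the original post: it lists who holds the library privileges directly or through roles, and which external libraries are already registered. It assumes read access to the DBA_* data dictionary views and Oracle 10g or later for CONNECT_BY_ROOT; EXAMPLE_USER is a placeholder.

```sql
-- Added example (not from the original post): audit CREATE LIBRARY exposure.
-- Assumes SELECT access to DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_LIBRARIES.

-- 1. Every grantee that holds a library privilege, directly or through any
--    chain of nested roles. Grantees with no row in DBA_USERS (roles, PUBLIC)
--    show a NULL account_status.
WITH role_chain AS (
  -- Flatten nested role grants: original grantee -> every role it reaches.
  SELECT CONNECT_BY_ROOT grantee AS grantee, granted_role
    FROM dba_role_privs
 CONNECT BY PRIOR granted_role = grantee
),
holders AS (
  SELECT grantee, privilege, 'DIRECT' AS via
    FROM dba_sys_privs
   WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
  UNION
  SELECT rc.grantee, sp.privilege, 'ROLE ' || rc.granted_role
    FROM role_chain rc
    JOIN dba_sys_privs sp ON sp.grantee = rc.granted_role
   WHERE sp.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
)
SELECT h.grantee, u.account_status, h.privilege, h.via
  FROM holders h
  LEFT JOIN dba_users u ON u.username = h.grantee
 ORDER BY h.grantee, h.privilege;

-- 2. Libraries already registered, flagging any whose file spec points into
--    the Windows system directory (the kernel32.dll case from the post).
SELECT owner,
       library_name,
       file_spec,
       status,
       CASE
         WHEN LOWER(file_spec) LIKE '%system32%' THEN 'REVIEW: system DLL'
         ELSE 'ok'
       END AS finding
  FROM dba_libraries
 ORDER BY owner, library_name;

-- 3. Remediation template for an account that does not need the privilege.
--    EXAMPLE_USER is a placeholder, not an account named on this page.
-- REVOKE CREATE LIBRARY FROM example_user;
-- REVOKE CREATE ANY LIBRARY FROM example_user;
```

Default accounts returned by the first query should also be checked for unchanged default passwords and locked where unused.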

