From: Michael Gargiullo (mgargiullo@pvtpt.com)
Date: Mon Sep 05 2005 - 10:51:46 EDT
I have a tool written in Perl somewhere here to exploit this. Lemme dig
around a bit.
How much you can do with the listener depends on a few factors.
-Mike
-----Original Message-----
From: Chitresh Sen [mailto:chitresh_sen@ftml.net]
Sent: Thursday, September 01, 2005 9:41 PM
To: pen-test@securityfocus.com
Subject: Oracle TNS Listener
Dear All,
Vulnerability: Oracle TNS listener without password;
Implication: Remote attacker can control the listener;
In order to test the above vulnerability I had done the following:
1. Installed the Oracle 9i client on my laptop
2. Copied the lsnrctl.exe from Oracle 8 server
3. Configured the listener.ora file as follows
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = JUNK)(PORT = 1521))
      )
    )
  )
But I am unable to execute commands on the remote listener and am getting
the following error.
LSNRCTL> status
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=JUNK)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=chitresh)))
TNS-12538: TNS:no such protocol adapter
TNS-12560: TNS:protocol adapter error
TNS-00508: No such protocol adapter
TNS-12538: TNS:no such protocol adapter
TNS-12560: TNS:protocol adapter error
TNS-00508: No such protocol adapter
What can be the problem? Is it a version problem with lsnrctl.exe?
Because I was unable to get the Oracle 9i server lsnrctl.exe, I took it
from the Oracle 8 server, copied all its DLLs and set the path to
execute it. Or am I missing something?
Regards
Chitresh
--
Chitresh Sen
chitresh_sen@ftml.net
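Added example, not part of the original thread: a defender-side check for the condition named in the post (a listener with no password). It reads a listener.ora and reports listeners that have no PASSWORDS_<listener_name> entry or no ADMIN_RESTRICTIONS_<listener_name> = ON, and also flags unbalanced parentheses. The sample file, the host name dbhost.example and the function names are constructed for illustration.

```python
import re

# Constructed sample, not from the thread: one TCP listener, no password,
# no ADMIN_RESTRICTIONS entry.
SAMPLE = """
# listener.ora (constructed)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      )
    )
  )
"""

def parse_entries(text):
    """Return ({NAME: value tokens}, problems) for top-level NAME = value entries."""
    toks = re.findall(r"[()=]|[^()=\s]+", re.sub(r"#.*", "", text))
    entries, problems, i = {}, [], 0
    while i + 1 < len(toks):
        name, eq, i = toks[i].upper(), toks[i + 1], i + 2
        if eq != "=":
            problems.append(f"{name}: expected '=' after parameter name")
            break
        start, depth = i, 0
        while i < len(toks):          # consume one bare token or one (...) group
            depth += {"(": 1, ")": -1}.get(toks[i], 0)
            i += 1
            if depth <= 0:
                break
        if depth != 0:
            problems.append(f"{name}: unbalanced parentheses")
        entries[name] = [t.upper() for t in toks[start:i]]
    return entries, problems

def audit(text):
    """List findings for every entry that defines listener addresses."""
    entries, findings = parse_entries(text)
    for name, value in entries.items():
        if "ADDRESS" not in value:
            continue                  # e.g. SID_LIST_<name>, PASSWORDS_<name>
        if not entries.get(f"PASSWORDS_{name}"):
            findings.append(f"{name}: no PASSWORDS_{name} set")
        if entries.get(f"ADMIN_RESTRICTIONS_{name}") != ["ON"]:
            findings.append(f"{name}: ADMIN_RESTRICTIONS_{name} is not ON")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```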