Re: Oracle 8i compromise questions

From: Kevin Reardon (Kevin.Reardon_at_oracle.com)
Date: 08/20/05

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Proper ISP Reporting" 
    Date: Fri, 19 Aug 2005 16:34:15 -0700
To: Jack Donovan <jake.donovan@gmail.com>

    They should password protect their listener. This is a very old problem
    that has been fixed ages ago by patches. They should apply the latest
    Critical Patch Update that is available for download through:
        http://metalink.oracle.com

    ---K

    Jack Donovan wrote:

    >Hello all,
    >
    >A client of mine reported a compromise of an outdated Oracle 8i
    >(8.174) database server running on Windows 2000, which they wanted me
    >to try and figure out the root cause of. The compromise was very
    >generic, and allowed the attackers OS access which they used to
    >install some standard backdoor stuff and grab the password hashes for
    >the system which they broke overnight offline (presumably via
    >RainbowCrack). We know this because the usernames and passwords were
    >attempted against other systems belonging to the client, albeit
    >unsuccessfully. My knowledge of Oracle is limited, but I assumed it
    >would be easy to spot the initial event, since the attacker's
    >themselves were not very careful.
    >
    >After a quick analysis of the system and network data, the earliest
    >action I can find appears to be a PWD<database_name>.ORA file that was
    >overwritten, which is the ORACLE Remote Password File allowing folks
    >remote access as SYSDBA. Shortly after the timestamp on the ORA file,
    >there was a successful login entry in the application log to the
    >Oracle as as the sys user, as follows:
    >
    >Application,Oracle.<dbname>,INFORMATION,<host>,<date/time>,34,None,Audit
    >trail: ACTION : 'connect sys' OSPRIV : DBA CLIENT USER:
    ><attacker_login_name_presumably> CLIENT TERMINAL: <attacker_host>
    >STATUS: SUCCEEDED ( 0 ) .
    >
    >From what I understand, any user found in the PWD<db>.ORA file will
    >show up in the logs as 'connect sys', so this makes sense. There was
    >a similar login attempt that failed roughly 10 minutes before this,
    >though Oracle didn't keep track of the attacker host in the failed
    >attempt. Within roughly 1 minute of the successfull Oracle login, the
    >attacker's toolkit was uploaded (based on the timestamps I've got).
    >
    >The questions I have are:
    >
    >1) What is the most common attack method used for an Oracle database
    >that would result in this file being overwritten? Is it likely this
    >was the attack vector, or a backup access method with some other
    >method being used to initially break the system?
    >
    >2) If the overwritten authentication and subsequent login to the
    >database was the method of entry, how did the attackers get local
    >filesystem access? I know how to do this in MSSQL etc., and I know
    >there's the PL/SQL stuff in Oracle, but it seems nontrivial to me how
    >one would go about using that for this purpose.
    >
    >My assumption is these are somewhat basic questions, but my searching
    >around Google hasn't turned up anything concrete yet. I found a
    >number of listener vulnerabilities for doing things like arbitrarily
    >assigning the log file and overwriting, but most of them seem to be
    >circa 2000, and I'm fairly certain the system had been patched since
    >then (though the exact patch status of the system was unknown).
    >
    >It's possible there is some buffer overflow at work, but the service
    >itself didn't die, and there was no error in the system , security, or
    >application logs that would imply such an attack. My initial thought
    >when the compromise was reported was brute-force password attack,
    >because the password used was terrible. But the overwritten PWD file
    >seems counter to that theory.
    >
    >The attacker's did not appear terribly subtle (nice bright shiny FTP
    >banners), so the simplest solution here is probably the most likely.
    >Any thoughts on what that solution might be, or pointers to where I
    >should be looking, would be much appreciated.
    >
    >Thanks,
    >J
    >
    >

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: Proper ISP Reporting"

    Relevant Pages

    • Oracle 8i compromise questions
      ... A client of mine reported a compromise of an outdated Oracle 8i ... What is the most common attack method used for an Oracle database ... assigning the log file and overwriting, but most of them seem to be ...
      (Incidents)
    • happy sniffing of oracle passwords!
      ... This paper focuses on new threats on one of the most popular database ... Oracle Password Hashing Algorithm. ... This category of attack is typically performed byhackers.• ... It strengthens the session key sig- ...
      (comp.databases.oracle.server)
    • Remote Compromise in Oracle 9i Database Server
      ... A large part of Oracle database functionality is provided by PL/SQL ... operating system libraries or Dynamic Link Libraries. ... An attack would probably call systemand pass ... external procedure the oracle process connects to the Listener and requests ...
      (Bugtraq)
    • RE: Cant pass form to sub/function and...
      ... I'll work the login form some more and see if that doesn't change anything. ... I'm sorry, but I don't have any experience using Oracle, so I guess there is ... Set rstEstData = CurrentDb.OpenRecordset ... I create a new recordset object. ...
      (microsoft.public.access.modulesdaovba)
    • Re: Login problem of oracle DB
      ... > When I login to oracle database, a strange problem occurs, here comes the ... Create database, sid = TEST. ... > Copyright 2000 Oracle Corporation. ...
      (comp.databases.oracle.server)