Re: Oracle 8.0.6

From: Pete Finnigan (pete@peterfinnigan.demon.co.uk)
Date: 11/30/01


Message-ID: <$tPXogAmh$B8EwVq@peterfinnigan.demon.co.uk>
Date: Fri, 30 Nov 2001 21:21:42 +0000
To: PEN-TEST@securityfocus.com
From: Pete Finnigan <pete@peterfinnigan.demon.co.uk>
Subject: Re: Oracle 8.0.6

Hi

Whilst not accessing /etc/passwd, I have a paper on our company's site
that shows how to read passwords from the SGA (if any users have been
added or changed); see http://www.pentest-limited.com/utl_file.htm.

I take it you mean you have accessed via a client based SQL*Plus ??

There is also a paper on there with a list of default Oracle users and
passwords in http://www.pentest-limited.com/default-user.htm.

Also you may be interested in a script in our downloads page that allows
you to log on as any other Oracle user once you have a DBA, as you
do!! See http://www.pentest-limited.com/su.sql

You can gain Oracle on the OS by using the Oracle8 ExtProc facilities
that allow you to call C functions in shared libraries from PL/SQL. You
can create a library that calls existing C functions, i.e. system(). Then
call it and create yourself a suid shell as Oracle. So at least you can
get OS access. Because you have SYSTEM and can access any Oracle user
then you can just find a user that has the system procedure CREATE
LIBRARY. Do

SQL> select grantee from dba_sys_privs where privilege='CREATE LIBRARY';

There are also a number of exploits that allow escalation of privileges:
see Oracle's OTN site (create a free user if you haven't got one),
see bugtraq of course,
see http://www.appsecinc.com - good list of holes / exploits etc.

There are some known root holes.

HTH
Pete Finnigan
www.pentest-limited.com

In article <20011130162905.60993.qmail@web14809.mail.yahoo.com>, Andy
Rees <cs61ar@yahoo.co.uk> writes
>Dear All,
>
>I was wondering if anybody has any ideas about this
>one.
>
>I am undertaking a security audit and have managed to
>get the Oracle SYSTEM account password for an Oracle
>8.0.6 server running on Solaris 2.7. This has allowed
>me to login to the server via SQLPLUS. The server in
>question has 'utl_file_dir = *' set in the initSID.ora
>file. (It is only a test server ....).
>
>Whilst I can write Oracle scripts that allow me to
>read and write system files (Solaris file permissions
>allowing) but I cannot find a way of compromising the
>actual host OS from this position, I can read the
>/etc/passwd file but I cannot write to it and I cannot
>even read the /etc/shadow (as you would expect)
>
>Any ideas any of you guys have would be most
>appreciated.
>
>Thanks in advance
>
>Andrew
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
>

--
Pete Finnigan
IT Security Consultant
PenTest Limited

Office 01565 830 990 Fax 01565 830 889 Mobile 07974 087 885

pete.finnigan@pentest-limited.com

www.pentest-limited.com
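
Added example, not part of the original message or of PenTest Limited's scripts: a DBA-side audit of the two exposures discussed in this thread, the `utl_file_dir = *` setting and the CREATE LIBRARY privilege that ExtProc access depends on. It uses only standard data dictionary views; it also checks CREATE ANY LIBRARY and role-inherited grants, which goes beyond the single query in the message.

```sql
-- Added audit example (not from the original post). Run as a DBA account.

-- 1. File-access exposure: a value of * lets UTL_FILE reach any path
--    the Oracle OS user can read or write. Expect explicit directories.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 2. Direct grantees (users and roles) of the library privileges.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee, privilege;

-- 3. Users who hold those privileges indirectly, through a chain of roles.
--    Walks dba_role_privs upward from every role found in step 2.
SELECT DISTINCT grantee
  FROM dba_role_privs
 WHERE grantee IN (SELECT username FROM dba_users)
 START WITH granted_role IN (
         SELECT grantee
           FROM dba_sys_privs
          WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY'))
CONNECT BY PRIOR grantee = granted_role;

-- 4. Libraries already registered and the shared objects they point to.
--    Any file_spec that is not a known application library needs review.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 ORDER BY owner, library_name;
```

Accounts returned by steps 2 and 3 that have no need to register external libraries are candidates for REVOKE, and a `*` in step 1 should be replaced with the specific directories the application uses.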
