Oracle is a relational
database management system (RDBMS) and its popularity lies in its use
as a back
end for client-server databases. Its relational database was the first to
SQL language, which has since become the industry standard.
Oracle has number of security issues which are slowly being addressed over
time but to date there are still a large number of exploitable holes thru all
variants that Oracle have still not released a patch for. I can summarise
the main issues as:
Default usernames and passwords are
enabled on install - This is addressed partially with the majority of accounts
being expired and locked out, however, they still do exist and are well-known
and could easily be re-enabled by mistake. An example of this is dropping a
certain catalogue file re-enables the DBSNMP account with it default password.
Default installs allow a large number
of extra services to be enabled i.e. multiple web browsers serving pages on
differing ports. A custom install of the minimum amount of applications
should always be performed.
Newer versions of Oracle allow the
main administrative accounts to have the same password set i.e. SYS, SYSTEM, DBSNMP etc. From a Security standpoint these should always be different.
Major packages have assigned
privileges to the database server user group PUBLIC which may lead them open to misuse. The packages UTL_SMTP, UTL_TCP, UTL_HTTP and UTL_FILE especially
have issues relating to them.
accounts do not generally have a password assigned to them. Users should
ideally be given roles and privileges assigned to roles rather than on a per
Oracle TNS Listener is the link a user must use to get the backend database.
Often the listener has minimal, if any, protection afforded to it.
Passwords, Admin Restrictions, logging and obfuscation techniques such as using
non-standard ports should be used. Shut down the Listener and effectively you do
not have database access anymore ;-(
valid node checking security feature is usually not enabled. Enabling this
in the protocol.ora file can possibly aid in preventing DoS attacks. In addition access
control lists to the database can also be set up.
As I've mentioned before I am
concentrating on vulnerability assessment/ penetration testing based on free "open source" software
only, in saying that there is a fare amount of software and scripts available to
give you a fair assessment of the state of the Oracle database you are
Before you can run any sql commands or scripts directly against the
database you first of all
need to "acquire/ request" a valid username password
pair for the database you are testing
together with the Service Name associated
Free sql scripts that may be able to aid vulnerability analyst and pen
testers are available from a number of sources, two very good ones are; Pete Finnigan and Pen Test.
Exploit code is available from Red-Base Security.
Dumping the Service Name is
easy (or it was until >10g came along!), there some nice little GUI tools out there and a favourite one of mine is WinSid or there's OracleTNSLSNR.exe. These two particular tools quiz the TNS listener on
the remote host. You can also get a basic understanding of any Admin
restrictions and Passwords and Logging applied to the TNS listener by using the
tool lsnrcheck.exe. (It may even tell you where your first
security hole is found.)
Next is the requirement for a
valid username and password. The tools (Both Linux and Windows variants)
that I use to test for Default Usernames
and Passwords are OScanner and Oracle Auditing Tool, (OAT). OAT is a suite of tools whose extra
functionality can enable you to gain an SQL prompt without the need, for say SQLPlus, or an Oracle
Client installed on your machine.
Oracle TNS Listener
The Oracle TNS Listener is the lynchpin between a
user/web server offering connection and the back-end database. As
such access to it should be restricted. The relevant files that
control the listener are:
$ORACLE_HOME/bin/lsnrctl - This is the actual Listener
$ORACLE_HOME/network/admin/listener.ora - The actual TNS
Listener config file
$ORACLE_HOME/bin/tnslnsr - The actual listening
The listener is susceptible to a number of
issues dependant on the version you are running, these include, Denial of
Service, Fragmentation and Buffer Overflow attacks to name but a few. It
must be protected at all costs.
Oracle Password Files
Oracle by default stores passwords in a number of locations and the
following would be a good place to start if you manage to get access to
Default Oracle SID's
There are a number of default
Oracle SID's that exist for Oracle and other third-party products.
When performing an assessment you can start attempting to
enumerate/connect with these:
BEA Weblogic Integration
Adapter for Manugistics MSAM
Cisco CTM R 4 series CTM4_0/1/2/3/4 etc.
(Dependant on the version)
OpenView OPENVIEW or OVO
Oracle Generic ORCL and plsEXTPROC
Oracle Express Edition XE
Oracle Enterprise Mgr
Oracle App Svr 9i - 10g IASDB
SAP Standard System SA(no.) i.e. SA9 or SA(char.) i.e. SAG
VMWware VirtualCenter Database VPX