【Environment】
System environment: Solaris + Oracle 11gR2 + single instance / RAC
【Background】
As part of the group's database security inspection items, the database's remote TNS poisoning vulnerability needs to be fixed.
According to the fix documents provided by Oracle:
Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)
Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC (Doc ID 1340831.1)
The fix for versions below 11gR2 is not covered here. On a single instance the fix is fairly simple, but in a RAC environment it is relatively complex and also triggers other bugs; on 11gR2 it is recommended to fix the issue with the VNCR configuration instead, which is very simple.
Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
Add the following to listener.ora (single instance):
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(list all of the host's IPs here)
Add the following to listener.ora (RAC):
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(list the IPs of both hosts here)
This feature is enabled by default in 12c and later, so the vulnerability does not exist there.
PS: adding a whitelist can also fix this vulnerability, provided the IP list consists of specific IPs rather than IP subnets.
Add the following to sqlnet.ora:
tcp.validnode_checking=yes
tcp.invited_nodes=(specific IPs, or a subnet)
tcp.excluded_nodes=(specific IPs, or a subnet)
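As an added compliance check for the VNCR settings above and the advice to list specific IPs rather than subnets (example code written for this post, not Oracle's tooling or the author's own script), the following Python parses a listener.ora and reports, per listener (LISTENER, LISTENER_SCAN1, ...), whether VALID_NODE_CHECKING_REGISTRATION is ON and whether any invited node is a subnet or wildcard. The sample file is constructed, modelled on the configuration shown in this post, and the parser assumes parameters are top-level NAME = VALUE lines starting in column 0.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the single-instance listener.ora in this post.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = mysqldb1)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )
ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.142.140)
"""
# Per-listener parameters whose suffix is a listener name (not listener definitions).
PARAM_PREFIXES = ("VALID_NODE_CHECKING_REGISTRATION_", "REGISTRATION_INVITED_NODES_",
                  "REGISTRATION_EXCLUDED_NODES_", "ADR_BASE_")
# Settings that enable host-level checking; OFF/0 and the weaker SUBNET/2 are reported.
VNCR_ON = {"ON", "1", "LOCAL"}
# Anchored at column 0, so nested "(DESCRIPTION ..." lines (indented or starting
# with "(") are skipped and only top-level NAME = VALUE parameters match.
TOP_LEVEL = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.*)$")

def parse_top_level(text: str) -> Dict[str, str]:
    """Return the top-level NAME = VALUE pairs of a listener.ora."""
    matches = (TOP_LEVEL.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def audit_vncr(text: str) -> Dict[str, List[str]]:
    """Per listener, list VNCR findings; an empty list means that listener is compliant."""
    params = parse_top_level(text)
    # Listener definitions (LISTENER, LISTENER_SCAN1, ...) have an empty or "(" value.
    listeners = sorted(k for k, v in params.items()
                       if not k.startswith(PARAM_PREFIXES) and (v == "" or v.startswith("(")))
    report: Dict[str, List[str]] = {}
    for name in listeners:
        findings: List[str] = []
        key = f"VALID_NODE_CHECKING_REGISTRATION_{name}"
        mode = params.get(key)
        if mode is None or mode.upper() not in VNCR_ON:
            findings.append(f"{key} is {mode or 'not set'}; expected ON")
        invited = params.get(f"REGISTRATION_INVITED_NODES_{name}", "").strip("()")
        for node in (n.strip() for n in invited.split(",") if n.strip()):
            if "/" in node or "*" in node:  # the post asks for specific IPs, not subnets
                findings.append(f"REGISTRATION_INVITED_NODES_{name} entry {node} is not a specific IP")
        report[name] = findings
    return report
```

Run audit_vncr over the listener.ora of every node (the grid home copy for RAC SCAN listeners) and treat any non-empty findings list as a failed check.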
【Issue Handling】
A single-instance setup is used for the test here:
Database host: 192.168.142.140
Scanner host: 192.168.142.141 (must not be the same host as the database)
Remote poisoning vulnerability scanner: metasploit-framework is a fairly common checking tool
Installation:
Linux: https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers
Windows: https://windows.metasploit.com/ (32-bit)
[root@mysqldb2 soft]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5525 100 5525 0 0 2291 0 0:00:02 0:00:02 --:--:-- 2291
[root@mysqldb2 soft]# ls -trl
總用量 5525
-rw-r--r-- 1 root root 5525 6月 15 18:00 msfinstall
[root@mysqldb2 soft]# chmod 755 msfinstall
[root@mysqldb2 soft]# ./msfinstall
Checking for and installing update..
Adding metasploit-framework to your repository list..已加載插件:product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
base | 4.1 kB 00:00:00
metasploit | 2.9 kB 00:00:00
metasploit/primary_db | 11 kB 00:00:05
正在解決依賴關系
--> 正在檢查事務
---> 軟件包 metasploit-framework.x86_64.0.4.17.24+20181103093740~1rapid7-1.el6 將被 安裝
--> 解決依賴關系完成
依賴關系解決
=============================================================================================================================================================================================
Package 架構 版本 源 大小
=============================================================================================================================================================================================
正在安裝:
metasploit-framework x86_64 4.17.24+20181103093740~1rapid7-1.el6 metasploit 158 M
事務概要
=============================================================================================================================================================================================
安裝 1 軟件包
總下載量:158 M
安裝大小:368 M
Downloading packages:
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm 31% [=====================- ] 1.4 MB/s | 49 MB 00:01:16 ETA metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm 31% [====================== 警告:/var/cache/yum/x86_64/7Server/metasploit/packages/metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm: 頭V4 RSA/SHA256 Signature, 密鑰 ID 2007b954: NOKEY
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm 的公鑰尚未安裝
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm | 158 MB 00:02:25
從 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit 檢索密鑰
導入 GPG key 0x2007B954:
用戶ID : "Metasploit <metasploit@rapid7.com>"
指紋 : 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954
來自 : /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安裝 : metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64 1/1
Run msfconsole to get started
驗證中 : metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64 1/1
已安裝:
metasploit-framework.x86_64 0:4.17.24+20181103093740~1rapid7-1.el6
完畢!
[root@mysqldb2 soft]#
Verify that it works:
[root@mysqldb2 soft]# msfconsole
..... 》》》 part of the output omitted
=[ metasploit v4.17.24-dev- ]
+ -- --=[ 1824 exploits - 1033 auxiliary - 318 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
msf > use auxiliary/scanner/oracle/tnspoison_checker
msf auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.142.140 》》》 set this to the IP of the database under test
rhosts => 192.168.142.140
msf auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.142.140 yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/oracle/tnspoison_checker) > run
[+] 192.168.142.140:1521 - 192.168.142.140:1521 is vulnerable 》》》 the remote poisoning vulnerability is present
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/oracle/tnspoison_checker) >
use auxiliary/admin/oracle/tnscmd 》》》 now run the actual penetration test
msf auxiliary(admin/oracle/tnscmd) > set rhost 192.168.142.140
rhost => 192.168.142.140
msf auxiliary(admin/oracle/tnscmd) > show options
Module options (auxiliary/admin/oracle/tnscmd):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
RHOST 192.168.142.140 yes The target address
RPORT 1521 yes The target port (TCP)
msf auxiliary(admin/oracle/tnscmd) > run
[*] 192.168.142.140:1521 - Sending '(CONNECT_DATA=(COMMAND=VERSION))' to 192.168.142.140:1521
[*] 192.168.142.140:1521 - writing 90 bytes.
[*] 192.168.142.140:1521 - reading
[*] 192.168.142.140:1521 - .e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647552)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))
[*] Auxiliary module execution completed
msf auxiliary(admin/oracle/tnscmd) >
The output above shows that this database has the remote poisoning vulnerability.
Now modify the database configuration:
[oracle@mysqldb1 admin]$ cat listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/12.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = mysqldb1)(PORT = 1521))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
)
ADR_BASE_LISTENER = /u01/app/oracle
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.142.140)
[oracle@mysqldb1 admin]$
Then restart the listener.
Now test again with the tool:
[root@mysqldb2 ~]# msfconsole
..... 》》》 part of the output omitted
=[ metasploit v4.17.24-dev- ]
+ -- --=[ 1824 exploits - 1033 auxiliary - 318 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use auxiliary/scanner/oracle/tnspoison_checker
msf auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.142.140
rhosts => 192.168.142.140
msf auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.142.140 yes The target address range or CIDR identifier
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/oracle/tnspoison_checker) > run
[-] 192.168.142.140:1521 - 192.168.142.140:1521 is not vulnerable 》》》 the vulnerability is no longer present
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/oracle/tnspoison_checker) >
PS: screenshots could not be taken, so a lot of text is pasted instead.
