Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Dec 4th, 2009, 7:40pm)

Title: penetration test
Post by Pete Finnigan on Dec 4th, 2009, 7:40pm
1. Apache+php+oci8
2. 10gR2
3. Script with sql injectable param
4. pl/sql function with sql injection :)

I have a DBA escalating privs with a SQL injection in a local procedure created for an admin panel to show current sessions and jobs; access to the listener I do not have. I test it from the web, not from the user net. I create a function with pragma and execute immediate, I transmit it in PL/SQL, but not all is executed, and simple DML SQL like "select user from dual" too... I do not understand where to search for the problem. An IDS is used, but I evade it with chr()+base64+cursor, and I grant DBA to myself, but I can't perform a simple DML  ;D
Magic?


Sorry for my bad English

Title: Re: penetration test
Post by Pete Finnigan on Dec 4th, 2009, 11:18pm
SELECT PRIVILEGE FROM SESSION_PRIVS


CREATE CLUSTER
CREATE INDEXTYPE
CREATE OPERATOR
CREATE PROCEDURE
CREATE SEQUENCE
CREATE SESSION
CREATE TABLE
CREATE TRIGGER
CREATE TYPE
UNLIMITED TABLESPACE

____________________________________________
SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS

ADM_USER
CONNECT
DBA
RESOURCE



I try to select from dba_role_privs and I do not have privs...
Maybe the default role is the problem?

Title: Re: penetration test
Post by Pete Finnigan on Dec 6th, 2009, 9:26am
Hi DSU,

You didn't show the exploit sequence so it's hard to see, but the session privs you have look like CONNECT and RESOURCE. Did you log out and log back in to see if DBA is available? - try logging out, otherwise simply set the role DBA when you have logged in. It's granted to your user and should not be password protected, so try these two things.

cheers

Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 6th, 2009, 5:29pm

on 12/06/09 at 09:26:43, Pete Finnigan wrote:
Hi DSU,

You didn't show the exploit sequence so it's hard to see, but the session privs you have look like CONNECT and RESOURCE. Did you log out and log back in to see if DBA is available? - try logging out, otherwise simply set the role DBA when you have logged in. It's granted to your user and should not be password protected, so try these two things.

cheers

Pete



Hi Pete

This is the problem, because I do not have a connection to the listener; it's the PHP script that logs in and connects everything when it starts. I try execute immediate ('declare pragma... execute immediate ''set role dba'' )
It does not work... maybe the problem is the created function's authid, but in another schema?

Title: Re: penetration test
Post by Pete Finnigan on Dec 6th, 2009, 7:21pm
And I can show the public function and proc with the SQL injection? It's private code, and posting this on a public forum...
But the injection is at a point like this

"... 'begin '||proc_name||'('||param1||','||param2||'...)

inject like this
select mmm.sql_func(' sql_inject_proc(...); proc_name,param1,param2,param3...) from dual
The func returns the string 'Y' if it is OK, 'N' when others

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 8:28am
Hi DSU,

This sounds strange, that DBA is not available for your exploit user. It's unlikely that the DBA role is not a default role, as I have never seen a database like this in many, many years. It's possible of course, just not likely. The first issue is the most likely. Sometimes when an exploit grants DBA to the same user running the exploit, the DBA role is not available in the same session; you have to log out and log back in to see it. You showed that it was granted, so logging out will not ungrant it; if you log back in and it's still not enabled then it must be the case that it's not a default role.

cheers

Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 8:36am
Hi Pete, thanks for the answer

It's a PHP CMS coded in 2003; it re-logs in all the time when performing a search :) yes it's bad, but it's not me who wrote the scripts

I try to set the default role if I can... I found a vulnerable proc owned by SYS.

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 8:46am
GRANTED_ROLE    default_role
------------    ------------
ADM_USER        YES
CONNECT         YES
DBA             NO


:(

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 9:59am
OK, so that answers the issue; we now know it's because the DBA role is not a default role for the exploited user.

If you cannot issue a SET ROLE, then simply re-run the exploit, except this time don't set the payload to "GRANT DBA TO {...}" and instead modify it to "ALTER USER {...} DEFAULT ROLE ALL". That way, when you log back in again, the DBA role will be enabled.

Let us know if it works.

cheers

Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 12:26pm
I know about alter user and default role, but I do not know the result. This vulnerable proc works strangely; I execute from it a vulnerable function owned by SYS (the proc is also owned by SYS :) ), DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC, and nothing has changed.

I opened the Oracle documentation to search for the answer; an hour later, just out of interest, I select from role_privs and ...
GRANTED_ROLE    default_role
DBA             YES

I do not understand; maybe memcache is installed on the server and the role is set, but the webserver gives a response from cache...

And Pete, does a method exist to deny "alter user" with "default role" to all? I think this is a good step/method to secure an Oracle database...

Thanks Pete

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 12:44pm
Hi DSU,

Glad it works!

The protection is to prevent a user from having the ALTER USER system privilege; without it he cannot set his own default roles or any other user's default roles. Oracle have silently allowed certain system privileges to work even if they are not granted, such as ALTER SESSION, where you can issue all commands except to set trace. With ALTER USER you can issue it to change your own password but not to set default roles:

SQL> connect system/xxxxxx@ora11
Connected.
SQL> create user rol identified by rol;

User created.

SQL> grant dba to rol;

Grant succeeded.

SQL> connect rol/rol@ora11
Connected.
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
ROL                            DBA                            NO  YES NO

SQL> connect system/xxxxx@ora11
Connected.
SQL> alter user rol default role none;

User altered.

SQL> connect rol/rol@ora11
ERROR:
ORA-01045: user ROL lacks CREATE SESSION privilege; logon denied


Warning: You are no longer connected to ORACLE.
SQL> connect system/xxxxx@ora11
Connected.
SQL> grant create session to rol;

Grant succeeded.

SQL> connect rol/rol@ora11
Connected.
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
ROL                            DBA                            NO  NO  NO

SQL> alter user rol default role all;
alter user rol default role all
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter user rol identified by rol;

User altered.

SQL>

So basically, don't allow any user to have ALTER USER.

cheers

Pete
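The two dictionary checks that follow are an added example, not code from the thread or from Pete: they let a DBA verify the condition Pete describes (who can issue ALTER USER, directly or through a nested role, and so change anyone's default roles) and list role grants that are not default roles, the state DSU found. They assume only the standard DBA_* views and CONNECT BY syntax available in 10gR2, and must be run by a user who can read those views.

```sql
-- Added audit queries (not from the thread). Run as a user with SELECT on the DBA_* views.

-- 1. Which database users can issue ALTER USER?
--    Branch A: the privilege is granted directly to a user.
--    Branch B: the privilege is inherited through a role, possibly nested
--    (e.g. user -> DBA -> ALTER USER). CONNECT BY walks the role chain
--    upwards from each user; NOCYCLE guards against circular role grants.
SELECT grantee, via
FROM (
    SELECT grantee, 'DIRECT' AS via
    FROM   dba_sys_privs
    WHERE  privilege = 'ALTER USER'
    AND    grantee IN (SELECT username FROM dba_users)
    UNION
    SELECT CONNECT_BY_ROOT grantee AS grantee,
           granted_role            AS via
    FROM   dba_role_privs
    WHERE  granted_role IN (SELECT grantee
                            FROM   dba_sys_privs
                            WHERE  privilege = 'ALTER USER')
    START WITH grantee IN (SELECT username FROM dba_users)
    CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
ORDER BY grantee, via;

-- 2. Roles granted to users but not enabled by default (DEFAULT_ROLE = 'NO').
--    This is the DBA/NO row DSU saw. A non-default role is not a substitute for
--    withholding the grant: any holder of ALTER USER can make it default again,
--    so every row here is worth explaining or revoking.
SELECT rp.grantee, rp.granted_role, rp.default_role
FROM   dba_role_privs rp
JOIN   dba_users      u  ON u.username = rp.grantee
WHERE  rp.default_role = 'NO'
ORDER BY rp.grantee, rp.granted_role;
```

Expect SYS and SYSTEM in the first result set (DBA carries ALTER USER); any application account listed there, as in this thread, is the finding to act on.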

Title: Re: penetration test
Post by Pete Finnigan on Dec 7th, 2009, 2:15pm
I understand... but what if I search and find a SQL inj. on SYS or other users with DBA? I try to search in the *.sql scripts and *.ora; maybe a method exists to completely disable alter user "default role ...", or is this a core function of Oracle?


Thanks for answers :)


