Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Aug 12th, 2005, 6:42pm)

Title: New TNS client written in C
Post by Pete Finnigan on Aug 12th, 2005, 6:42pm
I found a new free TNS client written in C and supplied free. The tool is based on James Abendschan's previous tnscmd.pl tool and supports all the commands that the Oracle supplied tool lsnrctl does. This tool also supports fully crafted TNS packets.

It looks like a useful tool for auditing and exploiting the listener. It is available here: http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=35

I downloaded it last night and had a play. If anyone has used it in anger, please let us know.

cheers

Pete

Title: Re: New TNS client written in C
Post by Pete Finnigan on Aug 15th, 2005, 12:49pm
I could not resist trying this out. However, I think some work has to be done on this tool. For example, I think commands of two words or more don't work.

Some examples of output:

ping
(DESCRIPTION=(TMP=)(VSNNUM=1539312)(ERR=)(ALIAS=LISTENER))

version
(DESCRIPTION=(TMP=)(VSNNUM=1539312)(ERR=))
W00
00000TNSLSNR for Linux: Version 9.2..4. - Production

TNS for Linux: Version 9.2..4. - Production

Unix Domain Socket IPC NT Protocol Adaptor for Linux: Version 9.2..4. - Production

Oracle Bequeath NT Protocol Adapter for Linux: Version 9.2..4. - Production

TCP/IP NT Protocol Adapter for Linux: Version 9.2..4. - Production,,0
00
0000@

Command: status
Result:
(DESCRIPTION=(TMP=)(VSNNUM=1539312)(ERR=)(ALIAS=LISTENER)(SECURITY=OFF)(VERSION=TNSLSNR for Linux: Version 9.2..4. - Production)(START_DATE=12-AUG-25 9:48:35)(SIDNUM=1)(LOGFILE=/oracle/product/9.2./network/log/listener.log)(PRMFILE=/oracle/product/9.2./network/admin/listener.ora)(TRACING=off)(UPTIME=2626261)(SNMP=OFF)(PID=2447))
=00
00000(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=)(HANDLER_LOAD=)(ESTABLISHED=)(REFUSED=)(HANDLER_ID=EF9FBDAE3A14-C6E8-E4-AA17198F)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=testserver)(PORT=1521))))),,(SERVICE=(SERVICE_NAME=TEST)(INSTANCE=(INSTANCE_NAME=TEST2)(NUM=1)(NUMREL=1))),,0
00
0000@

Here I noticed an interesting bug in this tool. It removes 0. Just look at the version. This also happens in returned error codes.

The error in this returned output:
(DESCRIPTION=(ERR=1258)(VSNNUM=1539312)(ERROR_STACK=(ERROR=(CODE=1258)(EMFI=4))))
is actually this error in the listener.log:
TNS-12508: TNS:listener could not resolve the COMMAND given

With a 2-word command like "show log_directory" the client hangs and with "set log_directory /tmp" an error was chalked up in Windows 2000's event viewer.

All these quirks set aside, it is now very easy to remotely stop a listener (starting after that is harder ;), since you have no connection). So the idea is very promising. A bit too promising if you ask me. I mean, how many listeners are running without a password these days? Many I guess.
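
Added example (not part of the thread and not the tool's own code): a small Python check that parses a listener status response like the one posted above, flags SECURITY=OFF, and cross-checks VSNNUM against the version banner so that output damaged by the zero-dropping bug is not trusted. The function names are hypothetical, FROM_POST is the status line above shortened, and CONSTRUCTED assumes the dropped characters were zeros.

```python
import re

# Shortened from the status output posted above (zeros already missing).
FROM_POST = ("(DESCRIPTION=(TMP=)(VSNNUM=1539312)(ERR=)(ALIAS=LISTENER)"
             "(SECURITY=OFF)(VERSION=TNSLSNR for Linux: Version 9.2..4. - Production))")
# Constructed sample: the same line with the zeros put back (assumption).
CONSTRUCTED = ("(DESCRIPTION=(TMP=)(VSNNUM=153093120)(ERR=0)(ALIAS=LISTENER)"
               "(SECURITY=OFF)(VERSION=TNSLSNR for Linux: Version 9.2.0.4.0 - Production))")

def parse_tns(text):
    """Collect leaf (KEY=value) pairs from a TNS response as {KEY: value}.
    Only innermost groups match, so packet residue between groups is ignored."""
    return {k: v for k, v in re.findall(r"\(([A-Z_]+)=([^()]*)\)", text)}

def decode_vsnnum(vsnnum):
    """Unpack VSNNUM (e.g. 153093120 = 0x09200400) into '9.2.0.4.0'."""
    n = int(vsnnum)
    parts = (n >> 24, (n >> 20) & 0xF, (n >> 12) & 0xFF, (n >> 8) & 0xF, n & 0xFF)
    return ".".join(str(p) for p in parts)

def audit_status(text):
    """Return a list of findings for one listener status response."""
    fields = parse_tns(text)
    findings = []
    # SECURITY=OFF in the status reply means no listener password is set.
    if fields.get("SECURITY", "").upper() == "OFF":
        findings.append("SECURITY=OFF: no listener password set")
    banner = re.search(r"Version\s+([\d.]+)", fields.get("VERSION", ""))
    if "VSNNUM" in fields and banner:
        decoded = decode_vsnnum(fields["VSNNUM"])
        # A mismatch means the client mangled the reply; do not rely on it.
        if decoded != banner.group(1):
            findings.append("VSNNUM decodes to %s but banner says %s: "
                            "output looks corrupted" % (decoded, banner.group(1)))
    return findings

if __name__ == "__main__":
    for name, sample in (("from post", FROM_POST), ("constructed", CONSTRUCTED)):
        print(name, audit_status(sample))
```
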

Title: Re: New TNS client written in C
Post by Pete Finnigan on Aug 15th, 2005, 8:28pm
Hi Marcel-Jan,

Thanks for the feedback on this tool. I just downloaded it last night and had a short play to see if it worked.

I have not had the time to test it fully though. It seems a pity that there seem to be some problems. I got the same issue with the ping command as well.

I have sent an email to DokFLeed to see if he can shed some light on the issues.

cheers

Pete


