Oracle Forensics tips by Paul Wright

Scenario 2: Exploiting an OS level vulnerability to gain the OSDBA account
Attacking "via the OS" is a common way into an Oracle database: the operating system may be running many services that are insecurely configured, which multiplies the opportunities to gain privileged access. Even Solaris, with its reputation as one of the more secure operating systems, offers opportunities to gain complete control. For instance, the SADMIND exploit built into the Metasploit Framework works against many Solaris servers found in the field:
http://www.metasploit.com/projects/Framework/exploits.html#solaris_sadmind_exec
Metasploit has already been explained in this GIAC practical by Brandon Greenwood, which I recommend you read in order to understand Metasploit-based pentesting:
http://www.giac.org/certified_professionals/practicals/gsec/4363.php
http://www.giac.org/certified_professionals/practicals/gsec/4363.php
Once root is gained via the OS, connecting to the Oracle database through the OSDBA account mapping of root to the "SYS as SYSDBA" login gives the attacker complete control. For this reason it is imperative that the OS is locked down and OS services are minimized. Preferably only the Oracle software runs on that physical machine, so that no other software can be exploited to gain OS privilege, which in turn grants access to Oracle.
If there is no remote root exploit, a less privileged account can still be used to escalate privilege to root and then gain access to Oracle through OSDBA, for instance by using the do_brk() exploit on Linux. Again, this is explained in a previous GIAC paper by the author:
http://www.giac.org/certified_professionals/practicals/gcih/0525.php
Additionally, there have been a number of security issues where Oracle credentials have been insecurely stored in OS files. There is the Orapwd password file listed in 4.7, as well as many other small files littered around the Oracle installation directories that contain hashes, weakly encrypted hashes or, in some cases, clear text passwords. This can be confirmed by grepping the Oracle installation directories for known Oracle password hashes; it takes a long time, but an attacker will do it offline beforehand. The cure is to set the permissions on the whole Oracle installation directory to a level at which no one except the Oracle DBA account can read the files.
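As an added defender-side example (not from the book), the following POSIX shell audit walks an installation tree, reports files that are readable by group or others and contain a token shaped like a legacy Oracle password hash (exactly 16 uppercase hex characters, the pre-11g format), and can strip group/other access as the text recommends. The directory path and the sample hash tokens are assumptions/constructed, and other hash formats are out of scope.

```sh
#!/bin/sh
# Added audit example (not from the book). Pass the Oracle installation
# directory, e.g. $ORACLE_HOME (an assumed path). It reports regular files
# that are group- or world-readable AND contain a token shaped like a
# legacy Oracle password hash: exactly 16 uppercase hex characters.

# A 16-hex run bounded by non-hex characters, so 32- or 40-character
# digests left by other tools are not reported as Oracle hashes.
HASH_RE='(^|[^0-9A-Fa-f])[0-9A-F]{16}([^0-9A-Fa-f]|$)'

# Print one path per line for each exposed file under $1.
# -perm -040 / -perm -004: group-readable / world-readable bit is set.
audit_oracle_home() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qE "$HASH_RE" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of exposed files; a single value for a cron or monitoring check.
count_exposed() {
    audit_oracle_home "$1" | wc -l | tr -d ' '
}

# The remediation the text recommends: remove group/other access so only
# the owning Oracle account can read the files. Dry run unless $2 = apply.
restrict_exposed() {
    audit_oracle_home "$1" | while IFS= read -r f; do
        if [ "${2:-dryrun}" = apply ]; then
            chmod go-rwx "$f"
        else
            printf 'would chmod go-rwx %s\n' "$f"
        fi
    done
}

# Stand-alone usage: sh audit_oracle_home.sh /path/to/ORACLE_HOME [apply]
if [ -n "${1:-}" ]; then
    restrict_exposed "$1" "${2:-dryrun}"
fi
```

Run it first without `apply` to review the list, since files such as the Orapwd password file must remain readable by the Oracle software owner.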
This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.