Oracle Holes Exploited

Friday, October 5, 2012 @ 04:10 PM gHale

Oracle databases and SQL servers are open for attacks, some of which were previously unknown, researchers said.

In “Hacking the Oracle Client” at the DerbyCon 2.0 conference, security researcher Laszlo Toth demonstrated while Oracle saves the user name and password for a database connection in encrypted form in the client’s main memory, this data remains in memory after the session has ended and can easily end up decrypted.

New Java Flaw Affects 1 Billion
Blackhole Updates Product Offering
Oracle Patches Java Zero Day
Second Hole in Java Zero Day

A Trojan, for example, could exploit this to harvest plain-text passwords from the client, which he demonstrated by the ocioralog meterpreter extension.

Toth and another security researcher, Ferenc Spala, demonstrated how to hijack and exploit Oracle connections. Due to the unpatched TNS poisoning security vulnerability, their approach works with any standard Oracle database, unless special security measures for the TNS listener are in place.

They presented pytnsproxy TNS proxy, combined with a suitable Metasploit module called tnspoison, which allows unauthenticated attackers to sniff out or modify the connections to the database; arbitrary SQL commands can even go out using the TNS proxy.

The researchers presented a meterpreter extension called oralog; this extension is a password sniffer that writes the database passwords of all users who sign into the database server to a file in unencrypted form. Another Metasploit module that allows attackers to execute operating system commands is available for the oradebug hole.

The researchers made the extension for the Metasploit penetration testing platform available to other security testers and administrators.

Leave a Reply

You must be logged in to post a comment.