Can the XDB Buffer Overflow Vulnerability subvert the entire database?

Can the XDB Buffer Overflow Vulnerability subvert the entire database?
This article will show you a method for hackers to intrude into the database, hoping to be vigilant. If you want to know how hackers intrude into the database, you must first explore the purpose of hacking into the database. After investigation, it is found that hackers intrude into the database. The ultimate goal is either to obtain sensitive database data, database control permissions, operating system control permissions of the database, or to obtain the network of the database. partial control permissions of the environment. Obtaining any access permission is the first step to achieve the above goal (whether it is the control of the database or the operating system where the database is located ). For hackers who do not have a user name or password, bypassing authentication is the first step in the process. There are many ways to bypass identity authentication, the most common of which is to use the data dictionary offline or online brute force password cracking. This article reveals how advanced hackers bypass Identity Authentication-using the buffer vulnerability in the oracle component XDB, attackers can directly bypass authentication to obtain the system control and ORACLE control permissions of oracle. Authentication and the XDB Component of Oracle are two key terms. 1. Authentication. Generally speaking, the database client verifies the account and password entered by the client when logging on to the database. Generally, there are two ways for a hacker to crack the authentication: method 1. Study the authentication principle and crack the authentication. Method 2: Try to log on to the database without authentication, that is, bypass authentication. The XDB Buffer Overflow Vulnerability is one of the methods to bypass identity authentication. 2. XDB components of Oracle. The XDB component is a component that provides XML service capabilities on oracle. It will be used as the default installation item after Oracle9i. After XDB is installed, two services are enabled when Oracle is started: HTTP (default port: 8080) and FTP (default port: 2100. The FTP service is an Oracle FTP service, not a standard FTP service. For identity authentication in this FTP service, the username/password of the Oracle database will be used. There is a huge buffer vulnerability in the FTP service provided by Oracle. Through this vulnerability, we can take over the operating system of Oracle. Vulnerability verification query TNS will see whether the service is started

 

In red, the FTP server in the XDB component knows the password of the user name.

Determine the database IP address through some means and access the database through FTP. FTP access is in the format of ftp: // databasehost: port number, user name, and password. Although oracle verifies the length of each parameter entered by the user, the PASS command in the XDB Identity Authentication operation lacks reasonable limits on the length of strings synthesized by user name and password and other information groups. If a long string is input to the function that executes the PASS Command, the Function Buffer Overflow occurs. Then, the stack is changed using the overflow string. For details about stack buffer overflow, refer to windows Buffer Overflow principle (stack) the return address is the initial address of shellcode. The shellcode hacker controls the operating system of the database.

As shown in:

 

The vulnerability verification tool used is Anhua gold and DBHaker. So far, we have simulated that hackers have completed the process of bypassing Identity Authentication through the buffer overflow vulnerability in XDB. In order to make everyone more intuitive about the status and port number. To exploit this vulnerability, you only need to know the IP address of the target database and the username that exists in the target database (oracle has a large number of default users, so real user names are well obtained. In this example, the hacker behavior is simulated by scott, a low-Permission user. However, you do not have to feel the hazards of this vulnerability. Please click the lower-right corner to view the operating system resources.

 

This shellcode will directly pull the console of the server where the target database is located. Through this console, we can simulate hackers to control the operating system of the target database. We run the net start command to query all services in the operating system of the target database. In this case, we can directly modify the service status to cause server downtime. As shown in:

 

Use net stop OracleOraHome92TNSListener to stop TNS listening on the target database. Simulate a valid client to access the database, and directly report an error that cannot be connected to the server. In this way, we can control the system account with administrator permissions, so we can make any changes to the entire operating system.

The following describes how to use the obtained operating system permissions to pass database authentication. Oracle Database supports two authentication methods. One of them is verified by local operating system permissions. As shown in:

 

Use the local operating system account for oracle login authentication. Because the operating system has been controlled, you can directly use the sys account with the database sysdba permission to log on. Directly query the view of all the user names and passwords of the storage database only visible to sysdba

 

The figure reads all the usernames and passwords in the database on the target machine. The password can be cracked offline. Of course, when hackers use SYS to log on to the database, they can directly modify the password of any user by executing "alter user scott identified by new password.

If a hacker cannot log on to the system through sqlplus "/as sysdba. The error message is as follows:

 

This is because "sqlnet. AUTHENTICATION_SERVICES = (ETS)" is missing in SQLNET on the target machine )". Oracle does not allow this local login method. Hackers only need to execute:

Type C: \ oacle address \ network \ admin \ sqlnet. ora can be used to query whether the target database allows permission verification through the local operating system. For example:

 

Delete the original sqlnet del/f/s/q C: \ oacle address \ network \ admin \ sqlnet. ora and re-write a sqlnet address, allowing you to log on with a local operating system:

Echo SQLNET. AUTHENTICATION_SERVICES = (CNT)> C: \ oacle address \ network \ admin \ sqlnet. ora

 

A small vulnerability allows hackers to step-by-step control the entire machine, the entire database, and even the entire network. Although this vulnerability was detected in oracle, it eventually obtained the operating system permission. Likewise, some software or hardware vulnerabilities may ultimately harm the database. Therefore, we need to be aware of all vulnerabilities. Maybe these vulnerabilities have little to do with our core business, but if they are not fixed in time, it is likely to be a time bomb for the entire database, server, or even the network, which may erupt at any time.

How to defend against XDB Vulnerabilities

We recommend that you:

1. if you do not need the Oracle XML database function, we recommend that you do not install it. If it is already installed, but it is useless, we recommend that you disable XDB as follows: Edit $ ORACLE_HOME/dbs/initSID. remove the following lines from the ora file: dispatchers = '(PROTOCOL = TCP) (SERVICE = XDB); then restart the database. You can also Log On As A system in Oracle and run: drop user xdb cascade;
2. If you need services provided by XDB, go to the oracle official website to download patches to fix the possible buffer overflow vulnerability in XDB. 3. if you cannot patch and upgrade the database for various reasons, and you still need to use the services provided by XDB, please add a database firewall with the VPATCH function between your database and the network, to protect your database from XDB attacks.