Accessing the Network

The Oracle RDBMS is a perfect platform for launching attacks against other systems on the network. This may be as simple as using database links to gain access to other Oracle databases or using some of the default PL/SQL packages to gain access to web or mail servers. If you have the CREATE PROCEDURE privilege, and most accounts do have this system privilege, you can even code your own PL/SQL network library allowing you to access any kind of server whether the protocol used is text-based or binary in nature.

Database Links

One Oracle database can communicate with another by using database links. Database links can be created as PUBLIC, which means that anyone can use the link, or nonpublic. Nonpublic links are for the use of the owner. When a database link is created there are two options for authentication against the remote system. First, a user ID and password can be embedded. These credentials are stored in the SYS.LINK$ table so anyone that can access this table can gather credentials for the remote system. The other option is to create the link with the CURRENT_USER keyword, which specifies that when the link is accessed the current user 's credentials are used. This is a safer option to use when creating links. The syntax for creating a database link is as follows :

 CREATE DATABASE LINK linkname CONNECT TO user IDENTIFIED BY passwd USING 'tnsentry' 

or

 CREATE DATABASE LINK linkname CONNECT TO CURRENT_USER USING 'tnsentry' 

Once a link is created it is possible to run SQL queries against the remote system. For example, assuming there's a table called foobar on the remote system, it is possible to select data from it with

 SELECT * FROM FOOBAR@LINKNAME 

Once an Oracle server has been compromised an attacker will be able to access other database servers that are linked to from the compromised system in this way. Incidentally, there's a buffer overflow in database links ”though a patch is available. By specifying an overly long tnsentry when creating the link and then selecting from the link, a stack-based buffer is overflowed allowing the attacker to gain control. See http://www.ngssoftware.com/advisories/ora-dblink.txt for more details.



Database Hacker's Handbook. Defending Database Servers
The Database Hackers Handbook: Defending Database Servers
ISBN: 0764578014
EAN: 2147483647
Year: 2003
Pages: 156

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net