Oracle GLOGIN.SQL Exploit
Versions: ALL

Overview
Is there anything more frightening than someone taking total control of your database without having login credentials? For decades, every copy of the Oracle Database has installed a file named GLOGIN.SQL at $ORACLE_HOME/sqlplus/admin.
This file can be used as one step in an attack strategy because it can transparently run malicious code with DBA privileges.
The fact that it exists, and can be invaluable, has not had much of an impact on the DBA community, which rarely utilizes this tool and thus never considers what might be in it.

Warning: glogin.sql executes whether you use it or not! Any time any user, no matter their privileges, starts SQL*Plus on a database server, glogin.sql runs and executes whatever SQL*Plus formatting or database commands the file contains. If the user has insufficient privileges an error may occur, but the overwhelming majority of connections made with SQL*Plus are made by users with escalated privileges such as DBAs, assuring that if something is in the file ... it will execute successfully.

Exploit Demo

This demo consists of two separate sessions. The one on the left will use vi and edit the glogin.sql file; the one on the right will use SQL*Plus. To avoid verbosity below, the demo assumes that every change to the glogin.sql file is followed by a save-write.

| vi | SQL*Plus |
|---|---|
| `# cd $ORACLE_HOME/sqlplus/admin` | |
| | `SQL> conn / as sysdba` |
| | `-- verify that user SCOTT does not have the DBA` |
| `vi glogin.sql` | |
| `-- add the following line and save the file` | |
| `set termout off` | |
| | `SQL> conn scott/tiger` |

Conclusion

Could a system or network admin initiate this hack? How about a contractor or vendor? How about an orchestration tool such as Ansible, Chef, or Puppet? How many seconds would it take to cd to the right directory and paste in those 48 characters? You should be using glogin.sql ... it is an extremely valuable tool. We never deploy a database without configuring it. But someone responsible for IT security should be alerted immediately to any change in the file's timestamp or hash value, the instant it is altered.
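One way to act on that last point is a baseline-and-compare check that records a SHA-256 hash and modification time of glogin.sql and raises an alert when either changes. The script below is an added example, not code from the original page or from Oracle; it assumes a Linux host with GNU coreutils (`sha256sum`, `stat -c`), and the demo at the bottom works on a constructed copy of the file in a temporary directory rather than on a real $ORACLE_HOME so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): detect changes to glogin.sql
# by comparing a stored baseline against the file's current SHA-256 hash
# and mtime. Assumes GNU coreutils (sha256sum, stat -c); the Oracle path
# is only a placeholder, override with GLOGIN_PATH.

# Fingerprint a file as "<sha256> <mtime-epoch>". Prints "missing" and
# returns 1 if the file does not exist, which is itself worth alerting on.
glogin_fingerprint() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    mtime=$(stat -c %Y "$f")
    echo "$sum $mtime"
}

# Write the current fingerprint to a baseline file (run once, after you
# have reviewed the contents of glogin.sql yourself).
glogin_baseline_write() {
    glogin_fingerprint "$1" > "$2"
}

# Compare a stored baseline against the live file.
# Returns 0 when hash and mtime both match, 1 when either differs.
# A hash change with an unchanged mtime is still reported: timestamps
# can be reset, content cannot be hidden from the hash.
glogin_check() {
    file="$1"
    baseline_file="$2"
    baseline=$(cat "$baseline_file" 2>/dev/null) || return 1
    current=$(glogin_fingerprint "$file") || return 1
    [ "$baseline" = "$current" ]
}

# Human-readable wrapper suitable for a cron job or monitoring agent.
glogin_report() {
    if glogin_check "$1" "$2"; then
        echo "OK: $1 matches baseline"
        return 0
    fi
    echo "ALERT: $1 differs from baseline (hash or mtime changed)" >&2
    return 1
}

# --- constructed demo on a temporary copy, so the script runs offline ---
demo_dir=$(mktemp -d)
demo_file="$demo_dir/glogin.sql"
printf 'set termout off\n' > "$demo_file"          # constructed sample content
glogin_baseline_write "$demo_file" "$demo_dir/glogin.baseline"
glogin_report "$demo_file" "$demo_dir/glogin.baseline"    # OK
printf 'prompt extra line\n' >> "$demo_file"        # simulate a later edit
glogin_report "$demo_file" "$demo_dir/glogin.baseline" || true   # ALERT
rm -rf "$demo_dir"

# Real use (placeholder path): GLOGIN_PATH=$ORACLE_HOME/sqlplus/admin/glogin.sql
```

For production use, store the baseline somewhere the DBA and OS accounts cannot write (or in your configuration-management inventory) and run `glogin_report` from cron or your monitoring agent; an alert on a mismatch, or on a missing file, is the signal the conclusion above calls for.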
Related Topics |
Block the GLOGIN Exploit |