Team Report for DBS401 - Oracle DB at FPT University (2018 - 07 - 25)
This report belongs to:
- Lai Trung Minh Duc
- Tran Long Nhat Phuong
- Hoang Dinh Tuan
- Dao Nguyen Van Thanh
Oracle DB 11g R2 Research (Installation, Users and Privileges, Audit Trail, Exploitations)
Lai Trung Minh Duc | Tran Long Nhat Phuong | Hoang Dinh Tuan | Dao Nguyen Van Thanh
FPT UNIVERSITY IA1161 – Summer 2018
Instructor: Prof. Mai Hoang Dinh
DBS401 REPORT – IA1161
ORACLE DATABASE
ASSIGNMENT
Lai Trung Minh Duc (SE62220) - Leader
- 1. Scenario
- 2.2. Create Oracle DB Account
- 3.2. Manual shell upload via the Oracle 11g R2 vulnerability (CVE-2010-3600) with a Python script, and creating a reverse connection
- 4.2. Review | 5.2. Solution
- 6. Conclusion
Tran Long Nhat Phuong (SE62164)
- 3.1. Metasploit remote access by exploiting CVE-2010-3600 (Oracle Database Client System Analyzer Arbitrary File Upload)
- 4.1. Review | 5.1. Solution
- Grammar and spelling check, English translation and review
Hoang Dinh Tuan (SE62146)
- 2.1. Setup
Dao Nguyen Van Thanh (SE62254)
- 3.3. ODAT
- 4.3. Review | 5.3. Solution
Table of Contents
1. Scenario
1.1. System
1.2. Create Oracle DB Account
1.3. System testing
2. Scenario Implementation
2.1. Setup Oracle DB System
2.2. Create Oracle DB Account
2.3. System testing
2.3.1. Connect to Oracle DB from Local and Remote at port 1521
2.3.2. Connect to Oracle DB Enterprise Management (Web Admin)
2.3.3. Connect to Web Server at port 80
2.3.4. Connect to Web Server at port 8080
3. Security Penetration Testing for Scenario
3.1. Metasploit remote access by exploiting the CVE-2010-3600 (Oracle Database Client System Analyzer Arbitrary File Upload)
3.2. Manually shell uploading via Oracle 11g R2 vulnerability (CVE-2010-3600) with Python script and create Reverse connection
3.3. Using Oracle Database Attacking Tool (ODAT - https://github.com/quentinhardy/odat)
4. Security Review for Scenario
4.1. Review for Metasploit exploitation
4.2. Review for Manually shell uploading via Oracle 11g R2 and remote shell
4.3. Review for ODAT
5. Security Solution
5.1. Solution for Metasploit exploitation
5.2. Solution for Manually shell uploading via Oracle 11g R2 and Reverse shell
5.2.1. Create Roles and Add Privileges to Roles
5.2.3. Testing role and its effect on user
5.3. Solution for ODAT
5.3.1. Database configuring
5.3.2. Database updating
5.3.3. Database Policies
6. Conclusion
1. Scenario
LOVEHUB is a technology company built on the dream of connecting people. More specifically, LOVEHUB uses an AI-based matching algorithm to help users find partners and arrange dates. During development, LOVEHUB needs to build a database system on Oracle Database Enterprise Edition. Below are LOVEHUB's requirements, against which the Oracle DB deployment is evaluated:
1.1. System:
- Database software: Oracle DB 11g R2, 32-bit (with the sample schemas HR, OE, PM, IX, SH)
- OS: Windows Server 2008, 64-bit (public IP: 13.76.132.5)
- Web server software: IIS (on Windows 2003) and XAMPP (Apache on port 8080, IIS on port 80)
- Windows Firewall: turned off for evaluation and security testing
1.2. Create Oracle DB Account:
- SYSTEM | Abc#12345 (set at installation)
- LOVEHUB_APP | 12345#Abc | roles and privileges equal to SYSTEM
- LOVEHUB_ADMIN | 12345#Abc | roles and privileges equal to SYSTEM
- LOVEHUB_BI | 1234567890 | roles and privileges equal to SYSTEM
1.3. System testing:
- Can connect to Oracle DB locally and remotely on port 1521
- Can connect to Oracle DB Enterprise Manager (web admin console) locally and remotely on port 1158 (or 5500)
- Can connect to the web server on port 80
Team Oracle-IA1161 then follows these requirements, evaluates the resulting system's security for LOVEHUB and suggests safer options.
2. Scenario Implementation
2.1. Setup Oracle DB System
Expand the Database folder, right-click setup.exe and select "Run as administrator". Click Yes in the User Account Control window to continue with the installation.
The Oracle Universal Installer starts.
The Configure Security Updates window appears. Enter your email address and My Oracle Support password to receive security issue notifications via email. If you do not wish to receive notifications via email, deselect "I wish to receive security updates via My Oracle Support". Click Next to continue, then click Yes in the confirmation window to confirm your preference.
The Select Installation Option window appears with the following options:
- Select "Create and configure a database" to install the database software, create a database instance and configure the database.
- Select "Install database software only" to install only the database software.
- Select "Upgrade an existing database" to upgrade a database that is already installed.
In this lab, we create and configure the database. Select the "Create and configure a database" option and click Next.
The System Class window appears. Select Desktop Class or Server Class depending on the type of system you are using:
- Select "Desktop class" if you are installing on a laptop or desktop-class machine. This option includes a starter database and allows minimal configuration.
- Select "Server class" if you are installing on a server-class system. This option allows more advanced configuration options.
During the Desktop Class installation, you make only a few basic choices. For the Server Class installation, you choose either a typical installation (where you only make basic choices) or an advanced installation. During a Desktop Class or a typical installation, Oracle Database automatically installs the sample schemas.
In this lab, we perform the installation on a desktop/laptop. Select Desktop class and click Next.
The Typical Install Configuration window appears.
- Oracle Base Location: the Oracle base directory helps to organize multiple Oracle software installations.
- Software Location: the software location is the Oracle home for your database. You must specify a new Oracle home directory for each new installation of Oracle Database software. By default, the Oracle home directory is a subdirectory of the Oracle base directory.
- Database File Location: the location where the Oracle Database data files are stored. By default, this is the oradata subdirectory of the Oracle base directory.
- Database Edition: select Enterprise Edition, Standard Edition, Standard Edition One, or Personal Edition:
o Enterprise Edition: the full-featured Oracle Database product that provides data management for enterprise-level applications. It is intended for mission-critical, high-security online transaction processing (OLTP) and data warehousing environments.
o Standard Edition: suitable for workgroup or department-level applications, and for small to medium-sized enterprises. It provides core relational database management services and options and includes an integrated set of management tools, replication, Web features, and facilities for building business-critical applications.
o Standard Edition One: suitable for workgroup, department, or web applications. It provides core relational database management services for single-server environments or highly distributed branch environments. Oracle Standard Edition One includes all the facilities necessary to build business-critical applications.
o Personal Edition (Microsoft Windows only): installs the same software as Enterprise Edition, but supports only a single-user development and deployment environment.
- Character Set: choose the character set used to store data in the database. You can choose between the Default, which is based on the operating system language settings, and Unicode.
- Global Database Name: enter the fully qualified global database name.
- Administrative Password: specify the initial password for the SYS, SYSTEM, SYSMAN, and DBSNMP administrator accounts. If the password you choose is not a secure password, a warning message is displayed.
After you enter the required information, click Next.
The prerequisite checks are performed to verify that the target environment meets the minimum installation and configuration requirements for the products you have selected.
The progress window appears.
The Oracle Database Configuration Assistant starts.
The Oracle Database Configuration Assistant creates and starts the Oracle instance and completes the database creation.
You can click "Password Management..." to unlock accounts or reset passwords. Leave the default accounts other than SYS and SYSTEM locked unless you actually need them. Click OK to continue.
The Finish window appears. Click Close to exit the Oracle Universal Installer.
2.2. Create Oracle DB Account
Log in to Oracle with the SYSTEM account in DBeaver (a database tool) and run the account-creation script in DBeaver's SQL Editor (the script is shown as a screenshot in the original report).
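The script itself is only a screenshot in the original report. The following is an added example, not the team's script, that implements requirement 1.2 literally: it creates the three accounts and copies every role and directly granted system privilege held by SYSTEM onto them. This is the deliberately over-privileged baseline that sections 4 and 5 then harden; the use of DBA_ROLE_PRIVS/DBA_SYS_PRIVS, the password quoting and the verification query are my additions. Run it as SYSTEM.

```sql
-- Added example, not the report's own script: builds the LOVEHUB accounts
-- exactly as requirement 1.2 asks ("roles and privileges equal to SYSTEM").
-- This is the deliberately over-privileged baseline; do not use it as-is.
-- The passwords start with a digit, so they must be double-quoted (and are
-- then case-sensitive, the 11g default).
CREATE USER lovehub_app   IDENTIFIED BY "12345#Abc";
CREATE USER lovehub_admin IDENTIFIED BY "12345#Abc";
CREATE USER lovehub_bi    IDENTIFIED BY "1234567890";

-- Copy SYSTEM's grants: every role in DBA_ROLE_PRIVS (DBA among them) and
-- every directly granted system privilege in DBA_SYS_PRIVS. SYSDBA is not
-- a role or system privilege (it lives in the password file), so it is
-- not copied here.
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  users name_list := name_list('LOVEHUB_APP', 'LOVEHUB_ADMIN', 'LOVEHUB_BI');
BEGIN
  FOR i IN 1 .. users.COUNT LOOP
    FOR r IN (SELECT granted_role AS priv
              FROM   dba_role_privs
              WHERE  grantee = 'SYSTEM'
              UNION ALL
              SELECT privilege
              FROM   dba_sys_privs
              WHERE  grantee = 'SYSTEM') LOOP
      EXECUTE IMMEDIATE 'GRANT ' || r.priv || ' TO ' || users(i);
    END LOOP;
  END LOOP;
END;
/

-- What a reviewer sees afterwards: three application accounts holding DBA.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee LIKE 'LOVEHUB%'
ORDER  BY grantee, granted_role;
```

The verification query is the one to keep: any row where an application or reporting account holds DBA is the finding that sections 4.2 and 5.2 are about.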
3. Security Penetration Testing for Scenario
After installing Oracle and testing Oracle and the web app, the IA1161-Oracle team evaluates the system by attacking it with Metasploit, with ODAT (Oracle Database Attacking Tool), and with a manual shell upload to IIS via Oracle DB.
3.1. Metasploit remote access by exploiting CVE-2010-3600 (Oracle Database Client System Analyzer Arbitrary File Upload)
- Brief information on this exploit: the module exploits an arbitrary file upload vulnerability in the Client System Analyzer component included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. The module has been tested successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution through the Windows Management Instrumentation service was used. The module was written by juan vazquez <juan.vazquez [at] metasploit.com>.
- Open msfconsole on Kali Linux and run "use exploit/windows/oracle/client_system_analyzer_upload".
- Set RHOST (the target host) and RPORT (the target port; default 1158, the Enterprise Manager Database Console port), then run "exploit".
- Because of some issues with port 1158 after several days, we changed the port to 5500.
The exploit completed but no session was created: the target runs Windows Server 2008, while the module's execution step targets Windows Server 2003. The malicious script (VBS) was uploaded, but it could not be run.
According to the IA1161-Oracle team's research several days earlier, this exploit does work against Windows Server 2003, and here is the proof.
In the Windows 2003 case, execution was obtained through Windows Management Instrumentation, which is why a .vbs file and a .mof file are involved. The upload itself goes through an unspecified vulnerability in the Client System Analyzer component of Oracle Database Server. Hence the pentester gains full access to the victim machine.
For example, the pentester can take a screenshot of the server's screen, or dump password hashes (screenshots in the original report).
3.2. Manual shell upload via the Oracle 11g R2 vulnerability (CVE-2010-3600) with a Python script, and creating a reverse connection
- Brief information about this exploit: the Python script was written by LAI TRUNG MINH DUC (ducltm@outlook.com) and is inspired by Juan Vazquez's Metasploit module (Ruby): https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/oracle/client_system_analyzer_upload.rb. The purpose of the script is to plant an ASPX or PHP web shell on the system by uploading it through Oracle Enterprise Manager in Oracle 11g R2: the same file upload the Metasploit module uses, but the file is written into the web root instead of relying on WMI to execute it, which is why it works where the module's execution step fails.
- The script can be downloaded here: https://github.com/LAITRUNGMINHDUC/CVE-2010-3600-PythonHackOracle11gR2
- Screenshot of the script and its meaning (see the original report):
- Now edit the script: set IP_ADDR to 13.76.132.5 and IP_PORT to 1158, then run it without any other change, since we know the target runs Windows with IIS.
- Then browse to http://13.76.132.5/aspx-shell.aspx
- With this simple shell in hand, the pentester notices XAMPP on the box and uploads b374k.php (a very powerful PHP shell) into XAMPP's web root at C:\XAMPP\htdocs
- Browse to the new shell at: http://13.76.132.5:8080/B374K.php
Another thing the pentester finds in C:\XAMPP\htdocs is an Oracle account: LOVEHUB_APP with password 12345@Abc.
The pentester can also use the b374k shell to upload a PHP reverse shell (b374k has a remote shell built in, but it is not good enough) to control the server's command line remotely (https://github.com/Dhayalanb/windows-php-reverse-shell).
And bingo, the pentester is truly inside the system now.
From here, the pentester can dump the database or do worse.
3.3. Using Oracle Database Attacking Tool (ODAT - https://github.com/quentinhardy/odat)
First, we run ODAT's all module (odat.py all -s 13.76.132.5 -p 1521) to get an overview of the system: it checks the listener for TNS poisoning, guesses SIDs, and then tries default and dictionary credentials against the SIDs it finds.
4. Security Review for Scenario
4.1. Review for Metasploit exploitation
- CVE-2010-3600: Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
- There is a Metasploit module that exploits this CVE.
- The combination of Windows Server 2003 and Oracle 11g R2 is exploited by Metasploit, creating a Meterpreter session.
- Our system does not run Windows Server 2003, so the module's code-execution step fails against it. The file upload itself still succeeds (section 3.1), which is exactly what the manual attack in 3.2 relies on, so the system is only safe from this particular module, not from the underlying vulnerability.
4.2. Review for manual shell upload via Oracle 11g R2 and remote shell
- The attacker abuses the unauthorized file upload to place a web shell on IIS, then uploads a better shell to Apache, and from there a reverse shell.
- Once a shell is on the server, the attacker can read Oracle DB account credentials and use the reverse shell to clone the database, or take control of the server and turn it into a C&C server.
- Unfortunately, our system is affected by this attack.
4.3. Review for ODAT
As the results show, not much can be exploited directly on this database: ODAT reports the listener as vulnerable to TNS poisoning (a man-in-the-middle attack on listener registration), and the remaining avenues are SID guessing and dictionary/brute-force password attacks.
5. Security Solution
5.1. Solution for Metasploit exploitation
- The Metasploit module cannot currently get code execution on this system, so no module-specific fix is needed; the patch and listener restrictions in 5.2 close the file upload vulnerability it relies on.
5.2. Solution for manual shell upload via Oracle 11g R2 and reverse shell
- Apply the Oracle Critical Patch Update that addresses CVE-2010-3600: https://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
- If no application connects to Oracle DB from the Internet, bind the Enterprise Manager console to localhost only (port 1158), or use the firewall to block inbound traffic to port 1158. The same applies to port 5500 if the console is moved there.
- Limit the roles and privileges of the accounts, specifically LOVEHUB_APP and LOVEHUB_BI.
- Suggestion: create roles to manage the databases and add LOVEHUB_APP and LOVEHUB_BI to those roles.
Roles:
- DATA_ANALYST | SELECT on HR, OE, PM, IX, SH
- DATA_ENGINEER | DML on HR, OE, PM, IX, SH
- APPLICATION | DML on HR, OE, PM, IX, SH
- DEVELOPER | DML on HR, OE, PM, IX, SH
Oracle DB Script for Roles, Accounts and Testing
5.2.1. Create Roles and Add Privileges to Roles
(Full script: https://gist.github.com/LAITRUNGMINHDUC/fdd8b80bd7f0ad4892787681096355a3)
5.2.2. Revoke SYSDBA privileges from LOVEHUB_ADMIN and LOVEHUB_APP, then add the roles to those accounts.
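The team's full script lives in the gist linked above and is shown as screenshots in the original report. Below is an added example (my code, not the gist) covering 5.2.1 and 5.2.2 together: it creates the four roles from 5.2, grants them object privileges on every table and view in the five sample schemas, strips the SYSTEM-equivalent grants from LOVEHUB_APP and LOVEHUB_BI, and assigns the roles. The cursor filters, the exception handler and the verification queries are my assumptions about what a robust version needs; run it as SYS or SYSTEM with SET SERVEROUTPUT ON.

```sql
-- Added example, not the report's gist: least-privilege roles for the
-- sample schemas, then move the LOVEHUB accounts onto them.
CREATE ROLE data_analyst;    -- read-only reporting (LOVEHUB_BI)
CREATE ROLE data_engineer;   -- DML
CREATE ROLE application;     -- DML (LOVEHUB_APP)
CREATE ROLE developer;       -- DML

-- Each role carries CREATE SESSION; without it the account can no longer
-- log in once DBA is revoked.
GRANT CREATE SESSION TO data_analyst, data_engineer, application, developer;

-- Object privileges on every ordinary table and view in the five schemas.
-- Nested-table storage tables and IOT overflow segments cannot be granted
-- on directly, so they are filtered out; anything else that fails is
-- reported rather than aborting the whole loop.
DECLARE
  CURSOR objs IS
    SELECT owner, table_name AS obj_name
    FROM   dba_tables
    WHERE  owner IN ('HR', 'OE', 'PM', 'IX', 'SH')
    AND    nested = 'NO'
    AND    (iot_type IS NULL OR iot_type = 'IOT')
    UNION ALL
    SELECT owner, view_name
    FROM   dba_views
    WHERE  owner IN ('HR', 'OE', 'PM', 'IX', 'SH');
BEGIN
  FOR o IN objs LOOP
    BEGIN
      EXECUTE IMMEDIATE 'GRANT SELECT ON "' || o.owner || '"."' || o.obj_name
                     || '" TO data_analyst';
      EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE ON "' || o.owner
                     || '"."' || o.obj_name
                     || '" TO data_engineer, application, developer';
    EXCEPTION
      WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE('skipped ' || o.owner || '.' || o.obj_name
                             || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/

-- Remove everything the 2.2 setup granted to the two application
-- accounts: roles (DBA among them) and direct system privileges.
DECLARE
  CURSOR grants IS
    SELECT grantee, granted_role AS priv
    FROM   dba_role_privs
    WHERE  grantee IN ('LOVEHUB_APP', 'LOVEHUB_BI')
    UNION ALL
    SELECT grantee, privilege
    FROM   dba_sys_privs
    WHERE  grantee IN ('LOVEHUB_APP', 'LOVEHUB_BI');
BEGIN
  FOR g IN grants LOOP
    EXECUTE IMMEDIATE 'REVOKE ' || g.priv || ' FROM ' || g.grantee;
  END LOOP;
END;
/

-- SYSDBA is held in the password file, not in the views above. The REVOKE
-- fails if SYSDBA was never granted, so check V$PWFILE_USERS first.
SELECT username, sysdba FROM v$pwfile_users WHERE username LIKE 'LOVEHUB%';
REVOKE SYSDBA FROM lovehub_admin;
REVOKE SYSDBA FROM lovehub_app;

-- Assign the intended roles.
GRANT application  TO lovehub_app;
GRANT data_analyst TO lovehub_bi;

-- Verify: each account now holds exactly one role.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee IN ('LOVEHUB_APP', 'LOVEHUB_BI')
ORDER  BY grantee, granted_role;

-- Effect test, connected as LOVEHUB_BI:
--   SELECT COUNT(*) FROM hr.employees;      -- allowed
--   UPDATE hr.employees SET salary = 0;     -- ORA-01031: insufficient privileges
```

Note that the grants are a snapshot: a table created in HR after this script runs is not covered by the roles, so re-run the grant loop (it is idempotent) whenever the sample schemas change.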
5.3. Solution for ODAT
5.3.1. Database configuring
Some configurations are recommended to mitigate the TNS poisoning attack (CVE-2012-1675):
o Switch off dynamic registration in listener.ora (DYNAMIC_REGISTRATION_<listener_name> = OFF) and use a static SID_LIST instead, so an unknown instance cannot register itself with the listener.
o If the database must use Oracle Real Application Clusters, dynamic registration is required. In that case, secure the registration channel instead, for example by requiring TLS for the listener.
o If only some IP addresses need to reach the database, set TCP.VALIDNODE_CHECKING = YES and TCP.INVITED_NODES in sqlnet.ora to allow only a given set of hostnames and IP addresses to connect; INVITED_NODES has no effect without VALIDNODE_CHECKING.
o Properly configure the network.
5.3.2. Database updating
CVE-2012-3137 (O5LOGON session key stealing: the authentication handshake leaks a session key and salt that allow offline password cracking) affects these Oracle products and versions:
o Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.2
o Oracle Database 11g Release 1, version 11.1.0.7
o Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Therefore, the Oracle Database should be kept up to date, so that the attacker cannot exploit any old vulnerability.
5.3.3. Database Policies
The passwords of reachable accounts should be strong and hard to crack, so that the attacker cannot obtain them by brute force; the scenario passwords in 1.2, such as 1234567890, are exactly what a dictionary attack finds first.
Running the database listener on a port other than the default 1521 makes it slightly harder for an attacker to discover the port the database listens on, but a port scan still finds it, so the firewall on the database server should also be configured to block scanning and unwanted inbound connections.
Another way to keep the database safe is to create profiles that limit the number of failed login attempts on an account. The first step of the attack, brute-forcing a valid SID and then a valid login, is a crucial part of the penetration. It is therefore wise to limit how many times a password can be entered before the account is locked. The lock should only last a limited time, in case a real user has simply forgotten the password. This still gives the attacker further attempts, but each attempt now costs far more time.
Also, the database administrator should check the audit trail from time to time for unfamiliar connections and actions.
▪ Start auditing login attempts:
AUDIT SESSION;
▪ View the login attempts (successful or failed) and logoff times of a user (substitute the account name, in upper case and quoted):
SELECT USERNAME, ACTION_NAME, RETURNCODE,
to_char(TIMESTAMP,'MM-DD-YYYY HH24:MI:SS') FROM
DBA_AUDIT_TRAIL WHERE USERNAME = '<User>';
As can be seen from the screenshot in the original report, multiple login sessions were created by the user LOVEHUB_ADMIN, which means the attacker is using that account while looking for an exploit.
We can also see a large number of login attempts with the username SYS, so we can say that someone is brute-forcing the SYS account (RETURNCODE 0 is a successful logon; 1017 is an invalid username/password).
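The profile and audit queries described in 5.3.3, as an added example (my code, not the report's): a timed-lockout profile applied to the LOVEHUB accounts, session auditing, and an aggregation over DBA_AUDIT_TRAIL that turns the raw per-user listing above into a per-hour failed-logon count, which is what makes the SYS brute force stand out. It assumes AUDIT_TRAIL=DB (the 11g DBCA default) and the account names from 1.2; the thresholds are my choices.

```sql
-- Added example, not the report's own script: lockout profile plus the
-- audit-trail queries used to spot the SID/password guessing ODAT performs.

-- 1. Timed lockout: five consecutive failures lock the account for one
--    hour (PASSWORD_LOCK_TIME is in days), after which it unlocks by
--    itself. A forgotten password needs no DBA, but an attacker gets at
--    most five guesses per hour per account. Password limits are always
--    enforced; IDLE_TIME is only enforced when RESOURCE_LIMIT = TRUE.
CREATE PROFILE lovehub_secure LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7
  PASSWORD_REUSE_MAX    10
  PASSWORD_REUSE_TIME   365
  IDLE_TIME             60;

ALTER USER lovehub_app   PROFILE lovehub_secure;
ALTER USER lovehub_admin PROFILE lovehub_secure;
ALTER USER lovehub_bi    PROFILE lovehub_secure;

-- 2. Record every logon and logoff, successful or not.
AUDIT SESSION;

-- 3. Failed logons per account, host and hour over the last day.
--    RETURNCODE is the ORA- error number: 0 success, 1017 invalid
--    username/password, 28000 account locked. Ten or more bad passwords
--    in an hour from one host is guessing, not a typo.
SELECT username,
       userhost,
       TRUNC(timestamp, 'HH') AS hour_bucket,
       COUNT(CASE WHEN returncode = 1017  THEN 1 END) AS bad_password,
       COUNT(CASE WHEN returncode = 28000 THEN 1 END) AS hit_lockout,
       COUNT(CASE WHEN returncode = 0     THEN 1 END) AS success
FROM   dba_audit_trail
WHERE  action_name IN ('LOGON', 'LOGOFF', 'LOGOFF BY CLEANUP')
AND    timestamp > SYSDATE - 1
GROUP  BY username, userhost, TRUNC(timestamp, 'HH')
HAVING COUNT(CASE WHEN returncode = 1017 THEN 1 END) >= 10
ORDER  BY bad_password DESC;

-- 4. Accounts the profile has locked. LOCKED(TIMED) clears on its own
--    after PASSWORD_LOCK_TIME; plain LOCKED means a DBA locked it.
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE 'LOCKED%';
```

Oracle also ships a password complexity function in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql; adding it to the profile with PASSWORD_VERIFY_FUNCTION enforces the "well-made" passwords the section asks for, but note that the script also alters the DEFAULT profile when run.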
6. Conclusion
LOVEHUB's proposal for building their system was a typical one (giving the highest privileges to every user), and this is a security flaw. Together with the vulnerable version of Oracle DB 11g R2 and the web admin port being open to all incoming connections, attackers can take advantage of it.
The IA1161-Oracle team has implemented the system from the proposal, proposed a security plan, and carried it out to harden the system for LOVEHUB. From now on, LOVEHUB is protected against the attacks demonstrated here, until a new (zero-day) vulnerability in Oracle 11g is discovered.