Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: redirect listener log

Re: redirect listener log

From: joel garry <joel-garry_at_home.com>
Date: 21 Aug 2006 13:47:03 -0700
Message-ID: <1156193223.401320.34350@i42g2000cwa.googlegroups.com>

Frank van Bortel wrote:
> astalavista schreef:
> >> You hear the bell ring, but do not know
> >> where it hangs (or similar, I try to transform a
> >> Dutch saying here).
> >> It's about redirecting the traffic, and inserting TCP/IP
> >> packets when a logon is ongoing.
> >>
> >> Patched in the January CPU, René Nyffenegger and Pete
> >> Finnigan wrote about it. Here's René's article:
> >> http://www.adp-gmbh.ch/blog/2006/01/24.php, for
> >> completeness, here's Pete's:
> >> http://www.petefinnigan.com/weblog/archives/00000699.htm
> >> --
> > This is what I read (from Arup Nanda)
> >
> > Log File Redirection
> > One of the breaches comes from the exploit available in the listener
> > code, in which case a hacker might change the log directory to something
> > other than the default, and then use that to gain valuable information about
> > the listener, the services, the database, and so on. In a more serious
> > exploit, the hacker might direct certain commands to be placed in the trace
> > files that create a user and grant it a DBA role. These commands are then
> > placed in the glogin.sql file, which is executed automatically every time
> > someone on the server connects to the database using SQL*Plus. When the DBA
> > logs in, the code is also executed, which creates this Trojan horse user. To
> > prevent such an exploit, you should place a password on the listener. When
> > the user tries to modify these values, the correct password must be
> > specified. If the wrong password is supplied, the user gets a TNS-1190
> > error, which also goes to the log file. Here are two sample entries in the
> > log file, when an incorrect password was issued:
> >
> >
> >
>
> In both cases, the cracker has access to your machine.

http://download-west.oracle.com/docs/cd/B19306_01/network.102/b14213/lsnrctl.htm#i551583 says:

"All commands except START can be issued when a listener is administered remotely."

And any recent version including XE:

LSNRCTL> help set log_directory
set|show log_{ } [<value>]: set|show log parameters of current listener

So really, "access to the machine" might be something that otherwise appears benign, not necessarily the dba group, although to do the glogin thing would. Unless of course one could figure out how to use the listener itself to put arbitrary commands into glogin, like by making glogin the log file. Oops, did I say something bad? http://www.red-database-security.com/exploits/oracle_exploit_tns_listener.html

jg

--
@home.com is bogus.
The IRS is friendlier and more cost-effective than private enterprise:
http://www.signonsandiego.com/uniontrib/20060820/news_1n20irs.html
Received on Mon Aug 21 2006 - 15:47:03 CDT
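
The thread above is about listener log and trace settings being changed remotely, and about the TNS-1190 entries left behind when a listener password blocks the attempt. As an added example (not part of the original post or of any Oracle tooling), this sketch scans a listener log for both. The log line layout is an assumption based on the classic text listener.log, and the sample lines, host names and users are constructed.

```python
import re

# Constructed sample, assuming the classic text listener.log layout
# (timestamp * connect data * command * return code). All values are made up.
SAMPLE_LOG = """\
21-AUG-2006 13:40:11 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost1)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * status * 0
21-AUG-2006 13:41:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws17)(USER=guest))(COMMAND=log_directory)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=169869568)(VALUE=/tmp)) * log_directory * 0
21-AUG-2006 13:41:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws17)(USER=guest))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=169869568)(VALUE=x.log)) * log_file * 1190
TNS-01190: The user is not authorized to execute the requested listener command
21-AUG-2006 13:41:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ws17)(USER=guest))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) * stop * 1190
TNS-01190: The user is not authorized to execute the requested listener command
21-AUG-2006 13:42:00 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=ws17)(USER=guest))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.17)(PORT=40112)) * establish * ORCL * 0
"""

# lsnrctl SET parameters that move or rename the log and trace output.
WATCHED = {"log_file", "log_directory", "trc_file", "trc_directory"}
NOT_AUTHORIZED = 1190  # TNS-01190: wrong or missing listener password

# Control-command records only: "<ts> * (CONNECT_DATA=...) * <command> * <rc>"
LINE = re.compile(r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
                  r"\((?P<cd>CONNECT_DATA=.*)\) \* (?P<cmd>\w+) \* (?P<rc>\d+)$")
FIELD = re.compile(r"\((HOST|USER|VALUE)=([^()]*)\)")


def scan(text):
    """Return one finding per watched SET command or per rejected command."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # client connection records and TNS-nnnnn text lines
        cmd, rc = m["cmd"].lower(), int(m["rc"])
        if cmd not in WATCHED and rc != NOT_AUTHORIZED:
            continue
        f = dict(FIELD.findall(m["cd"]))
        status = ("rejected" if rc == NOT_AUTHORIZED
                  else "applied" if rc == 0 else "error")
        findings.append({"ts": m["ts"], "cmd": cmd, "status": status,
                         "host": f.get("HOST", ""), "user": f.get("USER", ""),
                         "value": f.get("VALUE", "")})
    return findings


if __name__ == "__main__":
    for item in scan(SAMPLE_LOG):
        print("{ts} {status:8} {cmd} value={value!r} from {user}@{host}".format(**item))
```

An "applied" finding for a log or trace parameter means the change went through, so the value it points at is the first thing to check.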
