From: Chris McNab (chris.mcnab@trustmatta.com)
Date: Thu Mar 25 2004 - 07:25:11 EST
Hi,

For Oracle you have a few remote options. I'm assuming you have remote IP
access to the TNS Listener; if so, you can use tnscmd.pl to issue
commands (if the default, non-existent TNS Listener authentication model is
in place), available from http://www.jammed.com/~jwa/hacks/security/tnscmd/.

Oracle 8.1.7 is also susceptible to a remote COMMAND stack overflow
(CVE-2001-0499) through the TNS Listener, and 8.1.6 and prior are
susceptible to a file creation bug by changing the log_file variable on the
server.

One tool that nobody has mentioned is MetaCoretex
(http://www.metacoretex.com), which has a bunch of neat features, including:

- TCP bounce port scanning through the Oracle database using UTL_TCP
- Oracle SID enumeration
- Various TNS Listener probes, security settings, status, etc.

Of course, this info is all taken from my forthcoming ORA book
(http://www.oreilly.com/catalog/networksa/) ;]

Chris
Chris McNab
Technical Director
Matta Consulting Limited
18 Noel Street
London W1F 8GN
08700 77 11 00
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT