
CVE-2012-1675 tns poison fix for oracle (rac) >=11.2.0.4


To check for the vulnerability I use nmap with an NSE script that tests an Oracle DB for the "TNS poison vulnerability":

oracle-tns-poison.nse

local bin = require "bin"
local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Simple module to test an Oracle DB server for the TNS Poison vulnerability (CVE-2012-1675).
The module sends the listener a CONNECT packet carrying a service_register_NSGR command
(the request a remote instance uses to register itself) and checks the response: a listener
that rejects the registration answers with an ERROR_STACK, a vulnerable one does not.
For more details about this bug see http://seclists.org/fulldisclosure/2012/Apr/204
]]

--
-- @usage
-- nmap --script=oracle-tns-poison -p 1521 <host>
--
-- @output
-- PORT     STATE SERVICE REASON
-- 1521/tcp open  oracle  syn-ack
-- |_oracle-tns-poison: Host is vulnerable!
--
-- This module is based on the sid-brute script. Thanks to its author, Patrik Karlsson.
--

author = "Ivan Chalykin"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln"}

portrule = shortport.port_or_service(1521, 'oracle-tns')

-- TNS packet types (only CONNECT is sent by this script)
local tns_type = {CONNECT=1, REFUSE=4, REDIRECT=5, RESEND=11}

-- 8-byte TNS header. packetLength is the length of the connect data string;
-- 34 = 8 (this header) + 26 (the fixed connect packet fields) that precede it.
local function create_tns_header(packetType, packetLength)
  return bin.pack(">SSCCS",
    packetLength + 34,    -- Packet Length
    0,                    -- Packet Checksum
    tns_type[packetType], -- Packet Type
    0,                    -- Reserved Byte
    0                     -- Header Checksum
    )
end

-- CONNECT packet whose connect data asks the listener to register a new service
local function create_connect_packet()
  local connect_data = "(CONNECT_DATA=(COMMAND=service_register_NSGR))"

  local data = bin.pack(">SSSSSSSSSSICCA",
    308,                -- Version
    300,                -- Version (Compatibility)
    0,                  -- Service Options
    2048,               -- Session Data Unit Size
    32767,              -- Maximum Transmission Data Unit Size
    20376,              -- NT Protocol Characteristics
    0,                  -- Line Turnaround Value
    1,                  -- Value of 1 in Hardware
    connect_data:len(), -- Length of connect data
    34,                 -- Offset to connect data
    0,                  -- Maximum Receivable Connect Data
    1,                  -- Connect Flags 0
    1,                  -- Connect Flags 1
    connect_data
    )

  local header = create_tns_header("CONNECT", connect_data:len())
  return header .. data
end

action = function(host, port)
  local socket = nmap.new_socket()
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  socket:set_timeout(2000)
  try(socket:connect(host, port))
  try(socket:send(create_connect_packet()))
  local response = try(socket:receive_bytes(1))
  socket:close()

  -- a VNCR-protected listener refuses the registration with an ERROR_STACK
  if response:match("ERROR_STACK") then
    return "Not Vulnerable"
  end
  return "Host is vulnerable!"
end


Check:

nmap --script=oracle-tns-poison.nse -p 1521 oel6-2

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-29 10:54 MSK
Nmap scan report for oel6-2 (10.0.0.62)
Host is up (0.00018s latency).
rDNS record for 10.0.0.62: oel6-2.djeday.lan
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

The solution is described in MOS: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1) and How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1).
Fix: add the VNCR settings to the grid home listener.ora. The full file on oel6-2 after the change is shown below; the VALID_NODE_CHECKING_REGISTRATION_* and REGISTRATION_INVITED_NODES_* lines are the ones added:

[grid@oel6-2 admin]$ cat listener.ora
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))		# line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))		# line added by Agent
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))		# line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON		# line added by Agent

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN3=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
  • REGISTRATION_INVITED_NODES_LISTENER_SCAN*=(list of the public IPs of all nodes), one line per SCAN listener, each keyed with its own listener name
  • reload the listener configuration (lsnrctl reload with no name reloads only the default LISTENER; reload each SCAN listener by name, e.g. lsnrctl reload LISTENER_SCAN1)

[grid@oel6-2 admin]$ lsnrctl reload

Check one more time:

nmap --script=oracle-tns-poison.nse -p 1521 oel6-2

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-29 10:55 MSK
Nmap scan report for oel6-2 (10.0.0.62)
Host is up (0.00021s latency).
rDNS record for 10.0.0.62: oel6-2.djeday.lan
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Not Vulnerable

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Job done =)
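As an added example (not part of the original post), a small Python audit of listener.ora that checks what the fix above relies on: every listener has VNCR turned on and every SCAN listener has its own REGISTRATION_INVITED_NODES list. The input is a constructed listener.ora modelled on the one above, seeded with a mis-keyed invited-node line and a listener with no VNCR line; the rule that a SCAN listener needs an invited-node list is an assumption about RAC registration, not something the MOS notes are quoted on here.

```python
# Constructed listener.ora modelled on the post's RAC example. It deliberately
# carries two mistakes the audit should catch: the SCAN2 invited-node line is
# mis-keyed as SCAN1 (copy-paste), and SCAN3 has no VNCR line at all.
SAMPLE_LISTENER_ORA = """\
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))  # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))  # line added by Agent
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))  # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))  # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
"""

VNCR_PREFIX = "VALID_NODE_CHECKING_REGISTRATION_"
INVITED_PREFIX = "REGISTRATION_INVITED_NODES_"
VNCR_ENABLED = {"1", "ON", "LOCAL", "2", "SUBNET"}  # values that turn VNCR on

def parse_listener_ora(text):
    """Flatten listener.ora into {KEY: value} ('#' starts a comment); also return duplicated keys."""
    params, dupes = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.upper() in params:
            dupes.append(key.upper())
        params[key.upper()] = value
    return params, dupes

def audit_vncr(text):
    """Return {listener_name: [findings]}; an empty list means the listener looks correctly protected."""
    params, dupes = parse_listener_ora(text)
    # listener definitions are the keys whose value is a (DESCRIPTION=...) block
    report = {k: [] for k, v in params.items() if v.upper().startswith("(DESCRIPTION")}
    for name, findings in report.items():
        vncr = params.get(VNCR_PREFIX + name, "OFF").upper()
        if vncr not in VNCR_ENABLED:
            findings.append("VNCR not set or OFF: any host can register services (CVE-2012-1675)")
        # assumption: SCAN listeners must accept registrations from every RAC node, so VNCR
        # without an invited-node list would lock the other nodes' instances out
        elif name.startswith("LISTENER_SCAN") and INVITED_PREFIX + name not in params:
            findings.append("VNCR on but no REGISTRATION_INVITED_NODES: remote instances cannot register")
    for key in dupes:
        owner = key[len(INVITED_PREFIX):]
        if key.startswith(INVITED_PREFIX) and owner in report:
            report[owner].append(key + " is defined twice; check the listener name in each copy")
    return report
```

The audit only reads the file; the nmap script above remains the runtime check that the reloaded listeners actually refuse a remote registration.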

1 comment

VALID_NODE_CHECKING_REGISTRATION_LISTENER=LOCAL

nmap --script=oracle-tns-poison.nse -p 1521 XXXXXXXXXXX

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-13 21:35 MSK
Nmap scan report for XXXXXXXXXXX
Host is up (0.0057s latency).
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!

Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds

after:

nmap --script=oracle-tns-poison.nse -p 1521 p00pgpdbstb01

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-13 21:36 MSK
Nmap scan report for XXXXXXXXXXX
Host is up (0.0049s latency).
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Not Vulnerable

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
    
