To check for it, I use nmap and the following Nmap script, which tests an Oracle DB for the «TNS poison vulnerability»:
[code language="lua"]
local bin = require "bin"
local io = require "io"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
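description = [[
Simple module to test Oracle DB server for TNS Poison vulnerability.
Module sends to server a packet with command to register new TNS Listener and check response
To more details about this bug see http://seclists.org/fulldisclosure/2012/Apr/204
]]

---
-- @usage
-- nmap --script=oracle-tns-poison -p 1521 <host>
--
-- @output
-- PORT     STATE SERVICE REASON
-- 1521/tcp open  oracle  syn-ack
-- | oracle-tns-poison: Host is vulnerable!
--
--
-- This module is based on sid-brute script. Thanks to author: Patrik Karlsson.
--

author = "Ivan Chalykin"
license = "Same as Nmap—See http://nmap.org/book/man-legal.html"
categories = {"vuln"}
-- Run against port 1521 or anything Nmap identifies as the oracle-tns service.
portrule = shortport.port_or_service(1521, "oracle-tns")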
-- TNS packet type codes, i.e. the value written into the header's type byte.
-- Only CONNECT is used by this script; the others are listed for reference.
local tns_type = {
  CONNECT  = 1,
  REFUSE   = 4,
  REDIRECT = 5,
  RESEND   = 11,
}
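--- Build the 8-byte TNS packet header that precedes every request.
-- Layout (big-endian): packet length, packet checksum, packet type,
-- reserved byte, header checksum.  The length field has to cover this
-- header (8 bytes) plus the 26 fixed bytes of the connect body, hence the
-- constant 34 added to the caller-supplied connect-data length; it matches
-- the "Offset to connect data" value of 34 used by create_connect_packet().
-- @param packetType string key into tns_type ("CONNECT", "REFUSE", ...)
-- @param packetLength number length of the variable connect data in bytes
-- @return string the packed header
-- @raise error (at the caller) if packetType is not a known TNS type
local function create_tns_header(packetType, packetLength)
  local type_code = tns_type[packetType]
  if type_code == nil then
    -- Fail loudly instead of letting bin.pack choke on a nil argument.
    error("unknown TNS packet type: " .. tostring(packetType), 2)
  end
  return bin.pack(">SSCCS",
    packetLength + 34, -- Packet Length (header + fixed body + connect data)
    0,                 -- Packet Checksum
    type_code,         -- Packet Type
    0,                 -- Reserved Byte
    0                  -- Header Checksum
  )
end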
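--- Build the TNS CONNECT packet carrying the listener-registration command.
-- The connect body is 26 fixed big-endian bytes followed by the connect
-- string; the "Offset to connect data" field (34) is header (8) + fixed
-- body (26).  The connect string asks the listener to register a new
-- service; a listener that refuses registration answers with an
-- ERROR_STACK, which action() looks for.
-- Note: action() historically passed host/port arguments to this function;
-- they are not needed and are ignored.
-- @return string the complete packet (header .. body)
local function create_connect_packet()
  local connect_data = "(CONNECT_DATA=(COMMAND=service_register_NSGR))"
  local body = bin.pack(">SSSSSSSSSSICCA",
    308,                -- Version
    300,                -- Version (Compatibility)
    0,                  -- Service Options
    2048,               -- Session Data Unit Size
    32767,              -- Maximum Transmission Data Unit Size
    20376,              -- NT Protocol Characteristics
    0,                  -- Line Turnaround Value
    1,                  -- Value of 1 in Hardware
    connect_data:len(), -- Length of connect data
    34,                 -- Offset to connect data
    0,                  -- Maximum Receivable Connect Data
    1,                  -- Connect Flags 0
    1,                  -- Connect Flags 1
    connect_data
  )
  local header = create_tns_header("CONNECT", connect_data:len())
  return header .. body
end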
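--- Script entry point: probe one Oracle TNS listener port.
-- Sends the registration CONNECT packet from create_connect_packet() and
-- classifies the listener by the reply: an ERROR_STACK means the listener
-- rejected the registration ("Not Vulnerable"); any other reply is reported
-- as vulnerable.  NOTE(review): only the first chunk returned by
-- receive_bytes(1) is inspected, so an ERROR_STACK arriving in a later
-- segment, or a refusal that does not carry that literal text, would be
-- reported as vulnerable — confirm against a real listener before relying
-- on a "vulnerable" verdict alone.
-- @param host Nmap host table
-- @param port Nmap port table
-- @return string verdict shown in the script output
action = function(host, port)
  local socket = nmap.new_socket()
  -- nmap.new_try() runs catch() before aborting on any failed step, so the
  -- socket is released on the error path.
  local catch = function() socket:close() end
  local try = nmap.new_try(catch)

  socket:set_timeout(2000)
  try(socket:connect(host, port))
  try(socket:send(create_connect_packet()))
  local response = try(socket:receive_bytes(1))
  -- The original only closed the socket via catch(); close it on the
  -- success path as well so a clean run does not leak the descriptor.
  socket:close()

  if response:match("ERROR_STACK") then
    return "Not Vulnerable"
  end
  return "Host is vulnerable!"
end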
[/code]
Check:
nmap --script=oracle-tns-poison.nse -p 1521 oel6-2

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-29 10:54 MSK
Nmap scan report for oel6-2 (10.0.0.62)
Host is up (0.00018s latency).
rDNS record for 10.0.0.62: oel6-2.djeday.lan
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
The solution is described in the MOS notes: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)
Fix:
Add the following to the grid user's listener.ora (reviewer note: in the listing below the key REGISTRATION_INVITED_NODES_LISTENER_SCAN1 appears three times; the second and third entries presumably should be named ..._SCAN2 and ..._SCAN3 so that each SCAN listener gets its own invited-node list — verify before applying):
[grid@oel6-2 admin]$ cat listener.ora
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))                # line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))                # line added by Agent
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))                # line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))                # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON                # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON                # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON                # line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON                # line added by Agent
VALID_NODE_CHECKING_REGISTRATION_LISTENER=1
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
Reload the listener configuration:
[grid@oel6-2 admin]$ lsnrctl reload
Check one more time:
nmap --script=oracle-tns-poison.nse -p 1521 oel6-2

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-29 10:55 MSK
Nmap scan report for oel6-2 (10.0.0.62)
Host is up (0.00021s latency).
rDNS record for 10.0.0.62: oel6-2.djeday.lan
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Not Vulnerable

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Job done =)
VALID_NODE_CHECKING_REGISTRATION_LISTENER=LOCAL
after: