Skip to content

CVE-2012-1675 tns poison fix for oracle (rac) >=11.2.0.4

CVE-2012-1675 tns poison fix for oracle (rac) >=11.2.0.4 published on 1 комментарий к записи CVE-2012-1675 tns poison fix for oracle (rac) >=11.2.0.4

for check i use nmap and
Nmap script to test Oracle DB for «TNS poison vulnerability»

oracle-tns-poison.nse

[code language=»bash»]
local bin = require "bin"
local io = require "io"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Simple module to test Oracle DB server for TNS Poison vulnerability.
Module sends to server a packet with command to register new TNS Listener and check response
To more details about this bug see http://seclists.org/fulldisclosure/2012/Apr/204
]]


— @usage
— nmap —script=oracle-tns-poison -p 1521 <host>

— @output
— PORT STATE SERVICE REASON
— 1521/tcp open oracle syn-ack
— | oracle-tns-poison: Host is vulnerable!


— This module is based on sid-brute script. Thanks to author: Patrik Karlsson.

author = "Ivan Chalykin"
license = "Same as Nmap—See http://nmap.org/book/man-legal.html"
categories = {"vuln"}

portrule = shortport.port_or_service(1521, ‘oracle-tns’)

local tns_type = {CONNECT=1, REFUSE=4, REDIRECT=5, RESEND=11}

local function create_tns_header(packetType, packetLength)

local request = bin.pack( ">SSCCS",
packetLength + 34, — Packet Length
0, — Packet Checksum
tns_type[packetType], — Packet Type
0, — Reserved Byte
0 — Header Checksum
)

return request

end

local function create_connect_packet()

local connect_data = "(CONNECT_DATA=(COMMAND=service_register_NSGR))"

local data = bin.pack(">SSSSSSSSSSICCA",
308, — Version
300, — Version (Compatibility)
0, — Service Options
2048, — Session Data Unit Size
32767, — Maximum Transmission Data Unit Size
20376, — NT Protocol Characteristics
0, — Line Turnaround Value
1, — Value of 1 in Hardware
connect_data:len(), — Length of connect data
34, — Offset to connect data
0, — Maximum Receivable Connect Data
1, — Connect Flags 0
1, — Connect Flags 1
connect_data
)

local header = create_tns_header("CONNECT", connect_data:len() )

return header .. data

end

action = function(host, port)

local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local request, response, tns_packet
local indicator

socket:set_timeout(2000)

try(socket:connect(host, port))
request = create_connect_packet( host.ip, port.number)
try(socket:send(request))
response = try(socket:receive_bytes(1))

if response:match("ERROR_STACK") then
indicator="Not Vulnerable"
else indicator="Host is vulnerable!"
end

return indicator
end
[/code]

[свернуть]

check :

nmap --script=oracle-tns-poison.nse -p 1521 oel6-2

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-29 10:54 MSK
Nmap scan report for oel6-2 (10.0.0.62)
Host is up (0.00018s latency).
rDNS record for 10.0.0.62: oel6-2.djeday.lan
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

solution is described by MOS: Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)
How to Enable VNCR on RAC Database to Register only Local Instances (Doc ID 1914282.1)
fixup:
add to grid listener.ora

[grid@oel6-2 admin]$ cat listener.ora
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))		# line added by Agent
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))		# line added by Agent
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))		# line added by Agent
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN2=ON		# line added by Agent
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN3=ON		# line added by Agent

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(oel6-1.djeday.lan,oel6-2.djeday.lan,oel6-3.djeday.lan)
  • REGISTRATION_INVITED_NODES_LISTENER_SCAN*=( list of public ip’s of all nodes)
  • reload listener conf

    [grid@oel6-2 admin]$ lsnrctl reload
    

    check one more time:

     nmap --script=oracle-tns-poison.nse -p 1521 oel6-2
    
    Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-29 10:55 MSK
    Nmap scan report for oel6-2 (10.0.0.62)
    Host is up (0.00021s latency).
    rDNS record for 10.0.0.62: oel6-2.djeday.lan
    PORT     STATE SERVICE
    1521/tcp open  oracle
    |_oracle-tns-poison: Not Vulnerable
    
    Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
    

    Job done =)

    1 комментарий

    VALID_NODE_CHECKING_REGISTRATION_LISTENER=LOCAL

    nmap --script=oracle-tns-poison.nse -p 1521 XXXXXXXXXXX
    
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-13 21:35 MSK
    Nmap scan report for XXXXXXXXXXX
    Host is up (0.0057s latency).
    PORT     STATE SERVICE
    1521/tcp open  oracle
    |_oracle-tns-poison: Host is vulnerable!
    
    Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
    

    after:

     nmap --script=oracle-tns-poison.nse -p 1521 p00pgpdbstb01
    
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-13 21:36 MSK
    Nmap scan report for XXXXXXXXXXX
    Host is up (0.0049s latency).
    PORT     STATE SERVICE
    1521/tcp open  oracle
    |_oracle-tns-poison: Not Vulnerable
    
    Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
    

    Добавить комментарий

    Ваш адрес email не будет опубликован. Обязательные поля помечены *

    Этот сайт использует Akismet для борьбы со спамом. Узнайте, как обрабатываются ваши данные комментариев.

    Primary Sidebar