Oracle TNS-poison attack

The TNS Poison attack is a type of man-in-the-middle attack. With it, an attacker can hijack a session and send SQL commands to the database through that session. If the hijacked session's user has critical privileges (such as DBA roles), the attacker can completely manipulate the Oracle database.

 

In this note, I will show you how to check whether an Oracle database has this vulnerability, and the solution for Oracle databases at version 11.2.

 

We can check for the TNS Poison vulnerability with nmap (on Kali), using the oracle-tns-poison.nse nmap script. This script is not included in the standard distribution, so we add it to the nmap environment; after updating nmap we can use it.

First, get the oracle-tns-poison.nse script from this link:

https://gist.github.com/JukArkadiy/3d6cff222d1b87e963e7

Nmap is a free and open source (license) utility for network discovery and security auditing, which is why you can get all of the source from GitHub.

Get the script and put it in a file called oracle-tns-poison.nse in the /usr/share/nmap directory.

 


Then update nmap with this new script.


Now we are ready to use the oracle-tns-poison.nse script.

But first I will show you the target database, which has this vulnerability. It is an Oracle 11.2.0.4 database; with a standard installation, all such databases have this vulnerability. The solution is to change the listener configuration.

The initial configuration of the listener is given below.


Now check for the vulnerability with this command:

nmap --script=oracle-tns-poison.nse -p 1521 192.200.11.9

As you can see, the vulnerability is present at this site.


The solution is to use Valid Node Checking For Registration for all listeners (Metalink Doc ID 1600630.1).

Simply add this parameter for every listener (we have only one listener):

VALID_NODE_CHECKING_REGISTRATION_LISTENER=on


 

Then restart the listener:

lsnrctl stop

lsnrctl start


 

Now check for the vulnerability again.


 

It is done; the database is no longer vulnerable.

 

If there were a SCAN listener, we would use the configuration below:

 

VALID_NODE_CHECKING_REGISTRATION_LISTENER=1

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=1

REGISTRATION_INVITED_NODES_LISTENER_SCAN1=(node1,node2)

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=1

REGISTRATION_INVITED_NODES_LISTENER_SCAN2=(node1,node2)
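When a listener.ora defines several listeners, it is easy to protect one and miss another. The following Python is an added example, not part of the original post: it parses a listener.ora and reports, for each listener, whether VALID_NODE_CHECKING_REGISTRATION_<listener> is enabled and which invited nodes are set. The sample file content, the function names, and the acceptance of "local", "subnet" and "2" as enabling values (beyond the "on" and "1" used above) are assumptions.

```python
import re

# Enabling values: the post uses "on" and "1"; "local", "subnet" and "2" are the
# other enabling values in Oracle's Net Services reference (assumption here).
ENABLED = {"on", "1", "local", "subnet", "2"}
VNCR = "VALID_NODE_CHECKING_REGISTRATION_"
INVITED = "REGISTRATION_INVITED_NODES_"

# Constructed sample listener.ora, not taken from the post's screenshots.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
# VALID_NODE_CHECKING_REGISTRATION_LISTENER = on
LISTENER_SCAN1 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_SCAN1)))
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1 = 1
REGISTRATION_INVITED_NODES_LISTENER_SCAN1 = (node1, node2)
ADR_BASE_LISTENER = /u01/app/oracle
"""

def top_level_params(text):
    """Return {NAME: value} for every parameter defined outside parentheses."""
    text = re.sub(r"#.*", "", text)  # drop comments, including disabled settings
    hits = [m for m in re.finditer(r"^[ \t]*([A-Za-z_][\w.]*)[ \t]*=", text, re.M)
            if text.count("(", 0, m.start()) == text.count(")", 0, m.start())]
    params = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        params[m.group(1).upper()] = " ".join(text[m.end():end].split())
    return params

def audit(text):
    """Map each listener name to its valid-node-checking status."""
    params = top_level_params(text)
    result = {}
    for name, value in params.items():
        if not re.search(r"\(\s*ADDRESS\s*=", value, re.I):
            continue  # not a listener definition (no ADDRESS clause)
        setting = params.get(VNCR + name, "").lower()
        invited = params.get(INVITED + name, "").strip("() ")
        result[name] = {
            "protected": setting in ENABLED,
            "setting": setting or "(not set)",
            "invited_nodes": [n.strip() for n in invited.split(",") if n.strip()],
        }
    return result

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(name, status)
```

In the sample, LISTENER is reported as unprotected because its parameter is commented out, while LISTENER_SCAN1 is protected with node1 and node2 invited. A static check like this complements the nmap test; it does not replace it, since a changed listener.ora only takes effect after the listener is restarted.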

 

Oracle 12c databases do not have the TNS-poison vulnerability. This is why we always advise DBAs to upgrade their databases for the sake of security.

I will run the same test against an Oracle 12c database without any extra configuration.


 

And the listener.ora file:


Check for the vulnerability against this database:

nmap --script=oracle-tns-poison.nse -p 1521 192.200.11.7


As you can see, Oracle 12c is not vulnerable.

In short: if you have an Oracle 11g database or below, you have the TNS-poison vulnerability from the beginning. To protect your database, use Valid Node Checking For Registration for Oracle 11g.

If your version is Oracle 10g, the solution is different and very complicated. I do not want to mention the solution here. Do not stay on Oracle 10g; the solution is to upgrade your database to 11g.

If you have Oracle 12c, you have nothing to do. You are secure against the TNS-poison attack from the beginning.

Thanks.

Anıl Akduygu
