6 Replies. Latest reply: Mar 4, 2013 3:42 AM by 993886

    Oracle 8 tns-listener security

    993886
      Hi list,

      Granted that an upgrade to a newer Oracle version is recommended... I noticed that with a tns-listener password set in Oracle 8.1.7* ("SECURITY=ON"), the SIDs are enumerable anyway (via "Command=status").

      In your opinion, is firewall filtering the only possible solution?
      I did not find any information on Google about "Oracle8 tns security". For Oracle 9 it is different.

      Thanks in advance,
      Al
        • 1. Re: Oracle 8 tns-listener security
          EdStevens
          user8798619 wrote:
          Hi list,

          Granted that an upgrade to a newer Oracle version is recommended... I noticed that with a tns-listener password set in Oracle 8.1.7* ("SECURITY=ON"), the SIDs are enumerable anyway (via "Command=status").

          In your opinion, is firewall filtering the only possible solution?
          I did not find any information on Google about "Oracle8 tns security". For Oracle 9 it is different.

          Thanks in advance,
          Al
          The security would/should be that no one but a DBA or SA should have an account with which to log on to the db server in the first place. If you can't trust them with knowing the names of the SIDs you've got bigger problems.

          Also, I assume your implied upgrade to 9 is just a stepping stone. Even 9 is two generations out of support.
          • 2. Re: Oracle 8 tns-listener security
            993886
            The problem is that a remote user, without any authentication, has the ability to enumerate the SIDs.
            I guess credential brute-forcing + SID enumeration... could be a security problem :(
            • 3. Re: Oracle 8 tns-listener security
              EdStevens
              user8798619 wrote:
              The problem is that a remote user, without any authentication, has the ability to enumerate the SIDs.
              Please demonstrate

              I guess credential brute-forcing + SID enumeration... could be a security problem :(
              • 4. Re: Oracle 8 tns-listener security
                993886
                Using the Metasploit modules tnscmd and sid_enum (http://www.metasploit.com) or tnscmd (www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd). The request sent to the Oracle 8.1.7.0.0 tns-listener: (COMMAND=STATUS).

                The result (* obscured):

                (DESCRIPTION=(TMP=)(VSNNUM=*********)(ERR=0)(ALIAS=LISTENER)(SECURITY=ON)(VERSION=TNSLSNR for Solaris: Version 8.1.7.0.0 - Production)(START_DATE=********)(SIDNUM=1)(LOGFILE=***********)(PRMFILE=************)(TRACING=off)(UPTIME=321588456)(SNMP=OFF))(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=**************)(PRE=ttc)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=TEST123))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=**************)(PRE=ttc)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=*********************)(PRE=ttc)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=testlab)(PORT=1521))))),,(SERVICE=(SERVICE_NAME=TEST123)(INSTANCE=(INSTANCE_NAME=TEST123)(NUM=1)(INSTANCE_CLASS=ORACLE)(NUMREL=1))),,

                Without credentials, but with "SECURITY=ON", the following are obtained:

                Version: TNSLSNR for Solaris: Version 8.1.7.0.0 - Production
                Logfile: *********
                Sid: TEST123
                Hostname: testlab
                Uptime: 321588456

                According to "documentation on the internet", with "SECURITY=ON", the password is configured (for example http://www.integrigy.com/files/Integrigy_Oracle_Listener_TNS_Security.pdf).

                I hope I am wrong :)
                • 5. Re: Oracle 8 tns-listener security
                  EdStevens
                  user8798619 wrote:
                  Using the Metasploit modules tnscmd and sid_enum (http://www.metasploit.com) or tnscmd (www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd). The request sent to the Oracle 8.1.7.0.0 tns-listener: (COMMAND=STATUS).

                  The result (* obscured):

                  (DESCRIPTION=(TMP=)(VSNNUM=*********)(ERR=0)(ALIAS=LISTENER)(SECURITY=ON)(VERSION=TNSLSNR for Solaris: Version 8.1.7.0.0 - Production)(START_DATE=********)(SIDNUM=1)(LOGFILE=***********)(PRMFILE=************)(TRACING=off)(UPTIME=321588456)(SNMP=OFF))(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=**************)(PRE=ttc)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=TEST123))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=**************)(PRE=ttc)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=*********************)(PRE=ttc)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=testlab)(PORT=1521))))),,(SERVICE=(SERVICE_NAME=TEST123)(INSTANCE=(INSTANCE_NAME=TEST123)(NUM=1)(INSTANCE_CLASS=ORACLE)(NUMREL=1))),,

                  Without credentials, but with "SECURITY=ON", the following are obtained:

                  Version: TNSLSNR for Solaris: Version 8.1.7.0.0 - Production
                  Logfile: *********
                  Sid: TEST123
                  Hostname: testlab
                  Uptime: 321588456

                  According to "documentation on the internet", with "SECURITY=ON", the password is configured (for example http://www.integrigy.com/files/Integrigy_Oracle_Listener_TNS_Security.pdf).

                  I hope I am wrong :)
                  Having no knowledge of how the cited tools work, I'll have to defer ...
                  • 6. Re: Oracle 8 tns-listener security
                    993886
                    If you want, you can use this simple Perl script: www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd. It works on Unix-like systems or Windows. The script is not invasive; it sends a command via a socket. Use it with an Oracle 8.* without credentials.

                    Run it: ./tnscmd.pl status -h <ip address>

                    ("status" is the command to send to tns-listener)

                    In the output you can see "SECURITY=ON" (the password is configured) and "INSTANCE_NAME=" (SID name).
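
Added example, not part of any post in this thread: an offline Python parser for a captured listener STATUS reply, for auditing which fields a listener discloses while reporting SECURITY=ON. The sample reply is abridged from the one quoted in the thread, the `DISCLOSING` watch list is a hypothetical choice, and reading SECURITY=ON as "password configured" follows the thread's own statement.

```python
# SAMPLE_REPLY is abridged from the reply posted in the thread ('*' = obscured).
SAMPLE_REPLY = (
    "(DESCRIPTION=(ERR=0)(ALIAS=LISTENER)(SECURITY=ON)"
    "(VERSION=TNSLSNR for Solaris: Version 8.1.7.0.0 - Production)"
    "(LOGFILE=***********)(UPTIME=321588456)(SNMP=OFF))"
    "(ENDPOINT=(HANDLER=(STA=ready)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=testlab)(PORT=1521))))),,"
    "(SERVICE=(SERVICE_NAME=TEST123)(INSTANCE=(INSTANCE_NAME=TEST123)(NUM=1))),,"
)
# Hypothetical watch list: fields an unauthenticated client should not learn.
DISCLOSING = {"VERSION", "LOGFILE", "PRMFILE", "HOST", "PORT",
              "SERVICE_NAME", "INSTANCE_NAME", "UPTIME"}


def parse_tns(text):
    """Return [(dotted_path, value)] for every leaf (KEY=value) group."""
    leaves, stack, i, n = [], [], 0, len(text)
    while i < n:
        if text[i] == "(":
            eq = text.find("=", i)
            if eq == -1:
                break  # truncated reply: keep what was parsed so far
            stack.append(text[i + 1:eq].strip().upper())
            j = eq + 1
            while j < n and text[j] not in "()":
                j += 1
            if j < n and text[j] == ")":  # value ended without nesting: a leaf
                leaves.append((".".join(stack), text[eq + 1:j]))
            i = j
        else:
            if text[i] == ")" and stack:
                stack.pop()
            i += 1  # also skips the ",," separators between records
    return leaves


def audit_status_reply(text):
    """Summarise what a STATUS reply discloses, ignoring '*'-obscured values."""
    exposed, security = {}, None
    for path, value in parse_tns(text):
        key = path.rsplit(".", 1)[-1]
        if key == "SECURITY":
            security = value.upper()
        elif key in DISCLOSING and value.strip("*"):
            values = exposed.setdefault(key, [])
            if value not in values:
                values.append(value)
    return {"password_set": security == "ON", "exposed": exposed,
            "leaks_despite_password": security == "ON" and bool(exposed)}
```

Calling `audit_status_reply(SAMPLE_REPLY)` returns the exposed fields grouped by key, so the same check can be run against replies saved from other listeners to compare versions or configurations.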