tener. If I'm a hacker I can install Oracle on my laptop and use the utility to
connect to a remote listener. All I need to do is update listener.ora on
my machine to include an alias for the remote server, and then I can fire up
the lsnrctl utility. If the remote listener is not protected with a password,
I can connect to it remotely!
Once I'm connected to a remote listener, I can do the following damage:
I can stop the listener, making the database unreachable for any networked application. This in effect means I can bring the database down.
I can get at information that is available to the listener, which will help me in hacking other parts of the database.
I can write trace and log files that can impact the database or even the operating system.
The first attack type is self-explanatory and serious. I can even write a
tiny script that runs in a loop and tries to connect to the remote listener
every second. If it sees an active listener, it can then proceed to stop it. This
can drive a DBA crazy because it seems like the listener can never start up. I
can mix this up with another lsnrctl command, set
startup_waittime, that causes the listener to wait before it starts up. In
this case my script will certainly stop the listener before it has had a chance
to start.
The second vulnerability is based on the fact that the listener can tell me
many things about the system. For example, if I run the services command,
I can learn of the services running on the server, including path and
environment variables.
The third vulnerability is based on the fact that I can cause log files to be
written to disk in any location open to the operating system user with
which Oracle was installed. I can initiate traces that would be placed in
directories that I could access. I can write to any location to which the
Oracle user has permissions and can even overwrite files that affect the
database's operations or the Oracle account itself (e.g., .rhosts, .cshrc,
.profile) on UNIX. I can place files under the root of a Web server and then
download the file using a browser. Because the trace files are detailed, they
can be used to steal information or mount an additional attack on the database.
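
A defender can check for the exposure described above by auditing listener.ora on the database server. The Python script below is an added example, not code from the book; it assumes a listener release that uses the PASSWORDS_<listener> and ADMIN_RESTRICTIONS_<listener> parameters, and the sample file, host names and hash value are constructed.

```python
import re

# Constructed sample listener.ora: LISTENER is unprotected, LISTENER_HR is hardened.
SAMPLE = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))
LISTENER_HR =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.com)(PORT = 1522)))
PASSWORDS_LISTENER_HR = (0123456789ABCDEF)   # placeholder, not a real hash
ADMIN_RESTRICTIONS_LISTENER_HR = ON
"""

def top_level_params(text):
    """Return {NAME: value} for every assignment made outside parentheses."""
    text = re.sub(r"#.*", "", text)              # drop comments
    params, depth, name, start = {}, 0, None, 0
    for m in re.finditer(r"[()]|([A-Za-z_][\w.]*)\s*=", text):
        tok = m.group(0)
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0:                          # a new top-level "NAME ="
            if name:
                params[name] = text[start:m.start()].strip()
            name, start = m.group(1).upper(), m.end()
    if name:
        params[name] = text[start:].strip()
    return params

def audit(text):
    """Map each listener to the hardening settings it is missing."""
    p = top_level_params(text)
    findings = {}
    for name, value in p.items():
        if not re.search(r"\(\s*ADDRESS", value, re.I):
            continue                              # not a listener definition
        issues = []
        if not p.get("PASSWORDS_" + name, "").strip("() "):
            issues.append("no listener password: remote stop/services possible")
        if p.get("ADMIN_RESTRICTIONS_" + name, "OFF").upper() != "ON":
            issues.append("ADMIN_RESTRICTIONS not ON: runtime set commands accepted")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, issues or "ok")
```

A listener with no password entry corresponds to the first two attack types above; a listener that accepts runtime set commands corresponds to the log and trace file redirection and the startup_waittime change.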