|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: "NERP" DoS attack possible in Oracle
- To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM - Subject: Re: "NERP" DoS attack possible in Oracle
- From: Jon & Sheri Christiansen <jonsheriROCHESTER.RR.COM>
- Date: Thu, 27 Aug 1998 21:56:39 -0400
- Comments: To: Adam Maloney <adamiexposure.com>
- In-Reply-To: <199808271825.OAA95484node21.frontiernet.net>
- Reply-To: Jon & Sheri Christiansen <jonsheriROCHESTER.RR.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
Thanks for the alert.... that's one definitely worth testing out... if I
find it I will log a call with Oracle support... I don't want such a simple
exploit just sitting there waiting for someone with too much time on their
hands.
Further info that may help you:
Ports 1521/1526 are the default port numbers Oracle will listen on for
SQL*Net (Oracle 7) or Net8 (Oracle 8) out of the box. There is a file in
directory %ORACLE_HOME%\network\admin (Oracle 7) or %ORACLE_HOME%\net8\admin
(Oracle 8) called listener.ora that specifies the ports to listen on. (if
you change it you need to change the tnsnames.ora file on all clients that
connect to it - including itself, that file usually resides in the same
location- if you don't they will not know which port to try to connect to)
On customized setups, the file may not be located in the original location,
in these cases, look under the registry entry:
KKEY_LOCAL_MACHINE/Software/Oracle for an entry called TNS_ADMIN which if
defined tells Oracle where to look for the network related *.ORA files.
I will have to test this out on my own against this specific "attack", but
there are other methods of protection, i.e. PROTOCOL.ORA will allow you to
specify which IP addresses (include/exclude rules) you will accept
connections from. There is usually a text file buried underneath the
%ORACLE_HOME%\net8 directory that gives you almost all the different entries
for the various Oracle network *.ORA files in case you need to find
syntax/examples.
Hope this helps
-Jon
-----Original Message-----
From: Windows NT BugTraq Mailing List
[mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Adam Maloney
Sent: Thursday, August 27, 1998 10:41 AM
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: "NERP" DoS attack possible in Oracle
NERP DoS attack for Oracle
.
.
.
telnet localhost 1526
Connected to kilroy.intexp.com on port 1526
NERP
Disconnected from kilroy.intexp.com
As soon as I disconnected, my CPU usage jumped to 100%. Upon looking at
Taskman, I saw that a process named tnslsnr80.exe was the culprit. I could
not kill the process, and after waiting for about 5 minutes for it to go
away, I was forced to reboot my machine.
When my machine came back up, I did a search for tnslsnr80.exe, and found it
in the Oracle directory. Apparently this program listens for connections on
port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
user to telnet to it and feed it garbage.
.
.
.
A possible workaround would be to change the port that Oracle listens on to
something random (so that the script kiddies have to hunt for it at least).
I forget where, but I thought I saw a config file that allows you to specify
which port.
- Prev by Date: Alt-N MDaemon DOS attacks possible.
- Next by Date: NT 4.0 file creation date - bug
- Prev by thread: "NERP" DoS attack possible in Oracle
- Next by thread: Re: "NERP" DoS attack possible in Oracle
- Index(es):