Hi

Whilst not accessing /etc/passwd, I have a paper on our company's site that shows how to read passwords from the SGA (if any users have been added or changed); see http://www.pentest-limited.com/utl_file.htm. I take it you mean you have accessed via a client-based SQL*Plus?

There is also a paper on there with a list of default Oracle users and passwords in http://www.pentest-limited.com/default-user.htm.

Also you may be interested in a script in our downloads page that allows you to log on as any other Oracle user once you have a DBA, as you do! See http://www.pentest-limited.com/su.sql

You can gain Oracle on the OS by using the Oracle8 ExtProc facilities that allow you to call C functions in shared libraries from PL/SQL. You can create a library that calls existing C functions, i.e. system(), then call it and create yourself a suid shell as Oracle. So at least you can get OS access. Because you have SYSTEM and can access any Oracle user, you can just find a user that has the system procedure CREATE LIBRARY. Do:

    SQL> select grantee from dba_sys_privs where privilege='CREATE LIBRARY';

There are also a number of exploits that allow escalation of privileges: see Oracle's OTN site (create a free user if you haven't got one), see bugtraq of course, see http://www.appsecinc.com - good list of holes / exploits etc. There are some known root holes.

HTH

Pete Finnigan
www.pentest-limited.com

In article <20011130162905.60993.qmailat_private>, Andy Rees <cs61arat_private> writes
>Dear All,
>
>I was wondering if anybody has any ideas about this
>one.
>
>I am undertaking a security audit and have managed to
>get the Oracle SYSTEM account password for an Oracle
>8.0.6 server running on Solaris 2.7. This has allowed
>me to login to the server via SQLPLUS. The server in
>question has 'utl_file_dir = *' set in the initSID.ora
>file. (It is only a test server ....).
>
>Whilst I can write Oracle scripts that allow me to
>read and write system files (Solaris file permissions
>allowing) but I cannot find a way of compromising the
>actual host OS from this position, I can read the
>/etc/passwd file but I cannot write to it and I cannot
>even read the /etc/shadow (as you would expect)
>
>Any ideas any of you guys have would be most
>appreciated.
>
>Thanks in advance
>
>Andrew
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/

--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan@pentest-limited.com
www.pentest-limited.com
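
Added example, not part of the original message or of PenTest Limited's scripts: a review a DBA could run to find the two weaknesses this thread turns on, the wildcard utl_file_dir setting and accounts able to create external libraries. It assumes an account that can read the DBA_ and V$ views; SOME_USER is a placeholder name.

```sql
-- Added audit example (not from the original thread).

-- 1. UTL_FILE scope: a value of '*' lets PL/SQL read and write any directory
--    the Oracle OS account can reach. Expect explicit directories or no value.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 2. Direct grants of the library-creation privileges to users or roles.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee, privilege;

-- 3. Users who inherit those privileges through roles, including roles
--    granted to other roles (the hierarchy is walked from role to grantee).
SELECT r.grantee
  FROM (SELECT DISTINCT grantee
          FROM dba_role_privs
         START WITH granted_role IN
               (SELECT grantee
                  FROM dba_sys_privs
                 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY'))
       CONNECT BY PRIOR grantee = granted_role) r
 WHERE r.grantee IN (SELECT username FROM dba_users)
 ORDER BY r.grantee;

-- 4. Libraries that already exist: review each owner and the shared object
--    path in FILE_SPEC against what the applications actually need.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 ORDER BY owner, library_name;

-- 5. Remediation for a grant that is not needed (SOME_USER is a placeholder):
-- REVOKE CREATE LIBRARY FROM some_user;
```

Any row from queries 2 to 4 that cannot be tied to an application requirement is a candidate for revocation, and a '*' from query 1 should be replaced in the init file with the specific directories that are needed.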
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 14:09:48 PST