Tuesday, November 01, 2005

Oracle Worm "Proof-of-Concept" published

Joshua Wright writes over on the SANS ISC Incident Hander's Daily Diary:

On Monday (31-OCT-2005), an anonymous developer on the Full-Disclosure mailing list contributed a post titled "Trick or Treat Larry", disclosing a proof-of-concept worm that targets Oracle databases with default user accounts and passwords.

The worm uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, the SID is retrieved and the worm uses several default username and password combinations to attempt to login to the remote database. Currently, the default username/password list includes:

  • system/manager
  • sys/change_on_install
  • dbsnmp/dbsnmp
  • outln/outln
  • scott/tiger
  • mdsys/mdsys
  • ordcommon/ordcommon

When the worm discovers a default username and password, it creates a table "X" in the current user's schema with a date column called "Y". This could easily be changed to a more dramatic payload.

In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods. Oracle DBAs can take several actions to mitigate the effect of this worm and possible future variants:

  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it)
  • Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords.
  • Revoke PUBLIC privileges on the UTL_TCP and UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.

More information is available at the following resources:

http://www.red-database-security.com/advisory/oracle_worm_voyager.html
http://www.petefinnigan.com/weblog/archives/00000606.htm
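The following is an added example, not part of Joshua Wright's diary entry or of the worm code, showing how a DBA could check for the proof-of-concept's footprint (the table "X" with DATE column "Y", and stored code that references UTL_TCP/UTL_INADDR) and then apply the account, package and database-link mitigations listed above. It is written for SQL*Plus connected as a DBA; the data-dictionary views, packages and roles are standard Oracle ones and the account list is the one from the post, but the replacement passwords are placeholders and the choice of which accounts to lock versus re-password is an assumption you must adjust to what your installation actually uses.

```sql
-- Run as a DBA (e.g. SQL*Plus, CONNECT / AS SYSDBA).

-- Part 1: indicators of the proof-of-concept payload.

-- 1a. A table named X with a DATE column named Y, in any schema.
SELECT c.owner, c.table_name, c.column_name, c.data_type
  FROM dba_tab_columns c
 WHERE c.table_name  = 'X'
   AND c.column_name = 'Y'
   AND c.data_type   = 'DATE';

-- 1b. Stored PL/SQL that references the packages the worm needs in order
--     to scan and resolve hosts. Review anything listed that you did not
--     write; this list is also what will be invalidated by Part 3.
SELECT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name IN ('UTL_TCP', 'UTL_INADDR')
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;

-- 1c. Database links, newest first; an unexpected one is worth a look
--     given the post's warning about future propagation methods.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY created DESC;

-- Part 2: the default accounts from the worm's credential list.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username IN ('SYSTEM', 'SYS', 'DBSNMP', 'OUTLN',
                    'SCOTT', 'MDSYS', 'ORDCOMMON');
-- (On 11g and later, DBA_USERS_WITH_DEFPWD lists every account that
--  still carries its default password.)

-- Lock and expire accounts nothing legitimately uses. Assumption: SCOTT,
-- OUTLN and ORDCOMMON are unused here; DBSNMP (Enterprise Manager) and
-- MDSYS (Spatial) may be needed, so they get new passwords instead.
ALTER USER scott     ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER outln     ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER ordcommon ACCOUNT LOCK PASSWORD EXPIRE;
-- SYS and SYSTEM cannot be dropped or locked; change their passwords.
-- The quoted strings below are placeholders, not suggested values.
ALTER USER dbsnmp IDENTIFIED BY "Replace-With-Strong-Passphrase-1";
ALTER USER mdsys  IDENTIFIED BY "Replace-With-Strong-Passphrase-2";
ALTER USER system IDENTIFIED BY "Replace-With-Strong-Passphrase-3";
ALTER USER sys    IDENTIFIED BY "Replace-With-Strong-Passphrase-4";

-- Part 3: take the network packages away from PUBLIC.
-- UTL_HTTP and UTL_SMTP are not used by this worm but sit in the same
-- category and are listed here for review only.
SELECT table_name, privilege, grantee
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP');

REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;
-- Re-grant only to the specific schemas that need them, e.g.:
-- GRANT EXECUTE ON sys.utl_tcp TO some_app_owner;   -- hypothetical schema

-- Part 4: CREATE DATABASE LINK. See who holds it before revoking.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK';

REVOKE CREATE DATABASE LINK FROM connect;
```

Run the Part 1 queries before the revokes in Part 3: revoking EXECUTE from PUBLIC invalidates every dependent object, so the dba_dependencies output tells you which application code will need an explicit grant. On 10g Release 2 and later the CONNECT role holds only CREATE SESSION, so the final REVOKE errors out harmlessly there; the dba_sys_privs query is what shows whether any other user or role still has the privilege. Moving the listener off TCP/1521 and setting a listener password are done in listener.ora and with lsnrctl (CHANGE_PASSWORD, then SET PASSWORD and SAVE_CONFIG), not from SQL.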

If you are concerned or interested about Oracle security issues, a wonderful resource for keeping current is Pete Finnigan's blog at www.petefinnigan.com/weblog/. I make it a point to check Pete's blog every day and I'm never disappointed.
