11GR2 Oracle数据库的远程投毒VNCR方式修复

【环境介绍】

系统环境：Solaris + Oracle 11GR2 + 单机/RAC

 

【背景描述】

基于集团数据库安全检查项，需要数据库的远程投毒漏洞进行修复。

根据Oracle官方提供的修复文档：

Using Class of Secure Transport (COST) to Restrict Instance Registration (Doc ID 1453883.1)

Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC (Doc ID 1340831.1)

对于低于11GR2版本的修复方法这里不做介绍，单机比较简单，但是RAC环境修复相对比较复杂，同时会触发其他的BUG，在11GR2版本中建议使用VNCR的配置进行修复，且方法非常简单。

Valid Node Checking For Registration (VNCR) (Doc ID 1600630.1)

listener.ora文件添加如下内容（单机）：

VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(host的IP都列进来)

listener.ora文件添加如下内容（RAC）：

VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN3=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN2=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1=ON
VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(两台host的IP都列进来)

该功能在12C以上的版本是默认打开的，所以不存在该漏洞。

PS：添加白名单方式也可以修复改漏洞，前提是IP列表得是具体的IP，不是IP网段的方式。

sqlnet.ora文件添加如下内容：

tcp.validnode_checking=yes
tcp.invited_nodes=(具体的IP信息，或者网段)
tcp.excluded_nodes=(具体的IP信息，或者网段)

 

【问题处理】

这里使用单机进行测试信息：

数据库主机：192.168.142.140

扫描工具主机：192.168.142.141（必须不在同一主机上）

远程漏洞投毒扫描工具：metasploit-framework 是比较普遍的检查工具

安装方法：

linux：https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers

Windows：https://windows.metasploit.com/（32位）

[root@mysqldb2 soft]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5525  100  5525    0     0   2291      0  0:00:02  0:00:02 --:--:--  2291
[root@mysqldb2 soft]# ls -trl
总用量 5525
-rw-r--r-- 1 root root      5525 6月  15 18:00 msfinstall
[root@mysqldb2 soft]# chmod 755 msfinstall
[root@mysqldb2 soft]# ./msfinstall
Checking for and installing update..
Adding metasploit-framework to your repository list..已加载插件：product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
base                                                                                                                                                                  | 4.1 kB  00:00:00    
metasploit                                                                                                                                                            | 2.9 kB  00:00:00    
metasploit/primary_db                                                                                                                                                 |  11 kB  00:00:05    
正在解决依赖关系
--> 正在检查事务
---> 软件包 metasploit-framework.x86_64.0.4.17.24+20181103093740~1rapid7-1.el6 将被 安装
--> 解决依赖关系完成

依赖关系解决

=============================================================================================================================================================================================
 Package                                        架构                             版本                                                             源                                    大小
=============================================================================================================================================================================================
正在安装:
 metasploit-framework                           x86_64                           4.17.24+20181103093740~1rapid7-1.el6                             metasploit                           158 M

事务概要
=============================================================================================================================================================================================
安装  1 软件包

总下载量：158 M
安装大小：368 M
Downloading packages:
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm            31% [=====================-                                                ] 1.4 MB/s |  49 MB  00:01:16 ETA metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm            31% [======================    警告：/var/cache/yum/x86_64/7Server/metasploit/packages/metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID 2007b954: NOKEY
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm 的公钥尚未安装
metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64.rpm                    | 158 MB  00:02:25    
从 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit 检索密钥
导入 GPG key 0x2007B954:
 用户ID     : "Metasploit <[email protected]>"
 指纹       : 09e5 5faf 4f78 62cd 6d55 8997 cdfb 5fa5 2007 b954
 来自       : /etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64                                                                                                         1/1
Run msfconsole to get started
  验证中      : metasploit-framework-4.17.24+20181103093740~1rapid7-1.el6.x86_64                                                                                                         1/1

已安装:
  metasploit-framework.x86_64 0:4.17.24+20181103093740~1rapid7-1.el6                                                                                                                        

完毕！
[root@mysqldb2 soft]# 

验证是否正常：

[root@mysqldb2 soft]# msfconsole
.....》》》省略部分显示

       =[ metasploit v4.17.24-dev-                        ]
+ -- --=[ 1824 exploits - 1033 auxiliary - 318 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

msf > use auxiliary/scanner/oracle/tnspoison_checker
msf auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.142.140 》》》设置为需要测试的数据库IP
rhosts => 192.168.142.140
msf auxiliary(scanner/oracle/tnspoison_checker) > show options

Module options (auxiliary/scanner/oracle/tnspoison_checker):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.142.140  yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads
msf auxiliary(scanner/oracle/tnspoison_checker) > run

[+] 192.168.142.140:1521 - 192.168.142.140:1521 is vulnerable 》》》说明远程投毒漏洞存在
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(scanner/oracle/tnspoison_checker) > use auxiliary/admin/oracle/tnscmd 》》》具体进行渗透测试
msf auxiliary(admin/oracle/tnscmd) > set rhost 192.168.142.140
rhost => 192.168.142.140
msf auxiliary(admin/oracle/tnscmd) > show options

Module options (auxiliary/admin/oracle/tnscmd):

   Name   Current Setting                   Required  Description
   ----   ---------------                   --------  -----------
   CMD    (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
   RHOST  192.168.142.140                   yes       The target address
   RPORT  1521                              yes       The target port (TCP)

msf auxiliary(admin/oracle/tnscmd) > run

[*] 192.168.142.140:1521 - Sending '(CONNECT_DATA=(COMMAND=VERSION))' to 192.168.142.140:1521
[*] 192.168.142.140:1521 - writing 90 bytes.
[*] 192.168.142.140:1521 - reading
[*] 192.168.142.140:1521 - .e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647552)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))
[*] Auxiliary module execution completed
msf auxiliary(admin/oracle/tnscmd) >

 

以上显示该数据库存在远程投毒的漏洞。

现在对数据库的配置进行修改：

[oracle@mysqldb1 admin]$ cat listener.ora
# listener.ora Network Configuration File: /u01/app/oracle/product/12.2.0/db_1/network/admin/listener.ora
# Generated by Oracle configuration tools.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = mysqldb1)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

ADR_BASE_LISTENER = /u01/app/oracle

VALID_NODE_CHECKING_REGISTRATION_LISTENER =ON
REGISTRATION_INVITED_NODES_LISTENER=(192.168.142.140)
[oracle@mysqldb1 admin]$

然后重启监听即可。

现在再用软件进程测试：

[root@mysqldb2 ~]# msfconsole
.....》》》忽略部分显示内容
       =[ metasploit v4.17.24-dev-                        ]
+ -- --=[ 1824 exploits - 1033 auxiliary - 318 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use auxiliary/scanner/oracle/tnspoison_checker
msf auxiliary(scanner/oracle/tnspoison_checker) > set rhosts 192.168.142.140
rhosts => 192.168.142.140
msf auxiliary(scanner/oracle/tnspoison_checker) > show options

Module options (auxiliary/scanner/oracle/tnspoison_checker):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.142.140  yes       The target address range or CIDR identifier
   RPORT    1521             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(scanner/oracle/tnspoison_checker) > run

[-] 192.168.142.140:1521 - 192.168.142.140:1521 is not vulnerable》》》已经不存在该漏洞
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/oracle/tnspoison_checker) > 

 

PS：由于无法截图，于是贴的文字较多。