In this blog post i wanted to test some of Dennis Yurichev findings described in “Oracle RDBMS rootkits and other modifications” in recent oracle database 22.214.171.124 (The same can be done with 12.2) .So the idea here is to inject a backdoor in oracle LISTENER so that we can access Linux shell remotely.
The basic idea is to write a wrapper for the function “snttread”. For that we gonna first rename the original function “snttread” to “Snttread” in the object file “sntt.o” and then inject a new wrapper function named “snttread” in the library “lib/libntcp12.a” which will do all the amazing stuff if it detect the magic word in this case “/bin/sh”. Read the doc for more detailed and amazing info !
Enough talking here is a test :
Using sqlplus :
Using netcat :
Amazing ! 😀
Are you sure there is no backdoor in your ORACLE installation ? eniinnnhh
That’s it 😀