Injecting a Backdoor in an ORACLE database

In this blog post I wanted to test some of Dennis Yurichev's findings described in "Oracle RDBMS rootkits and other modifications" on a recent Oracle database, 12.1.0.2 (the same can be done with 12.2). The idea is to inject a backdoor into the Oracle LISTENER so that a Linux shell can be reached remotely.

The basic idea is to write a wrapper for the function "snttread". First the original function "snttread" is renamed to "Snttread" in the object file "sntt.o", then a new wrapper function named "snttread" is injected into the library "lib/libntcp12.a"; the wrapper does all the amazing stuff when it detects the magic word, in this case "/bin/sh". Read the paper for more detailed and amazing info!
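Because the modification leaves a visible trace (a renamed "Snttread" symbol, and a "snttread" living in a member other than sntt.o), the library can be audited for it. The check below is an added example, not code from the original post or from Yurichev's paper: it parses the ar(1) archive layout of lib/libntcp12.a and looks for those symbol strings in each member; the sample archives are constructed stand-ins (symbol strings only, not real ELF objects), and the assumption that symbol names appear as NUL-delimited string-table entries holds for ELF .strtab/.symtab data.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(data: bytes):
    """Yield (name, payload) for each member of a System V / GNU ar archive.
    Long-name table entries ("/N") are not resolved; Oracle's member names are short."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(data):
        hdr = data[off:off + 60]                      # fixed 60-byte member header
        name = hdr[0:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii").strip())
        payload = data[off + 60:off + 60 + size]
        yield name.rstrip("/"), payload
        off += 60 + size + (size & 1)                 # members are 2-byte aligned

def symbol_present(obj: bytes, name: bytes) -> bool:
    """True if NAME occurs as a whole NUL-terminated string-table entry."""
    return (b"\0" + name + b"\0") in obj

def audit_snttread(archive: bytes) -> dict:
    """Map each symbol of interest to the list of members that carry it."""
    hits = {"snttread": [], "Snttread": []}
    for member, payload in ar_members(archive):
        for sym in hits:
            if symbol_present(payload, sym.encode()):
                hits[sym].append(member)
    return hits

def looks_wrapped(hits: dict) -> bool:
    """Telltale: a renamed Snttread exists, or snttread is defined outside sntt.o."""
    return bool(hits["Snttread"]) or any(m != "sntt.o" for m in hits["snttread"])

def make_ar(members) -> bytes:
    """Build a minimal ar archive from (name, payload) pairs (constructed test data)."""
    out = bytearray(AR_MAGIC)
    for name, payload in members:
        hdr = f"{name + '/':<16}{'0':<12}{'0':<6}{'0':<6}{'100644':<8}{len(payload):<10}`\n"
        out += hdr.encode("ascii") + payload + (b"\n" if len(payload) & 1 else b"")
    return bytes(out)

# Constructed samples: a clean sntt.o, and the wrapped layout described above.
CLEAN = make_ar([("sntt.o", b"\0snttread\0sntttcp\0")])
WRAPPED = make_ar([("sntt.o", b"\0Snttread\0sntttcp\0"),
                   ("wrap.o", b"\0snttread\0Snttread\0")])

if __name__ == "__main__":
    for label, archive in (("clean", CLEAN), ("wrapped", WRAPPED)):
        print(label, audit_snttread(archive), "suspicious" if looks_wrapped(audit_snttread(archive)) else "ok")
```

On a real installation the same functions can be run over the bytes of lib/libntcp12.a, and the result should be compared against a known-good copy or vendor checksum rather than trusted on its own.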

Enough talking, here is a test:

Capture 01

Using sqlplus:

Capture 02

Using netcat:

Capture 07

Amazing! 😀

Are you sure there is no backdoor in your ORACLE installation? eniinnnhh

That's it 😀
