In one of my previous posts I showed how we can inject a backdoor into an ORACLE database based on Dennis Yurichev's findings. The described method required modifying the oracle executable files. A few days ago Rodrigo Jorge shared a blog post explaining how we can add another layer of security to the oracle binary files to protect them against improper changes. That motivated me to check whether I can still implement the hidden Trojan without modifying the oracle executable files.
As we are interested in the oracle LISTENER, let's check the shared libraries it requires:
So if I can replace "libclntsh.so.12.1" with the infected copy from my previous post, the job is done. Unlike the "oracle" executable, the "tnslsnr" program does not have the set-user-ID or set-group-ID bit set, so it is not running in secure-execution mode (the AT_SECURE auxiliary-vector entry is 0 and the dynamic loader does not ignore LD_PRELOAD). We can therefore use the LD_PRELOAD environment variable to selectively override the shared library "libclntsh.so.12.1".
That’s it 😀
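As an added defensive example (not part of the original post), here is a small audit that flags the two conditions this technique depends on: an LD_PRELOAD entry in a running tnslsnr's environment, and a libclntsh.so mapped from somewhere other than $ORACLE_HOME/lib. It assumes Linux /proc, that the caller can read the listener's /proc entries (same user or root), and the ORACLE_HOME paths used are constructed placeholders.

```shell
#!/bin/sh
# Audit a running Oracle listener for LD_PRELOAD-based library override.
# Added example, not from the original post. Assumes Linux /proc.

# check_preload ENVIRON_FILE
#   returns 0 if the process environment carries no LD_PRELOAD,
#   1 if it does. /proc/PID/environ is NUL-separated, so it is
#   converted to newline-separated text before grepping.
check_preload() {
    if tr '\000' '\n' < "$1" | grep -q '^LD_PRELOAD='; then
        return 1
    fi
    return 0
}

# check_maps MAPS_FILE ORACLE_HOME
#   returns 0 if every libclntsh.so mapping in /proc/PID/maps is backed
#   by a file under $ORACLE_HOME/lib/, 1 if any copy comes from elsewhere
#   (e.g. a preloaded replacement dropped in a writable directory).
check_maps() {
    awk -v home="$2/lib/" '
        # field 6 is the backing path; anonymous mappings have no path
        $6 ~ /libclntsh\.so/ && index($6, home) != 1 { bad = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# check_ld_preload_file
#   returns 1 if the system-wide preload file is non-empty, which
#   affects every non-setuid process regardless of its environment.
check_ld_preload_file() {
    [ -s /etc/ld.so.preload ] && return 1
    return 0
}

# audit_listener ORACLE_HOME
#   runs the checks against every tnslsnr process; returns 1 on any hit.
audit_listener() {
    rc=0
    check_ld_preload_file || { echo "/etc/ld.so.preload is populated"; rc=1; }
    for pid in $(pgrep -x tnslsnr 2>/dev/null); do
        check_preload "/proc/$pid/environ" \
            || { echo "pid $pid: LD_PRELOAD set in environment"; rc=1; }
        check_maps "/proc/$pid/maps" "$1" \
            || { echo "pid $pid: libclntsh.so loaded from outside $1/lib"; rc=1; }
    done
    return $rc
}
```

Note that /proc/PID/environ reflects the environment at exec time, so a process that cleared LD_PRELOAD after start still shows it; the maps check is the one that reflects what was actually loaded.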