Oracle listener poisoning: the COST fix
Description
Oracle Database Server contains an implementation flaw that lets a remote attacker poison the data handled by the TNS Listener component. By registering with the legitimate TNS Listener, the attacker can redirect connections meant for the real database to a system under the attacker's control, taking over the database instances served by that listener and enabling man-in-the-middle attacks between clients and the legitimate database, session hijacking, or denial of service. This document blocks the listener poisoning vulnerability by restricting which transports may register with the listener (COST, Class of Secure Transport).
Note: this document applies to single-instance and RAC databases from version 10.2.0.3 to 11.2.0.3.
For 11.2.0.4 databases, see MOS Doc ID 1600630.1 and the section at the end of this document.
Preparation
Required patch check
Confirm that patch 12880299 is installed (opatch lsinventory).
Create the wallet (as the oracle user)
On node 1, as the oracle user:
mkdir /oracle/grid/crs_1/network/admin/cost
$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter password:
Enter password again:
The wallet password used here is uni09net.
orapki wallet remove -trusted_cert_all -wallet /oracle/grid/crs_1/network/admin/cost
(This step is optional; it removes every trusted certificate from the cost wallet.)
Add a self-signed certificate for node 1 to the wallet (the procedure used -keysize 1024; orapki also accepts -keysize 2048, which is the stronger choice):
orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
PKI-02003: Unable to load the wallet at: /oracle/grid/crs_1/network/admin/cost
(PKI-02003 means the wallet could not be opened, usually a mistyped wallet password or a wrong -wallet path; rerun the command with the password set above.)
[oracle@apple1 ~]$ orapki wallet add -wallet /oracle/grid/crs_1/network/admin/cost -self_signed -dn "cn=secure_register" -keysize 1024 -validity 3650
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Display the wallet contents:
orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary
$ orapki wallet display -wallet /oracle/grid/crs_1/network/admin/cost -summary
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Requested Certificates:
User Certificates:
Subject: CN=secure_register
Trusted Certificates:
Subject: CN=secure_register
Copy the wallet file to node 2 under the oracle user (create the directory on node 2 first):
scp /oracle/grid/crs_1/network/admin/cost/ewallet.p12 apple2:/oracle/grid/crs_1/network/admin/cost
As the oracle user, create the auto-login file (cwallet.sso) on both nodes:
orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login
$ orapki wallet create -wallet /oracle/grid/crs_1/network/admin/cost -auto_login
Oracle PKI Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
Enter wallet password:
Fix permissions (cwallet.sso must be group-readable so the listener, running as the grid user in the oinstall group, can open it; ewallet.p12 stays readable by oracle only):
chmod 640 cwallet.sso
-rw-r-----. 1 oracle oinstall 2485 Aug 2 09:09 cwallet.sso
-rw-------. 1 oracle oinstall 2408 Aug 2 09:07 ewallet.p12
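The modes above are the point of the step: the auto-login wallet is what the SCAN listener opens at start, so it needs group read, while the password-protected wallet must never be group- or world-readable. The following Python check is added here as an example and is not part of the original post or any Oracle tool. It audits a wallet directory against those modes; the fixture directory it builds is constructed (empty files with the right modes, not a real wallet), and the directory path is a parameter.

```python
import os
import stat
import tempfile

# Expected modes from the procedure above: cwallet.sso 640 (group oinstall may
# read it), ewallet.p12 600 (owner only). Ownership (oracle:oinstall) is not
# checked here because a test run cannot chown; verify it with ls -l.
EXPECTED_MODES = {"cwallet.sso": 0o640, "ewallet.p12": 0o600}


def check_wallet_perms(wallet_dir):
    """Return a list of findings for wallet_dir; an empty list means it passes."""
    findings = []
    for name, want in EXPECTED_MODES.items():
        path = os.path.join(wallet_dir, name)
        if not os.path.exists(path):
            findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != want:
            findings.append(f"{name}: mode {mode:04o}, expected {want:04o}")
        if mode & stat.S_IROTH:
            # The worst case: any local account could copy the wallet.
            findings.append(f"{name}: world-readable")
    return findings


def make_demo_wallet_dir(secure=True):
    """Constructed fixture (not a real wallet): empty files with the given modes."""
    d = tempfile.mkdtemp(prefix="cost_")
    modes = dict(EXPECTED_MODES)
    if not secure:
        modes["cwallet.sso"] = 0o644  # the mistake the check should catch
    for name, mode in modes.items():
        p = os.path.join(d, name)
        with open(p, "wb"):
            pass
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for secure in (True, False):
        d = make_demo_wallet_dir(secure)
        print(d, check_wallet_perms(d) or "OK")
```

Run it against the real directory with check_wallet_perms("/oracle/grid/crs_1/network/admin/cost") on each node after the scp and chmod steps.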
Modify listener.ora, adding the content below.
Note: on all nodes, in the listener.ora under GI_HOME (/oracle/grid/crs_1/network/admin/listener.ora).
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
)
)
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
#### one line per SCAN listener; with several SCAN listeners add the matching lines, e.g.
#SECURE_REGISTER_LISTENER_SCAN2 = (IPC,TCPS)
#SECURE_REGISTER_LISTENER_SCAN3 = (IPC,TCPS)
#### keep these commented out for now: enabling COST before remote_listener points at the TCPS endpoint would stop the instances registering with the SCAN listener; they are uncommented in a later step.
Configure the SCAN listener (add a TCPS endpoint on port 1523)
$ srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521
srvctl modify scan_listener -p TCP:1521/TCPS:1523 (as the grid user)
srvctl stop scan_listener
srvctl start scan_listener
srvctl config scan_listener
SCAN Listener LISTENER_SCAN1 exists. Port: TCP:1521/TCPS:1523
Modify sqlnet.ora
As the oracle user on both nodes:
vi $ORACLE_HOME/network/admin/sqlnet.ora ## create the file if it does not exist
Add the following:
WALLET_LOCATION =
(SOURCE =
(METHOD = FILE)
(METHOD_DATA =
(DIRECTORY = /oracle/grid/crs_1/network/admin/cost)
)
)
After adding this, restart the database on both nodes so the instances pick up the wallet.
Modify the remote_listener parameter
Before:
SQL> show parameter remote_listener
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_listener string apple-scan:1521
After (point remote_listener at the SCAN's TCPS endpoint; 192.168.240.195 is the SCAN IP):
alter system set remote_listener='(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.240.195)(PORT=1523)))' scope=both sid='*';
SQL> show parameter remote
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_dependencies_mode string TIMESTAMP
remote_listener string (ADDRESS_LIST=(ADDRESS=(PROTOC
OL=TCPS)(HOST=192.168.240.195)
(PORT=1523)))
Uncomment the SECURE_REGISTER line in listener.ora under the grid home on both nodes, then restart the SCAN listener:
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)   becomes   SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
[oracle@rac1]$ srvctl stop scan_listener
[oracle@rac1]$ srvctl start scan_listener
Test results
Test 1: set the remote_listener parameter of another RAC database to the SCAN address over plain TCP on 1521 (192.168.240.195 is the SCAN IP):
alter system set remote_listener ='192.168.240.195:1521';
The listener log then shows the following, confirming that the other RAC database was prevented from registering with the listener (its registration arrived over plain TCP rather than IPC or TCPS):
Tue Jul 31 13:12:45 2018
31-JUL-2018 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:13:45 2018
31-JUL-2018 13:13:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:14:39 2018
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
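The TNS-01194 lines above are the signal a SOC would watch for after COST is enabled: every rejected registration attempt, whether a misconfigured neighbour or a poisoning attempt, lands in the listener log this way. The following detection is added here as an example and is not part of the original post. It parses listener log lines into service_register events keyed by return code and attaches the TNS-xxxxx message printed after a failure. The sample text reuses the lines from the test plus one constructed "service_register_NSGR * 0" line standing in for an accepted registration; the exact log layout ("timestamp * fields * code") is my assumption based on the lines shown.

```python
import re
from collections import Counter

# Sample listener log: the lines from the test above plus one constructed
# "service_register_NSGR * 0" line standing in for an accepted registration.
SAMPLE_LOG = """\
Tue Jul 31 13:12:45 2018
31-JUL-2018 13:12:45 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=apple2)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN1)(VERSION=186647296)) * status * 0
Tue Jul 31 13:14:39 2018
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:14:39 * service_register_NSGR * 1194
TNS-01194: The listener command did not arrive in a secure transport
31-JUL-2018 13:15:02 * service_register_NSGR * 0
"""

# "<timestamp> * <fields separated by ' * '> * <return code>"
EVENT_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (.+) \* (\d+)$")
TNS_RE = re.compile(r"^(TNS-\d{5}): (.*)$")


def parse_registrations(text):
    """Return one dict per service_register event: time, op, code, message.
    A TNS-xxxxx line printed directly after a failed event is attached to it."""
    events, last = [], None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, body, code = m.groups()
            op = body.split(" * ")[-1]  # the last field is the operation
            last = None
            if op.startswith("service_register"):
                last = {"time": ts, "op": op, "code": int(code), "message": None}
                events.append(last)
            continue
        t = TNS_RE.match(line)
        if t and last is not None and last["message"] is None:
            last["message"] = t.group(1)
        else:
            last = None  # any other line ends the event/message pairing
    return events


def summarize(events):
    """Count accepted registrations, COST rejections (1194) and other failures."""
    c = Counter()
    for e in events:
        if e["code"] == 0:
            c["accepted"] += 1
        elif e["code"] == 1194:
            c["rejected_cost"] += 1
        else:
            c["other_failure"] += 1
    return dict(c)


if __name__ == "__main__":
    evs = parse_registrations(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(summarize(evs))
```

A burst of rejected_cost events right after go-live usually means an instance whose remote_listener still points at the TCP endpoint; the same events on a quiet system are worth an alert, since a legitimate instance has no reason to register over plain TCP once COST is on.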
Test 2: a client connection through the SCAN on plain TCP 1521 still works (COST restricts service registration, not client connections):
C:\Users\think>sqlplus system/oracle@192.168.240.195:1521/prod
SQL*Plus: Release 11.2.0.4.0 Production on Tue Jul 31 13:32:14 2018
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> exit
Listener configuration
Add the COST TCP protocol restriction "SECURE_REGISTER_[listener_name] = (TCP)" to the listener.ora.
Match the COST parameter variable listener_name with the name of the listener you are using in the listener.ora, e.g., if your listener name is "LISTENER_PROD" then use SECURE_REGISTER_LISTENER_PROD = (TCP)
LISTENER_PROD =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
)
)
SECURE_REGISTER_LISTENER_PROD = (TCP) ## single-instance listener
The database must be using the TCP protocol to register with the listener. Check the value of the startup parameter local_listener to confirm.
Important for grid installations: the grid agent uses the IPC protocol to contact and manage the listener, so both IPC and TCP must be enabled in this step.
For a grid environment use the following value: ## RAC listener
SECURE_REGISTER_LISTENER_PROD = (IPC,TCP)
To revert the change:
1 alter system set remote_listener='apple-scan:1521' sid='*';
2 rm -rf /oracle/grid/crs_1/network/admin/cost (both nodes)
3 comment out the lines added to /oracle/grid/crs_1/network/admin/listener.ora (both nodes)
4 comment out the lines added to $ORACLE_HOME/network/admin/sqlnet.ora, then restart the database on both nodes
5 as the grid user, restore the SCAN listener endpoints:
srvctl modify scan_listener -p TCP:1521
srvctl stop scan_listener
srvctl start scan_listener
For 11.2.0.4, the listener poisoning fix uses valid node checking for registration (VNCR) instead:
VALID_NODE_CHECKING_REGISTRATION_listener_name
Values:
OFF/0 - Disable VNCR.
ON/1/LOCAL - Enable VNCR (the default from 12c). All local machine IPs can register.
SUBNET/2 - All machines in the subnet are allowed registration.
12c defaults to ON; 11.2.0.4 defaults to OFF.
Add the parameter to listener.ora and restart the listener:
VALID_NODE_CHECKING_REGISTRATION_<listener_name> = ON
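Both mechanisms on this page, the COST setting SECURE_REGISTER_<listener_name> from the listener configuration section and the VNCR setting VALID_NODE_CHECKING_REGISTRATION_<listener_name> described here, are per-listener lines in listener.ora, and the common failure is a listener that has neither (or a COST line still commented out). The following audit is added here as an example and is not part of the original post or any Oracle tool. It reads a listener.ora, finds every listener definition, and flags listeners with no effective registration restriction, a COST list that omits IPC in a grid environment, a COST list that admits plain TCP, and VNCR set to OFF or SUBNET. The listener.ora fragment is constructed from the fragments on this page; the parser is minimal and assumes top-level entries start at column one as "NAME =" with continuation lines indented or starting with "(".

```python
import re

# Constructed listener.ora (not from a real system) mixing the single-instance
# and RAC fragments above; the commented-out line reproduces the state before
# the "uncomment and restart the SCAN listener" step.
SAMPLE_LISTENER_ORA = """\
LISTENER_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
    )
  )
LISTENER_SCAN1 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_SCAN1)))
SECURE_REGISTER_LISTENER_PROD = (TCP)
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SCAN1 = OFF
#SECURE_REGISTER_LISTENER_SCAN1 = (IPC,TCPS)
"""

ASSIGN_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_assignments(text):
    """Top-level NAME = value pairs. Continuation lines (indented or starting
    with '(') are appended to the current value; '#' comments are dropped."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = ASSIGN_RE.match(line)
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2).strip()
        elif name:
            params[name] += line.strip()
    return params


def audit_listener_ora(text, grid=False):
    """Return {listener_name: [findings]} for every listener defined in text.
    grid=True means Grid Infrastructure manages the listener; its agent talks
    to the listener over IPC, so IPC must stay in the COST list."""
    params = parse_assignments(text)
    report = {}
    for name, value in params.items():
        if not value.upper().startswith("(DESCRIPTION"):
            continue  # not a listener definition
        findings = []
        cost = params.get("SECURE_REGISTER_" + name)
        vncr = params.get("VALID_NODE_CHECKING_REGISTRATION_" + name)
        if cost:
            protos = {p.strip().upper() for p in cost.strip("()").split(",")}
            if grid and "IPC" not in protos:
                findings.append("WARN: COST list %s lacks IPC; the grid agent cannot manage the listener" % sorted(protos))
            if "TCP" in protos:
                findings.append("INFO: COST accepts registration over plain TCP; RAC remote registration should use TCPS")
        if vncr:
            v = vncr.upper()
            if v in ("OFF", "0"):
                findings.append("WARN: VNCR explicitly disabled")
            elif v in ("SUBNET", "2"):
                findings.append("INFO: VNCR allows any host in the subnet to register")
        vncr_active = bool(vncr) and vncr.upper() not in ("OFF", "0")
        if not cost and not vncr_active:
            findings.append("WARN: no effective registration restriction (neither COST nor VNCR)")
        report[name] = findings
    return report


if __name__ == "__main__":
    for listener, findings in audit_listener_ora(SAMPLE_LISTENER_ORA, grid=True).items():
        print(listener, findings or ["OK"])
```

Run it against the real file with audit_listener_ora(open(path).read(), grid=True) on each node after editing; an empty list for every SCAN listener is the expected end state of this procedure.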
From the ITPUB blog, link: http://blog.itpub.net/69993859/viewspace-2755785/. Please credit the source when reproducing.