I had a problem at one customer - I couldn't log in to the Windows host. Their MS techie had created a local admin user for me, but the account had been locked out or the password had been changed, and now I had no way to use the account - the desk jockey wasn't responding to emails fast enough.
Anyway, I could still log in to the Oracle DB as SYS. This little script allowed me to change the password of the host account:
-- run as SYS, and change the command in the 3rd argument
BEGIN
  -- create a disabled external job that launches cmd.exe; arguments are set separately below
  DBMS_SCHEDULER.create_job ('t1',
    job_action          => 'C:\WINDOWS\SYSTEM32\CMD.EXE',
    number_of_arguments => 3,
    job_type            => 'executable',
    enabled             => FALSE
  );
  DBMS_SCHEDULER.set_job_argument_value ('t1', 1, '/q');   -- cmd.exe: quiet (no echo)
  DBMS_SCHEDULER.set_job_argument_value ('t1', 2, '/c');   -- cmd.exe: run the next argument and exit
  DBMS_SCHEDULER.set_job_argument_value ('t1',
    3,
    'C:\WINDOWS\SYSTEM32\NET.EXE user localadmin password1234'   -- the command cmd.exe will execute
  );
  -- enabling the job schedules it to run immediately (no start_date/repeat_interval given)
  DBMS_SCHEDULER.ENABLE ('t1');
END;
/
The third argument is the key - with it, you can run any command as the built-in user LocalSystem. In this example, the command resets the localadmin account's password to password1234. It effectively gives you complete control of the host.
It's not a backdoor. You must know the SYS password, and it works this way because the Oracle services run as LocalSystem (by default) on a Windows host.
This also works for Windows 2008, but I had to specify the full path to the NET.EXE file. You can troubleshoot any failed commands by looking at the output of DBMS_SCHEDULER.
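For the DBA on the other side of this, an added audit query (not from the original post) that lists every scheduler job of type EXECUTABLE together with its arguments, and then pulls the run history whose ADDITIONAL_INFO column holds the OS-level error text referred to above. It assumes access to the DBA_SCHEDULER_* views (run as SYS or with SELECT_CATALOG_ROLE).

```sql
-- Added audit queries, not part of the original post.
-- Assumes the session can read the DBA_SCHEDULER_* views.

-- 1. Every external (OS command) job and its argument list. A row pairing
--    CMD.EXE with a NET.EXE / NET USER argument is exactly the pattern above.
SELECT j.owner,
       j.job_name,
       j.job_action,
       j.enabled,
       a.argument_position,
       a.value AS argument_value
  FROM dba_scheduler_jobs j
  LEFT JOIN dba_scheduler_job_args a
         ON a.owner    = j.owner
        AND a.job_name = j.job_name
 WHERE j.job_type = 'EXECUTABLE'
 ORDER BY j.owner, j.job_name, a.argument_position;

-- 2. Run history. Deliberately NOT joined to DBA_SCHEDULER_JOBS, so runs of
--    jobs that were dropped afterwards still show up. ADDITIONAL_INFO carries
--    the command's error text when STATUS = 'FAILED'.
SELECT r.log_date,
       r.owner,
       r.job_name,
       r.status,
       r.error#,
       r.additional_info
  FROM dba_scheduler_job_run_details r
 WHERE r.log_date > SYSTIMESTAMP - INTERVAL '30' DAY
 ORDER BY r.log_date DESC;
```

DBA_SCHEDULER_JOB_LOG additionally records CREATE/ENABLE/DROP operations with the USER_NAME that issued them, but only when the job class logging level is LOGGING_FULL. Running the Oracle service under a dedicated low-privilege account and granting CREATE EXTERNAL JOB sparingly limit what an external job can do on the host.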