lists.openwall.net
Open Source and information security mailing list archives

Date: Sat, 10 Jan 2009 11:11:41 +0000 (UTC)
From: security curmudgeon <jericho@...rition.org>
To: Team SHATTER <shatter@...secinc.com>
Cc: bugtraq@...urityfocus.com, secalert_us@...cle.com
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)


Hi Team SHATTER,

Apologies for the very late reply, but I had a question regarding your 
advisory. I am CC'ing Oracle's security contact in hopes they can also 
reply with clarification.

: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

: Details:
: Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
: package contains the procedure GET_FULL_FILENAME which is vulnerable to
: buffer overflow attacks.
: 
: Impact:
: Any Oracle database user with EXECUTE privilege on the package
: SYS.KUPF$FILE_INT can exploit this vulnerability. By default, users
: granted EXECUTE_CATALOG_ROLE have the required privilege. Exploitation
: of this vulnerability allows an attacker to execute arbitrary code. It
: can also be exploited to cause DoS (Denial of service) killing the
: Oracle server process.

Cliff notes: SYS.KUPF$FILE_INT.GET_FULL_FILENAME remote overflow, "execute 
arbitrary code .. also .. cause DoS". CVE-2008-1820

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

From the Oracle advisory:

Vuln#: DB11
Component: Data Pump
Protocol: Oracle Net
Package and/or Privilege Required: Execute on KUPF$FILE_INT
Remote Exploit without Auth.: No
CVSS 2.0 Base Score: 4.0
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality: None
Integrity: None
Availability: Partial

Cliff notes: Confidentiality = None. Integrity = None. Availability = 
Partial.

Summary: Team SHATTER says this is a remote overflow that allows for the 
execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited 
DoS condition (CVSS2 4.0). That is a big discrepancy.

Based on disclosure history, Team SHATTER has a higher confidence rating 
and is generally considered more trustworthy than Oracle. As a responsible 
security professional, I have to assume their research is accurate and 
their advisory should be taken more seriously than Oracle's.

Any input from either side to help clarify?

- security curmudgeon


p.s. Same exact question and CVSS2 scores for SYS.DBMS_AQJMS_INTERNAL 
(DB15), CVE-2008-1821, same Oracle CPU.
