lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <002101c3536e$25822520$2601010a@recovery>
Date: Sat, 26 Jul 2003 13:05:03 +0100
From: "David Litchfield" <david@...software.com>
To: "Tina Bird" <tbird@...cision-guesswork.com>,
	<bugtraq@...urityfocus.com>
Subject: Re: question about oracle advisory


Hello all,
In our testing this bug can be exploited without a user ID and password. In
fact I demonstrated exploit code for this vulnerability at the Blackhat
Security Breifings in Amsterdam in the May of this year. [Normally I don't
do such demonstrations unless a patch is available for a problem. Oracle had
informed me a patch would be available in time, but I think they found some
regression problems with the patches or something along those lines and were
unable to release the patch. We initially informed Oracle about this issue
around the end of September/start of October 2002.]

So, to put the record straight, as far as NGSSoftware is concerned, this bug
_can_ be exploited without a user ID and password.

Oracle customers can either install the patch [Patch matrix available from
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf]
Alternatively customers can disable external procedure functionality. To do
this edit the listener.ora file, removing the entries for extproc, and also
delete the extproc binary which can be found in $ORACLE_HOME/bin

Thanks,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/








----- Original Message -----
From: "Tina Bird" <tbird@...cision-guesswork.com>
To: <bugtraq@...urityfocus.com>
Sent: Friday, July 25, 2003 8:59 PM
Subject: question about oracle advisory


>
> Oracle's released three security-related patches today.  I'm trying to
> get my head around them to write up a Stanford Security Alert, but
> there's conflicting information.  According to
> http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
> overflow in the EXTPROC code can only be triggered by an authenticated
> user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
>
> According to the NGSSoftware advisory that announced the vulnerability,
> the buffer overflow can be exploited without any authentication or
> privilege-checking.
>
> Anyone have any ideas?
>
> thanks -- tbird
>
> --
> A computer lets you make more mistakes faster than any invention in human
> history - with the possible exception of handguns and tequila.
>
>                                  -- Mitch Ratliff
>
> http://www.precision-guesswork.com
> Log Analysis http://www.loganalysis.org
> VPN http://vpn.shmoo.com
> tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
>
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ