[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <9DB2703E378CB245BB3678626EDC00020256D96E@uscntnt491.us.deloitte.com>
Date: Tue, 5 Aug 2003 13:40:00 -0500
From: "McCartney, Daymon (US - Deerfield)" <dmccartney@...oitte.com>
To: "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: Re: question about oracle advisory
David:
Do you have any plans to release proof of concept code for the Oracle
exploit? The reason I ask is that "due to architectural constraints,"
Oracle is not planning on releasing a patch for 8i releases. We contacted
them about this, but they're sticking to their guns about the exploit
requiring oracle authentication, and thus being a low(er)-risk
vulnerability.
To quote the analyst that responded, "I'm not able to comment on David
Litchfield's claims, but with SECURITY ALERT 57, you need the CREATE LIBRARY
or the CREATE ANY LIBRARY privilege. The exploit is dependent on these
privileges, so if they are not granted to users, the exploit fails. How a
user could exploit these without being able to connect is difficult to even
imagine."
I'd like to see them put out a patch for this, but without some more proof
of the anonymous exploit, and motivation to fix the problem regardless of
"architectural constraints", I don't think they will.
Regards,
Daymon
----- Original Message -----
From: "David Litchfield" <david @ ngssoftware.com>
To: <bugtraq @ securityfocus.com>
Sent: Saturday, July 26, 2003 7:05 PM
Subject: question about oracle advisory
Hello all,
In our testing this bug can be exploited without a user ID and password. In
fact I demonstrated exploit code for this vulnerability at the Blackhat
Security Breifings in Amsterdam in the May of this year. [Normally I don't
do such demonstrations unless a patch is available for a problem. Oracle had
informed me a patch would be available in time, but I think they found some
regression problems with the patches or something along those lines and were
unable to release the patch. We initially informed Oracle about this issue
around the end of September/start of October 2002.]
So, to put the record straight, as far as NGSSoftware is concerned, this bug
_can_ be exploited without a user ID and password.
Oracle customers can either install the patch [Patch matrix available from
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf]
Alternatively customers can disable external procedure functionality. To do
this edit the listener.ora file, removing the entries for extproc, and also
delete the extproc binary which can be found in $ORACLE_HOME/bin
Thanks,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
- This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law. -
If you are not the intended recipient, you should delete this message and
are hereby notified that any disclosure, copying, or distribution of this
message, or the taking of any action based on it, is strictly prohibited.
Powered by blists - more mailing lists