lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41372E6D.3000409__46451.9305890009$1094160254$gmane$org@appsecinc.com>
Date: Thu, 02 Sep 2004 10:30:05 -0400
From: "SHATTER (Application Security, Inc.)" <vrathod@...secinc.com>
To: bugtraq@...urityfocus.com, NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM
Subject: [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle
 Database Server


AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server

Date:
August 31, 2004

Detailed Information Provided Online At:
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

Credit:
These vulnerabilities were researched and discovered by Cesar Cerrudo 
and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)

Risk Level:
High

Abstract:
Multiple buffer overflow and denial of service (DoS) vulnerabilities 
exist in the Oracle Database Server which allow database users to take 
complete control over the database and optionally cause denial of service.

The official advisory from Oracle Corporation can be obtained from: 
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf


Details:

http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of 
DBMS_REPCAT_INSTANTIATE package

#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of 
DBMS_REPCAT_INSTANTIATE package

#3 - Buffer overflow in public function INSTANTIATE_ONLINE of 
DBMS_REPCAT_INSTANTIATE package

#4 - Buffer overflow on "gname" parameter on procedures of Replication 
Management API Packages

#5 - Buffer overflow on "sname" and "oname" parameters on procedures of 
DBMS_REPCAT package

#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT 
package

#7 - Buffer overflow on "gowner" parameter on procedures of the 
DBMS_REPCAT package

#8 - Buffer overflow on "operation" parameter on procedures of 
DBMS_REPCAT package

#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT 
package

#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of 
DBMS_REPCAT package

#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and 
UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package

#12 - Buffer overflow in functions INSTANTIATE_OFFLINE, 
INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of 
DBMS_REPCAT_RGT package

#13 - Buffer overflow on TEMPFILE parameter

#14 - Buffer overflow on LOGFILE parameter

#15 - Buffer overflow on CONTROLFILE parameter

#16 - Buffer overflow on FILE parameter

#17 - Buffer overflow in Interval Conversion Functions

#18 - Buffer overflow in String Conversion Function

#19 - Buffer overflow in CTX_OUTPUT Package Function

#21 - Buffer overflow on DATAFILE parameter

#22 - Buffer overflow in DBMS_SYSTEM package function

#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages

#25 - Buffer overflow on procedures of the Replication Management API 
packages

#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus 
Service

#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of 
DBMS_AQ_IMPORT_INTERNAL package

#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of 
DBMS_AQADM package

#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of 
DBMS_AQADM package

#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS 
package

#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of 
DBMS_DEFER_INTERNAL_SYS package

#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of 
DBMS_DEFER_REPCAT package

#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of 
DBMS_INTERNAL_REPCAT package

#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of 
DBMS_INTERNAL_REPCAT package

#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package

#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF 
package

#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package

#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package

#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package

#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package

#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
 
#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package

#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package


To determine if you are vulnerable, please download AppDetective from:

http://www.appsecinc.com/products/appdetective/oracle/


Comments:

Exploitation of these vulnerabilities will allow an attacker to 
completely compromise the OS and the database if Oracle is running on 
Windows platform, because Oracle must run under the local System account 
or under an administrative account. If Oracle is running on *nix then 
only the database would be compromised because Oracle runs mostly under 
oracle user which has restricted permissions.


Workaround:

-Check packages permissions and remove public permissions. Set minimal 
permissions that fit your needs.
-Restrict users to execute PL/SQL statements directly over the server.
-Periodically audit user permissions on all database objects.
-Lock users that aren't used.
-Change default passwords.
-Keep Oracle up to date with patches.

Vendor Contact:
Vendor was contacted and has released fixes.


Credit:

Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com) 
discovered all of the following issues: 
#1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,#32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43,and 
#44

Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com) 
discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22

-- 
Thank you,
shatter[at]appsecinc(dot)com
Application Security, Inc.
phone: 212-947-8787
fax: 212-947-8788
 
----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com
 
AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business. 
----------------------------------------------------------------------



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ