Message-ID: <c31ca9c604090206325eee844@mail.gmail.com>
From: mshirley at gmail.com (Mark Shirley)
Subject: [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server

Now that's what I've been waiting for :)

On Wed, 01 Sep 2004 19:20:25 -0400, SHATTER <shatter@...secinc.com> wrote:
> AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server
> 
> Date:
> August 31, 2004
> 
> Detailed Information Provided Online At:
> http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
> 
> Credit:
> These vulnerabilities were researched and discovered by Cesar Cerrudo
> and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
> 
> Risk Level:
> High
> 
> Abstract:
> Multiple buffer overflow and denial of service (DoS) vulnerabilities
> exist in the Oracle Database Server which allow database users to take
> complete control over the database and optionally cause denial of service.
> 
> The official advisory from Oracle Corporation can be obtained from:
> http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
> 
> Details:
> 
> http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
> 
> #1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
> DBMS_REPCAT_INSTANTIATE package
> 
> #2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
> DBMS_REPCAT_INSTANTIATE package
> 
> #3 - Buffer overflow in public function INSTANTIATE_ONLINE of
> DBMS_REPCAT_INSTANTIATE package
> 
> #4 - Buffer overflow on "gname" parameter on procedures of Replication
> Management API Packages
> 
> #5 - Buffer overflow on "sname" and "oname" parameters on procedures of
> DBMS_REPCAT package
> 
> #6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
> package
> 
> #7 - Buffer overflow on "gowner" parameter on procedures of the
> DBMS_REPCAT package
> 
> #8 - Buffer overflow on "operation" parameter on procedures of
> DBMS_REPCAT package
> 
> #9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
> package
> 
> #10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
> DBMS_REPCAT package
> 
> #11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
> UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
> 
> #12 - Buffer overflow in functions INSTANTIATE_OFFLINE,
> INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of
> DBMS_REPCAT_RGT package
> 
> #13 - Buffer overflow on TEMPFILE parameter
> 
> #14 - Buffer overflow on LOGFILE parameter
> 
> #15 - Buffer overflow on CONTROLFILE parameter
> 
> #16 - Buffer overflow on FILE parameter
> 
> #17 - Buffer overflow in Interval Conversion Functions
> 
> #18 - Buffer overflow in String Conversion Function
> 
> #19 - Buffer overflow in CTX_OUTPUT Package Function
> 
> #21 - Buffer overflow on DATAFILE parameter
> 
> #22 - Buffer overflow in DBMS_SYSTEM package function
> 
> #24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
> 
> #25 - Buffer overflow on procedures of the Replication Management API
> packages
> 
> #26 - Heap-based buffer overflow vulnerability in Oracle 10g iSQL*Plus
> Service
> 
> #27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
> DBMS_AQ_IMPORT_INTERNAL package
> 
> #28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
> DBMS_AQADM package
> 
> #29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
> DBMS_AQADM package
> 
> #30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
> package
> 
> #31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
> DBMS_DEFER_INTERNAL_SYS package
> 
> #32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
> DBMS_DEFER_REPCAT package
> 
> #33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
> DBMS_INTERNAL_REPCAT package
> 
> #34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
> DBMS_INTERNAL_REPCAT package
> 
> #35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package
> 
> #36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
> package
> 
> #37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
> 
> #39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
> 
> #40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
> 
> #41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
> 
> #42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
> 
> #43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package
> 
> #44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
> 
> To determine if you are vulnerable, please download AppDetective from:
> 
> http://www.appsecinc.com/products/appdetective/oracle/
> 
> Comments:
> 
> Exploitation of these vulnerabilities will allow an attacker to
> completely compromise the OS and the database if Oracle is running on
> Windows platform, because Oracle must run under the local System account
> or under an administrative account. If Oracle is running on *nix then
> only the database would be compromised because Oracle runs mostly under
> oracle user which has restricted permissions.
> 
> Workaround:
> 
> -Check packages permissions and remove public permissions. Set minimal
> permissions that fit your needs.
> -Restrict users to execute PL/SQL statements directly over the server.
> -Periodically audit user permissions on all database objects.
> -Lock users that aren't used.
> -Change default passwords.
> -Keep Oracle up to date with patches.
> 
> Vendor Contact:
> Vendor was contacted and has released fixes.
> 
> Credit:
> 
> Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
> discovered all of the following issues:
> #1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,#32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43,
> and #44
> 
> Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com)
> discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22
> 
> --
> Thank you,
> shatter@...secinc.com
> Application Security, Inc.
> phone: 212-947-8787
> fax: 212-947-8788
> 
> ----------------------------------------------------------------------
> Application Security, Inc.
> www.appsecinc.com
> 
> AppSecInc is the leading provider of database security solutions for
> the enterprise. AppSecInc products proactively secure enterprise
> applications at more than 200 organizations around the world by
> discovering, assessing, and protecting the database against rapidly
> changing security threats. By securing data at its source, we enable
> organizations to more confidently extend their business with
> customers, partners and suppliers. Our security experts, combined
> with our strong support team, deliver up-to-date application
> safeguards that minimize risk and eliminate its impact on business.
> ----------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
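
The first, third and fourth items of the advisory's Workaround list can be checked with two data-dictionary queries. This is an added example, not part of the advisory or of AppSecInc's tooling; it assumes an account that can read the DBA_* views, and it matches packages by name only because the advisory does not state their owners.

```sql
-- Added example. Package names are copied from the advisory's issue list;
-- the owner is not stated there, so every schema holding a package of that
-- name is reported.

-- 1. Who can execute the packages named in the advisory?
--    For PUBLIC grants, a REVOKE statement is generated for review only;
--    this query changes nothing.
SELECT p.owner,
       p.table_name AS package_name,
       p.grantee,
       p.grantor,
       p.grantable,
       CASE WHEN p.grantee = 'PUBLIC'
            THEN 'REVOKE EXECUTE ON "' || p.owner || '"."' ||
                 p.table_name || '" FROM PUBLIC;'
       END AS suggested_revoke
FROM   dba_tab_privs p
WHERE  p.privilege = 'EXECUTE'
AND    p.table_name IN (
         'DBMS_REPCAT', 'DBMS_REPCAT_INSTANTIATE', 'DBMS_REPCAT_ADMIN',
         'DBMS_REPCAT_RGT', 'DBMS_REPCAT_RQ', 'DBMS_REPCAT_UTL',
         'DBMS_INTERNAL_REPCAT', 'DBMS_DEFER_REPCAT',
         'DBMS_DEFER_INTERNAL_SYS', 'DBMS_RECTIFIER_DIFF',
         'DBMS_AQADM', 'DBMS_AQADM_SYS', 'DBMS_AQ_IMPORT_INTERNAL',
         'DBMS_SYSTEM', 'CTX_OUTPUT', 'LTUTIL', 'MD2', 'SDO_ADMIN',
         'DRIDDLR'
       )
ORDER  BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          p.owner, p.table_name, p.grantee;

-- 2. Accounts that are still open, oldest first, as candidates for
--    "Lock users that aren't used". Whether an account is in use is a
--    judgement the query cannot make; lock one with
--    ALTER USER <name> ACCOUNT LOCK once that is confirmed.
SELECT username,
       account_status,
       created,
       profile
FROM   dba_users
WHERE  account_status = 'OPEN'
ORDER  BY created;
```

Revoking EXECUTE from PUBLIC can invalidate objects that depend on the package, so apply the generated statements on a test instance before production.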

