From: xbud at g0thead.com (xbud)
Subject: [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server

Actually this sounds like someone stole Litchfield's research - but what do I 
know.  Just seems like too much coincidence since his last talk dealt with 
procedure based vulns.


On Thursday 02 September 2004 08:32 am, Mark Shirley wrote:
> Now that's what I've been waiting for :)
>
> On Wed, 01 Sep 2004 19:20:25 -0400, SHATTER <shatter@...secinc.com> wrote:
> > AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server
> >
> > Date:
> > August 31, 2004
> >
> > Detailed Information Provided Online At:
> > http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
> >
> > Credit:
> > These vulnerabilities were researched and discovered by Cesar Cerrudo
> > and Esteban Martinez Fayo of Application Security, Inc.
> > (www.appsecinc.com)
> >
> > Risk Level:
> > High
> >
> > Abstract:
> > Multiple buffer overflow and denial of service (DoS) vulnerabilities
> > exist in the Oracle Database Server which allow database users to take
> > complete control over the database and optionally cause denial of
> > service.
> >
> > The official advisory from Oracle Corporation can be obtained from:
> > http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
> >
> > Details:
> >
> > http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
> >
> > #1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
> > DBMS_REPCAT_INSTANTIATE package
> >
> > #2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
> > DBMS_REPCAT_INSTANTIATE package
> >
> > #3 - Buffer overflow in public function INSTANTIATE_ONLINE of
> > DBMS_REPCAT_INSTANTIATE package
> >
> > #4 - Buffer overflow on "gname" parameter on procedures of Replication
> > Management API Packages
> >
> > #5 - Buffer overflow on "sname" and "oname" parameters on procedures of
> > DBMS_REPCAT package
> >
> > #6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
> > package
> >
> > #7 - Buffer overflow on "gowner" parameter on procedures of the
> > DBMS_REPCAT package
> >
> > #8 - Buffer overflow on "operation" parameter on procedures of
> > DBMS_REPCAT package
> >
> > #9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
> > package
> >
> > #10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
> > DBMS_REPCAT package
> >
> > #11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
> > UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
> >
> > #12 - Buffer overflow in functions INSTANTIATE_OFFLINE,
> > INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of
> > DBMS_REPCAT_RGT package
> >
> > #13 - Buffer overflow on TEMPFILE parameter
> >
> > #14 - Buffer overflow on LOGFILE parameter
> >
> > #15 - Buffer overflow on CONTROLFILE parameter
> >
> > #16 - Buffer overflow on FILE parameter
> >
> > #17 - Buffer overflow in Interval Conversion Functions
> >
> > #18 - Buffer overflow in String Conversion Function
> >
> > #19 - Buffer overflow in CTX_OUTPUT Package Function
> >
> > #21 - Buffer overflow on DATAFILE parameter
> >
> > #22 - Buffer overflow in DBMS_SYSTEM package function
> >
> > #24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
> >
> > #25 - Buffer overflow on procedures of the Replication Management API
> > packages
> >
> > #26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*Plus
> > Service
> >
> > #27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
> > DBMS_AQ_IMPORT_INTERNAL package
> >
> > #28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
> > DBMS_AQADM package
> >
> > #29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
> > DBMS_AQADM package
> >
> > #30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
> > package
> >
> > #31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
> > DBMS_DEFER_INTERNAL_SYS package
> >
> > #32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
> > DBMS_DEFER_REPCAT package
> >
> > #33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
> > DBMS_INTERNAL_REPCAT package
> >
> > #34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
> > DBMS_INTERNAL_REPCAT package
> >
> > #35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT
> > package
> >
> > #36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
> > package
> >
> > #37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
> >
> > #39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
> >
> > #40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
> >
> > #41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
> >
> > #42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
> >
> > #43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN
> > package
> >
> > #44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
> >
> > To determine if you are vulnerable, please download AppDetective from:
> >
> > http://www.appsecinc.com/products/appdetective/oracle/
> >
> > Comments:
> >
> > Exploitation of these vulnerabilities will allow an attacker to
> > completely compromise the OS and the database if Oracle is running on
> > Windows platform, because Oracle must run under the local System account
> > or under an administrative account. If Oracle is running on *nix then
> > only the database would be compromised because Oracle runs mostly under
> > oracle user which has restricted permissions.
> >
> > Workaround:
> >
> > -Check packages permissions and remove public permissions. Set minimal
> > permissions that fit your needs.
> > -Restrict users to execute PL/SQL statements directly over the server.
> > -Periodically audit user permissions on all database objects.
> > -Lock users that aren't used.
> > -Change default passwords.
> > -Keep Oracle up to date with patches.
> >
> > Vendor Contact:
> > Vendor was contacted and has released fixes.
> >
> > Credit:
> >
> > Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
> > discovered all of the following issues:
> > #1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,
> > #32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43, and #44
> >
> > Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com)
> > discovered all of the following issues:
> > #13,#14,#15,#16,#17,#18,#19,#21,#22
> >
> > --
> > Thank you,
> > shatter@...secinc.com
> > Application Security, Inc.
> > phone: 212-947-8787
> > fax: 212-947-8788
> >
> > ----------------------------------------------------------------------
> > Application Security, Inc.
> > www.appsecinc.com
> >
> > AppSecInc is the leading provider of database security solutions for
> > the enterprise. AppSecInc products proactively secure enterprise
> > applications at more than 200 organizations around the world by
> > discovering, assessing, and protecting the database against rapidly
> > changing security threats. By securing data at its source, we enable
> > organizations to more confidently extend their business with
> > customers, partners and suppliers. Our security experts, combined
> > with our strong support team, deliver up-to-date application
> > safeguards that minimize risk and eliminate its impact on business.
> > ----------------------------------------------------------------------
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
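
The quoted advisory's workaround list (review package permissions, remove public grants, lock unused accounts, change default passwords) can be turned into an audit query. The following is an added example, not part of the advisory or of any message in this thread. It assumes a DBA session with SELECT access to the `DBA_*` data dictionary views on an Oracle release that provides `sys.odcivarchar2list` and `DBA_USERS_WITH_DEFPWD`; the package names are the ones listed in the advisory.

```sql
-- Added example (not from the advisory). Read-only: nothing here changes grants.

-- 1. Who can execute the packages named in the advisory?
--    PUBLIC grants sort first and come with a candidate REVOKE to review.
--    Revoking EXECUTE can invalidate dependent objects and break replication
--    or application features, so test each statement before applying it.
WITH advisory_pkgs AS (
  SELECT column_value AS package_name
  FROM   TABLE(sys.odcivarchar2list(
           'DBMS_REPCAT_INSTANTIATE', 'DBMS_REPCAT', 'DBMS_REPCAT_ADMIN',
           'DBMS_REPCAT_RGT', 'DBMS_REPCAT_RQ', 'DBMS_REPCAT_UTL',
           'DBMS_INTERNAL_REPCAT', 'DBMS_DEFER_REPCAT',
           'DBMS_DEFER_INTERNAL_SYS', 'DBMS_RECTIFIER_DIFF',
           'DBMS_AQ_IMPORT_INTERNAL', 'DBMS_AQADM', 'DBMS_AQADM_SYS',
           'DBMS_SYSTEM', 'CTX_OUTPUT', 'LTUTIL', 'MD2', 'SDO_ADMIN',
           'DRIDDLR'))
)
SELECT p.grantee,
       p.owner,
       p.table_name AS package_name,
       CASE WHEN p.grantee = 'PUBLIC' THEN
         'REVOKE EXECUTE ON "' || p.owner || '"."' || p.table_name
           || '" FROM PUBLIC;'
       END AS candidate_revoke
FROM   dba_tab_privs p
JOIN   advisory_pkgs a ON a.package_name = p.table_name
WHERE  p.privilege = 'EXECUTE'
ORDER  BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          p.owner, p.table_name, p.grantee;

-- 2. Accounts that can still log in, flagging those whose password is
--    still a known default. Unused ones are candidates for ACCOUNT LOCK.
SELECT u.username,
       u.account_status,
       u.profile,
       u.created,
       CASE WHEN d.username IS NOT NULL THEN 'YES' ELSE 'NO' END
         AS default_password
FROM   dba_users u
LEFT   JOIN dba_users_with_defpwd d ON d.username = u.username
WHERE  u.account_status = 'OPEN'
ORDER  BY default_password DESC, u.username;
```

Running both queries on a schedule and diffing the output covers the advisory's "periodically audit user permissions" item for these packages.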

