
Oracle database

TeamSHATTER Security Advisory: Buffer Overflow in Oracle Database (CTXSYS.DRVDISP.TABLEFUNC_ASOWN function)

Risk Level:
Medium

Affected versions:
Oracle Database Server version 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed) 

Credits:

OCIPasswordChange API leaks information of password hash (CVE-2012-0511)

Risk Level:
High

Affected versions:
Oracle Database Server version 10gR1, 10gR2 (10.2.0.4 and previous
patchsets) and 11gR1 (11.1.0.7 and previous patchsets)


Remote exploitable:
Yes (No authentication is required)


Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Apologies for the very late reply, but I had a question regarding your 
advisory. I am CC'ing Oracle's security contact in hopes they can also 
reply with clarification.

: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

: Details:
: Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
: package contains the procedure GET_FULL_FILENAME which is vulnerable to
: buffer overflow attacks.

Re: Oracle Database Local Untrusted Library Path Vulnerability

> allows a user in the OINSTALL/DBA group to escalate privileges to root.
>
> Escalating Privileges from "oracle" to "root"
> --------------------------------------------
>
> In Oracle 10g R2 and later (Oracle 11g is also vulnerable) the affected
> binary, $ORACLE_HOME/bin/extjob, is SUID root and must be SUID root. In
> the following forum from Oracle you will find a note at the bottom of
> the page:
>
> (...)

[Onapsis Security Advisory 2010-008] Oracle Virtual Server Agent Arbitrary File Access

4. Affected Components Description
==================================

"Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server
virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced
certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters
with Oracle VM."

"Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured
during the installation of Oracle VM Server."


Auditing clients program in Oracle

Hi! Since I need to audit the client programs used to access my Oracle Database
(a feature not supported by Oracle audit), I created the following trigger to do
it. I hope it will be helpful for somebody else…


Oracle Database Local Untrusted Library Path Vulnerability

allows a user in the OINSTALL/DBA group to escalate privileges to root.

Escalating Privileges from "oracle" to "root"
--------------------------------------------

In Oracle 10g R2 and later (Oracle 11g is also vulnerable) the affected
binary, $ORACLE_HOME/bin/extjob, is SUID root and must be SUID root. In
the following forum from Oracle you will find a note at the bottom of
the page:

(...)

Oracle 11g password algorithm revealed

Hi All,

I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g. 

The password algorithm is simple and very easy to guess once you realise that the SHA-1 verifier stored in the database is 80 bits too long. It's also obvious from other testing I documented on my blog that a salt is indeed used. Once these facts are known the algorithm can be guessed. The algorithm is simply SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$.spare4).

To create a simple function to test a verifier you simply need to do:

SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || substr(sys.user$.spare4,43,10)


TeamSHATTER Security Advisory: Oracle Enterprise Manager vulnerable to XSS (notifRuleInfo$mode page)

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Grid Control versions 10.1.0.6
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, 10.2.0.4
Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security, Inc.

[Onapsis Security Advisory 2010-009] Oracle Virtual Server Agent Remote Command Execution

4. Affected Components Description
==================================

"Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server
virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced
certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters
with Oracle VM."

"Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured
during the installation of Oracle VM Server."


TeamSHATTER Security Advisory: Oracle Enterprise Manager vulnerable to XSS (sitemap page)

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Grid Control versions 10.1.0.6
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.7
Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security, Inc.

How to subvert Oracle Database Vault

Hi,

I wrote a presentation for a friend about how to bypass Oracle
Database Vault. It may be interesting for someone else...

You can download the presentation "Oracle Database Vault: The world is not
pink and I'm root" at:

http://inguma.sourceforge.net/docs/oracle_database_vault_en.pdf


TeamSHATTER Security Advisory: Multiple SQL Injection in Oracle Enterprise Manager Service Level component

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security Inc.

Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.
The 'targetType' parameter used in the web page /em/console/target/svclvl/slrule and the 'serviceType' parameter used in the web page /em/console/target/svclvl/sldetails are vulnerable to SQL Injection attacks. These web pages are part of the Oracle Enterprise Manager web application that is included with Oracle Database 11g Release 1. It may be possible for a malicious Enterprise Manager user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.

Impact:
This vulnerability allows an Oracle Enterprise Manager web user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user.  This may also be exploited by an attacker that convinces a valid user to click or open a malicious link.

Vendor Status:

TeamSHATTER Security Advisory: Oracle Enterprise Manager vulnerable to XSS (metricDetail$type page)

Risk Level:
Medium

Affected versions:
Oracle Enterprise Manager Grid Control versions 10.1.0.6, 10.2.0.5
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2
Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security, Inc.

[Onapsis Security Advisory 2010-010] Oracle Virtual Server Agent Local Privilege Escalation

4. Affected Components Description
==================================

"Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server
virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced
certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters
with Oracle VM."

"Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured
during the installation of Oracle VM Server."


Team SHATTER Security Advisory: SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)

This vulnerability was discovered and researched by Esteban Martínez
Fayo of Application Security Inc.

Details:
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE
owned by PORTAL in the backend Oracle database server. The 'ACTION'
procedure of this package has an instance of SQL Injection that allows
attackers to create anonymous PL/SQL programs and execute any kind of
PL/SQL statements. The statements are executed with the privileges of
the PORTAL user, which has DBA privileges. The vulnerability can be
exploited using a web application and without authentication.


Black Hat: New Webinar, Japan audio now on-line.

BugTraq, the Japan 2008 briefings audio is now on-line, plus a webinar from
Dave Litchfield is about to happen:

NEW FREE WEBCAST - Oracle Database Forensics

Black Hat's webcast series continues with another powerful presentation from
a popular Black Hat speaker. This month's presenter is David Litchfield of
NGS software, speaking on Oracle database forensics, and he will be
releasing a new tool called orablock which he describes this way:


McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

McKesson Horizon Clinical Infrastructure, also known as McKesson HCI, utilizes hardcoded passwords
for Oracle database access. HCI serves as the patient record datastore for the majority of McKesson
applications. There are two components to an HCI implementation: the Infrastructure (or Master) server
and the database back-end. The HCI Infrastructure Server has an Oracle client installed that initializes
OCI/sqlplus connections to the Oracle database back-end. A file on each HCI Infrastructure server,
/usr/local/bin/password, contains the database account usernames and their respective passwords.
Content from /usr/local/bin/password is shown:

# cat /usr/local/bin/password
AMBU:hacschema
QUEUE_USER:qmanager
SYS:alLp0ver2

RE: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (Oracle CPU April 2008 DB11)

The main problem with the Oracle CVSS base scores is more with CVSS than
Oracle.  Under the CVSSv2 definition of
Confidentiality/Integrity/Availability impact, if the entire database is
compromised but not the "entire system" then the metric value will be
Partial rather than Complete.  Since the large majority of Oracle database
vulnerabilities require a valid database session unless exploited via a
blended threat (i.e., such as SQL injection which is completely ignored by
Oracle in any analysis), the maximum realistic score for an Oracle database
vulnerability is 6.5 since CIA impact will only ever be Partial except in
rare occasions.  Oracle does include a "Partial+" in the advisories to

Oracle 11g/10g Installation Vulnerability

Hey all,
After investigating 11g the other day I came across an interesting issue.
During the installation of Oracle 11g and 10g all accounts, including the
SYS and SYSTEM accounts, have their default passwords and only at the end of
the install are the passwords changed. This means that there is a window of
opportunity for an attacker to log into the database server during the
install process. Depending upon "which" install options you choose
determines the size of the window. Full details for those that are
interested can be found here:
http://www.davidlitchfield.com/blog/archives/00000030.htm - since I reported

Oracle 11g (11.1.0.6) Password Policy and Compliance

Many security standards require the tracking of users' password history to 
prevent password re-use. In Oracle 11g (11.1.0.6), if a security 
administrator has enabled 11g passwords exclusively then tracking password 
history is broken. This can affect compliance. This was addressed by Oracle 
in their April 2009 Critical Patch Update and maps to the currently 
unspecified vulnerability at 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0988
Cheers,
David Litchfield
NGSSoftware Ltd

Advisory for Oracle CPU October 2008 - APEX Flows excessive privileges

Description
-----------

Oracle Application Express (APEX) is a rapid development tool for
developing web based interfaces and applications that run against an
Oracle database. APEX is operated from a web browser and allows people
with limited programming experience to develop professional
applications. The issue located by PeteFinnigan.com Limited relates to
excessive privileges assigned to the FLOWS database schema/user account.

Risk

Oracle 0-day to get SYSDBA access to the database

Tanel Poder has found a way to get SYSDBA access to the Oracle database by utilising a user who has the BECOME USER system privilege, execute privileges on KUPP$PROC.CHANGE_USER and CREATE SESSION. He shows how a user with these privileges can become SYS (but not SYSDBA) and then use an immediate debug event to cause a debugger to flip the SYSDBA bit in the PGA to set a dedicated server session to a SYSDBA one; from there the user can do anything else. The user needs to have these privileges, so it's not an open and shut case, but it is serious in that a privilege escalation is still possible. Tanel's post is here: http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/ and my blog entry / analysis is here: http://www.petefinnigan.com/weblog/archives/00001126.htm

cheers

Pete



Unprivileged DB users can see APEX password hashes

Patch Information:
Upgrade to Oracle APEX 3.2.


Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle
CPU April 2009 and can identify vulnerable databases. 
More Information about Repscan can be found here:
http://www.sentrigo.com/repscan



Oracle Application Server PLSQL injection flaw

Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.

Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is

[Argeniss] Data0: Next generation malware for stealing databases (Paper)

simple PoC of new malware that, after it is deployed on a computer in an
internal network, will automatically hack database servers and steal their
data. Several techniques used by Data0 will be detailed. Data0 will be
targeting Microsoft SQL Server and Oracle Database Server, two of the most
used database servers. While Data0 could be used by the bad guys for evil
purposes, it could also be used by security professionals and organizations
to determine how strong networks, workstations, database

Re: SQL Smuggling

It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling" 
attack exploiting homoglyphic translation. As outlined by David Litchfield 
in an old full-disclosure post [1]:

"It didn't take long to discover that this patch could be bypassed using 
the following technique: due to internationalization, an Oracle database 
server will convert the ÿ character (value 0xFF) to a capital Y. The PLSQL 
Gateway will not. Thus, if we request:

http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE


Oracle Forms Cross site Scripting in (iFcgi60.exe / f60servlet)

About: Oracle Forms is a tool (somewhat like Visual Basic in appearance, but the code inside is PL/SQL) 
which allows a developer to quickly create user-interface applications which access an Oracle database 
in a very efficient and tightly-coupled way. It was originally developed to run server-side in character 
mode on any Unix box, before Windows existed. It was then ported to Windows to function in a client-server 
environment. This could be exploited to conduct cross site scripting attacks. Attackers can run arbitrary 
script code that is executed by the user's browser in the security context of an affected site. Attackers can 
exploit these issues via a web client.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.