Re: [Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server

From: Mark Shirley (mshirley_at_gmail.com)
Date: 09/02/04

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Response to comments on Security and Obscurity"
    To: SHATTER <shatter@appsecinc.com>
    Date: Thu, 2 Sep 2004 09:32:05 -0400
    
    

    Now that's what i've been waiting for :)

    On Wed, 01 Sep 2004 19:20:25 -0400, SHATTER <shatter@appsecinc.com> wrote:
    > AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server
    >
    > Date:
    > August 31, 2004
    >
    > Detailed Information Provided Online At:
    > http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
    >
    > Credit:
    > These vulnerabilities were researched and discovered by Cesar Cerrudo
    > and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
    >
    > Risk Level:
    > High
    >
    > Abstract:
    > Multiple buffer overflow and denial of service (DoS) vulnerabilities
    > exist in the Oracle Database Server which allow database users to take
    > complete control over the database and optionally cause denial of service.
    >
    > The official advisory from Oracle Corporation can be obtained from:
    > http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
    >
    > Details:
    >
    > http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
    >
    > #1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
    > DBMS_REPCAT_INSTANTIATE package
    >
    > #2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
    > DBMS_REPCAT_INSTANTIATE package
    >
    > #3 - Buffer overflow in public function INSTANTIATE_ONLINE of
    > DBMS_REPCAT_INSTANTIATE package
    >
    > #4 - Buffer overflow on "gname" parameter on procedures of Replication
    > Management API Packages
    >
    > #5 - Buffer overflow on "sname" and "oname" parameters on procedures of
    > DBMS_REPCAT package
    >
    > #6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
    > package
    >
    > #7 - Buffer overflow on "gowner" parameter on procedures of the
    > DBMS_REPCAT package
    >
    > #8 - Buffer overflow on "operation" parameter on procedures of
    > DBMS_REPCAT package
    >
    > #9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
    > package
    >
    > #10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
    > DBMS_REPCAT package
    >
    > #11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
    > UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
    >
    > #12 - Buffer overflow in functions INSTANTIATE_OFFLINE,
    > INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of
    > DBMS_REPCAT_RGT package
    >
    > #13 - Buffer overflow on TEMPFILE parameter
    >
    > #14 - Buffer overflow on LOGFILE parameter
    >
    > #15 - Buffer overflow on CONTROLFILE parameter
    >
    > #16 - Buffer overflow on FILE parameter
    >
    > #17 - Buffer overflow in Interval Conversion Functions
    >
    > #18 - Buffer overflow in String Conversion Function
    >
    > #19 - Buffer overflow in CTX_OUTPUT Package Function
    >
    > #21 - Buffer overflow on DATAFILE parameter
    >
    > #22 - Buffer overflow in DBMS_SYSTEM package function
    >
    > #24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
    >
    > #25 - Buffer overflow on procedures of the Replication Management API
    > packages
    >
    > #26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus
    > Service
    >
    > #27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
    > DBMS_AQ_IMPORT_INTERNAL package
    >
    > #28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
    > DBMS_AQADM package
    >
    > #29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
    > DBMS_AQADM package
    >
    > #30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
    > package
    >
    > #31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
    > DBMS_DEFER_INTERNAL_SYS package
    >
    > #32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
    > DBMS_DEFER_REPCAT package
    >
    > #33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
    > DBMS_INTERNAL_REPCAT package
    >
    > #34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
    > DBMS_INTERNAL_REPCAT package
    >
    > #35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package
    >
    > #36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
    > package
    >
    > #37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
    >
    > #39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
    >
    > #40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
    >
    > #41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
    >
    > #42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
    >
    > #43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package
    >
    > #44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
    >
    > To determine if you are vulnerable, please download AppDetective from:
    >
    > http://www.appsecinc.com/products/appdetective/oracle/
    >
    > Comments:
    >
    > Exploitation of these vulnerabilities will allow an attacker to
    > completely compromise the OS and the database if Oracle is running on
    > Windows platform, because Oracle must run under the local System account
    > or under an administrative account. If Oracle is running on *nix then
    > only the database would be compromised because Oracle runs mostly under
    > oracle user which has restricted permissions.
    >
    > Workaround:
    >
    > -Check packages permissions and remove public permissions. Set minimal
    > permissions that fit your needs.
    > -Restrict users to execute PL/SQL statements directly over the server.
    > -Periodically audit user permissions on all database objects.
    > -Lock users that aren't used.
    > -Change default passwords.
    > -Keep Oracle up to date with patches.
    >
    > Vendor Contact:
    > Vendor was contacted and has released fixes.
    >
    > Credit:
    >
    > Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
    > discovered all of the following issues:
    > #1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,#32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43,and
    > #44
    >
    > Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com)
    > discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22
    >
    > --
    > Thank you,
    > shatter@appsecinc.com
    > Application Security, Inc.
    > phone: 212-947-8787
    > fax: 212-947-8788
    >
    > ----------------------------------------------------------------------
    > Application Security, Inc.
    > www.appsecinc.com
    >
    > AppSecInc is the leading provider of database security solutions for
    > the enterprise. AppSecInc products proactively secure enterprise
    > applications at more than 200 organizations around the world by
    > discovering, assessing, and protecting the database against rapidly
    > changing security threats. By securing data at its source, we enable
    > organizations to more confidently extend their business with
    > customers, partners and suppliers. Our security experts, combined
    > with our strong support team, deliver up-to-date application
    > safeguards that minimize risk and eliminate its impact on business.
    > ----------------------------------------------------------------------
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Response to comments on Security and Obscurity"

    Relevant Pages