
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Advisories for the July 2008 Critical Patch Update and exploit code



A number of emails have been posted to the bugtraq and full-disclosure mailing lists in the last few days detailing some of the vulnerabilities fixed in the recent Oracle Critical Patch Update July 2008, and it is worth detailing some of them here. Most customers who are interested in Oracle security, and in the dreaded CPU cycle of release, test, patch, regression test and wait for the next one, download the CPU advisory, download the patch and read all the data supplied by Oracle.

In my experience most do not go further and seek out the advisories or additional details released by the researchers who found the bugs, some of whom also release exploits. This is important to do, not because I want to promote hacking but because I want to promote education. Customers of Oracle who download Oracle's advisory are made aware that it is the true source, which is fine; it is. But we should also be aware of what other people write and release, whether they are "true" sources or not. This is the information that someone who wants to crack your database could start with. It is the DBA's and the security person's responsibility to understand the level of data and information out there. I am not suggesting running any exploits or hacks, but understanding what is out there and what someone could download and run against your own databases. If you understand that, you have a better chance of making the database secure.

In the case of CPU July 2008 there are a few advisories we can mention here. The first post I came across was by Andrea Purificato, also known as Bunker, who released details of cross site scripting in the package procedure PORTAL.WWPOB_HOME_PAGE.POPUP_NAME. The details are here.

There are three advisories released by iDefense (reported and discovered by Joxean Koret). The first is "Oracle Database Local Untrusted Library Path", a local privilege escalation to root through the extjob binary, which is suid root. The second is "Oracle Internet Directory Pre-Authentication LDAP DoS Vulnerability", a bug in Oracle's LDAP implementation that does not require authentication, whereby a crafted LDAP request can dereference a NULL pointer and crash the LDAP handler process, causing a denial of service. The third is "Oracle Database DBMS_AQELM Package Buffer Overflow Vulnerability", a buffer overflow in the package that is reachable from SQL.

HP has also released an advisory, "HPSBMA02133 SSRT061201 rev.9 - HP Oracle for OpenView (OfO) Critical Patch Update".

Finally, and quite interestingly, Joxean Koret has also released a separate advisory for one of the iDefense bugs he reported, "Oracle Database Local Untrusted Library Path Vulnerability", which also details the root privilege escalation mentioned above. This advisory has a lot more detail than the iDefense one and includes exploit code. It is an interesting exploit because a multi-staged attack is possible: the local root escalation could be reached remotely through the database using a number of techniques that are often made possible by bad configuration.
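As an added example that is not from the original post or from any of the advisories: before deciding how urgently to patch the DBMS_AQELM buffer overflow, a DBA can enumerate who in the database can actually invoke the package, because the overflow can only be triggered by a session that can execute it. The queries below assume the standard SYS.DBMS_AQELM package and the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views, and should be run as a DBA on the database being assessed.

```sql
-- Added example, not from the original post or the advisories.
-- Exposure check for the DBMS_AQELM overflow: find every account that can
-- execute the package, directly or through roles.

-- 1. Direct EXECUTE grants on SYS.DBMS_AQELM (a PUBLIC grant means every account).
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_AQELM'
 ORDER BY grantee;

-- 2. Users that inherit EXECUTE through a role chain of any depth.
--    Start from the roles holding the grant and walk up the role hierarchy
--    with CONNECT BY, then keep only the grantees that are real users.
SELECT DISTINCT u.username, u.account_status
  FROM dba_users u
 WHERE u.username IN (
         SELECT grantee
           FROM dba_role_privs
          START WITH granted_role IN (
                  SELECT grantee
                    FROM dba_tab_privs
                   WHERE owner = 'SYS'
                     AND table_name = 'DBMS_AQELM'
                     AND privilege = 'EXECUTE')
        CONNECT BY PRIOR grantee = granted_role)
 ORDER BY u.username;

-- 3. Interim mitigation where the CPU cannot be applied immediately.
--    Assumption: no application in this database calls the package. Revoking a
--    grant from PUBLIC on a SYS package needs regression testing; the patch
--    remains the real fix.
-- REVOKE EXECUTE ON sys.dbms_aqelm FROM PUBLIC;
```

If query 1 returns PUBLIC, every account with CREATE SESSION, including low privileged application accounts, can reach the vulnerable code, which is the situation a published exploit would assume. If it returns only DBA style roles, the bug is still worth patching but the exposure is confined to accounts that are already highly privileged.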

As I said, be aware of what people publish; this information is used by people to experiment and test, and it could be used against you. Be aware of what is published so that it can help you assess the risks of patching or not patching.

There have been 2 comments posted on this article


July 22nd, 2008 at 10:22 pm

Pete Finnigan says:

Hi,

Just a note: the flaw in DBMS_AQELM isn't only a buffer overflow. The overflow, after the first execution, will occur ANYTIME you issue the command ALTER DATABASE OPEN, every time you try to start up the database system.

That is: after a successful attack you will need to restore the SYSTEM tablespace from a backup or, otherwise, the database can't open (in my tests, you will be unable to start it up even with "STARTUP MIGRATE").

Regards,
Joxean Koret



July 23rd, 2008 at 08:39 am

Pete Finnigan says:

Hi Joxean,

Thanks for the very interesting update on your advisory. The seriousness of the attack is not apparent in the advisory or in Oracle's documents.

Thanks

Pete