Bugtraq mailing list archives

Vulnerabilities in Oracle WebDB (fwd)


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 26 Dec 2000 19:56:18 +0100

Here is the message from the Oracle Security team regarding the
vulnerabilities I've published (hope they don't mind if I publish it; it
doesn't look confidential):

---
From: Secalert <secalert_us () oracle com>
Subject: Vulnerabilities in Oracle WebDB

Dear Michal,

Thank you for bringing to Oracle and its user community's attention the
vulnerabilities in Oracle WebDB. Please be assured that
workarounds/fixes for these problems are available. We will post details
on BUGTRAQ very soon.

Best regards,
-Oracle Security Products
---

In the meantime, I've found that Oracle secured their website (it took
around two days after my publication, not bad). That's right -
it is no longer possible to do, for example:

http://www.oracle.com/pls/oracle8i/select%09something...

Nice, isn't it? As they said fixes are already available, I assumed it was
the final solution. But wait...

First of all, a few words from the author ;) Not really wanting to be
malicious, I decided to publish it right now, allowing Oracle people to
prepare good, working patches, instead of releasing bogus workarounds (as
opposed to "malicious" behaviour: keeping this information private until
they release their patches, and publishing it then). Right. You can
blame me, but that's my way. Hmm, what was I talking about?  Aaah... (caps
lock on): IT IS STILL POSSIBLE TO DO SOMETHING LIKE:

http://www.oracle.com/pls/oracle8i/%0aselect%09something...

...sorry for the example, I am sending it to Oracle secalert before
publication. Of course, as someone pointed out, you can use, for example,
the owa_util package (owa_util.showsource might be useful), and not only
abuse plain PL/SQL queries. Nasty and tasty.

I won't comment on it. If you were vulnerable, you are still vulnerable.
Hey, Oracle Security, wouldn't it be saner to check for known
procedure names, preferably rejecting all internal / standard procedures,
instead of blindly passing (almost) anything to the PL/SQL interpreter and
putting some bogus checks here? And to disallow control characters in the
URL? Remember - according to your website - we are talking about
software used by nine out of ten of the biggest corporations, aren't we?

When I started playing with WebDB, spaces were disallowed. I used tabs
(%09) to bypass that. So you have apparently disallowed some known keywords
in queries. I've used %0a to fool this check. Want to play more?

--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
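Editor's added example (not part of Michal's post and not Oracle's code, which is not shown on this page): a small Python model of the two string checks the post infers the gateway was doing (first rejecting spaces, then rejecting SQL keywords at the start of the procedure name), next to the allowlist check the post asks for. The request paths are constructed from the URLs quoted above; the "myapp.*" procedure names and the allowlist are hypothetical. The point it makes runnable is that percent-encoded tab (%09) and newline (%0a) slip past both denylist checks, while decoding first, rejecting any control or whitespace byte, and matching a strict identifier against an allowlist stops all of them.

```python
"""Model of the /pls/<DAD>/<procedure> filtering bypass discussed in the post.

This is an illustrative model written for this page. It does NOT reproduce
Oracle's actual gateway code; the denylist checks are a guess at the
behaviour the post describes (spaces blocked, then keywords blocked)."""
import re
from urllib.parse import unquote

# Constructed sample request paths, modelled on the URLs quoted in the post.
REQUESTS = {
    "plain":   "/pls/oracle8i/select%20something",     # literal space
    "tab":     "/pls/oracle8i/select%09something",     # tab instead of space
    "newline": "/pls/oracle8i/%0aselect%09something",  # leading LF, then tab
    "owa":     "/pls/oracle8i/owa_util.showsource",    # standard package
    "app":     "/pls/oracle8i/myapp.show_report",      # hypothetical app proc
}

# Hypothetical allowlist of application procedures the gateway should expose.
ALLOWED_PROCEDURES = {"myapp.show_report", "myapp.list_items"}

# Package prefixes that belong to the gateway / database internals and
# should never be reachable from a URL (standard Oracle package names).
INTERNAL_PREFIXES = ("owa_", "htp.", "htf.", "sys.", "dbms_", "utl_")

SQL_KEYWORDS = ("select", "insert", "update", "delete", "create", "drop",
                "alter", "grant", "execute", "begin", "declare")

# Bare PL/SQL identifier, optionally package-qualified: pkg.proc
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*(\.[A-Za-z][A-Za-z0-9_$#]*)?$")


def procedure_part(path):
    """Return the percent-decoded text after /pls/<DAD>/, i.e. what the
    gateway hands to the PL/SQL engine."""
    parts = path.split("/", 3)           # ['', 'pls', '<DAD>', '<rest>']
    return unquote(parts[3]) if len(parts) == 4 else ""


def filter_v1(path):
    """First-generation check (as the post describes it): reject literal
    spaces only. A tab (%09) is not a space, so it passes."""
    return " " not in procedure_part(path)


def filter_v2(path):
    """Second-generation check: additionally reject known SQL keywords at
    the start of the procedure name. A leading newline (%0a) means the
    string no longer *starts* with 'select', so it passes."""
    proc = procedure_part(path)
    if " " in proc:
        return False
    return not proc.lower().startswith(SQL_KEYWORDS)


def filter_hardened(path, allowed=ALLOWED_PROCEDURES):
    """Allowlist check along the lines the post asks for: decode first,
    reject any control/whitespace byte, require a bare procedure name,
    reject internal packages, then require membership in the allowlist."""
    proc = procedure_part(path)
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in proc):
        return False                     # tabs, newlines, spaces, DEL, ...
    if not IDENT.match(proc):
        return False                     # not a plain [pkg.]procedure name
    name = proc.lower()
    if name.startswith(INTERNAL_PREFIXES):
        return False                     # owa_util.showsource and friends
    return name in allowed


def evaluate(check):
    """Run one filter over all sample requests; returns {label: accepted?}."""
    return {label: check(path) for label, path in REQUESTS.items()}


if __name__ == "__main__":
    for name, check in (("v1", filter_v1), ("v2", filter_v2),
                        ("hardened", filter_hardened)):
        print(name, evaluate(check))
```

Running it prints one line per filter; the denylist versions each accept exactly the encoding the post says defeated them (v1 accepts "tab" and "newline", v2 still accepts "newline" and also the owa_util call), while the hardened version accepts only the allowlisted application procedure. The decode-before-check ordering matters: checking the raw, still-encoded URL would let "%09" through any whitespace test.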

