Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

[Cesar <cesarc56 () yahoo com>]

Hey Chris.

First of all, your advisories are a bit wrong:
...Systems Affected:    Oracle 9 prior to 9.2.0.3

Actually Systems affected are Oracle 9 prior to
9.2.0.4 (Patchset 3).

The date in Metalink site of the Patch that fixes
these vulnerabilities is January 2 and your advisories
are from December.

I could be wrong, Oracle patches numeration, dates,
etc. really sucks, but you could be wrong too as the
version of Oracle your advisory said it was affected
:).

The fact is that i contacted Oracle before the fix was
available, they released the fix and they didn't told
me anything, they didn't released any public alert and
your advisory isn't in any public list, it's only on
your site. Finally, given that the date of the patch
that fixes these vulns is January 2, you published the
advisories in your site before the fix was available.
Again i could be wrong.

BTW: i'm curious, Why you didn't posted those
advisories to public mailing lists?


Cesar.

--- Chris Anley <chris () ngssoftware com> wrote:
> Hey Cesar.
>
> These are known bugs.
>
> We (NGS) found and reported them last year. As you
> say, Oracle has
> already fixed them and released a patch. Check out
>
> http://www.nextgenss.com/research.html
>
> ...where we posted advisories on these bugs in
> December, along with
> another couple in from_tz and time_zone. We've
> historically found a lot
> of issues in Oracle, so if you want to eliminate the
> stuff that's already
> fixed from your list of 60+ issues it's a good place
> to look; the fine
> detail isn't always available in the Oracle alerts.
>
>      -chris.
>
>
> On Thu, 5 Feb 2004, Cesar wrote:
>
> > Security Advisory
> >
> > Name:  Oracle Database 9ir2 Interval Conversion
> > Functions Buffer Overflow.
> > System Affected :  Oracle Database 9ir2, previous
> > versions could be affected too.
> > Severity :  High
> > Remote exploitable : Yes
> > Author:    Cesar Cerrudo.
> > Date:    02/05/04
> > Advisory Number:    CC020401
> >
> >
> > Legal Notice:
> >
> > This Advisory is Copyright (c) 2003 Cesar Cerrudo.
> > You may distribute it unmodified and for free. You
> may
> > NOT modify it and distribute it or distribute
> > parts of it without the author's written
> permission.
> > You may NOT use it for commercial intentions
> > (this means include it in vulnerabilities
> databases,
> > vulnerabilities scanners, any paid service,
> > etc.) without the author's written permission. You
> are
> > free to use Oracle details for commercial
> intentions.
> > Disclaimer:
> >
> > The information in this advisory is believed to be
> > true though it may be false.
> > The opinions expressed in this advisory are my own
> and
> > not of any company. The usual standard
> > disclaimer applies, especially the fact that Cesar
> > Cerrudo is not liable for any damages caused
> > by direct or indirect use of the information or
> > functionality provided by this advisory.
> > Cesar Cerrudo bears no responsibility for content
> or
> > misuse of this advisory or any derivatives
> thereof.
> > !!!!!!!!!!!ALERT!!!!!!!!!!!:
> >
> > Oracle was contacted about these vulnerabilities,
> but
> > their Security Response Team is one of the worst
> that
> > i have deal with, they don't care about security
> and
> > they don't even follow OISafety rules(Oracle is a
> > member).
> > Because this reason we only have told to Oracle
> about
> > just a couple of bugs, i think i won't contact
> them
> > anymore,
> > or maybe if i get a letter from Larry Ellison
> asking
> > for apologies...:).
> > Anyways if Oracle would spend more money on
> security
> > than in marketing saying that their products are
> > unbreakable
> > everything would be different. Right now Oracle
> > database server and other Oracle products are some
> > kind of backdoor.
> > These vulnerabilities are just only a bit of +60
> that
> > we have identified (yes more than 60 issues and
> > most of these issues can be exploited by any low
> > privileged user to take complete control over the
> > database and probably OS, also for some of them
> there
> > aren't any workarounds). If you are running Oracle
> i
> > recomend you to start praying to not being hacked
> and
> > to start complaining to Oracle to improve the
> quality
> > of
> > their products and to release patches.
> >
> > BTW: if someone from Oracle dares to say that i'm
> not
> > telling the true, then probably i will release all
> the
> > holes
> > information to shut their mouths.
> >
> > Some workaround to protect your Oracle servers
> until
> > maybe next year when Oracle probably could fix
> their
> > buggy
> > database server:
> >
> > -Check packages permissions and remove public
> > permission, set minimal permissions
> > that fit your needs.
> > -Check Directory Objects permissions and remove
> public
> > permission, set minimal permissions
> > that fit your need, remove Directory Objecs if not
> > used.
> > -Restrict users to execute directly PL/SQL
> statements
> > over the server.
> > -Periodically audit users permissions on all
> database
> > objects.
> > -Lock users that aren't used.
> > -Change default passwords.
> > If you want automation, i really like AppDetective
> for
> > Oracle:
http://www.appsecinc.com/products/appdetective/oracle/
> > Overview:
> >
> > Oracle Database Server is one of the most used
> > database servers in the world, it was marketed
> > as being unbreakable and many people thinks that
> is
> > one of the most secure database server in
> > the market. Larry Ellison (Oracle CEO) says that
> > Oracle is used by NSA, CIA, russian intelligence,
> > goverments, etc.
(www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
> > so it must be really secure!!!
> > Oracle Database Server provides two functions that
> can
> > be used with PL/SQL to convert numbers
> > to date/time intervals, these functions have
> buffer
> > overflow vulnerebilities.
> >
> >
> >
> > Details:
> >
> > When any of these conversion funcions are called
> with
> > a long string as a second
> > parameter a buffer overflow occurs.
> >
> > To reproduce the overflow execute the next PL/SQL:
> >
> > SELECT NUMTOYMINTERVAL(1,'longstringhere') from
> dual;
> > SELECT NUMTODSINTERVAL(1,'longstringhere') from
> dual;
> > This vulnerability can be exploited by any Oracle
> > Database user because access to these
> > functions can't be restricted.
> > Explotation of this vulnerability allow an
> attacker to
> > execute arbitrary code, also it
> > can be exploited to cause DOS (Denial of service)
> > killing Oracle server process. An attacker can
> > complete compromise the OS and database if Oracle
> is
=== message truncated ===


__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html