Full Disclosure mailing list archives
Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow
From: Cesar <cesarc56 () yahoo com>
Date: Thu, 5 Feb 2004 15:23:41 -0800 (PST)
Hey Chris. First of all, your advisories are a bit wrong:

...Systems Affected: Oracle 9 prior to 9.2.0.3

Actually, systems affected are Oracle 9 prior to 9.2.0.4 (Patchset 3). The date on the Metalink site of the patch that fixes these vulnerabilities is January 2 and your advisories are from December. I could be wrong, Oracle patch numbering, dates, etc. really suck, but you could be wrong too about the version of Oracle your advisory said was affected :). The fact is that I contacted Oracle before the fix was available, they released the fix and they didn't tell me anything, they didn't release any public alert and your advisory isn't on any public list, it's only on your site. Finally, given that the date of the patch that fixes these vulns is January 2, you published the advisories on your site before the fix was available. Again, I could be wrong.

BTW: I'm curious, why didn't you post those advisories to public mailing lists?

Cesar.

--- Chris Anley <chris () ngssoftware com> wrote:
Hey Cesar. These are known bugs. We (NGS) found and reported them last year. As you say, Oracle has already fixed them and released a patch. Check out http://www.nextgenss.com/research.html ...where we posted advisories on these bugs in December, along with another couple in from_tz and time_zone. We've historically found a lot of issues in Oracle, so if you want to eliminate the stuff that's already fixed from your list of 60+ issues it's a good place to look; the fine detail isn't always available in the Oracle alerts.

-chris.

On Thu, 5 Feb 2004, Cesar wrote:

Security Advisory
Name: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow.
System Affected: Oracle Database 9ir2, previous versions could be affected too.
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo.
Date: 02/05/04
Advisory Number: CC020401

Legal Notice: This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerability databases, vulnerability scanners, any paid service, etc.) without the author's written permission. You are free to use Oracle details for commercial intentions.

Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.

!!!!!!!!!!!ALERT!!!!!!!!!!!: Oracle was contacted about these vulnerabilities, but their Security Response Team is one of the worst that I have dealt with, they don't care about security and they don't even follow OISafety rules (Oracle is a member). For this reason we have only told Oracle about just a couple of bugs, I think I won't contact them anymore, or maybe if I get a letter from Larry Ellison asking for apologies...:). Anyways, if Oracle would spend more money on security than on marketing saying that their products are unbreakable everything would be different. Right now Oracle database server and other Oracle products are some kind of backdoor. These vulnerabilities are just a bit of the +60 that we have identified (yes, more than 60 issues, and most of these issues can be exploited by any low privileged user to take complete control over the database and probably the OS, also for some of them there aren't any workarounds). If you are running Oracle I recommend you to start praying to not be hacked and to start complaining to Oracle to improve the quality of their products and to release patches. BTW: if someone from Oracle dares to say that I'm not telling the truth, then probably I will release all the holes' information to shut their mouths.

Some workarounds to protect your Oracle servers until maybe next year when Oracle probably could fix their buggy database server:

-Check package permissions and remove public permission, set minimal permissions that fit your needs.
-Check Directory Object permissions and remove public permission, set minimal permissions that fit your needs, remove Directory Objects if not used.
-Restrict users from executing PL/SQL statements directly on the server.
-Periodically audit user permissions on all database objects.
-Lock users that aren't used.
-Change default passwords.

If you want automation, I really like AppDetective for Oracle:
http://www.appsecinc.com/products/appdetective/oracle/
Overview:

Oracle Database Server is one of the most used database servers in the world, it was marketed as being unbreakable and many people think that it is one of the most secure database servers on the market. Larry Ellison (Oracle CEO) says that Oracle is used by the NSA, CIA, Russian intelligence, governments, etc.
(www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
so it must be really secure!!!

Oracle Database Server provides two functions that can be used with PL/SQL to convert numbers to date/time intervals; these functions have buffer overflow vulnerabilities.

Details:

When any of these conversion functions is called with a long string as the second parameter a buffer overflow occurs. To reproduce the overflow execute the next PL/SQL:

SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;

This vulnerability can be exploited by any Oracle Database user because access to these functions can't be restricted. Exploitation of this vulnerability allows an attacker to execute arbitrary code; it can also be exploited to cause a DoS (Denial of Service) by killing the Oracle server process. An attacker can completely compromise the OS and database if Oracle is
=== message truncated ===

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
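Added example, not part of the thread, the advisory, or Oracle's own documentation: the advisory's workaround list turned into an audit and remediation script against Oracle's standard data-dictionary views (V$VERSION, DBA_TAB_PRIVS, DBA_DIRECTORIES, DBA_USERS), to be run as a DBA. The REVOKE and ALTER USER targets (SYS.UTL_FILE, a directory called EXPORT_DIR, the SCOTT account, the replacement password) are placeholders chosen for illustration; substitute whatever the queries actually return. One caveat that follows directly from the advisory: NUMTOYMINTERVAL and NUMTODSINTERVAL are built-in SQL functions, not PL/SQL packages, so no REVOKE touches them; these steps only limit what an attacker can reach after exploiting them, and the patch is the only real fix.

```sql
-- Added example (not from the thread or the advisory): audit script for the
-- advisory's workaround list, using Oracle's standard data-dictionary views.
-- Run as a DBA. Object names in the remediation section are placeholders.

-- 0. Patch level. The thread disagrees on the fixed version (9.2.0.3 per NGS,
--    9.2.0.4 per Cesar), so compare the banner against the Metalink patch note
--    for your platform rather than trusting either number.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 1. Packages, procedures and functions executable by PUBLIC.
--    NUMTOYMINTERVAL/NUMTODSINTERVAL are built-in SQL functions and will not
--    appear here; they cannot be revoked, as the advisory states.
SELECT owner, table_name AS object_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
 ORDER BY owner, table_name;

-- 2. Directory objects (file-system access from inside the database) and who
--    holds READ/WRITE on them. Rows with a NULL grantee are unused candidates
--    for DROP DIRECTORY.
SELECT d.owner, d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.owner = d.owner
   AND p.table_name = d.directory_name
 ORDER BY d.directory_name, p.grantee;

-- 3. Accounts that are still open: review each against "lock users that
--    aren't used". CREATED helps spot installation-time accounts.
SELECT username, account_status, created, lock_date
  FROM dba_users
 WHERE account_status NOT LIKE '%LOCKED%'
 ORDER BY username;

-- 4. Well-known default accounts still open. SCOTT and OUTLN are examples,
--    not the full list of accounts an Oracle 9i install creates.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SCOTT', 'OUTLN')
   AND account_status = 'OPEN';

-- 5. Remediation matching the workaround list. UTL_FILE, EXPORT_DIR, SCOTT and
--    the new password are placeholders (assumptions for illustration): apply
--    the same statements to whatever queries 1-4 returned.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE READ, WRITE ON DIRECTORY export_dir FROM PUBLIC;
DROP DIRECTORY export_dir;
ALTER USER scott ACCOUNT LOCK;
ALTER USER scott IDENTIFIED BY Replace_This_With_A_Strong_Pw1;
```

Re-run queries 1 through 4 after the changes to confirm nothing granted to PUBLIC remains that the application does not need; the "restrict users from executing PL/SQL directly" item is an application-tier control (only let the application's own accounts connect, with the minimum grants) and has no single SQL statement equivalent.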
Current thread:
- Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Cesar (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Chris Anley (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Cesar (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Chris Anley (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Cesar (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Cesar (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Cesar (Feb 05)
- Re: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow Chris Anley (Feb 05)