Oracle security alerts

UPDATED 23-Jan-2005I have just been made aware of the new advisory released by Integrigy. The advisory is for the bugs Steve Kost and his company have found in the Oracle E-Business suite, the Oracle database and also in the Oracle application server. The advisory is http://www.integrigy.com/alerts/OraCPU0105.htm - (broken link) High Risk Security Issues in the Oracle Database and Oracle Applications Oracle Critical Patch Update – January 2005 and details multiple bugs in the Oracle spatial package MDSYS.MD2 and a Denial of service in the Oracle Forms server and also the Oracle Reports Server leaks database passwords. Finally Steve has found multiple SQL Injection issues in the Oracle E-Business Suite.

NEW Oracle have just released the first of the new quarterly security patch updates. These are named Critical Patch Updates or (CPU). Oracles advisory details bugs found by Pete Finnigan - my advisory is included here, Alexander Kornbrust who's advisory is titled Buffer Overflow in Create Database Link in Oracle8i - 9i. David Litchfield has also released an advisory to Bugtraq titled Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i. I could not find an advisory from Integrigy (Stephen Kost) yet. I will update this when i see one put out.

SQL Injection via CTXSYS.DRILOAD in Oracle 8i/9i

Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i – 9i

Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2

• Oracle wrapped procedure overflow (#NISR2122004J)


• Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)


• Oracle TNS Listener DoS (#NISR2122004F)


• Oracle ISQLPlus file access vulnerability (#NISR2122004E)


• Oracle clear text passwords (#NISR2122004D)


• Oracle extproc local command execution (#NISR23122004C)


• Oracle extproc directory traversal (#NISR23122004B)


• Oracle extproc buffer overflow (#NISR23122004A)


• Oracle Character Conversion Bugs (#NISR2122004G)


• Oracle Trigger Abuse (#NISR2122004I)

UPDATED 16-Sep-2004I have just updated the links to other researchers advisories for the Oracle alert #68 as Alex Kornbrust has added detailed advisories for the three bugs that he discovered that were also fixed in Oracle alert #68. Alex found a particularly interesting SQL Injection bug in the CTXSYS.DRILOAD package where it is possible to execute almost any SQL command for instance granting yourself the DBA role. This bug can be worked around by dropping the CTXSYS user if the functionality is not needed or by revoking the PUBLIC execute privileges from CTXSYS.DRILOAD. The second bug is in the DBMS_SYSTEM.KSDWRT package procedure. This procedure can be used to write records to the alert log or to trace files or both. The DBMS_SYSTEM.KSDWRT package procedure can cause the database to crash if it can be persuaded to buffer overflow. The work around for this bug is to ensure that no user has execute privileges on DBMS_SYSTEM. The final bug Alex found is with the built in function SYS_CONTEXT. If SYS_CONTEXT is passed a crafted overly long string it can be made to cause a buffer overflow. This is an issue on Windows platforms and for 9iR2. The three links to Alex's advisories have been added here.

NEW Oracle have last night released security advisory #68 which is the first of the new monthly patch releases to be expected from Oracle. This advisory and associated patches include fixes for many bugs from many different researchers. There is little detail on the Oracle advisory as to the exact nature of the issues.

Pete Finnigan found vulnerabilities in the new scheduler functionality in 10gR1. Our advisory is included here. The bugs were found in conjunction with Jonathan Gennick of O'Reilly and Alexander Kornbrust of Red-Database-Security.

NEW If you use Oracles application server 9iR1, 9iR2 or 10gR1 then you need to be aware of a format string vulnerability announced recent by the open source community along with a fix. mod_ssl used by Oracle uses the mod_proxy hook functions used by ssl_log() so you could be vulnerable.

Check out the link above for details on the bug and the open source patches to fix the issue. Talk to Oracle about a patch to fix your installation if you do not wish to use the open source patches. Oracle have not released an advisory on this yet but as this bug is in the public domain you should be aware of it.

ZDnet UK interview with David Litchfield

NEW Just last week David Litchfield spoke at the DEFCON conference in Las Vegas and revealed yet again new Oracle security bugs. He also spoke to the press after his presentation and told the press that he had found 34 security bugs in Oracle that he had made Oracle aware of these bugs in January and February this year and that Oracle have fixed the issues but not yet released patches. He also said that about 90% of these are serious bugs. i.e an escalation of database privileges or access to the server as a privileged user is possible. Read the two links above and see for yourself what David has to say.

NEW Stephen Kost of Integrigy Corporation has found multiple SQL Injection vulnerabilities in the Oracle E-Business Suite 11i and Oracle applications 11.0 These issues can be exploited remotely by adding SQL statements to URL's sent to the web server. Almost all versions of Oracle applications are vulnerable as Oracle installs the code for all product modules by default. A hacker can execute SQL statements or execute PL/SQL functions by entering them into input fields in a web page. Due to the design of Oracle applications these attacks can quickly be used to compromise the whole of the database or applications. Even worse if the application is Internet facing then a hacker can send a single specially crafted HTTP get or post to the web server and capture the database. It is also possible to evade IDS systems with these specially crafted URLs.

Apply the patches listed by Oracle if you user Oracle application or E-Business Suite. Also please visit Stephens site for more details on this and other alerts he has reported. He also has some excellent papers and free tools. This is advisory #67.

NEWS ITEMIt has become apparent recently that Oracle have moved the links to their security alerts page. Previously the link to the security alerts was on the front page of OTN. Now you need to click on the "Product centers" tab and then a link to the security alerts is on the right hand side. The URL of the alerts page has not changed and is still here.

UPDATED 18-Apr-2004Ioannis Migadakis [jmig@inaccessnetworks.com][jmig@mail.gr] has released a detailed advisory for one of the security issues addressed by this alert. Ioannis has given a very detailed description of this heap overflow vulnerability. It can be exploited remotely and some firewalls will not protect against it. Oracle advise that the patches available form metalink are applied immediately. The heap overflow exists in the webcached process. If an overly long HTTP header is sent as the HTTP request method then this issue can be triggered. Ioannis goes on to show an example of a 432 byte request being sent to a windows hosted web cache. Please have a look at Ioannis's advisory and apply the patches if you use webcache.

NEW Oracle have released, a couple of days ago on the 12th of March a new Oracle security advisory on Oracle application server web cache. Details of the versions and platforms affected are available in Oracles advisory. This issue is reported as severity 1. For the issue to be exploited Web Cache must be running and listening on the web cache listener port. The type of HTTP server used does not matter. The vulnerable request must be sent to the web cache, if it is sent direct to the HTTP server this is cannot be exploited. There are no details of the actual vulnerability other than its a request to the web cache. Oracle say that the patches available from metalink should be applied and that there are no suitable work around. Please visit metalink for the patch, this is the link patch. Oracle have not credited anyone with this discovery so it must be assumed to have been discovered internally or by contract staff. This is advisory #66

NEW Amit Klein of Sanctum Inc has discovered security vulnerabilities in the Oracle application server release 1 and 2 versions 9.0.2.1 and 9.0.3.0 and 9.0.3.1 and earlier. The issues also appear in the database server release 1 and 2 versions 9.0.1.4 and 9.2.0.2. The issues are in the processing of SOAP messages where Data Type Definitions (DTD's) have been prepared to exploit the XML. SOAP and xml are installed by default in both the application server and database server if the HTTP server is installed. Therefore many default installations will be vulnerable. The risk can be reduced by removing the SOAP jar file $ORACLE_HOME/soap/lib/soap.jar if SOAP is not needed. Otherwise patch the server asap. I could not find an advisory at this stage on the Sanctum web site. This will be added when found. This is advisory #65

NEW Security vulnerabilities have been discovered by David Litchfield in the Oracle 9iR2 and 9iR1 database servers. An authenticated user with the ability to execute SQL is required to exploit these vulnerabilities. Nextgenss has no advisory dated recently but it is assumed that these vulnerabilities are included in an earlier one. They sound like SQL buffer overflow issues. These issues cannot be worked around due the nature of SQL being a core part of the Oracle database server. This is Oracles advisory #64.

NEW Alexander Kornbrust has discovered 11 vulnerabilities in Oracle 9i Lite 5. These have all been patched. The key differences between Alex's advisory and Oracles is that Alex tells us in the history section of his advisory that there are 11 vulnerabilities and also that one of the bugs can be exploited without a valid account. Oracle say that a valid account is requird for these bugs to be exploited. If you use this product please install the patch from metalink asap. Oracle are not intending to patch versions 5.0.0.0.0 or 5.0.1.0.0 and advise customers to upgrade to 5.0.2.0.0 before applying the patches. This is Oracle alert #63.