Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Red Database Security releases security advisories for high risk unfixed Oracle bugs



Today Alex Kornbrust released six new advisories for security bugs that Oracle has not fixed, despite having known about them for close to two years: the longest reporting-to-disclosure period is 718 days and the shortest 663 days. Three of the bugs are high risk, two are medium risk and one is low risk.

This is what Alex said in his announcement:

"3 months ago (15-april-2005) I informed the Oracle Security Team (secalert_us@oracle.com) that I would publish bug details if the bugs were not fixed with the next critical patch update (CPU July 2005). I know that Oracle products are complex and good patch quality needs some time. That's why I offered Oracle additional time if 3 months were not sufficient for fixing the bugs. Oracle never asked for more time.

Oracle's behaviour in not fixing critical security bugs for a long time (over 650 days) is not acceptable for their customers. Oracle puts their customers in danger. At least one critical vulnerability can be abused by any attacker via the internet.

I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories.

Kind Regards

Alexander Kornbrust"



The bug details are:

"Overwrite any file via desname in Oracle Reports" - high risk - an attacker can overwrite any file on the application server (on Windows) or any file owned by the Oracle software owner (on Unix). Alex provides a workaround but no exploit, although the exploit is obvious.

"Run any OS Command via unauthorized Oracle Forms" - high risk - an attacker can create a specially crafted form that runs OS commands as the application server owner. The attacker first needs to upload the form, but once that is done complete control of the server is possible. Alex gives an example and a workaround.

"Run any OS Command via unauthorized Oracle Reports" - high risk - this issue is essentially the same as the one above, but this time for the Reports server. Again Alex gives an example and workarounds.

"Read parts of any file via desformat in Oracle Reports" - medium risk - in this bug the desformat parameter can be used to read parts of any file on the server. Alex gives an example and a potential workaround.

"Read parts of any XML-file via customize parameter in Oracle Reports" - medium risk - the CUSTOMIZE parameter can be used to read parts of any XML file on the server. Again Alex gives an example and also a workaround.

"Various Cross-Site-Scripting Vulnerabilities in Oracle Reports" - low risk - in this advisory Alex shows four examples and this time offers no workaround.
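Three of the advisories above turn on the value passed in a Reports URL parameter (desname, desformat, CUSTOMIZE), so until Oracle ships a fix the practical thing a site can do, beyond applying the workarounds, is to watch its web logs for requests that feed those parameters a file path. The script below is an added example written for this post; it is not code from Pete Finnigan, from Red Database Security or from the advisories. It assumes the Reports servlet is reachable under a URL path containing "rwservlet" (a common default, but site specific) and that the log is in Apache combined format; the log lines in SAMPLE_LOG are constructed, not a real capture.

```python
"""Scan web-server access logs for Oracle Reports requests whose desname,
desformat or CUSTOMIZE parameters carry a file path.

Added example for this post; not code from the original page or from the
Red Database Security advisories. Assumptions: the Reports servlet is served
under a URL path containing "rwservlet" (common default, site specific), and
the log is Apache combined format. SAMPLE_LOG is constructed, not captured.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters named in the advisories (compared case-insensitively).
WATCHED = ("desname", "desformat", "customize")

# Values that look like a file path rather than a plain format name:
# Windows drive paths, Unix absolute paths, UNC paths, directory traversal.
PATH_RE = re.compile(r"^[a-zA-Z]:[\\/]|^/|^\\\\|\.\.[\\/]")

# Apache combined log line: ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines: one legitimate Reports request, three that pass a
# path in a watched parameter (the last one double URL-encoded), and one
# unrelated request that must be ignored.
SAMPLE_LOG = r"""
10.0.0.5 - - [20/Jul/2005:10:12:01 +0100] "GET /reports/rwservlet?report=sales.rdf&destype=cache&desformat=pdf HTTP/1.1" 200 5123
203.0.113.7 - - [20/Jul/2005:10:13:44 +0100] "GET /reports/rwservlet?report=sales.rdf&destype=file&desname=C:\temp\x.htm&desformat=html HTTP/1.1" 200 412
203.0.113.7 - - [20/Jul/2005:10:14:02 +0100] "GET /reports/rwservlet?report=x.rdf&desformat=/etc/passwd HTTP/1.1" 500 0
203.0.113.7 - - [20/Jul/2005:10:14:30 +0100] "GET /reports/rwservlet?report=x.rdf&CUSTOMIZE=..%252F..%252F..%252Fetc%252Fhosts HTTP/1.1" 200 99
10.0.0.9 - - [20/Jul/2005:10:15:00 +0100] "GET /index.html?desname=/etc/passwd HTTP/1.1" 200 1200
""".strip()


def suspicious_params(url):
    """Return {param: decoded_value} for watched parameters whose value looks
    like a file path; return {} for URLs that are not Reports requests."""
    parts = urlsplit(url)
    if "rwservlet" not in parts.path.lower():  # assumption: servlet path
        return {}
    found = {}
    for name, values in parse_qs(parts.query).items():
        lname = name.lower()
        if lname not in WATCHED:
            continue
        for value in values:
            # parse_qs already decoded once; decode again so a
            # double-encoded traversal string is not missed.
            decoded = unquote(value)
            if PATH_RE.search(decoded):
                found[lname] = decoded
    return found


def scan_log(text):
    """Parse log lines and return one finding per suspicious request,
    keeping the HTTP status so a 200 on a write can be triaged first."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = suspicious_params(m.group("url"))
        if params:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "params": params,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["params"])
```

Findings are for review, not proof of compromise: a legitimate destype=file request also carries a path in desname, so compare the flagged paths against the output directories your reports are expected to write to, and treat absolute paths outside them, traversal sequences and anything aimed at a web root or the Oracle home as hostile.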

This is a significant announcement: Alex has told us about six security bugs that are not fixed (let's re-iterate, these are not fixed), and he tells us that Oracle is not interested in fixing them. If you use Oracle Forms or Oracle Reports, or any product that uses them in the background, then you need to be aware of these bugs, as your systems are in danger. Please use the workarounds suggested and ask Oracle for proper patches. If your systems are internet facing, be aware that each of these advisories includes enough information to exploit the bug, and that attackers will find your systems using Google hacking techniques.