SQL Injection in package DBMS_AQIN

2009-04-16 Thread ak
Name              SQL Injection in package DBMS_AQIN [CVE-2009-0992]
Systems Affected  Oracle 10.1.0.5 - 11.1.0.7
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
CVE               CVE-2009-0992
Advisory          14 April 2009 (V 1.00)

Details:
The package DBMS_AQIN contains a SQL injection vulnerability in the procedure DEQ_EXEJOB.
Additional information is available in the following advisory.


Advisory:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html


Patch Information:
Apply the patches for Oracle CPU April 2009.


Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle 
CPU April 2009 and can identify vulnerable databases. More information about Repscan 
can be found here:
http://www.sentrigo.com/repscan


History:
14-apr-2009 Oracle published CPU April 2009 [CVE-]
14-apr-2009 Advisory published


About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security. Within the last 
6 years we reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com


Unprivileged DB users can see APEX password hashes

2009-04-16 Thread ak
Name              Unprivileged DB users can see APEX password hashes
Systems Affected  APEX 3.0 (optional component of 11.1.0.7 installation)
Severity          High Risk
Category          Password Disclosure
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
CVE               CVE-2009-0981
Advisory          14 April 2009 (V 1.00)


Details:
Unprivileged database users can see APEX password hashes in 
FLOWS_03.WWV_FLOW_USERS:

SQL> select user_name, web_password2 from FLOWS_03.WWV_FLOW_USERS;

USER_NAME   WEB_PASSWORD2
----------  --------------------------------
YURI        141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.


Additional information is available in the following advisory.


Advisory:
http://www.red-database-security.com/advisory/apex_password_hashes.html


Patch Information:
Upgrade to Oracle APEX 3.2.


Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle 
CPU April 2009 and can identify vulnerable databases. More information about Repscan 
can be found here:
http://www.sentrigo.com/repscan


History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published



--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com


SQL Injection in package DBMS_AQADM_SYS

2009-04-16 Thread ak
Name              SQL Injection in package DBMS_AQADM_SYS [CVE-2009-0977]
Systems Affected  Oracle 9.2.0.8 - 10.2.0.3
Severity          Medium Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Franz Hüll (fh at red-database-security.com)
CVE               CVE-2009-0977
Advisory          14 April 2009 (V 1.00)


Details:
The package DBMS_AQADM_SYS contains a SQL injection vulnerability in the procedure 
GRANT_TYPE_ACCESS.

Additional information is available in the following advisory.

Advisory:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html


Patch Information:
Apply the patches for Oracle CPU April 2009.


Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle 
CPU April 2009 and can identify vulnerable databases. More information about Repscan 
can be found here:
http://www.sentrigo.com/repscan


History:
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0977]
14-apr-2009 Advisory published




--
(c) 2009 by Red-Database-Security GmbH
http://www.red-database-security.com


Oracle - SQL Injection in package SDO_GEOM [DB06]

2008-04-16 Thread ak
Systems Affected   9i Rel. 1 - 10g Rel. 2

Severity   High Risk

Category   SQL Injection

Vendor URL http://www.oracle.com/

Author Alexander Kornbrust

Advisory   16 April 2008 (V 1.00)

Advisory URL   
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_geom.html

Details

The package SDO_GEOM is vulnerable to SQL injection.



Patch Information

Apply the patches for Oracle CPU April 2008.



History

6-jun-2007 Oracle secalert was informed

15-apr-2008 Oracle published CPU April 2008 [DB06]

16-apr-2008 Advisory published



© 2008 by Red-Database-Security GmbH

http://www.red-database-security.com


Oracle - SQL Injection in package SDO_IDX [DB07]

2008-04-16 Thread ak


Systems Affected   9i Rel. 1 - 11g Rel. 1

Severity   High Risk

Category   SQL Injection

Vendor URL http://www.oracle.com/

Author Alexander Kornbrust

Advisory   16 April 2008 (V 1.00)

Advisory URL   
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_idx.html


Details

The package SDO_IDX is vulnerable to SQL injection.



Patch Information

Apply the patches for Oracle CPU April 2008.



History

6-jun-2007 Oracle secalert was informed

15-apr-2008 Oracle published CPU April 2008 [DB07]

16-apr-2008 Advisory published



© 2008 by Red-Database-Security GmbH

http://www.red-database-security.com


Oracle - SQL Injection Vulnerability in SDO_UTIL [DB05]

2008-04-16 Thread ak
Systems Affected   10g Rel. 1, 10g Rel. 2

Severity   High Risk

Category   SQL Injection

Vendor URL http://www.oracle.com/

Author Alexander Kornbrust

Advisory   16 April 2008 (V 1.00)

Advisory URL   
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_util.html


Details

The package SDO_UTIL is vulnerable to SQL injection.



Patch Information

Apply the patches for Oracle CPU April 2008.



History

6-jun-2007 Oracle secalert was informed

15-apr-2008 Oracle published CPU April 2008 [DB05]

16-apr-2008 Advisory published



© 2008 by Red-Database-Security GmbH

http://www.red-database-security.com


Oracle - Hardcoded Password and Password Reset of OUTLN User [DB13]

2008-04-16 Thread ak


Systems Affected   9i Rel. 1 - 10g Rel. 2

Severity   High Risk

Category   Hardcoded Default Password / Password Reset

Vendor URL http://www.oracle.com/

Author Alexander Kornbrust

Advisory   16 April 2008 (V 1.00)

Advisory URL   
http://www.red-database-security.com/advisory/oracle_outln_password_change.html




Details

During the creation of a materialized view the package DBMS_STATS_INTERNAL is 
called and resets the password of the user OUTLN to OUTLN and grants DBA 
privileges to this user. 


[...]

GRANT_DBA_OUTLN:= 'grant dba to outln identified by outln';

[...]

GRANT_DBA_OUTLN:= 'grant on commit refresh to outln identified by outln';

[...]


Many people are not aware that the GRANT command (e.g. GRANT CONNECT TO SYS 
IDENTIFIED BY ALEX) can be used to change a user's password in Oracle instead of 
the ALTER USER command. It is a bad idea to hardcode passwords, and it took 
only one year to fix this issue. 


In most Oracle default installations the account OUTLN is locked, but some 
security guidelines (e.g. Oracle Practical Security from Syngress) recommend 
unlocking the account OUTLN and setting an invalid password (to avoid the error 
message ORA-28000 account is locked). 

Following this advice leaves the account unlocked, so as soon as a materialized 
view is created the database contains an open default user with a default 
password and DBA privileges (OUTLN/OUTLN). 
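The two points above (GRANT ... IDENTIFIED BY silently resets a password, and an unlocked OUTLN becomes an open DBA account once the reset fires) as an added SQL example. This is not code from the advisory or from Oracle; it assumes a throw-away test database, a DBA session, and the hypothetical user name rds_test.

```sql
-- Added example, not code from the advisory or from Oracle.  Run as a DBA in a
-- throw-away test database.  The user name rds_test is hypothetical.

-- 1. GRANT ... IDENTIFIED BY changes a password exactly as ALTER USER does.
CREATE USER rds_test IDENTIFIED BY first_pw;
GRANT CREATE SESSION TO rds_test;
-- Looks like a harmless re-grant, but the IDENTIFIED BY clause resets the
-- password: CONNECT rds_test/first_pw now fails with ORA-01017, while
-- CONNECT rds_test/second_pw succeeds.
GRANT CREATE SESSION TO rds_test IDENTIFIED BY second_pw;
DROP USER rds_test;

-- 2. Detection: is OUTLN (or any account besides SYS/SYSTEM) open and holding
--    the DBA role?  The reset described in the advisory leaves exactly this
--    picture behind.
SELECT u.username,
       u.account_status,
       u.lock_date,
       CASE WHEN r.granted_role IS NULL THEN 'no' ELSE 'yes' END AS has_dba
FROM   dba_users u
       LEFT JOIN dba_role_privs r
              ON r.grantee = u.username
             AND r.granted_role = 'DBA'
WHERE  u.username = 'OUTLN'
   OR  (r.granted_role = 'DBA' AND u.username NOT IN ('SYS', 'SYSTEM'))
ORDER  BY u.username;

-- 3. Who can trigger the reset?  Creating a materialized view needs one of
--    these system privileges, so their grantees are the population that can
--    turn OUTLN into OUTLN/OUTLN with DBA on an unpatched system.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE MATERIALIZED VIEW', 'CREATE ANY MATERIALIZED VIEW')
ORDER  BY grantee;

-- 4. Remediation after the reset has fired (in addition to applying the CPU):
--    drop the role again, set a password nobody knows, and keep the account
--    locked rather than merely "invalid".  The password below is a placeholder.
REVOKE DBA FROM outln;
ALTER USER outln IDENTIFIED BY "Ch4nge-Me-To-Something-Random" ACCOUNT LOCK;
```

The detection query is worth scheduling, not running once: the reset re-fires on every materialized view creation on an unpatched system, so a clean result today says nothing about tomorrow.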


I found this vulnerability during the search for backdoors in Oracle databases 
for the Oracle malware report of our vulnerability scanner Repscan. I was 
looking for strings like 'grant dba to' and found that dbms_stats_internal 
is executing these commands in an internal package. In Oracle 9i you can find 
these strings using the grep command in $ORACLE_HOME/rdbms/admin because 
string literals are not encrypted in wrapped 9i PL/SQL code. 


BTW: During this research I found also 3 Oracle procedures modifying the Oracle 
Audit-Table (Insert/Update/Delete rows from SYS.AUD$). I think procedures 
modifying the Audit-Log (especially delete and update) are a bad coding 
practice.



Patch Information

Apply the patches for Oracle CPU April 2008.



History

4-apr-2007 Oracle secalert was informed

15-apr-2008 Oracle published CPU April 2008 [DB13]

16-apr-2008 Advisory published




Re: Oracle 11g Password algorithm revealed

2007-09-24 Thread ak
Different people identified the algorithm at the same time.

Recurity Labs GmbH (Tnx to Thorsten Schröder and Fx) did the research for us. A 
very interesting analysis about the 11g password algorithm can be found at the 
following URL:

http://www.phenoelit.net/lablog/oracle.sl


Regards

 Alexander Kornbrust
 www.red-database-security.com




Oracle Security: Insert / Update / Delete Data via Views

2007-07-18 Thread ak
Insert / Update / Delete Data via Views
###

This advisory 
http://www.red-database-security.com/advisory/oracle_view_vulnerability.html

Name Insert / Update / Delete Data via Views [DB17]
Systems  Oracle 8i - 10g Rel. 2
Severity High Risk
Category Bypass Access Control
Author   Alexander Kornbrust (ak at red-database-security.com)
Advisory 17 July 2007 (V 1.00)


Details

Updates, deletes and inserts are possible via specially crafted views without 
having the right privileges.

This vulnerability is not identical with the similar vulnerabilities fixed with 
the April 2006 CPU and the October 2006 CPU.


Samples
###
delete from (specially crafted view)
insert into (specially crafted view)
update (specially crafted view)

Testcases will be released if we can verify that the problem is really fixed.


Patch Information
#
Apply the patches for Oracle CPU July 2007.


History
###
24-oct-2006 Oracle secalert was informed
25-oct-2006 Bug confirmed
18-jul-2007 Oracle published CPU July 2007 [DB17]
18-jul-2007 Advisory published


Analysis and CVE entries of the Oracle CPU
###
http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html

(c) 2007 by Red-Database-Security GmbH - last update 17-jul-2007



Oracle Security: SQL Injection in package DBMS_PRVTAQIS

2007-07-18 Thread ak
SQL Injection in package DBMS_PRVTAQIS
##
This advisory 
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_prvtaqis.html

Name SQL Injection in package DBMS_PRVTAQIS [DB02]
Systems  Oracle 9i Rel.1 - 10g Rel. 1
Severity High Risk
Category SQL Injection
Author   Alexander Kornbrust (ak at red-database-security.com)
Advisory 17 July 2007 (V 1.00)


Details
###
The package DBMS_PRVTAQIS contains a SQL injection vulnerability.


Patch Information
#
Apply the patches for Oracle CPU July 2007.


History
###
1-nov-2005 Oracle secalert was informed
17-jul-2007 Oracle published CPU July 2007 [DB02]
17-jul-2007 Advisory published


Analysis and CVE entries of the Oracle CPU
###
http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html



(c) 2007 by Red-Database-Security GmbH




Oracle Security: SQL Injection in APEX CHECK_DB_PASSWORD

2007-07-18 Thread ak
SQL Injection Vulnerability in Oracle APEX CHECK_DB_PASSWORD
###
This advisory
http://www.red-database-security.com/advisory/oracle_apex_sql_injection_check_db_password.html

Name     SQL Injection Vulnerability in Oracle APEX CHECK_DB_PASSWORD
Systems  Oracle APEX
Severity Medium Risk
Category SQL Injection
Author   Alexander Kornbrust (ak at red-database-security.com)
Date     17 July 2007 (V 1.00)


Details

The function wwv_flow_security.check_db_password contains a SQL injection 
vulnerability. Oracle builds an ALTER USER command to change the password of a 
database user without validating the password parameter (a typical Oracle 
PL/SQL programming fault).

APEX 3.0.1 now validates the user password. APEX 3.0.1 is used in Oracle 11g.


Old, vulnerable code

FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2) RETURN BOOLEAN IS
BEGIN
  IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN RETURN FALSE; END IF;
  BEGIN
    [...]
  EXCEPTION WHEN NO_DATA_FOUND THEN RETURN FALSE; END;
  BEGIN
    [...]
  EXCEPTION WHEN NO_DATA_FOUND THEN RETURN FALSE; END;
  L_STMT := 'ALTER USER ' || P_USER_NAME || ' IDENTIFIED BY "' || P_PASSWORD || '"';
  EXECUTE IMMEDIATE L_STMT;


New code

Oracle is now doing a length check of the password (30 characters). Good idea. 
I'm interested to see if this is changed in 11g where passwords up to 50 
characters are allowed. One part of the input validation is stupid code: if the 
password contains the string chr(34), Oracle throws an error message, but 
chr(34) inside a password is never executed. Even if this code were executed, 
the check could be bypassed quite easily (e.g. chr( 34), chr(34 ), chr(35-1), ...).


FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2) RETURN BOOLEAN IS
BEGIN
  IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN RETURN FALSE; END IF;
  IF LENGTH(P_PASSWORD) > 30 OR INSTR(P_PASSWORD, '"') > 0 OR
     INSTR(LOWER(P_PASSWORD), 'chr(34)') > 0 THEN RETURN FALSE; END IF;
  BEGIN
    [...]
  EXCEPTION WHEN NO_DATA_FOUND THEN RETURN FALSE; END;
  BEGIN
    [...]
  EXCEPTION WHEN NO_DATA_FOUND THEN RETURN FALSE; END;
  L_STMT := 'ALTER USER ' || P_USER_NAME || ' IDENTIFIED BY "' || P_PASSWORD || '"';
  EXECUTE IMMEDIATE L_STMT;
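As an added example (not APEX code), the following PL/SQL shows the vulnerable statement construction beside a hardened one. DDL such as ALTER USER cannot take bind variables, so the password has to be spliced into the statement text; the fix is to force both parameters into single quoted tokens with DBMS_ASSERT.ENQUOTE_NAME. The function names, the sample inputs and the SERVEROUTPUT demo are assumptions of this example.

```sql
-- Added example, not APEX code.  Function names and inputs are hypothetical.

-- Vulnerable shape (what the old APEX code does): plain concatenation.
-- A double quote in the password closes the quoted token and whatever
-- follows is parsed as further ALTER USER clauses.
CREATE OR REPLACE FUNCTION build_alter_user_unsafe (
    p_user_name VARCHAR2, p_password VARCHAR2) RETURN VARCHAR2 IS
BEGIN
    RETURN 'ALTER USER ' || p_user_name || ' IDENTIFIED BY "' || p_password || '"';
END;
/

-- Hardened shape: DBMS_ASSERT.ENQUOTE_NAME wraps each value in double quotes
-- and raises an exception if the value already contains a double quote, so a
-- caller can never close the token.  capitalize=TRUE for the user name keeps
-- the usual upper-case resolution ("SCOTT"); capitalize=FALSE for the password
-- keeps it exactly as typed.  The 30-character limit mirrors pre-11g passwords.
CREATE OR REPLACE FUNCTION build_alter_user_safe (
    p_user_name VARCHAR2, p_password VARCHAR2) RETURN VARCHAR2 IS
BEGIN
    IF p_user_name IS NULL OR p_password IS NULL OR LENGTH(p_password) > 30 THEN
        RAISE_APPLICATION_ERROR(-20001, 'invalid user name or password');
    END IF;
    RETURN 'ALTER USER '
        || DBMS_ASSERT.ENQUOTE_NAME(p_user_name, TRUE)
        || ' IDENTIFIED BY '
        || DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE);
END;
/

-- Demo: a password that closes the quoted token and appends a second clause.
SET SERVEROUTPUT ON
DECLARE
    l_evil VARCHAR2(200) := 'pw" ACCOUNT UNLOCK --';
BEGIN
    -- statement text the vulnerable version would hand to EXECUTE IMMEDIATE:
    --   ALTER USER scott IDENTIFIED BY "pw" ACCOUNT UNLOCK --"
    DBMS_OUTPUT.PUT_LINE(build_alter_user_unsafe('scott', l_evil));

    -- the same input through the hardened version is rejected
    BEGIN
        DBMS_OUTPUT.PUT_LINE(build_alter_user_safe('scott', l_evil));
    EXCEPTION
        WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
    END;

    -- a benign password survives as one quoted token:
    --   ALTER USER "SCOTT" IDENTIFIED BY "Correct-Horse-2007"
    DBMS_OUTPUT.PUT_LINE(build_alter_user_safe('scott', 'Correct-Horse-2007'));
END;
/
```

The builders return the statement text instead of executing it so the two shapes can be compared without touching any account; in the real function the returned string is what goes to EXECUTE IMMEDIATE. Note that the APEX fix shown above only checks the password; the user name is concatenated just the same and deserves the same treatment.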



Affected Products
#
This bug is fixed with APEX 3.0.1, which is not part of the Critical Patch 
Update July 2007. It is necessary to upgrade your APEX installation to 3.0.1 or 
higher.

Patch Information
#
This bug is fixed with Apex 3.0.1 or higher.



History
###
07-may-2007 Oracle secalert was informed
07-may-2007 Bug confirmed
29-jun-2007 Oracle released APEX 3.0.1
17-jul-2007 Oracle published CPU July 2007 and recommends to update to 3.0.1
17-jul-2007 Red-Database-Security published this advisory


Analysis and CVE entries of the Oracle CPU
###
http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html


(c) 2007 by Red-Database-Security GmbH


Advisory: Bypass Oracle Logon Trigger

2007-04-18 Thread ak
Name              Bypass Oracle Logon Trigger (7826485) [DB05]
Systems Affected  Oracle 8-10g Rel. 2
Severity          High Risk
Category          Bypass Security Feature (Database Logon Trigger)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          17 April 2007 (V 1.00)


Details
###
It is possible to bypass the Oracle database logon trigger. This can cause 
severe security problems.

Oracle database logon triggers are often used to restrict user access (e.g. 
based on time or IP address) and/or to write audit entries into (custom) tables. 
On unpatched systems these controls can be bypassed.

This advisory is available at
http://www.red-database-security.com/advisory/bypass_oracle_logon_trigger.html

Patch Information
#
Apply the patches for Oracle CPU April 2007.


History
###
07-jun-2006 Oracle secalert was informed
08-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published


Additional Information
##
An analysis of the Oracle CPU April 2007 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the 
latest information.


(c) 2007 by Red-Database-Security GmbH
--
http://www.red-database-security.com


Advisory: SQL Injection in package SYS.DBMS_AQADM_SYS

2007-04-18 Thread ak
Name              SQL Injection in package SYS.DBMS_AQADM_SYS [DB04]
Systems Affected  Oracle 8i-10g Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          17 April 2007 (V 1.00)


Details
###
The package DBMS_AQADM_SYS contains SQL injection vulnerabilities.

This advisory is available at
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html


Patch Information
#
Apply the patches for Oracle CPU April 2007.


History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB04]
17-apr-2007 Advisory published


Additional Information
##
An analysis of the Oracle CPU April 2007 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the 
latest information.


(c) 2007 by Red-Database-Security GmbH
--
http://www.red-database-security.com


Advisory: XSS Vulnerability in Oracle Secure Enterprise Search [SES01]

2007-04-18 Thread ak
Name              Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search
Systems Affected  Oracle Secure Enterprise Search (SES) 10.1.6
Severity          Medium Risk
Category          Cross Site Scripting (XSS/CSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              17 April 2007 (V 1.00)


Details
###
Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables 
a secure, high quality, easy-to-use search across all enterprise information 
assets.

The parameter EXPTYPE in boundary_rules.jsp contains a cross site scripting 
vulnerability.

This advisory is available at
http://www.red-database-security.com/advisory/oracle_css_ses.html


Exploit
###
http://ses10106:/search/admin/sources/boundary_rules.jsp?event=deleteIncludeRule&p_src=web&p_mode=edit&p_id=3&pattern=rds&expType=%3Cscript%3Ealert(document.cookie)%3C/script%3ECC_SIMPLE_INCLUSION'


Affected Products
#
Oracle Secure Enterprise Search


Patch Information
#
Please upgrade to the latest version of SES or apply CPU April 2007.



History
###
05-Apr-2005 Oracle secalert was informed
06-Apr-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007
17-apr-2007 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU April 2007 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the 
latest information.


(c) 2007 by Red-Database-Security GmbH
--
http://www.red-database-security.com


Advisory: Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet [AS01]

2007-04-18 Thread ak
Name              Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01]
Systems Affected  Oracle Discoverer Servlet
Severity          Low Risk
Category          Remote D.o.S.
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          17 April 2007 (V 1.00)


Details
###
The Oracle Discoverer Servlet contains a field for the database/TNS alias. It 
is possible to send TNS STOP commands via this field and to shut down an 
unprotected Oracle TNS Listener (one that accepts administrative commands 
without a listener password).

This advisory is available at
http://www.red-database-security.com/advisory/oracle_discoverer_servlet.html


Patch Information
##
Apply the patches for Oracle CPU April 2007.


History
###
28-oct-2003 Oracle secalert was informed
29-oct-2003 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [AS01]
17-apr-2007 Advisory published


Additional Information
##
An analysis of the Oracle CPU April 2007 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

This document will be updated during the next few days and weeks with the 
latest information.


(c) 2007 by Red-Database-Security GmbH
--
http://www.red-database-security.com


SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL

2006-10-24 Thread ak
Name              SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL (6980745) [DB10]
Systems Affected  Oracle 8i-10g Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_sqltune_internal.html

Details
###
The package DBMS_SQLTUNE_INTERNAL contains SQL injection vulnerabilities in 
I_SET_TUNING_PARAMETER and SELECT_SQLSET. Oracle fixed this by using bind 
variables in the dynamic SQL statements.


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
1-nov-2005 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB10]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


Modify Data via Inline Views

2006-10-24 Thread ak
Name              Modify Data via Inline Views (8107967) [DB09]
Systems Affected  Oracle 9i - 10g Rel. 2
Severity          High Risk
Category          Unauthorized Access
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_modify_data_via_inline_views.html

Details
###
Updates, deletes and inserts are possible with minimal privileges via inline 
views. A user with CREATE SESSION only can insert/update/delete data (e.g. in 
the DUAL table). This bug is similar but not identical to the bug fixed in the 
July 2006 CPU (Modify Data via Views). No workarounds are available.


Samples
###
delete from (specially crafted inline view)
insert into (specially crafted inline view)
update (specially crafted inline view)


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
24-jul-2006 Oracle secalert was informed about a variant of the create view bug.
18-oct-2006 Oracle published CPU October 2006 [DB09]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES

2006-10-23 Thread ak
Name              SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Systems Affected  Oracle APEX/HTMLDB
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_apex_sql_injection_wwv_flow_utilities.html

Details
###
The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL 
injection vulnerability. Depending on the APEX application it is possible to 
inject custom SQL statements. The entire SQL statement is passed in the URL 
parameter P_LOV. To protect the SELECT statement in the URL Oracle uses an MD5 
checksum (P_LOV_CHECKSUM). By modifying the SQL statement and recalculating the 
MD5 checksum it is possible to run custom SQL statements from the URL.

Sample URL:
http://apex:/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064
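Why recalculating the checksum works, and what a checksum that cannot be recalculated looks like, as an added example in PL/SQL (not APEX code). It assumes that P_LOV_CHECKSUM is an unkeyed MD5 over the P_LOV text, which is what the advisory's description implies; the function names, the server-side key and the sample statements are hypothetical, and the schema running it needs EXECUTE on DBMS_CRYPTO.

```sql
-- Added example, not APEX code.  Assumes the checksum is an unkeyed MD5 over
-- the statement text; function names, key and statements are hypothetical.

-- Unkeyed: anyone who can read the URL can produce a matching checksum for a
-- statement of their own choosing, because nothing in the computation is
-- secret.
CREATE OR REPLACE FUNCTION lov_checksum_md5 (p_lov VARCHAR2) RETURN VARCHAR2 IS
BEGIN
    RETURN RAWTOHEX(DBMS_CRYPTO.HASH(UTL_I18N.STRING_TO_RAW(p_lov, 'AL32UTF8'),
                                     DBMS_CRYPTO.HASH_MD5));
END;
/

-- Keyed: an HMAC with a secret that never leaves the database.  A modified
-- p_lov cannot be paired with a valid checksum without the key.
CREATE OR REPLACE FUNCTION lov_checksum_hmac (p_lov VARCHAR2) RETURN VARCHAR2 IS
    -- hypothetical secret; in practice load it from a protected table or wallet
    c_key CONSTANT RAW(32) := UTL_I18N.STRING_TO_RAW('server-side-secret-0123', 'AL32UTF8');
BEGIN
    RETURN RAWTOHEX(DBMS_CRYPTO.MAC(UTL_I18N.STRING_TO_RAW(p_lov, 'AL32UTF8'),
                                    DBMS_CRYPTO.HMAC_SH1, c_key));
END;
/

-- Server-side verification before the LOV statement is executed.
CREATE OR REPLACE FUNCTION lov_is_authentic (p_lov VARCHAR2, p_checksum VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    RETURN UPPER(p_checksum) = lov_checksum_hmac(p_lov);
END;
/

SET SERVEROUTPUT ON
DECLARE
    l_orig VARCHAR2(200) := 'select cust_last_name d, customer_id r from demo_customers';
    l_evil VARCHAR2(200) := 'select username d, user_id r from all_users';
BEGIN
    -- the attacker swaps the statement and recomputes the unkeyed checksum;
    -- a server that only checks MD5 accepts this pair without complaint
    DBMS_OUTPUT.PUT_LINE('md5 for modified lov : ' || lov_checksum_md5(l_evil));

    -- with the keyed check the legitimate pair still passes ...
    DBMS_OUTPUT.PUT_LINE('original accepted    : '
        || CASE WHEN lov_is_authentic(l_orig, lov_checksum_hmac(l_orig))
                THEN 'yes' ELSE 'no' END);
    -- ... but the best an attacker can attach to the swapped statement is its
    -- MD5, which the HMAC comparison rejects
    DBMS_OUTPUT.PUT_LINE('modified accepted    : '
        || CASE WHEN lov_is_authentic(l_evil, lov_checksum_md5(l_evil))
                THEN 'yes' ELSE 'no' END);
END;
/
```

The keyed checksum closes the recalculation hole, but the cleaner design is to never carry SQL in the URL at all: keep the LOV definitions server-side and pass only an identifier, so there is nothing for the client to modify.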



Affected Products
#
This bug is fixed with APEX 2.2, which is not part of the Critical Patch 
Update October 2006. It is necessary to upgrade your APEX/HTMLDB installation 
to 2.2 or, better, 2.2.1.

Patches are currently not available for Oracle Application Express.

Patch Information
#
This bug is fixed with Apex 2.2 or higher.



History
###
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends to update to 2.2.1
18-oct-2006 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP

2006-10-23 Thread ak
Name              Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP
Systems Affected  Oracle APEX/HTMLDB
Severity          Medium Risk
Category          Cross Site Scripting (XSS/CSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html

Details
###
The package WWV_FLOW_ITEM_HELP contains a cross site scripting vulnerability.

Affected Products
#
Oracle APEX/HTMLDB < 2.2.1

Patch Information
#
This bug is fixed with the patch 2.2.1 of APEX which is not part of the 
Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB 
installation to 2.2.1. Patches are currently not available for Oracle 
Application Express.



History
###
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection in package XDB.DBMS_XDBZ0

2006-10-23 Thread ak
Name              SQL Injection in package XDB.DBMS_XDBZ0 [DB01]/[DB15]
Systems Affected  Oracle 9i Rel.2 - 10g Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html

Details
###
The package XDB.DBMS_XDBZ0 contains SQL injection vulnerabilities in the 
procedures enable_hierarchy_internal [DB01] and disable_hierarchy_internal [DB15]. 
Oracle fixed this problem by using bind variables and verifying table names.


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
1-nov-2005 Oracle secalert was informed about both bugs.
18-oct-2006 Oracle published CPU October 2006 [DB01], [DB15]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection in package SYS.DBMS_CDC_IMPDP

2006-10-23 Thread ak
Name              SQL Injection in package SYS.DBMS_CDC_IMPDP [DB04]
Systems Affected  Oracle 10g
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp2.html


Details
###
The package SYS.DBMS_CDC_IMPDP contains SQL injection vulnerabilities. Oracle 
fixed this by using dbms_assert.


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
1-nov-2005 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB04]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


SQL Injection in Oracle package MDSYS.SDO_LRS

2006-10-23 Thread ak
Name              SQL Injection in package MDSYS.SDO_LRS (7569081) [DB13]
Systems Affected  Oracle 9i Rel. 2
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_lrs.html

Details
###
The package MDSYS.SDO_LRS contains a SQL injection vulnerability in the first 
parameter of convert_to_lrs_layer. Oracle forgot to fix this problem with the 
April CPU. Oracle fixed these vulnerabilities with the package DBMS_ASSERT. To 
exploit this vulnerability it is necessary to have the privilege to create a 
PL/SQL function.


Sample
##
After running the following SQL statement

  select sdo_lrs.convert_to_lrs_layer(''' or 5=5--''','RDS','A',1,1,1,1) from dual;

the following SQL statement will be executed by Oracle:

  SELECT COUNT(*) FROM USER_SDO_INDEX_INFO WHERE TABLE_NAME = '' OR 5=5--'' AND COLUMN_NAME = 'RDS'
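The same lookup in its vulnerable and its fixed shape, as an added example (not Oracle's SDO_LRS code). The two function names are hypothetical, the view USER_SDO_INDEX_INFO requires Oracle Spatial to be installed, and the payload is the one from the sample above.

```sql
-- Added example, not Oracle's code.  Function names are hypothetical; the
-- view USER_SDO_INDEX_INFO exists only when Oracle Spatial is installed.

-- Vulnerable shape: the first parameter is spliced into a string literal, so a
-- single quote in the input ends the literal and the rest is parsed as SQL.
CREATE OR REPLACE FUNCTION lrs_index_count_unsafe (
    p_table VARCHAR2, p_column VARCHAR2) RETURN NUMBER IS
    l_cnt NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM USER_SDO_INDEX_INFO WHERE TABLE_NAME = '''
        || p_table || ''' AND COLUMN_NAME = ''' || p_column || ''''
        INTO l_cnt;
    RETURN l_cnt;
END;
/

-- Fixed shape (what the CPU did): bind variables.  The statement text is a
-- constant; the input can only ever be a value compared with TABLE_NAME, and
-- the COLUMN_NAME predicate cannot be commented away.
CREATE OR REPLACE FUNCTION lrs_index_count_safe (
    p_table VARCHAR2, p_column VARCHAR2) RETURN NUMBER IS
    l_cnt NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM USER_SDO_INDEX_INFO '
        || 'WHERE TABLE_NAME = :t AND COLUMN_NAME = :c'
        INTO l_cnt USING p_table, p_column;
    RETURN l_cnt;
END;
/

-- The advisory's payload against both versions.  The unsafe function executes
--   ... WHERE TABLE_NAME = '' OR 5=5--'' AND COLUMN_NAME = 'RDS'
-- and counts every row of the view; the safe function compares TABLE_NAME
-- with the literal text ' or 5=5--' and finds nothing.
SELECT lrs_index_count_unsafe(''' or 5=5--''', 'RDS') AS unsafe_cnt,
       lrs_index_count_safe  (''' or 5=5--''', 'RDS') AS safe_cnt
FROM   dual;
```

The injection point is inside a SELECT, which is why the advisory lists the ability to create a PL/SQL function as a prerequisite: a query by itself can only read, and doing anything else from inside it needs a function of the attacker's own that can run further statements.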


Patch Information
#
Apply the patches for Oracle CPU October 2006.


History
###
19-apr-2006 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB13]
18-oct-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


Cross-Site-Scripting Vulnerability in Oracle APEX NOTIFICATION_MSG

2006-10-23 Thread ak
Name              Cross-Site-Scripting Vulnerability in Oracle APEX NOTIFICATION_MSG
Systems Affected  Oracle APEX/HTMLDB
Severity          Medium Risk
Category          Cross Site Scripting (XSS/CSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 October 2006 (V 1.00)
Advisory URL
http://www.red-database-security.com/advisory/oracle_apex_css_notification_msg.html

Details
###
The parameter NOTIFICATION_MSG contains a cross site scripting vulnerability.

Affected Products
#
Oracle APEX/HTMLDB < 2.2.1


Patch Information
#
This bug is fixed with the patch 2.2.1 of APEX which is not part of the 
Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB 
installation to 2.2.1. Patches are currently not available for Oracle 
Application Express.



History
###
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory



Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


Various Cross-Site-Scripting Vulnerabilities in Oracle Reports

2006-10-23 Thread ak
Name              Various Cross-Site-Scripting Vulnerabilities in Oracle Reports [REP01], [REP02]
Severity          Low Risk
Category          Cross Site Scripting (CSS/XSS)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              18 July 2006 (V 1.0)
Advisory URL
http://www.red-database-security.com/advisory/oracle_reports_css.html

Details
###
The Oracle Reports parameters showenv [REP01], parsequery [REP01], cellwrapper 
[REP02] and delimiter [REP02] are vulnerable against Cross-Site-Scripting.


Affected Products
#
Internet Application Server
Oracle Application Server
Oracle Developer Suite


Patch Information
#
Apply Oracle Critical Patch Update October 2006 (CPU July 2006).



History
###
28-aug-2003 Oracle secalert was informed
29-aug-2003 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory


Additional Information
##
An analysis of the Oracle CPU Oct 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html


Bypassing Oracle dbms_assert

2006-07-27 Thread ak
Hey all,


Today I released a new whitepaper "Bypassing Oracle dbms_assert". This 
technique makes many already fixed Oracle vulnerabilities (SQL injection) 
exploitable again.


URL:

http://www.red-database-security.com/wp/bypass_dbms_assert.pdf 

 

Summary:

By using specially crafted parameters (in double quotes) it is possible to 
bypass the input validation of the security package dbms_assert and inject 
SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable 
in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle 
CPU July 2006). I informed Oracle about this problem end of April 2006. Oracle 
has no problem with the release of this information (“Oracle sees no problem 
with your publication of the white paper.”)



Kind Regards

Alexander Kornbrust
Red-Database-Security GmbH
http://www.red-database-security.com



Oracle Database - SQL Injection in SYS.KUPW$WORKER [DB03]

2006-07-18 Thread ak

Name        SQL Injection in package SYS.KUPW$WORKER (6980775) [DB03]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)


Advisory
http://www.red-database-security.com/advisory/oracle_sql_injection_kupw$worker.html


Details
###
The package SYS.KUPW$WORKER contains a SQL injection vulnerability in the MAIN 
procedure. This procedure is granted to PUBLIC by default. Oracle fixed this 
vulnerability with the package dbms_assert. To exploit this vulnerability it is 
necessary to have the privilege to create a PL/SQL-function.


Patch Information
#
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
18-jul-2006 Oracle published CPU July 2006 [DB03]
18-jul-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU July 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with the 
latest information.




Oracle Database - SQL Injection in SYS.DBMS_CDC_IMPDP [DB01]

2006-07-18 Thread ak

Name        SQL Injection in package SYS.DBMS_CDC_IMPDP (6980711) [DB01]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)


Details
###
The package SYS.DBMS_CDC_IMPDP contains SQL injection vulnerabilities in the 
procedures IMPORT_CHANGE_SET, IMPORT_CHANGE_TABLE, IMPORT_CHANGE_COLUMN, 
IMPORT_SUBSCRIBER, IMPORT_SUBSCRIBED_TABLE, IMPORT_SUBSCRIBED_COLUMN, 
VALIDATE_IMPORT, VALIDATE_CHANGE_SET, VALIDATE_CHANGE_TABLE, 
VALIDATE_SUBSCRIPTION. Oracle fixed these vulnerabilities with the package 
dbms_assert. To exploit this vulnerability it is necessary to have the 
privilege to create a PL/SQL-function.


Patch Information
#
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
18-jul-2006 Oracle published CPU July 2006 [DB01]
18-jul-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU July 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with the 
latest information.




Oracle Database - SQL Injection in SYS.DBMS_UPGRADE [DB22]

2006-07-18 Thread ak

Name        SQL Injection in package SYS.DBMS_UPGRADE (6980717) [DB22]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)


Advisory
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade.html


Details
###
The package SYS.DBMS_UPGRADE contains a SQL injection vulnerability. Oracle 
fixed these vulnerabilities with the package dbms_assert. To exploit this 
vulnerability it is necessary to have the privilege to create a PL/SQL-function.


Patch Information
#
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB22]
18-jul-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU July 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with the 
latest information.




Oracle Database - SQL Injection in SYS.DBMS_STATS [DB21]

2006-07-18 Thread ak
Name        SQL Injection in package SYS.DBMS_STATS (6980751) [DB21]
Systems     Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    18 Jul 2006 (V 1.00)


Advisory
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_stats.html


Details
###
The package SYS.DBMS_STATS contains a SQL injection vulnerability. Oracle fixed 
these vulnerabilities with the package dbms_assert. To exploit this 
vulnerability it is necessary to have the privilege to create a PL/SQL-function.


Patch Information
#
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB21]
18-jul-2006 Advisory published


Additional Information
##
An analysis of the Oracle CPU July 2006 is available here 
http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html

This document will be updated during the next few days and weeks with the 
latest information.





SQL Injection in package SYS.DBMS_LOGMNR_SESSION

2006-04-19 Thread ak
SQL Injection in package SYS.DBMS_LOGMNR_SESSION

Name              SQL Injection in package SYS.DBMS_LOGMNR_SESSION
Systems Affected  Oracle Database
Severity          Medium Risk
Category          SQL Injection (DB06)
Vendor URL        http://www.oracle.com/
Author            Alexander Kornbrust (ak at red-database-security.com)
Advisory          18 April 2006 (V 1.00)
Oracle Bugid      6980723


Details
###
The package SYS.DBMS_LOGMNR_SESSION contains a SQL injection vulnerability in 
the procedure DELETE_FROM_TABLE.
Oracle fixed this problem by using the package DBMS_ASSERT.

This advisory
##
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_logmnr_session.html


Patch Information
#
Apply the patches for Oracle CPU April 2006 on top of Oracle 9i Release 2 or 
Oracle 10g Release 1.
The patches are available via Oracle Metalink.



History
###
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-apr-2006 Oracle published CPU April 2006
18-apr-2006 Advisory published



Additional information
##
An analysis of the Oracle CPU April 2006 is available here
http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html

Many (40+) open security issues in Oracle are still unfixed
http://www.red-database-security.com/advisory/upcoming_alerts.html


Oracle read-only user can insert/update/delete data via specially crafted views

2006-04-10 Thread ak
Dear bugtraq-Reader

Last Thursday 6th April 2006, Oracle released a note on the Oracle 
knowledgebase Metalink with details about an unfixed security vulnerability 
(=0day) and a working test case (=exploit code) which affects all versions of 
Oracle from 9.2.0.0 to 10.2.0.3. This note 363848.1 – A User with SELECT 
Object Privilege on Base Tables Can Delete Rows from a View was available last 
week to Metalink customers. The note was also displayed in the daily headlines 
section of the Metalink.
 
That’s why this information can be assumed as public knowledge and 
DBAs/Developers who missed the note on Metalink should know this 
vulnerability in order to avoid/mitigate the risk (if possible) whilst waiting 
for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such 
information on Metalink is not a wise idea. Oracle normally criticises 
individuals and/or companies for releasing information about Oracle 
vulnerabilities (like David Litchfield from NGSSoftware for releasing 
information about a never fixed bug in the mod_plsql gateway). In this case, not only 
Oracle released detailed information on the vulnerability; they also included 
the working exploit code on the Metalink. 

In an interview, the Oracle CSO stated:  “I’ve known customers to terminate 
contracts … for releasing exploit code… you might get applause from hackers… 
but business will not pay you to slit their throats. With knowledge comes 
responsibility.” 

After my email, Oracle removed the note from Metalink. 


Problem: 

In Oracle versions (9.2.0.0-10.2.0.3) exists an unpatched vulnerability which 
allows users with “SELECT” only privileges on a base table to insert/update/delete 
data via a specially crafted view.

The impact of this vulnerability on the Oracle data dictionary is low because 
most data dictionary tables don’t have a primary key which is a requirement for 
this vulnerability.

The impact on custom applications can be huge and eliminate the entire role 
concept because in well designed applications there is normally a read-only 
role for low-privilege users (e.g. reporting or external auditors). If these 
low-privileged users are able to create a view, which is standard in Oracle 
9.2.x to 10g R1, they could also insert, update and delete data via a 
specially crafted view. Depending on the architecture, it is possible to modify 
data, escalate privileges, …


Test cases:

Oracle provided a complete test case in note 363848.1. I decided not to publish 
such code on the internet as long as patches are not available. If you need 
additional information you could contact me via email. A test case (without the 
specially crafted view) is available on my website:

http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html



Patches:

Currently there are no patches available. According to Oracle secalert Oracle 
will provide patches in a future critical patch update.
 
Red-Database-Security is not convinced that the April 2006 CPU will contain 
patches against this vulnerability.



Workarounds / Risk Mitigation:

Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW (and CREATE 
DATABASE LINK, …) privilege from the connect role. 
Removing the primary key from the base table solves the problem too. Be aware 
that this could cause performance and integrity issues on the application.

Oracle recommends creating views with the option “WITH CHECK OPTION”. This 
recommendation helps against accidental modification but not against hackers. 


Credits:

Special thanks to Jens Flasche who made Red-Database-Security aware of the 
Metalink note and for the first analysis + additional test cases. 



URLs:

Interview: Oracle CSO - Mary Ann Davidson
http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html

Metalink Hacking
http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf




--

Are you interested in additional information about Oracle security?


Our next Oracle Anti-Hacker-Training:

23-may – 26-may   (4 days (english) – Milano / Italy) 
29-may – 2-june   (5 days (english) – Cupertino [CA] / U.S.A) 
19-june – 23-june (5 days (german)  – Oberursel/Frankfurt / Germany) 

--
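The workaround section above names the two controls a DBA actually has before a patch exists: take CREATE VIEW out of the roles that low-privilege users hold, and keep read-only roles to SELECT grants. The script below is an added example of that audit and clean-up; it is not from the post and not Oracle's. It assumes a DBA connection (the DBA_* dictionary views), and the role name REPORTING_RO and the SCOTT.EMP object are constructed for illustration.

```sql
-- Added example (constructed; not from the post). Run as a DBA.
-- REPORTING_RO and the view/table names are made up for illustration.

-- 1. Every grantee (user or role) that holds CREATE VIEW directly.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE VIEW'
 ORDER BY grantee;

-- 2. Who inherits it through a role. In 9i and 10g Release 1 the CONNECT
--    role carried CREATE VIEW, CREATE TABLE, CREATE DATABASE LINK and more,
--    so every "read-only" user granted CONNECT shows up here.
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp
 WHERE rp.granted_role IN (SELECT grantee
                             FROM dba_sys_privs
                            WHERE privilege = 'CREATE VIEW')
 ORDER BY rp.granted_role, rp.grantee;

-- 3. Sanitize CONNECT as the post recommends. Test in a non-production
--    copy first: applications that relied on CONNECT for these privileges
--    stop working after the revoke.
REVOKE CREATE VIEW, CREATE DATABASE LINK FROM connect;

-- 4. A dedicated read-only role: CREATE SESSION plus object SELECT grants
--    only. Without CREATE VIEW the view-based write path is closed to it.
CREATE ROLE reporting_ro;
GRANT CREATE SESSION TO reporting_ro;
GRANT SELECT ON scott.emp TO reporting_ro;

-- 5. Verify the role carries nothing beyond those two kinds of grant.
--    An empty result is the expected state.
SELECT 'sys' AS kind, privilege
  FROM dba_sys_privs
 WHERE grantee = 'REPORTING_RO' AND privilege <> 'CREATE SESSION'
UNION ALL
SELECT 'obj', privilege
  FROM dba_tab_privs
 WHERE grantee = 'REPORTING_RO' AND privilege <> 'SELECT';

-- 6. WITH CHECK OPTION on the application's own views: DML through the view
--    that would produce rows the view cannot see is rejected. As the post
--    says, this stops accidental modification, not an attacker who can
--    create views of their own.
CREATE OR REPLACE VIEW dept10_emp AS
  SELECT empno, ename, deptno FROM scott.emp WHERE deptno = 10
  WITH CHECK OPTION;
```

Step 5 is the one to keep in a periodic check: the primary-key precondition the post describes cannot be removed from most application tables, so the durable control is that reporting users never regain CREATE VIEW through some later role grant.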



Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT

2006-01-19 Thread ak

#

http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html

###
SQL Injection in package SYS.KUPV$FT

Name        SQL Injection in package SYS.KUPV$FT
Affected    Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    17 Jan 2006 (V 1.00)


Details:

The package SYS.KUPV$FT contains 3 SQL injection vulnerabilities in the 
functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle fixed these vulnerabilities 
with the package dbms_assert.




Patch Information:
##
Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.


History:

01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published



© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html


Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT

2006-01-19 Thread ak

#

http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html

###
Name        SQL Injection in package SYS.KUPV$FT_INT
Affected    Oracle 10g Release 1
Severity    High Risk
Category    SQL Injection
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Advisory    17 Jan 2006 (V 1.00)

Details:

The package SYS.KUPV$FT_INT contains 16 SQL injection vulnerabilities in the 
functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle is now using bind variables 
to fix these vulnerabilities. 



Patch Information:
##
Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.


History:

01-nov-2005 Oracle secalert was informed about vulnerabilities in
ACTIVE_JOB, ATTACH_JOB, ATTACH_POSSIBLE, CREATE_NEW_JOB, DELETE_JOB, UPDATE_JOB 
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published



© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html
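The SQL injection advisories in this thread (KUPW$WORKER, DBMS_CDC_IMPDP, DBMS_UPGRADE, DBMS_STATS, DBMS_LOGMNR_SESSION, KUPV$FT, KUPV$FT_INT) share one root cause: a definer-rights package owned by SYS builds dynamic SQL by concatenating a caller-supplied name, so the caller controls statement text that runs with SYS privileges, which is why the privilege to create a PL/SQL function is all that is needed. The dbms_assert whitepaper post above shows that a syntactic check on the raw input can be sidestepped with quoted parameters; the KUPV$FT_INT advisory notes that Oracle moved to bind variables. The following is an added example, not Oracle's code and not from any advisory here: a constructed pair of procedures (count_rows_unsafe and count_rows_safe are hypothetical names) showing the injectable pattern and a hardened version in which the input is only ever a bind variable and the identifier that reaches EXECUTE IMMEDIATE comes from the data dictionary. It assumes a schema that can see SCOTT.EMP for the usage block.

```sql
-- Added example (constructed; not Oracle's code and not from the advisories).
-- Procedure names are hypothetical.

-- Vulnerable pattern: the caller-supplied name is pasted into the statement
-- text. In a definer-rights package owned by SYS, whatever the caller passes
-- (including a call to a function the caller created) executes as SYS.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
    p_table IN  VARCHAR2,
    p_count OUT NUMBER)
AUTHID DEFINER AS
BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || p_table INTO p_count;
END;
/

-- Hardened pattern: the input is used only as a bind variable, never as
-- statement text. The identifier that reaches EXECUTE IMMEDIATE is taken
-- from the data dictionary and quoted as a single token with ENQUOTE_NAME.
-- Running DBMS_ASSERT.SIMPLE_SQL_NAME on the raw input is the weaker
-- alternative, because the input still ends up inside the SQL text.
CREATE OR REPLACE PROCEDURE count_rows_safe (
    p_owner IN  VARCHAR2,
    p_table IN  VARCHAR2,
    p_count OUT NUMBER)
AUTHID DEFINER AS
    l_owner  all_tables.owner%TYPE;
    l_table  all_tables.table_name%TYPE;
BEGIN
    -- Static SQL in PL/SQL binds its variables automatically, so p_owner and
    -- p_table are compared as data. An unknown name raises NO_DATA_FOUND.
    -- UPPER() means lower-case quoted names cannot be addressed, which is
    -- acceptable for this use.
    SELECT owner, table_name
      INTO l_owner, l_table
      FROM all_tables
     WHERE owner      = UPPER(p_owner)
       AND table_name = UPPER(p_table);

    -- Only dictionary values are concatenated; ENQUOTE_NAME raises if the
    -- string could not be one well-formed quoted identifier.
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM '
        || DBMS_ASSERT.ENQUOTE_NAME(l_owner, FALSE) || '.'
        || DBMS_ASSERT.ENQUOTE_NAME(l_table, FALSE)
      INTO p_count;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        RAISE_APPLICATION_ERROR(-20001, 'unknown or inaccessible table');
END;
/

-- Usage (SQL*Plus):
SET SERVEROUTPUT ON
DECLARE
    l_n NUMBER;
BEGIN
    count_rows_safe('SCOTT', 'EMP', l_n);
    DBMS_OUTPUT.PUT_LINE('rows: ' || l_n);
END;
/
```

Two design notes. ALL_TABLES inside a definer-rights procedure is evaluated with the definer's privileges, so the dictionary lookup also defines what the caller may reach through the procedure; if the operation should honour the caller's own privileges instead, declare it AUTHID CURRENT_USER. And where the dynamic statement needs data values (a WHERE clause, for instance), pass them with the USING clause of EXECUTE IMMEDIATE rather than concatenating, which is the bind-variable fix the KUPV$FT_INT advisory refers to.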



Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartext

2006-01-18 Thread ak
Name        Event 10053 logs TDE wallet password in cleartext
Systems     Oracle Database 10g Release 2
Severity    High Risk
Category    Information disclosure
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Date        17 January 2005 (V 1.00)
Oracle Bug  5802023
Time to fix 190 days


Details:

The event 10053 is storing the masterkey of Oracle Transparent Data Encryption 
unencrypted in a trace-file. A skilled attacker or non-security DBA could set 
this special event to get the plaintext masterkey for the TDE encryption. 

Test case:
##
SQL> alter session set events='10053 trace name context forever, level 1';

Session altered.

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword;

System altered.
# Test case ##


# Excerpt from trace file #
[...]
Current SQL statement for this session:
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword
[...]
# Excerpt from trace file #


Patch Information:
##
Oracle fixed this issue with the patches from the critical patch update january 
2006 for Oracle 10g Release 2.

History:

11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory


© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html


Oracle Reports - Read parts of files via desname (fixed after 874 days)

2006-01-18 Thread ak
Read parts of any file via desformat in Oracle Reports

Name        Read parts of any file via desformat in Oracle Reports
Severity    Medium Risk
Category    Information disclosure
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Date        25 August 2005 (V 1.02)
Cert        VU#925261
CVE         CAN-2005-2378
Oracle Bug  5883621
Time to fix 874 days ago


Details:

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting 
tool.

It enables businesses to give immediate access to information to all levels 
within and outside of the organization in an unrivaled scalable and secure 
environment. Oracle Reports, a component of the Oracle Application Server, is 
used by Oracle itself for the E-Business Suite. Many large customers are using 
Oracle Reports as reporting tool for their enterprise applications.

The Oracle Reports parameter desformat can read any file by using an absolute 
or relative file name.
Parts of the file content are displayed in the Reports error message (see test 
case)

The DESFORMAT parameter specifies the format for the job output. In bit-mapped 
environments, use DESFORMAT to specify the printer driver to be used when 
DESTYPE is FILE.
In character-mode environments, use it to specify the characteristics of the 
printer named in DESNAME.



Affected Products:
##
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information:
##
This bug is finally fixed with Critical Patch Update January 2006.


Testcase:
#
http://myserver:7778/reports/rwservlet?server=myserver+report=test.rdf+
userid=scott/[EMAIL PROTECTED]/etc/passwd

***Reports Output

REP-3002: Error in column 5 of line 1 of printer definition file /etc/passwd:
Unknown keyword root.
REP-3002: Error initializing printer. Please make sure a printer is installed.

***Reports Output


History:

27-aug-2003 Oracle secalert was informed
27-aug-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this 
vulnerability will be published after CPU July 2005.
Red-Database-Security offered Oracle more time if it is not possible to provide 
a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
25-aug-2005 CVE number added
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU 
January 2006)


© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html


Oracle Reports - Overwrite any application server file via desname (fixed after 889 days)

2006-01-18 Thread ak
Name        Overwrite any file via desname in Oracle Reports
Severity    High Risk
Category    File overwrite
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Date        25 August 2005 (V 1.02)
Cert        VU#472148
CVE         CAN-2005-2371
Oracle Bug  5883603
Time to fix 889 days ago


Details:

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting 
tool.

It enables businesses to give immediate access to information to all levels 
within and outside of the organization in an unrivaled scalable and secure 
environment. Oracle Reports, a component of the Oracle Application Server, is 
used by Oracle itself for the E-Business Suite. Many large customers are using 
Oracle Reports as reporting tool for their enterprise applications. 

By specifying a special value for the parameter desname Oracle Reports can 
overwrite any file on the application server.
On Windows systems an attacker can overwrite any file (e.g. boot.ini) on the 
application server.
On UNIX systems an attacker can overwrite all files (e.g. opmn.xml) which 
belong to the Oracle Application Server user.

This attack can be done with a simple URL.


Affected Products:
##
Internet Application Server
Oracle Application Server
Oracle Developer Suite 

Patch Information:
##
This bug is finally fixed with Critical Patch Update January 2006.


Testcase:
#
Overwrite the boot.ini with the ../-syntax with PDF output (on a Windows 
system) 
http://myserver.com:7779/reports/rwservlet?server=repserv+userid=scott/[EMAIL 
PROTECTED]/../../boot.ini

Overwrite the boot.ini via an absolute path with PDF output (on a Windows 
system) 
http://myserver.com:7779/reports/rwservlet?server=repserv+userid=scott/[EMAIL 
PROTECTED]:\boot.ini

Overwrite the file httpd.conf with PDF output (on a UNIX system) 
http://myserver.com:7779/reports/rwservlet?server=repserv+myconn+report=anyreport.rdf+destype=file+desformat=PDF+desname=/oracle/iasapp/Apache/Apache/conf/httpd.conf

Overwrite any report (or form) with PDF output (on a UNIX system) 
http://myserver.com:7779/reports/rwservlet?server=repserv+myconn+report=anyreport.rdf+destype=file+desformat=PDF+desname=/oracle/iasapp/reports/anyreport.rdf




History
12-aug-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this 
vulnerability will publish after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide 
a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
16-sep-2005 Workaround was incomplete and is now correct (Thanks to D. Nachbar 
for this information)
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU 
January 2006) 


© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
 


Oracle Reports - Read parts of files via customize(fixed after 875 days)

2006-01-18 Thread ak
Read parts of any XML-file via customize parameter in Oracle Reports

Name        Read parts of any XML-file via customize parameter
Severity    Medium Risk
Category    Information disclosure
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Date        25 August 2005 (V 1.02)
Cert        VU#277757
Oracle Bug  5882923
Time to fix 875 days ago


Details:

Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting 
tool.

It enables businesses to give immediate access to information to all levels 
within and outside of the organization in an unrivaled scalable and secure 
environment. Oracle Reports, a component of the Oracle Application Server, is 
used by Oracle itself for the E-Business Suite. Many large customers are using 
Oracle Reports as reporting tool for their enterprise applications.

The Oracle Reports parameter customize can read any file by using an absolute 
or relative file name.
Parts of the file content are displayed in the Reports error message (see test 
case).



Affected Products:
##
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information:
##
This bug is finally fixed with Critical Patch Update January 2006.


Testcase:
#
http://myserver:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=scott/[EMAIL PROTECTED]+destype=cache+desformat=xml+CUSTOMIZE=/opt/ORACLE/ias/oracle/product/9.0.2/webcache/webcache.xml

***Reports Output

REP--866648059: Error in the XML report definition at line 3 in '
Element 'CALYPSO' used but not declared.'.

***Reports Output


History:

26-aug-2003 Oracle secalert was informed
27-aug-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this 
vulnerability will be published after CPU July 2005.
Red-Database-Security offered Oracle more time if it is not possible to provide 
a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU 
January 2006)


© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html



Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA

2006-01-18 Thread ak
Transparent Data Encryption stores key unencrypted in the SGA

Name        Transparent Data Encryption stores key unencrypted in the SGA
Affected    Oracle Database 10g Release 2
Severity    High Risk
Category    Information disclosure
Vendor URL  http://www.oracle.com/
Author      Alexander Kornbrust (ak at red-database-security.com)
Date        17 January 2005 (V 1.00)
Oracle Bug  5802173
Time to fix 190 days


Details:

The Oracle security feature Transparent Data Encryption is storing the 
masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can 
retrieve the plaintext masterkey.

Test case:
##

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword;

System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 
Production With the Partitioning, OLAP and Data Mining options


[EMAIL PROTECTED] /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin

[EMAIL PROTECTED] /]$ cd /tmp

[EMAIL PROTECTED] /]$ dumpsga 

[EMAIL PROTECTED] /]$ strings * | grep -iH secretpassword 

secretpassword 
secretpassword 
secretpassword


[...] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@[EMAIL PROTECTED]@[EMAIL 
PROTECTED]/10.2.0/admin/ora10201/wallet/[EMAIL PROTECTED]@[EMAIL 
PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]

[EMAIL PROTECTED]@0êd$L4^L¿^Xp /¹]/º8f[EMAIL 
PROTECTED]@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[]


Patch Information:
##
Oracle fixed this issue with the patches from the critical patch update january 
2006 for Oracle 10g Release 2.

History:

11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory



© 2006 by Red-Database-Security GmbH 
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
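Both TDE advisories (the 10053 trace file above and this SGA excerpt) describe the same exposure from the defender's side: anyone who could write a trace file or read instance memory before the January 2006 CPU may hold the wallet password, and the master key it protects. Patching closes the leak but does not revoke what has already been copied. The following added example is not from the advisories and not Oracle's own procedure; it is the follow-up a DBA would run as SYSDBA on 10g Release 2 after the CPU: find the trace directory to sweep, check who can set diagnostic events at all, and replace the exposed material. "NewWalletPw" is a placeholder.

```sql
-- Added example (constructed; not from the advisories). Run as SYSDBA on
-- Oracle 10g Release 2 after the January 2006 CPU has been applied.
-- "NewWalletPw" is a placeholder; never keep a real password in a script.

-- 1. Where trace files land. Sweep this directory for statements that
--    carried the wallet password (the text 'WALLET OPEN IDENTIFIED BY')
--    and purge those files before any trace is shared with support.
SELECT name, value FROM v$parameter WHERE name = 'user_dump_dest';

-- 2. Who can switch on events such as 10053: this needs the ALTER SESSION
--    system privilege, directly or through a role. Keep the list to DBAs.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'ALTER SESSION'
UNION
SELECT grantee FROM dba_role_privs
 WHERE granted_role IN (SELECT grantee FROM dba_sys_privs
                         WHERE privilege = 'ALTER SESSION')
ORDER BY 1;

-- 3. Wallet state. While it is OPEN the master key is resident in the
--    instance, so close it outside the windows in which encrypted columns
--    must be read.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
ALTER SYSTEM SET WALLET CLOSE;

-- 4. Treat the old wallet password and master key as compromised. Change
--    the wallet password first, outside SQL, with orapki
--    (orapki wallet change_pwd -wallet <wallet directory>), then generate
--    a new master key with the new password. This statement also opens
--    the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "NewWalletPw";

-- 5. Confirm, then close the wallet again when the maintenance is done.
SELECT status FROM v$encryption_wallet;
ALTER SYSTEM SET WALLET CLOSE;
```

Step 2 matters because a read-only reporting account with ALTER SESSION could have produced the 10053 trace in the first advisory without any DBA involvement; after the CPU the trace no longer carries the password, but the privilege still lets such an account fill the trace directory, so it belongs to administrators only.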


M$ VPN hole reported

2002-11-01 Thread AK
http://zdnet.com.com/2100-1105-964057.html