SQL Injection in package DBMS_AQIN
Name: SQL Injection in package DBMS_AQIN [CVE-2009-0992]
Systems Affected: Oracle 10.1.0.5 - 11.1.0.7
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE: CVE-2009-0992
Advisory: 14 April 2009 (V 1.00)

Details:
The package DBMS_AQIN contains a SQL injection vulnerability in the procedure DEQ_EXEJOB. Additional information is available in the following advisory.
Advisory: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html

Patch Information:
Apply the patches for Oracle CPU April 2009.

Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle CPU April 2009 and can identify vulnerable databases. More information about Repscan can be found here: http://www.sentrigo.com/repscan

History:
14-apr-2009 Oracle published CPU April 2009 [CVE-]
14-apr-2009 Advisory published

About Red-Database-Security:
Red-Database-Security is the leading company for Oracle security. Within the last 6 years we reported several hundred vulnerabilities to Oracle.

--
(c) 2009 by Red-Database-Security GmbH http://www.red-database-security.com
Unprivileged DB users can see APEX password hashes
Name: Unprivileged DB users can see APEX password hashes
Systems Affected: APEX 3.0 (optional component of 11.1.0.7 installation)
Severity: High Risk
Category: Password Disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE: CVE-2009-0981
Advisory: 14 April 2009 (V 1.00)

Details:
Unprivileged database users can see APEX password hashes in FLOWS_03.WWV_FLOW_USER.

    SQL> select user_name, web_password2 from FLOWS_03.WWV_FLOW_USERS;

    USER_NAME   WEB_PASSWORD2
    ----------  --------------------------------
    YURI        141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan. Additional information is available in the following advisory.
Advisory: http://www.red-database-security.com/advisory/apex_password_hashes.html

Patch Information:
Upgrade to Oracle APEX 3.2.

Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle CPU April 2009 and can identify vulnerable databases. More information about Repscan can be found here: http://www.sentrigo.com/repscan

History:
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

--
(c) 2009 by Red-Database-Security GmbH http://www.red-database-security.com
SQL Injection in package DBMS_AQADM_SYS
Name: SQL Injection in package DBMS_AQADM_SYS [CVE-2009-0977]
Systems Affected: Oracle 9.2.0.8 - 10.2.0.3
Severity: Medium Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Franz Hüll (fh at red-database-security.com)
CVE: CVE-2009-0977
Advisory: 14 April 2009 (V 1.00)

Details:
The package DBMS_AQADM_SYS contains a SQL injection vulnerability in the procedure GRANT_TYPE_ACCESS. Additional information is available in the following advisory.
Advisory: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Patch Information:
Apply the patches for Oracle CPU April 2009.

Verification:
Our Oracle database scanner Repscan was updated with the information from the Oracle CPU April 2009 and can identify vulnerable databases. More information about Repscan can be found here: http://www.sentrigo.com/repscan

History:
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0977]
14-apr-2009 Advisory published

--
(c) 2009 by Red-Database-Security GmbH http://www.red-database-security.com
Oracle - SQL Injection in package SDO_GEOM [DB06]
Systems Affected: 9i Rel. 1 - 10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust
Advisory: 16 April 2008 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_geom.html

Details:
The package SDO_GEOM is vulnerable to SQL injection.

Patch Information:
Apply the patches for Oracle CPU April 2008.

History:
6-jun-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB06]
16-apr-2008 Advisory published

© 2008 by Red-Database-Security GmbH http://www.red-database-security.com
Oracle - SQL Injection in package SDO_IDX [DB07]
Systems Affected: 9i Rel. 1 - 11g Rel. 1
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust
Advisory: 16 April 2008 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_idx.html

Details:
The package SDO_IDX is vulnerable to SQL injection.

Patch Information:
Apply the patches for Oracle CPU April 2008.

History:
6-jun-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB07]
16-apr-2008 Advisory published

© 2008 by Red-Database-Security GmbH http://www.red-database-security.com
Oracle - SQL Injection Vulnerability in SDO_UTIL [DB05]
Systems Affected: 10g Rel. 1, 10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust
Advisory: 16 April 2008 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_util.html

Details:
The package SDO_UTIL is vulnerable to SQL injection.

Patch Information:
Apply the patches for Oracle CPU April 2008.

History:
6-jun-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB05]
16-apr-2008 Advisory published

© 2008 by Red-Database-Security GmbH http://www.red-database-security.com
Oracle - Hardcoded Password and Password Reset of OUTLN User [DB13]
Systems Affected: 9i Rel. 1 - 10g Rel. 2
Severity: High Risk
Category: Hardcoded Default Password / Password Reset
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust
Advisory: 16 April 2008 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_outln_password_change.html

Details:
During the creation of a materialized view the package DBMS_STATS_INTERNAL is called; it resets the password of the user OUTLN to OUTLN and grants DBA privileges to this user.

    [...]
    GRANT_DBA_OUTLN := 'grant dba to outln identified by outln';
    [...]
    GRANT_DBA_OUTLN := 'grant on commit refresh to outln identified by outln';
    [...]

Many people are not aware that the GRANT command (GRANT CONNECT TO SYS IDENTIFIED BY ALEX) can be used to change passwords in Oracle instead of the ALTER USER command. It's a bad idea to hardcode passwords, and it took only 1 year to fix this issue.

In most Oracle default installations the account OUTLN is locked, but some security guidelines (e.g. Oracle Practical Security from Syngress) recommend unlocking the account OUTLN and setting an invalid password (to avoid the error message ORA-28000 account is locked). Following this advice and setting an invalid password opens a default user with a default password and DBA privileges (OUTLN/OUTLN) in the Oracle database once a materialized view has been created.

I found this vulnerability during the search for backdoors in Oracle databases for the Oracle malware report of our vulnerability scanner Repscan. I was looking for strings like "grant dba to" and found that dbms_stats_internal is executing these commands in an internal package. In Oracle 9i you can find these strings using the grep command in $ORACLE_HOME/rdbms/admin because string literals are not encrypted in wrapped 9i PL/SQL code.

BTW: During this research I also found 3 Oracle procedures modifying the Oracle audit table (insert/update/delete rows from SYS.AUD$). I think procedures modifying the audit log (especially delete and update) are a bad coding practice.

Patch Information:
Apply the patches for Oracle CPU April 2008.

History:
4-apr-2007 Oracle secalert was informed
15-apr-2008 Oracle published CPU April 2008 [DB13]
16-apr-2008 Advisory published
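A check a DBA can run against the state this advisory describes (OUTLN unlocked and/or holding the DBA role), written as an added example rather than code from the advisory. It reads the standard DBA_USERS and DBA_ROLE_PRIVS dictionary views and needs SELECT on both plus SERVEROUTPUT enabled in SQL*Plus; the finding messages are this example's own wording.

```plsql
-- Added example (not from the advisory): report whether OUTLN is unlocked
-- and whether it holds the DBA role, the two conditions that together make
-- the OUTLN/OUTLN reset exploitable through a normal logon.
DECLARE
    l_status   dba_users.account_status%TYPE;
    l_dba_cnt  NUMBER;
    l_findings NUMBER := 0;
BEGIN
    SELECT account_status
      INTO l_status
      FROM dba_users
     WHERE username = 'OUTLN';

    SELECT COUNT(*)
      INTO l_dba_cnt
      FROM dba_role_privs
     WHERE grantee = 'OUTLN'
       AND granted_role = 'DBA';

    DBMS_OUTPUT.PUT_LINE('OUTLN account_status: ' || l_status);

    -- A locked account cannot log on even after its password was reset;
    -- 'LOCKED' and 'EXPIRED & LOCKED' both count as locked here.
    IF l_status NOT LIKE '%LOCKED%' THEN
        l_findings := l_findings + 1;
        DBMS_OUTPUT.PUT_LINE('FINDING: OUTLN is not locked');
    END IF;

    -- OUTLN does not hold DBA in a default installation; the grant is the
    -- symptom the advisory describes after a materialized view was created.
    IF l_dba_cnt > 0 THEN
        l_findings := l_findings + 1;
        DBMS_OUTPUT.PUT_LINE('FINDING: OUTLN holds the DBA role');
    END IF;

    IF l_findings = 0 THEN
        DBMS_OUTPUT.PUT_LINE('OUTLN looks as expected; the fix is still CPU April 2008');
    END IF;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        DBMS_OUTPUT.PUT_LINE('OUTLN does not exist in this database');
END;
/
```

The block only reports; it does not revoke or lock anything, because the remediation the advisory gives is the April 2008 CPU, and an unexpected DBA grant on OUTLN is worth investigating as a possible prior compromise before it is quietly cleaned up.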
Re: Oracle 11g Password algorithm revealed
Different people identified the algorithm at the same time. Recurity Labs GmbH (Tnx to Thorsten Schröder and Fx) did the research for us.

A very interesting analysis about the 11g password algorithm can be found at the following URL:
http://www.phenoelit.net/lablog/oracle.sl

Regards
Alexander Kornbrust
www.red-database-security.com
Oracle Security: Insert / Update / Delete Data via Views
This advisory: http://www.red-database-security.com/advisory/oracle_view_vulnerability.html

Name: Insert / Update / Delete Data via Views [DB17]
Systems: Oracle 8i - 10g Rel. 2
Severity: High Risk
Category: Bypass Access Control
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 July 2007 (V 1.00)

Details:
Updates, deletes and inserts are possible via specially crafted views without having the right privileges. This vulnerability is not identical with similar vulnerabilities fixed with the April 2006 CPU and the October 2006 CPU.

Samples:
    delete from (specially crafted view)
    insert into (specially crafted view)
    update (specially crafted view)

Testcases will be released if we can verify that the problem is really fixed.

Patch Information:
Apply the patches for Oracle CPU July 2007.

History:
24-oct-2006 Oracle secalert was informed
25-oct-2006 Bug confirmed
18-jul-2007 Oracle published CPU July 2007 [DB17]
18-jul-2007 Advisory published

Analysis and CVE entries of the Oracle CPU:
http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html

(c) 2007 by Red-Database-Security GmbH - last update 17-jul-2007
Oracle Security: SQL Injection in package DBMS_PRVTAQIS
This advisory: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_prvtaqis.html

Name: SQL Injection in package DBMS_PRVTAQIS [DB02]
Systems: Oracle 9i Rel.1 - 10g Rel. 1
Severity: High Risk
Category: SQL Injection
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 July 2007 (V 1.00)

Details:
The package DBMS_PRVTAQIS contains a SQL injection vulnerability.

Patch Information:
Apply the patches for Oracle CPU July 2007.

History:
1-nov-2005 Oracle secalert was informed
17-jul-2007 Oracle published CPU July 2007 [DB02]
17-jul-2007 Advisory published

Analysis and CVE entries of the Oracle CPU:
http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html

(c) 2007 by Red-Database-Security GmbH
Oracle Security: SQL Injection in APEX CHECK_DB_PASSWORD
This advisory: http://www.red-database-security.com/advisory/oracle_apex_sql_injection_check_db_password.html

Name: SQL Injection Vulnerability in Oracle CHECK_DB_PASSWORD
Systems: Oracle APEX
Severity: Medium Risk
Category: SQL Injection
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 17 July 2007 (V 1.00)

Details:
The function wwv_flow_security.check_db_password contains a SQL injection vulnerability. Oracle is using the ALTER USER command to change the password of a database user without doing any input validation of the password (a typical Oracle PL/SQL programming fault). APEX 3.0.1 now does an input validation of the user password. APEX 3.0.1 is used in Oracle 11g.

Old, vulnerable code (the queries inside the two inner blocks are not reproduced in the advisory; the double-quote characters around the password, lost in this copy, are restored):

    FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2)
    RETURN BOOLEAN
    IS
    BEGIN
      IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN
        RETURN FALSE;
      END IF;
      BEGIN
        -- query not reproduced in the advisory
      EXCEPTION
        WHEN NO_DATA_FOUND THEN RETURN FALSE;
      END;
      BEGIN
        -- query not reproduced in the advisory
      EXCEPTION
        WHEN NO_DATA_FOUND THEN RETURN FALSE;
      END;
      -- both inputs are concatenated unchecked into DDL
      L_STMT := 'ALTER USER ' || P_USER_NAME || ' IDENTIFIED BY "' || P_PASSWORD || '"';
      EXECUTE IMMEDIATE L_STMT;
      ...

New code:
Oracle is now doing a length check of the password (30 characters). Good idea. I'm interested to see if this is changed in 11g, where passwords up to 50 characters are allowed. One part of the input validation is stupid code: if the password contains the string chr(34), Oracle throws an error message, but chr(34) inside a password is never executed. Even if this code were executed, the check could be bypassed quite easily (e.g. chr( 34) or chr(34 ) or chr(35-1) or ...).

    FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2)
    RETURN BOOLEAN
    IS
    BEGIN
      IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN
        RETURN FALSE;
      END IF;
      -- new input validation: length limit, no double quote, no 'chr(34)' text
      IF LENGTH(P_PASSWORD) > 30
         OR INSTR(P_PASSWORD, '"') > 0
         OR INSTR(LOWER(P_PASSWORD), 'chr(34)') > 0 THEN
        RETURN FALSE;
      END IF;
      BEGIN
        -- query not reproduced in the advisory
      EXCEPTION
        WHEN NO_DATA_FOUND THEN RETURN FALSE;
      END;
      BEGIN
        -- query not reproduced in the advisory
      EXCEPTION
        WHEN NO_DATA_FOUND THEN RETURN FALSE;
      END;
      L_STMT := 'ALTER USER ' || P_USER_NAME || ' IDENTIFIED BY "' || P_PASSWORD || '"';
      EXECUTE IMMEDIATE L_STMT;
      ...

Affected Products:
This bug is fixed with 3.0.1 of APEX, which is not part of the Critical Patch Update July 2006. It's necessary to upgrade your APEX installation to 3.0.1 or higher. APEX 3.0.1 is compatible with Oracle Application Express.

Patch Information:
This bug is fixed with APEX 3.0.1 or higher.

History:
07-may-2007 Oracle secalert was informed
07-may-2007 Bug confirmed
29-jun-2007 Oracle released APEX 3.0.1
17-jul-2007 Oracle published CPU July 2007 and recommends to update to 3.0.1
17-jul-2007 Red-Database-Security published this advisory

Analysis and CVE entries of the Oracle CPU:
http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html

(c) 2007 by Red-Database-Security GmbH
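How the same password-change wrapper looks when both concatenated inputs are validated before EXECUTE IMMEDIATE, as an added example that is neither APEX code nor code from the advisory. It assumes Oracle 10.2 or later (DBMS_ASSERT is available), keeps the 30-character limit of the APEX 3.0.1 check quoted above as an assumption, and the function name is this example's own.

```plsql
-- Added example (not APEX or Red-Database-Security code): validate the user
-- name as an identifier and the password as a quoted token instead of
-- pattern-matching for chr(34).
CREATE OR REPLACE FUNCTION change_db_password_safe (
    p_user_name IN VARCHAR2,
    p_password  IN VARCHAR2
) RETURN BOOLEAN
IS
    l_user VARCHAR2(130);
    l_pwd  VARCHAR2(130);
    l_stmt VARCHAR2(1000);
BEGIN
    IF p_user_name IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    -- ALTER USER is DDL and takes the user name as an identifier, so it
    -- cannot be passed as a bind variable. SIMPLE_SQL_NAME raises ORA-44003
    -- for anything that is not a single SQL name (spaces, semicolons, extra
    -- keywords such as IDENTIFIED BY), so such input never reaches the
    -- statement text.
    l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(p_user_name);

    -- Length limit taken over from the APEX 3.0.1 check (assumption).
    IF LENGTH(p_password) > 30 THEN
        RETURN FALSE;
    END IF;

    -- Enclose the password in double quotes. ENQUOTE_NAME raises if the
    -- value contains an embedded double quote, so the quoted token cannot
    -- be closed early by the caller; no text search for 'chr(34)' is
    -- needed. capitalize => FALSE keeps the password exactly as given.
    l_pwd := DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE);

    l_stmt := 'ALTER USER ' || l_user || ' IDENTIFIED BY ' || l_pwd;
    EXECUTE IMMEDIATE l_stmt;
    RETURN TRUE;
END change_db_password_safe;
/
```

Two caveats a reviewer would want next to this: DBMS_ASSERT raises rather than returning FALSE on rejected input, so the caller decides how to surface that; and SIMPLE_SQL_NAME accepts double-quoted identifiers, which is safe here only because the result is used in identifier position. Placing a DBMS_ASSERT-validated name inside a single-quoted string literal is exactly the pattern the "Bypassing Oracle dbms_assert" whitepaper announced further down this page exploits, and this check does not cover it.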
Advisory: Bypass Oracle Logon Trigger
Name: Bypass Oracle Logon Trigger (7826485) [DB05]
Systems Affected: Oracle 8-10g Rel. 2
Severity: High Risk
Category: Bypass Security Feature (Database Logon Trigger)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details:
It is possible to bypass the Oracle database logon trigger. This can cause severe security problems: Oracle database logon triggers are often used to restrict user access (e.g. based on time or IP addresses) and/or to write audit entries into (custom) tables. This can be bypassed on unpatched systems.
This advisory is available at http://www.red-database-security.com/advisory/bypass_oracle_logon_trigger.html

Patch Information:
Apply the patches for Oracle CPU April 2007.

History:
07-jun-2006 Oracle secalert was informed
08-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published

Additional Information:
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Advisory: SQL Injection in package SYS.DBMS_AQADM_SYS
Name: SQL Injection in package SYS.DBMS_AQADM_SYS [DB04]
Systems Affected: Oracle 8i-10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details:
The package DBMS_AQADM_SYS contains SQL injection vulnerabilities.
This advisory is available at http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Patch Information:
Apply the patches for Oracle CPU April 2007.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB04]
17-apr-2007 Advisory published

Additional Information:
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Advisory: XSS Vulnerability in Oracle Secure Enterprise Search [SES01]
Name: Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search
Systems Affected: Oracle Secure Enterprise Search 10.1.6 - SES
Severity: Medium Risk
Category: Cross Site Scripting (XSS/CSS)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 17 April 2007 (V 1.00)

Details:
Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables a secure, high quality, easy-to-use search across all enterprise information assets. The parameter EXPTYPE in boundary_rules.jsp contains a cross site scripting vulnerability.
This advisory is available at http://www.red-database-security.com/advisory/oracle_css_ses.html

Exploit:
http://ses10106:/search/admin/sources/boundary_rules.jsp?event=deleteIncludeRule&p_src=web&p_mode=edit&p_id=3&pattern=rds&expType=%3Cscript%3Ealert(document.cookie)%3C/script%3ECC_SIMPLE_INCLUSION'

Affected Products:
Oracle Enterprise Search

Patch Information:
Please upgrade to the latest version of SES or apply CPU April 2007.

History:
05-Apr-2005 Oracle secalert was informed
06-Apr-2005 Bug confirmed
17-apr-2007 Oracle published CPU April 2007
17-apr-2007 Red-Database-Security published this advisory

Additional Information:
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
Advisory: Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet [AS01]
Name: Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01]
Systems Affected: Oracle Discoverer Servlet
Severity: Low Risk
Category: Remote D.o.S.
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 17 April 2007 (V 1.00)

Details:
The Oracle Discoverer Servlet contains a field for the database/TNS alias. It is possible to send TNS STOP commands via this field and to shut down unprotected Oracle TNS Listeners.
This advisory is available at http://www.red-database-security.com/advisory/oracle_discoverer_servlet.html

Patch Information:
Apply the patches for Oracle CPU April 2007.

History:
28-oct-2003 Oracle secalert was informed
29-oct-2003 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [AS01]
17-apr-2007 Advisory published

Additional Information:
An analysis of the Oracle CPU April 2007 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
This document will be updated during the next few days and weeks with the latest information.

(c) 2007 by Red-Database-Security GmbH -- http://www.red-database-security.com
SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL
Name: SQL Injection in package SYS.DBMS_SQLTUNE_INTERNAL (6980745) [DB10]
Systems Affected: Oracle 8i-10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_sqltune_internal.html

Details:
The package DBMS_SQLTUNE_INTERNAL contains SQL injection vulnerabilities in I_SET_TUNING_PARAMETER and SELECT_SQLSET. Oracle fixed this by using bind variables in their dynamic SQL statements.

Patch Information:
Apply the patches for Oracle CPU October 2006.

History:
1-nov-2005 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB13]
18-oct-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
Modify Data via Inline Views
Name: Modify Data via Inline Views (8107967) [DB09]
Systems Affected: Oracle 9i - 10g Rel. 2
Severity: High Risk
Category: Unauthorized Access
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_modify_data_via_inline_views.html

Details:
Updates, deletes and inserts are possible with least privilege via inline views. A user with CREATE SESSION only can insert/update/delete data (e.g. the dual table). This bug is similar but not identical to the bug which was fixed in the July 2006 CPU (Modify Data via views). No workarounds available.

Samples:
    delete from (specially crafted inline view)
    insert into (specially crafted inline view)
    update (specially crafted inline view)

Patch Information:
Apply the patches for Oracle CPU October 2006.

History:
24-jul-2006 Oracle secalert was informed about a variant of the create view bug.
18-oct-2006 Oracle published CPU October 2006 [DB09]
18-oct-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Name: SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES
Systems Affected: Oracle APEX/HTMLDB
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_apex_sql_injection_wwv_flow_utilities.html

Details:
The list of values (LOV) in wwv_flow_utilities.gen_popup_list contains a SQL injection vulnerability. Depending on the APEX application it is possible to inject custom SQL statements. The entire SQL statement is accessible from the URL in the parameter P_LOV. To protect the SELECT statement in the URL Oracle is using an MD5 checksum. By modifying the SQL statement and recalculating the MD5 checksum P_LOV_CHECKSUM it is possible to run custom SQL statements from the URL.

Sample URL:
http://apex:/pls/htmldb/wwv_flow_utilities.gen_popup_list?p_filter=&p_name=p_t02&p_element_index=1&p_hidden_elem_name=p_t01&p_form_index=0&p_max_elements=&p_escape_html=&p_ok_to_query=YES&p_flow_id=100&p_page_id=11&p_session_id=15108399238201864297&p_eval_value=&p_return_key=YES&p_translation=N&p_lov=select%20cust_last_name%20||%20'%2C%20'%20||%20cust_first_name%20d%2C%20customer_id%20r%20from%20demo_customers%20order%20by%20cust_last_name&p_lov_checksum=82C7EFB6FA3A2FA2C6E1A70FB63BB064

Affected Products:
This bug is fixed with 2.2 of APEX, which is not part of the Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation to 2.2 or, better, 2.2.1. Patches are currently not available for Oracle Application Express.

Patch Information:
This bug is fixed with APEX 2.2 or higher.

History:
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006 and recommends to update to 2.2.1
18-oct-2006 Red-Database-Security published this advisory

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP
Name: Cross-Site-Scripting Vulnerability in Oracle APEX WWV_FLOW_ITEM_HELP
Systems Affected: Oracle APEX/HTMLDB
Severity: Medium Risk
Category: Cross Site Scripting (XSS/CSS)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_apex_css_wwv_flow_item_help.html

Details:
The package WWV_FLOW_ITEM_HELP contains a cross site scripting vulnerability.

Affected Products:
Oracle APEX/HTMLDB 2.2.1

Patch Information:
This bug is fixed with the patch 2.2.1 of APEX, which is not part of the Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation to 2.2.1. Patches are currently not available for Oracle Application Express.

History:
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
SQL Injection in package XDB.DBMS_XDBZ0
Name: SQL Injection in package XDB.DBMS_XDBZ0 [DB01]/[DB15]
Systems Affected: Oracle 9i Rel.2 - 10g Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html

Details:
The package XDB.DBMS_XDBZ0 contains SQL injection vulnerabilities in the procedures enable_hierarchy_internal [DB01] and disable_hierarchy_internal [DB15]. Oracle fixed this problem by using bind variables and verifying table names.

Patch Information:
Apply the patches for Oracle CPU October 2006.

History:
1-nov-2005 Oracle secalert was informed about both bugs.
18-oct-2006 Oracle published CPU October 2006 [DB01], [DB15]
18-oct-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
SQL Injection in package SYS.DBMS_CDC_IMPDP
Name: SQL Injection in package SYS.DBMS_CDC_IMPDP [DB04]
Systems Affected: Oracle 10g
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp2.html

Details:
The package SYS.DBMS_CDC_IMPDP contains SQL injection vulnerabilities. Oracle fixed this by using dbms_assert.

Patch Information:
Apply the patches for Oracle CPU October 2006.

History:
1-nov-2005 Oracle secalert was informed.
18-oct-2006 Oracle published CPU October 2006 [DB04]
18-oct-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
SQL Injection in Oracle package MDSYS.SDO_LRS
Name: SQL Injection in package MDSYS.SDO_LRS (7569081) [DB13]
Systems Affected: Oracle 9i Rel. 2
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_lrs.html

Details:
The package MDSYS.SDO_LRS contains a SQL injection vulnerability in the first parameter of convert_to_lrs_layer. Oracle forgot to fix this problem with the April CPU. Oracle fixed these vulnerabilities with the package DBMS_ASSERT. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL function.

Sample:
After running the following SQL statement

    select sdo_lrs.convert_to_lrs_layer(''' or 5=5--''','RDS','A',1,1,1,1) from dual;

the following SQL statement will be executed by Oracle:

    SELECT COUNT(*) FROM USER_SDO_INDEX_INFO WHERE TABLE_NAME = '' OR 5=5--'' AND COLUMN_NAME = 'RDS'

Patch Information:
Apply the patches for Oracle CPU October 2006.

History:
19-apr-2006 Oracle secalert was informed
18-oct-2006 Oracle published CPU October 2006 [DB13]
18-oct-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
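The lookup from the sample above is the classic "value inside a single-quoted literal" case: the first parameter is data, not an identifier, so it can be bound. The block below, an added example and not MDSYS code, shows that lookup written with bind variables, the approach the DBMS_SQLTUNE_INTERNAL advisory earlier on this page credits Oracle with. It assumes a schema where the Oracle Spatial view USER_SDO_INDEX_INFO exists; the function name is this example's own.

```plsql
-- Added example (not Oracle/MDSYS code): the USER_SDO_INDEX_INFO lookup
-- with the table and column names passed as bind variables.
CREATE OR REPLACE FUNCTION count_sdo_index_entries (
    p_table_name  IN VARCHAR2,
    p_column_name IN VARCHAR2
) RETURN NUMBER
IS
    l_count NUMBER;
BEGIN
    -- The statement text is fixed; both inputs are compared as data through
    -- :tab and :col, so a value such as  ' or 5=5--  is matched literally
    -- against TABLE_NAME and never becomes part of the parsed SQL.
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM USER_SDO_INDEX_INFO '
     || 'WHERE TABLE_NAME = :tab AND COLUMN_NAME = :col'
    INTO l_count
    USING p_table_name, p_column_name;

    RETURN l_count;
END count_sdo_index_entries;
/

-- Calling it with the advisory's first parameter: the string is just a
-- table name that does not exist, so the comparison simply finds no rows.
DECLARE
    l_n NUMBER;
BEGIN
    l_n := count_sdo_index_entries(''' or 5=5--''', 'RDS');
    DBMS_OUTPUT.PUT_LINE('rows matched: ' || l_n);
END;
/
```

Binding covers WHERE-clause values like these; where a caller-supplied name has to appear in identifier position (ALTER USER, a table name after FROM), binds are not available and the DBMS_ASSERT route of the advisory applies instead.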
Name: Cross-Site-Scripting Vulnerability in Oracle APEX NOTIFICATION_MSG
Systems Affected: Oracle APEX/HTMLDB
Severity: Medium Risk
Category: Cross Site Scripting (XSS/CSS)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 18 October 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_apex_css_notification_msg.html

Details:
The parameter NOTIFICATION_MSG contains a cross site scripting vulnerability.

Affected Products:
Oracle APEX/HTMLDB 2.2.1

Patch Information:
This bug is fixed with the patch 2.2.1 of APEX, which is not part of the Critical Patch Update October 2006. It's necessary to upgrade your APEX/HTMLDB installation to 2.2.1. Patches are currently not available for Oracle Application Express.

History:
03-oct-2005 Oracle secalert was informed
04-oct-2005 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
Various Cross-Site-Scripting Vulnerabilities in Oracle Reports
Name: Various Cross-Site-Scripting Vulnerabilities in Oracle Reports [REP01], [REP02]
Severity: Low Risk
Category: Cross Site Scripting (CSS/XSS)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 18 July 2006 (V 1.0)
Advisory URL: http://www.red-database-security.com/advisory/oracle_reports_css.html

Details:
The Oracle Reports parameters showenv [REP01], parsequery [REP01], cellwrapper [REP02] and delimiter [REP02] are vulnerable to Cross-Site-Scripting.

Affected Products:
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information:
Apply Oracle Critical Patch Update October 2006 (CPU July 2006).

History:
28-aug-2003 Oracle secalert was informed
29-aug-2003 Bug confirmed
17-oct-2006 Oracle published CPU October 2006
18-oct-2006 Red-Database-Security published this advisory

Additional Information:
An analysis of the Oracle CPU Oct 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
Bypassing Oracle dbms_assert
Hey all,

Today I released a new whitepaper "Bypassing Oracle dbms_assert". This technique makes many already fixed Oracle vulnerabilities (SQL Injection) exploitable again.

URL: http://www.red-database-security.com/wp/bypass_dbms_assert.pdf

Summary:
By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the security package dbms_assert and inject SQL code. This makes dozens of already fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 - 10.2.0.2, fully patched with Oracle CPU July 2006).

I informed Oracle about this problem end of April 2006. Oracle has no problem with the release of this information ("Oracle sees no problem with your publication of the white paper.").

Kind Regards
Alexander Kornbrust
Red-Database-Security GmbH
http://www.red-database-security.com
Oracle Database - SQL Injection in SYS.KUPW$WORKER [DB03]
Name: SQL Injection in package SYS.KUPW$WORKER (6980775) [DB03]
Systems: Oracle 10g Release 1
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 18 Jul 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_kupw$worker.html

Details:
The package SYS.KUPW$WORKER contains a SQL injection vulnerability in the MAIN procedure. This procedure is granted to PUBLIC by default. Oracle fixed this vulnerability with the package dbms_assert. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL function.

Patch Information:
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
18-jul-2006 Oracle published CPU July 2006 [DB03]
18-jul-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU July 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html
This document will be updated during the next few days and weeks with the latest information.
Oracle Database - SQL Injection in SYS.DBMS_CDC_IMPDP [DB01]
Name:         SQL Injection in package SYS.DBMS_CDC_IMPDP (6980711) [DB01]
Systems:      Oracle 10g Release 1
Severity:     High Risk
Category:     SQL Injection
Vendor URL:   http://www.oracle.com/
Author:       Alexander Kornbrust (ak at red-database-security.com)
Advisory:     18 Jul 2006 (V 1.00)

Details:
The package SYS.DBMS_CDC_IMPDP contains SQL injection vulnerabilities in the procedures IMPORT_CHANGE_SET, IMPORT_CHANGE_TABLE, IMPORT_CHANGE_COLUMN, IMPORT_SUBSCRIBER, IMPORT_SUBSCRIBED_TABLE, IMPORT_SUBSCRIBED_COLUMN, VALIDATE_IMPORT, VALIDATE_CHANGE_SET, VALIDATE_CHANGE_TABLE, VALIDATE_SUBSCRIPTION. Oracle fixed these vulnerabilities with the package dbms_assert. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL-function.

Patch Information:
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
18-jul-2006 Oracle published CPU July 2006 [DB01]
18-jul-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU July 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html
This document will be updated during the next few days and weeks with the latest information.
Oracle Database - SQL Injection in SYS.DBMS_UPGRADE [DB22]
Name:         SQL Injection in package SYS.DBMS_UPGRADE (6980717) [DB22]
Systems:      Oracle 10g Release 1
Severity:     High Risk
Category:     SQL Injection
Vendor URL:   http://www.oracle.com/
Author:       Alexander Kornbrust (ak at red-database-security.com)
Advisory:     18 Jul 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade.html

Details:
The package SYS.DBMS_UPGRADE contains a SQL injection vulnerability. Oracle fixed these vulnerabilities with the package dbms_assert. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL-function.

Patch Information:
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB22]
18-jul-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU July 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html
This document will be updated during the next few days and weeks with the latest information.
Oracle Database - SQL Injection in SYS.DBMS_STATS [DB21]
Name:         SQL Injection in package SYS.DBMS_STATS (6980751) [DB21]
Systems:      Oracle 10g Release 1
Severity:     High Risk
Category:     SQL Injection
Vendor URL:   http://www.oracle.com/
Author:       Alexander Kornbrust (ak at red-database-security.com)
Advisory:     18 Jul 2006 (V 1.00)
Advisory URL: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_stats.html

Details:
The package SYS.DBMS_STATS contains a SQL injection vulnerability. Oracle fixed these vulnerabilities with the package dbms_assert. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL-function.

Patch Information:
Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-jul-2006 Oracle published CPU July 2006 [DB21]
18-jul-2006 Advisory published

Additional Information:
An analysis of the Oracle CPU July 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html
This document will be updated during the next few days and weeks with the latest information.
SQL Injection in package SYS.DBMS_LOGMNR_SESSION
Name:             SQL Injection in package SYS.DBMS_LOGMNR_SESSION
Systems Affected: Oracle Database
Severity:         Medium Risk
Category:         SQL Injection (DB06)
Vendor URL:       http://www.oracle.com/
Author:           Alexander Kornbrust (ak at red-database-security.com)
Advisory:         18 April 2006 (V 1.00)
Oracle Bugid:     6980723

Details:
The package SYS.DBMS_LOGMNR_SESSION contains a SQL injection vulnerability in the procedure DELETE_FROM_TABLE. Oracle fixed this problem by using the package DBMS_ASSERT.

This advisory:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_logmnr_session.html

Patch Information:
Apply the patches for Oracle CPU April 2006 on top of Oracle 9i Release 2 or Oracle 10g Release 1. The patches are available via Oracle Metalink.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
18-apr-2006 Oracle published CPU April 2006
18-apr-2006 Advisory published

Additional information:
An analysis of the Oracle CPU April 2006 is available here: http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html
Many (40+) open security issues in Oracle are still unfixed: http://www.red-database-security.com/advisory/upcoming_alerts.html
Oracle read-only user can insert/update/delete data via specially crafted views
Dear bugtraq-Reader,

Last Thursday, 6th April 2006, Oracle released a note on the Oracle knowledgebase Metalink with details about an unfixed security vulnerability (=0day) and a working test case (=exploit code) which affects all versions of Oracle from 9.2.0.0 to 10.2.0.3. This note 363848.1 "A User with SELECT Object Privilege on Base Tables Can Delete Rows from a View" was available last week to Metalink customers. The note was also displayed in the daily headlines section of Metalink. That's why this information can be assumed to be public knowledge, and DBAs/Developers who missed the note on Metalink should know this vulnerability in order to avoid/mitigate the risk (if possible) whilst waiting for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such information on Metalink is not a wise idea. Oracle normally criticises individuals and/or companies for releasing information about Oracle vulnerabilities (like David Litchfield from NGSSoftware for releasing information on a still-unfixed bug in the mod_plsql gateway). In this case, not only did Oracle release detailed information on the vulnerability; they also included the working exploit code on Metalink.

In an interview, the Oracle CSO stated: "I've known customers to terminate contracts for releasing exploit code ... you might get applause from hackers but business will not pay you to slit their throats. With knowledge comes responsibility."

After my email, Oracle removed the note from Metalink.

Problem:
In Oracle versions 9.2.0.0-10.2.0.3 there exists an unpatched vulnerability which allows users with SELECT-only privileges on a base table to insert/update/delete data via a specially crafted view. The impact of this vulnerability on the Oracle data dictionary is low because most data dictionary tables don't have a primary key, which is a requirement for this vulnerability.

The impact on custom applications can be huge and eliminate the entire role concept, because in well designed applications there is normally a read-only role for low-privilege users (e.g. reporting or external auditors). If these low-privileged users are able to create a view, which is standard in Oracle 9.2.x to 10g R1, they could also insert, update and delete data via a specially crafted view. Depending on the architecture, it is possible to modify data, escalate privileges, ...

Test cases:
Oracle provided a complete test case in note 363848.1. I decided not to publish such code on the internet as long as patches are not available. If you need additional information you could contact me via email. A test case (without the specially crafted view) is available on my website: http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html

Patches:
Currently there are no patches available. According to Oracle secalert, Oracle will provide patches in a future critical patch update. Red-Database-Security is not convinced that the April 2006 CPU will contain patches against this vulnerability.

Workarounds / Risk Mitigation:
Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW (and CREATE DATABASE LINK, ...) privilege from the connect role.
Removing the primary key from the base table solves the problem too. Be aware that this could cause performance and integrity issues on the application.
Oracle recommends creating views with the option WITH CHECK OPTION. This recommendation helps against accidental modification but not against hackers.

Credits:
Special thanks to Jens Flasche, who made Red-Database-Security aware of the Metalink note, for the first analysis and additional test cases.

URLs:
Interview: Oracle CSO - Mary Ann Davidson: http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html
Metalink Hacking: http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf

--
Are you interested in additional information about Oracle security?
Our next Oracle Anti-Hacker-Training:
23-may - 26-may (4 days (english) Milano / Italy)
29-may - 2-june (5 days (english) Cupertino [CA] / U.S.A)
19-june - 23-june (5 days (german) Oberursel/Frankfurt / Germany)
--
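The workaround in the post above ("sanitize the connect role") and the note in the package advisories that SYS.KUPW$WORKER is executable by PUBLIC both come down to a privilege review. The following Python is an added example for this page, not a tool from Red-Database-Security or Oracle: it reads two exports in the shape of DBA_SYS_PRIVS and DBA_TAB_PRIVS (the sample rows are constructed) and flags the CONNECT-role privileges the post names and PUBLIC execute grants on the SYS packages named in this thread. The CSV column names, the export format and the idea that DBMS_STATS on an unpatched 10g Release 1 is worth a second look are assumptions of the example.

```python
import csv
import io

# Packages named in this thread's advisories; PUBLIC execute on them is worth
# reviewing on a 10g Release 1 that has not received CPU April/July 2006.
ADVISORY_PACKAGES = {'KUPW$WORKER', 'DBMS_CDC_IMPDP', 'DBMS_UPGRADE', 'DBMS_STATS',
                     'DBMS_LOGMNR_SESSION', 'KUPV$FT', 'KUPV$FT_INT'}

# System privileges the post says should be removed from CONNECT (9i - 10g R1).
RISKY_CONNECT_PRIVS = {'CREATE VIEW', 'CREATE DATABASE LINK'}

# Constructed sample exports. In a real review they would come from, for example:
#   select grantee, privilege from dba_sys_privs;
#   select grantee, owner, table_name, privilege from dba_tab_privs
#    where grantee = 'PUBLIC';
SYS_PRIVS_CSV = """GRANTEE,PRIVILEGE
CONNECT,CREATE SESSION
CONNECT,CREATE VIEW
CONNECT,CREATE DATABASE LINK
RESOURCE,CREATE PROCEDURE
REPORT_RO,CREATE SESSION
"""

TAB_PRIVS_CSV = """GRANTEE,OWNER,TABLE_NAME,PRIVILEGE
PUBLIC,SYS,KUPW$WORKER,EXECUTE
PUBLIC,SYS,DBMS_STATS,EXECUTE
PUBLIC,SYS,DBMS_OUTPUT,EXECUTE
REPORT_RO,APP,ORDERS,SELECT
"""


def _rows(csv_text):
    """Parse a header-first CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_privileges(sys_privs_csv, tab_privs_csv):
    """Return a list of (check, grantee, object) findings, in export order.

    check is 'connect-role' for a risky system privilege held by CONNECT and
    'public-execute' for a PUBLIC execute grant on one of the advisory packages."""
    findings = []
    for r in _rows(sys_privs_csv):
        if r['GRANTEE'] == 'CONNECT' and r['PRIVILEGE'] in RISKY_CONNECT_PRIVS:
            findings.append(('connect-role', 'CONNECT', r['PRIVILEGE']))
    for r in _rows(tab_privs_csv):
        if (r['GRANTEE'] == 'PUBLIC' and r['PRIVILEGE'] == 'EXECUTE'
                and r['OWNER'] == 'SYS' and r['TABLE_NAME'] in ADVISORY_PACKAGES):
            findings.append(('public-execute', 'PUBLIC', r['TABLE_NAME']))
    return findings


if __name__ == '__main__':
    for check, grantee, obj in audit_privileges(SYS_PRIVS_CSV, TAB_PRIVS_CSV):
        print("%-15s %-8s %s" % (check, grantee, obj))
```

Run against the constructed data it reports the two CONNECT privileges the post tells you to revoke and the two PUBLIC execute grants; DBMS_OUTPUT and the application SELECT grant are left alone. Revoking execute on DBMS_STATS from PUBLIC breaks legitimate use, so that finding is a prompt to confirm the CPU is applied rather than an instruction to revoke.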
Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html

SQL Injection in package SYS.KUPV$FT

Name:       SQL Injection in package SYS.KUPV$FT
Affected:   Oracle 10g Release 1
Severity:   High Risk
Category:   SQL Injection
Vendor URL: http://www.oracle.com/
Author:     Alexander Kornbrust (ak at red-database-security.com)
Advisory:   17 Jan 2006 (V 1.00)

Details:
The package SYS.KUPV$FT contains 3 SQL injection vulnerabilities in the functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle fixed these vulnerabilities with the package dbms_assert.

Patch Information:
Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.

History:
01-nov-2005 Oracle secalert was informed
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html
Oracle Database 10g Rel. 1 - SQL Injection in SYS.KUPV$FT_INT
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html

Name:       SQL Injection in package SYS.KUPV$FT_INT
Affected:   Oracle 10g Release 1
Severity:   High Risk
Category:   SQL Injection
Vendor URL: http://www.oracle.com/
Author:     Alexander Kornbrust (ak at red-database-security.com)
Advisory:   17 Jan 2006 (V 1.00)

Details:
The package SYS.KUPV$FT_INT contains 16 SQL injection vulnerabilities in the functions ATTACH_JOB, OPEN_JOB, HAS_PRIVS. Oracle is now using bind variables to fix these vulnerabilities.

Patch Information:
Apply the patches for Oracle CPU Jan 2006 on top of Oracle 10g Release 1.

History:
01-nov-2005 Oracle secalert was informed about vulnerabilities in ACTIVE_JOB, ATTACH_JOB, ATTACH_POSSIBLE, CREATE_NEW_JOB, DELETE_JOB, UPDATE_JOB
02-nov-2005 Oracle secalert asked for an exploit
17-jan-2006 Oracle published CPU January 2006
17-jan-2006 Advisory published

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/published_alerts.html
Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartext
Name:        Event 10053 logs TDE wallet password in cleartext
Systems:     Oracle Database 10g Release 2
Severity:    High Risk
Category:    Information disclosure
Vendor URL:  http://www.oracle.com/
Author:      Alexander Kornbrust (ak at red-database-security.com)
Date:        17 January 2005 (V 1.00)
Oracle Bug:  5802023
Time to fix: 190 days

Details:
The event 10053 is storing the masterkey of Oracle Transparent Data Encryption unencrypted in a trace-file. A skilled attacker or non-security DBA could set this special event to get the plaintext masterkey for the TDE encryption.

Test case:
SQL> alter session set events='10053 trace name context forever, level 1';
Session altered.

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword;
System altered.

Excerpt from trace file:
[...]
Current SQL statement for this session:
ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword
[...]

Patch Information:
Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2.

History:
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
Oracle Reports - Read parts of files via desname (fixed after 874 days)
Read parts of any file via desformat in Oracle Reports

Name:        Read parts of any file via desformat in Oracle Reports
Severity:    Medium Risk
Category:    Information disclosure
Vendor URL:  http://www.oracle.com/
Author:      Alexander Kornbrust (ak at red-database-security.com)
Date:        25 August 2005 (V 1.02)
Cert:        VU#925261
CVE:         CAN-2005-2378
Oracle Bug:  5883621
Time to fix: 874 days ago

Details:
Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as reporting tool for their enterprise applications.

The Oracle Reports parameter desformat can read any file by using an absolute or relative file name. Parts of the file content are displayed in the Reports error message (see test case).

The DESFORMAT parameter specifies the format for the job output. In bit-mapped environments, use DESFORMAT to specify the printer driver to be used when DESTYPE is FILE. In character-mode environments, use it to specify the characteristics of the printer named in DESNAME.

Affected Products:
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information:
This bug is finally fixed with Critical Patch Update January 2006.

Testcase:
http://myserver:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=scott/[EMAIL PROTECTED]/etc/passwd

*** Reports Output
REP-3002: Error in column 5 of line 1 of printer definition file /etc/passwd: Unknown keyword root.
REP-3002: Error initializing printer. Please make sure a printer is installed.
*** Reports Output

History:
27-aug-2003 Oracle secalert was informed
27-aug-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability would be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
25-aug-2005 CVE number added
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
Oracle Reports - Overwrite any application server file via desname (fixed after 889 days)
Name:        Overwrite any file via desname in Oracle Reports
Severity:    High Risk
Category:    File overwrite
Vendor URL:  http://www.oracle.com/
Author:      Alexander Kornbrust (ak at red-database-security.com)
Date:        25 August 2005 (V 1.02)
Cert:        VU#472148
CVE:         CAN-2005-2371
Oracle Bug:  5883603
Time to fix: 889 days ago

Details:
Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as reporting tool for their enterprise applications.

By specifying a special value for the parameter desname, Oracle Reports can overwrite any file on the application server. On Windows systems an attacker can overwrite any files (e.g. boot.ini) on the application server. On UNIX systems an attacker can overwrite all files (e.g. opmn.xml) which belong to the Oracle Application Server user. This attack can be done with a simple URL.

Affected Products:
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information:
This bug is finally fixed with Critical Patch Update January 2006.

Testcase:
Overwrite the boot.ini with the ../-syntax with PDF output (on a Windows system)
http://myserver.com:7779/reports/rwservlet?server=repserv+userid=scott/[EMAIL PROTECTED]/../../boot.ini

Overwrite the boot.ini via an absolute path with PDF output (on a Windows system)
http://myserver.com:7779/reports/rwservlet?server=repserv+userid=scott/[EMAIL PROTECTED]:\boot.ini

Overwrite the file httpd.conf with PDF output (on a UNIX system)
http://myserver.com:7779/reports/rwservlet?server=repserv+myconn+report=anyreport.rdf+destype=file+desformat=PDF+desname=/oracle/iasapp/Apache/Apache/conf/httpd.conf

Overwrite any report (or form) with PDF output (on a UNIX system)
http://myserver.com:7779/reports/rwservlet?server=repserv+myconn+report=anyreport.rdf+destype=file+desformat=PDF+desname=/oracle/iasapp/reports/anyreport.rdf

History:
12-aug-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability would be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
16-sep-2005 Workaround was incomplete and is now correct (Thanks to D. Nachbar for this information)
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
Oracle Reports - Read parts of files via customize(fixed after 875 days)
Read parts of any XML-file via customize parameter in Oracle Reports

Name:        Read parts of any XML-file via customize parameter
Severity:    Medium Risk
Category:    Information disclosure
Vendor URL:  http://www.oracle.com/
Author:      Alexander Kornbrust (ak at red-database-security.com)
Date:        25 August 2005 (V 1.02)
Cert:        VU#277757
Oracle Bug:  5882923
Time to fix: 875 days ago

Details:
Oracle Reports is Oracle's award-winning, high-fidelity enterprise reporting tool. It enables businesses to give immediate access to information to all levels within and outside of the organization in an unrivaled scalable and secure environment. Oracle Reports, a component of the Oracle Application Server, is used by Oracle itself for the E-Business Suite. Many large customers are using Oracle Reports as reporting tool for their enterprise applications.

The Oracle Reports parameter customize can read any file by using an absolute or relative file name. Parts of the file content are displayed in the Reports error message (see test case).

Affected Products:
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information:
This bug is finally fixed with Critical Patch Update January 2006.

Testcase:
http://myserver:7778/reports/rwservlet?server=myserver+report=test.rdf+userid=scott/[EMAIL PROTECTED]
+destype=cache+desformat=xml+CUSTOMIZE=/opt/ORACLE/ias/oracle/product/9.
+0.2/webcache/webcache.xml

*** Reports Output
REP--866648059: Error in the XML report definition at line 3 in ' Element 'CALYPSO' used but not declared.'.
*** Reports Output

History:
26-aug-2003 Oracle secalert was informed
27-aug-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability would be published after CPU July 2005. Red-Database-Security offered Oracle more time if it is not possible to provide a fix == NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
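The three Oracle Reports advisories above (desformat, desname, customize) share one root cause: a request parameter is used as a file name without being confined to a directory the server intends to read or write. The following Python is an added example for this page, not Oracle's code and not a patch for Oracle Reports: it shows the check a front end or filter in front of such a servlet should perform, rejecting the shapes visible in the test cases (`../` traversal, absolute paths, drive-letter paths) and pinning desformat to an allowlist of output formats instead of treating it as a file name. The base directory, the format allowlist and the function names are assumptions of the example.

```python
import ntpath
import posixpath

# Site-specific allowlist of output formats (assumption; the real DESFORMAT value
# set is larger). DESFORMAT is treated as a keyword, never as a path.
ALLOWED_DESFORMAT = {'PDF', 'HTML', 'HTMLCSS', 'XML', 'RTF', 'DELIMITED'}
MAX_NAME = 255


def confine(base_dir, user_path):
    """Return base_dir/user_path if user_path is a plain relative file name that
    stays inside base_dir, otherwise raise ValueError.

    Rejects the two shapes shown in the advisory test cases (../ traversal and an
    absolute or drive-letter path) plus backslashes, NUL bytes and empty or
    dot-only path segments. Checks are lexical so no filesystem access is needed."""
    if not user_path or len(user_path) > MAX_NAME:
        raise ValueError("empty or over-long name")
    if '\\' in user_path or '\x00' in user_path:
        raise ValueError("backslash or NUL in name")
    if posixpath.isabs(user_path) or ntpath.splitdrive(user_path)[0]:
        raise ValueError("absolute path or drive letter")
    if any(seg in ('', '.', '..') for seg in user_path.split('/')):
        raise ValueError("dot, dot-dot or empty path segment")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if not candidate.startswith(base + '/'):
        raise ValueError("escapes base directory")
    return candidate


def is_confined(base_dir, user_path):
    """Boolean wrapper around confine() for quick checks and tests."""
    try:
        confine(base_dir, user_path)
        return True
    except ValueError:
        return False


def validate_report_request(base_dir, desformat, desname=None, customize=None):
    """Validate the three parameters from the advisories and return the resolved
    values to pass on; desformat must be an allowed keyword, desname and customize
    must resolve inside base_dir."""
    fmt = desformat.upper()
    if fmt not in ALLOWED_DESFORMAT:
        raise ValueError("desformat not allowed: %r" % desformat)
    result = {'desformat': fmt}
    if desname is not None:
        result['desname'] = confine(base_dir, desname)
    if customize is not None:
        result['customize'] = confine(base_dir, customize)
    return result


if __name__ == '__main__':
    base = '/srv/reports/out'   # hypothetical output directory
    for p in ['q1/sales.pdf', '../../boot.ini', 'c:\\boot.ini', '/etc/passwd']:
        print("%-18s confined=%s" % (p, is_confined(base, p)))
    print(validate_report_request(base, 'pdf', desname='q1/sales.pdf'))
```

The check is deliberately strict rather than clever: instead of trying to canonicalise hostile input, it accepts only names made of ordinary segments and refuses everything else, which is the posture you want in front of a component that turns a URL parameter into a file handle.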
Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA
Transparent Data Encryption stores key unencrypted in the SGA

Name:        Transparent Data Encryption stores key unencrypted in the SGA
Affected:    Oracle Database 10g Release 2
Severity:    High Risk
Category:    Information disclosure
Vendor URL:  http://www.oracle.com/
Author:      Alexander Kornbrust (ak at red-database-security.com)
Date:        17 January 2005 (V 1.00)
Oracle Bug:  5802173
Time to fix: 190 days

Details:
The Oracle security feature Transparent Data Encryption is storing the masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can retrieve the plaintext masterkey.

Test case:
SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword;
System altered.

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

[EMAIL PROTECTED] /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin
[EMAIL PROTECTED] /]$ cd /tmp
[EMAIL PROTECTED] /]$ dumpsga
[EMAIL PROTECTED] /]$ strings * | grep -iH secretpassword
secretpassword
secretpassword
secretpassword

Excerpt from the SGA:
[...]
/oracle/10.2.0/admin/ora01/wallet/^@[EMAIL PROTECTED]@[EMAIL PROTECTED]/10.2.0/admin/ora10201/wallet/[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED]@[EMAIL PROTECTED] [EMAIL PROTECTED]@0êd$L4^L¿^Xp /¹]/º8f[EMAIL PROTECTED]@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[...]

Patch Information:
Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2.

History:
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory

© 2006 by Red-Database-Security GmbH
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
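Both TDE advisories on this page (the event 10053 trace file and the SGA dump) end with the same verification step: the wallet password turns up in plain text in a file on the database host, and the test case finds it with strings and grep. The following Python is an added example for this page, not code from Red-Database-Security or Oracle: it generalises that check into a scanner a DBA can run over a trace directory or a dump after applying the CPU, locating ALTER SYSTEM SET WALLET OPEN statements in arbitrary bytes (text or binary, either wallet syntax, quoted or bare password) and producing a redacted copy so the evidence can be kept without the secret. The sample trace and dump bytes are constructed; the statement syntax follows the advisory test cases.

```python
import re

# Matches the wallet-open statement in raw bytes. Accepts the 10gR2 form shown
# in the advisory and the later "SET ENCRYPTION WALLET" form; the password may
# be a bare token or a double-quoted string. Case-insensitive because trace
# files reproduce the statement as typed.
WALLET_OPEN_RE = re.compile(
    rb'ALTER\s+SYSTEM\s+SET\s+(?:ENCRYPTION\s+)?WALLET\s+OPEN\s+IDENTIFIED\s+BY\s+'
    rb'("[^"]*"|[^\s;]+)',
    re.IGNORECASE)

# Constructed trace-file excerpt in the shape of the advisory's test case.
TRACE_SAMPLE = (
    b"*** 2006-01-17 10:00:00.000\n"
    b"Current SQL statement for this session:\n"
    b"ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY secretpassword\n"
    b"*** end of trace excerpt\n")

# Constructed binary blob standing in for a dumped SGA segment.
SGA_SAMPLE = (b"\x00\x01file:/oracle/10.2.0/admin/ora10201/wallet\x00\x7f"
              b"alter system set wallet open identified by \"secretpassword\";\x00\x00")


def find_wallet_secrets(blob):
    """Return [(offset, secret_bytes)] for every wallet password found in blob."""
    return [(m.start(1), m.group(1)) for m in WALLET_OPEN_RE.finditer(blob)]


def redact(blob, mask=b'********'):
    """Return a copy of blob with every wallet password replaced by mask, keeping
    the statement itself so the finding stays recognisable."""
    def _mask(m):
        prefix = m.group(0)[: m.start(1) - m.start()]
        return prefix + mask
    return WALLET_OPEN_RE.sub(_mask, blob)


def scan_blobs(named_blobs):
    """Scan {name: bytes} and return [(name, offset)] for every hit, which is the
    list a DBA would want after patching: it should be empty."""
    hits = []
    for name, blob in named_blobs.items():
        for offset, _secret in find_wallet_secrets(blob):
            hits.append((name, offset))
    return hits


if __name__ == '__main__':
    for name, offset in scan_blobs({'ora_ora.trc': TRACE_SAMPLE,
                                    'sga.dump': SGA_SAMPLE}):
        print("wallet password exposed in %s at offset %d" % (name, offset))
    print(redact(TRACE_SAMPLE).decode('ascii', 'replace'))
```

For real use, read each trace file or dump with `open(path, 'rb')` and feed the bytes to `scan_blobs`; the regex works on raw bytes, so binary dumps need no pre-processing with strings. A non-empty hit list after the CPU is applied means the trace directory still holds pre-patch files that should be purged.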
M$ VPN hole reported
http://zdnet.com.com/2100-1105-964057.html