Bugtraq mailing list archives

Re: Oracle WebDb engine brain-damage


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 21 Dec 2000 01:04:01 +0100

I would like to explain some issues related to this bug report. I've
received some critical responses, and some people missed the point of this
advisory:

First of all, there were TWO separate bugs reported - an IAS bug allowing
an attacker to inject PL/SQL queries and/or other code within an external
HTTP query, and a WebDB bug allowing unauthorized proxy reconfiguration
attempts (the second problem is common in WebDB+Apache configurations):

* The risk related to the first problem depends on the privileges with
  which the PL/SQL query is processed; in multi-user, structured systems
  where privileges are strictly controlled, the impact is less damaging
  (e.g. if this user can't access any tables, create any objects, and can
  call only public procedures that are secure). This means on most
  installations, the problem persists and is real.

* The second problem has a really huge security impact on almost every
  system (including those listed as examples, e.g. www.oracle.com)
  which is using Apache integrated with the WebDB interface (no information
  about other systems).

The second issue I would like to bring up here is some legal / ethical
problems:

* I've tried to provide useful information, which can be verified
  easily and can be used to defend against attacks; this approach has
  some costs: for example, I *HAD* to provide examples proving the
  problem exists (I haven't provided any complete break-in example, but
  referred to examples of how to check if you are vulnerable and proofs
  that numerous sites are affected, including the vendor's site); I believe
  I haven't provided any information a smart attacker couldn't collect
  or find on his own given enough time. Unfortunately, most of us
  - system administrators - do not have as much time as blackhats for
  investigating such issues. Effectively, I've made administrators'
  task much easier. If you believe providing incomplete / useless
  information would be better, I wouldn't agree.

* Vendor notification: I am not working for Oracle and I can't find any
  reason to provide them confidential security audits for free, giving
  them enough time to fix the problem silently. That's why I've decided
  to disclose this information about observed functionality, not violating
  copyrights or other laws, as a result of my experiments based on
  publicly available knowledge and techniques. On the other hand, I would
  like to minimize eventual damage caused to Oracle clients; that's
  obvious. That's why I've chosen this form of publication - informative to
  both sides, but - instead of CERT-like advisories - giving administrators
  better chances - because they have all the information required for
  eventual testing and fixing, while blackhats do not have an exploit or
  all the knowledge required to write it. Sorry, that's my point of view.

Thank you,
--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=