Bugtraq mailing list archives

Re: question about oracle advisory


From: "David Litchfield" <david () ngssoftware com>
Date: Wed, 6 Aug 2003 16:54:00 -0700

Hello Daymon and All,

I have CC'd in the Oracle Security Team....

> Do you have any plans to release proof of concept code for the Oracle
> exploit? The reason I ask is that "due to architectural constraints,"
> Oracle is not planning on releasing a patch for 8i releases. We contacted
> them about this, but they're sticking to their guns about the exploit
> requiring Oracle authentication, and thus being a low(er)-risk
> vulnerability.

I know Oracle 9 is vulnerable and can be exploited without a user ID or
password. I demonstrated an exploit for this problem at the European
Blackhat Security Briefings. I know a number of the Oracle security guys
have actually read the associated paper and are (or at least should be)
_FULLY_ aware that this vulnerability _CAN_ be exploited without
credentials. Oracle: let me know if you need more proof of this and I can
send you the exploit.

As this new bug was introduced in the patch for the problem I reported
here - http://www.nextgenss.com/advisories/oraplsextproc.txt - and Oracle
will not give out patches to those who are not customers, I've never had the
opportunity to test this on 8.

At an educated guess, however, I believe 8 will be the same as 9.

> To quote the analyst that responded, "I'm not able to comment on David
> Litchfield's claims, but with SECURITY ALERT 57, you need the CREATE LIBRARY
> or the CREATE ANY LIBRARY privilege. The exploit is dependent on these
> privileges, so if they are not granted to users, the exploit fails. How a
> user could exploit these without being able to connect is difficult to even
> imagine."

The analyst should do more analysis then. It is really very simple.


> I'd like to see them put out a patch for this, but without some more proof
> of the anonymous exploit, and motivation to fix the problem regardless of
> "architectural constraints", I don't think they will.

I believe the Oracle security guys know this can be done without credentials
and if this is the case then it seems that one hand is not speaking to the
other. If however, the Oracle security guys believe this is not exploitable
without a userID and password then let me know. I'm more than happy to
supply Oracle with the exploit.

Can we get this resolved, once and for all, please?

Thank you,
David Litchfield
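Added example (not part of Litchfield's post, and not an Oracle-supplied check): the Oracle analyst quoted above says the Alert 57 exploit depends on CREATE LIBRARY or CREATE ANY LIBRARY being granted. A DBA on an unpatched 8i or 9i instance who wants to know that exposure can list every user holding either privilege, directly or through a role, with the standard data dictionary views. Old-style joins are used so it also runs on 8i, which predates ANSI join syntax. The view and privilege names are real Oracle identifiers; the query itself is this editor's, not from the thread.

```sql
-- Who holds CREATE LIBRARY / CREATE ANY LIBRARY on this instance?
-- Run as a DBA (needs SELECT on DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS).
-- Added example; assumes only the standard Oracle data dictionary views.

-- Privileges granted directly to a user account
SELECT u.username          AS grantee,
       sp.privilege,
       'DIRECT'            AS via
  FROM dba_sys_privs sp,
       dba_users     u
 WHERE sp.grantee   = u.username
   AND sp.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
UNION
-- Privileges a user inherits through a role granted to the account
SELECT rp.grantee          AS grantee,
       sp.privilege,
       rp.granted_role     AS via
  FROM dba_role_privs rp,
       dba_sys_privs  sp,
       dba_users      u
 WHERE sp.grantee   = rp.granted_role
   AND rp.grantee   = u.username
   AND sp.privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY 1, 2;
```

The second branch only walks one level of role membership; roles granted to roles need a CONNECT BY PRIOR walk of DBA_ROLE_PRIVS (START WITH the user's roles, CONNECT BY PRIOR granted_role = grantee) before joining to DBA_SYS_PRIVS. Note the caveat the thread itself raises: this query measures only the authenticated exposure the Oracle analyst describes. If, as Litchfield states, the bug can be reached without a user ID or password, an empty result from this query does not mean the instance is safe.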
