[ISN] How to hack unbreakable Oracle servers

From: InfoSec News (isnat_private)
Date: Thu Feb 07 2002 - 22:48:24 PST

Next message: InfoSec News: "[ISN] Russian hacker arrested in bank extortion case"

Previous message: InfoSec News: "[ISN] Teen Anarchist's Supporters Accuse FBI Of AIM Hack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.theregister.co.uk/content/4/23979.html

By Thomas C Greene in Washington
Posted: 07/02/2002 at 20:53 GMT

Security researcher David Litchfield has identified a vast number of
attacks against Oracle application servers and has written them up in
a paper[1] which includes defensive strategies as well.

From this we learn, contrary to Oracle President Larry Ellison's
claims, that Oracle is vulnerable to buffer overflow attacks, DoS
attacks, and remote exploitation to name but a few difficulties.

Litchfield willingly allows that Oracle makes the most secure product
on the market, and compliments Oracle for its obvious dedication to
security. But as for being unbreakable, well, we all know that nothing
is.

First up we have a PL/SQL buffer overrun vulnerability. This is in the
Apache front end affecting Windows NT/2K, where Apache runs in the
System (root) account and consequently allows code to run with full
privileges.

One problem is that the admin help pages are not PW protected. Thus a
call to one of the pages can initiate a buffer overflow if it contains
enough garbage (around 1K bytes). A quick fix would be to alter the
admin path with something unique, making it difficult to guess.

Next, a directory traversal is possible due to a URL decoding glitch.  
This would allow an attacker to move from the Web environment to read
files readable to the OS.

It's also possible to administer PL/SQL DADs (Database Access
Descriptors) without authentication, Litchfield has discovered. An
obvious goal in this case would be to add a password so the attacker
can escalate his privileges.

These are only the first three taken in order for illustration. There
are in fact scores of attacks listed in this compendium, including
authentication bypassing, path mapping, SOAP vulnerabilities, weak
default paths, and terribly guessable or forcable default passwords
(examples are provided -- but system/manager is our absolute
favorite).

Litchfield's paper should be required reading for anyone who owns or
administers an unbreakable Oracle box.


[1] http://www.nextgenss.com/papers/hpoas.pdf



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] Russian hacker arrested in bank extortion case"
Previous message: InfoSec News: "[ISN] Teen Anarchist's Supporters Accuse FBI Of AIM Hack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 02:44:29 PST