[ISN] How to hack unbreakable Oracle servers

From: InfoSec News (isnat_private)
Date: Thu Feb 07 2002 - 22:48:24 PST

  • Next message: InfoSec News: "[ISN] Russian hacker arrested in bank extortion case"

    By Thomas C Greene in Washington
    Posted: 07/02/2002 at 20:53 GMT
    Security researcher David Litchfield has identified a vast number of
    attacks against Oracle application servers and has written them up in
    a paper[1] which includes defensive strategies as well.
    From this we learn, contrary to Oracle President Larry Ellison's
    claims, that Oracle is vulnerable to buffer overflow attacks, DoS
    attacks, and remote exploitation to name but a few difficulties.
    Litchfield willingly allows that Oracle makes the most secure product
    on the market, and compliments Oracle for its obvious dedication to
    security. But as for being unbreakable, well, we all know that nothing
    First up we have a PL/SQL buffer overrun vulnerability. This is in the
    Apache front end affecting Windows NT/2K, where Apache runs in the
    System (root) account and consequently allows code to run with full
    One problem is that the admin help pages are not PW protected. Thus a
    call to one of the pages can initiate a buffer overflow if it contains
    enough garbage (around 1K bytes). A quick fix would be to alter the
    admin path with something unique, making it difficult to guess.
    Next, a directory traversal is possible due to a URL decoding glitch.  
    This would allow an attacker to move from the Web environment to read
    files readable to the OS.
    It's also possible to administer PL/SQL DADs (Database Access
    Descriptors) without authentication, Litchfield has discovered. An
    obvious goal in this case would be to add a password so the attacker
    can escalate his privileges.
    These are only the first three taken in order for illustration. There
    are in fact scores of attacks listed in this compendium, including
    authentication bypassing, path mapping, SOAP vulnerabilities, weak
    default paths, and terribly guessable or forcable default passwords
    (examples are provided -- but system/manager is our absolute
    Litchfield's paper should be required reading for anyone who owns or
    administers an unbreakable Oracle box.
    [1] http://www.nextgenss.com/papers/hpoas.pdf
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 02:44:29 PST