[ISN] Gadfly zeroes in on Oracle bugs

From: InfoSec News (alerts@private)
Date: Tue Mar 06 2007 - 22:19:51 PST


By Joris Evers
Staff Writer, CNET News.com
March 6, 2007

ARLINGTON, Va. -- Don't even try to tell David Litchfield that Oracle is 

Litchfield, a noted bug hunter, has made it his mission to tell the 
world that database software is insecure--Oracle's database software in 
particular. Litchfield has been vocal in his criticism of Oracle, even 
calling for the resignation of Oracle Chief Security Officer Mary Ann 

For too long, Oracle and its customers have stuck their heads in the 
sand when it comes to security, according to Litchfield. And Oracle has 
taken the wrong approach to address mounting security concerns, he 

Litchfield, co-founder of Next Generation Security Software in the U.K., 
is on a crusade. In January he published The Oracle Hacker's Handbook [1]. 
The book, according to its cover, offers readers a complete arsenal to 
assess and defend Oracle systems.

While dissing Oracle, Litchfield is cheerleading for Microsoft. He has 
publicly stated that SQL Server 2005, the latest version of Microsoft's 
database software, is secure. This must hurt at Oracle, a Microsoft arch 
rival, which has already seen a significant piece of the database market 
go to the Redmond, Wash.-based software giant.

When not hunting for bugs, Litchfield likes to go out with his two 
greyhounds, and he helps charities find homes for other canines. In 
fact, he is so passionate about his dogs that he dedicated The Oracle 
Hacker's Handbook to his wife and two girls, the girls being his 

At last week's Black Hat DC event, Litchfield discussed a new attack 
technique that increases the severity of certain vulnerabilities in 
Oracle's database software. He sat down with CNET News.com at the event 
to explain why such disclosures are necessary.

Q: Why are you into database security? There's so much other software 
out there.

Litchfield: Because that's where the crown jewels are for any 
organization. Every organization on this planet has a database and 
that's where the lifeblood of that organization exists. Where better to 
secure it than at the source. We can secure it at the perimeter, but 
with vulnerabilities like SQL injection, that security is completely 

Despite having a firewall, despite having the Web server locked down, an 
SQL injection flaw in your Web app takes us all the way through to the 
back end of the database server. If that database is not using the 
principle of least privilege or is not fully patched, then we can gain 
full access to the database server and suck out all your data. The 
database has to be secured. The problem is that nobody has ever really 
dealt with the back end until recently. It has always been about 
securing the perimeter.

Lately you have especially been looking closely at Oracle's databases. 
Is there a specific reason that you're looking at Oracle more than 
Microsoft or IBM?

Litchfield: Yes. SQL Server 2005 is secure. (Microsoft has) solved the 
problem. Oracle is in the process of solving that problem. IBM, I have 
looked at DB2 and Informix and sent them a bunch of bugs, probably about 
50, ranging from buffer overflows to privilege escalation issues. But 
IBM's security response was mature. In the most recent past, the Oracle 
security response was not so mature. They have been combative, as 
opposed to: "This guy is just trying to make our products more secure." 
But it is getting better. Oracle is beginning to understand that we're 
fighting on the same side, just from different perspectives.

When a vendor like Oracle becomes more combative, you become more 
combative as well?

Litchfield: I will. It is unfortunate that it happens that way, but if 
you have to defend yourself, then you should defend yourself. I would 
rather be working, like I do with Microsoft and IBM, with their security 
response team. We've got good relationships with Microsoft and IBM. What 
better way to get things done than have a good relationship, as opposed 
to sniping at each other from the gutter.

My relationship has gotten slightly better with Oracle, and they 
understand that it's not so much a battle of wills. I'm trying to make 
them aware of these problems in their database because it affects me 
indirectly. If someone breaks into that database server and steals my 
information, then I'm paying for it, not Oracle.

Some might think that it's some sort of an extortion game that's being 

Litchfield: I've never asked Oracle for money. If people think that, 
they are ill-informed.

And Microsoft doesn't pay you to say SQL Server 2005 is secure.

Litchfield: I'm not being paid by Microsoft to say they're secure, and 
if anyone is going find a bug in SQL Server 2005, it better be me. It 
would undermine my ability to be able to say in the future that a 
product is secure if bugs are found by anyone else. So, if there are 
bugs in SQL Server 2005, I hope I'm the one who finds them, and I'm 

What's the business of NGS Software?

Litchfield: There are three sides to the business. We sell tools to help 
assess your state of vulnerability and whether you're compliant with 
Sarbanes-Oxley, etc. We consult to a number of organizations, and we 
also do vulnerability research and sell that research.

What types of organizations are your typical research customers?

Litchfield: Government organizations, those who are responsible for 
critical national infrastructure and the protection thereof. We try to 
give them advance warning of security problems. We can tell them that 
there's a flaw in a particular product, along with a risk mitigation 
strategy. Even in the absence of a vendor-supplied patch, these systems 
will be protected.

NGS has been growing over the past years. Where is the demand?

Litchfield: It's mostly in consultancy, which is a bit of a shame 
because I set out to build a software company and we're more of a 
consultancy. That's one of my personal failures though and I've not 
given up. We will be a software company at some stage.

What does a typical consultant do?

Litchfield: He might do penetration tests, code reviews or threat 
modeling. It is not installing firewalls; our consultants do the 
high-end stuff.

What is it that drives you to get up and do your job every day?

Litchfield: Well, I'm good at it, and if you're good at something, 
you've got more drive to do. If I was a good painter, I would paint 
more, you know. But since I am crap, I don't bother doing that. I enjoy 
the work.

Particularly the bug hunting part of it?

Litchfield: Yes, it's just a question of analysis. If I were trying to 
subvert the system, how would I do it? The other reason is that it has 
an effect on everyone's lives. Now, it's not like I'm curing cancer, but 
I know that one database server tomorrow is going to be more secure 
because of something I did, and that means that, for example, more 
credit card numbers are safe that day.

If people at Oracle say that you actually hurt security because of the 
disclosure of vulnerabilities, what do you say?

Litchfield: They have a case. In certain cases it does raise the risk 
level, OK, and that's one of the major problems with this kind of work. 
However, in raising the risk level, people are more inclined to protect 
their systems.

Now, as an example of this, I just put out that new attack method that 
allows an attacker without any special privileges to exploit flaws that 
were thought to be only exploitable by people with higher privileges. 
Now we know that that's not true, people have no reason to say they are 
not going to patch.

Someone has, within day zero of me posting my new method, modified their 
exploits and posted them publicly to use my new methods. Those exploits 
now can be run by anyone. So, yes it has increased the risk.

Back in August 2002, I presented some code that was then taken to form 
the basis of SQL Slammer. There was that initial raising of risk, but 
after that short-term pain, there are now more patched SQL Servers out 
there than there ever were before. The short-term risk has been raised 
for the long-term benefit, that's the way I look at it.

If people like you weren't around, some might say we wouldn't know of 
any security risks and nobody would be exploiting them either. You don't 
think that's true?

Litchfield: I don't think that's true. There are always going to be bad 
guys out there. If there aren't good guys working with the vendors to 
close these holes, then we'll be walking around with our head in the 
clouds thinking we're all secure when we're not. Security through 
ignorance really doesn't work because one person's ignorance is someone 
else's revenue stream.

What makes you pull your hair out?

Litchfield: When people say things like I'm increasing risk or doing it 
for selfish reasons. I'm not like that. But I can't always be the 
popular guy. I just wish there were fewer detractors.

You published The Oracle Hacker's Handbook recently. What do you hope to 
achieve with the book?

Litchfield: The Oracle security world is smug basically, and I'm trying 
to take that security blanket away from them. There are too many people 
out there who think that the Oracle product is secure and that they 
don't need to be doing anything. That's irresponsible, as far as I'm 

What would you like people to know you for?

Litchfield: I would like to be the person who helped convince people 
that database security is important to look at. I would like to think 
that it's through my work, and obviously that of some of my peers in the 
industry, that we've helped shape the way security is dealt with at 
places like Oracle and Microsoft.

Copyright 1995-2007 CNET Networks, Inc. All rights reserved.

[1] http://www.amazon.com/exec/obidos/ASIN/0470080221/c4iorg

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Tue Mar 06 2007 - 22:39:35 PST