Hi all, David: We always test Oracle patches against the bugs we have reported to them just to be sure the patches work. Last time there was not exception and we tested it and it seemed to work to fix the bugs including SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages, so we were surprised with David post, after some analysis we have identified that on Oracle 10g systems with patchset 2 (10.1.0.4) applied (we tested the patch on this system after April CPU relase) the Critical Patch Update for April 2005 works ok fixing SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages but on systems prior patchset 2 (10.1.0.2 and 10.1.0.3) it doesn't work. Oracle is not willing to respond any email in order to clarify what we have found. Important: Tomorrow Oracle is releasing a new security patch, i personally recommend that you shouldn't install that patch on production systems before properly testing it for a couple of months or more since as we have seen Oracle doesn't have QA so you have to do it by yourself. Also consider buying another database server software if you want to be secure, unless you want to have CardSystems luck. This exploit could help you to detect if you are still vulnerable after applying the April CPU: http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt BTW: Don't miss these talks at Black Hat if you want to know more about Oracle (IN)security: http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Cerrudo http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Fayo Cesar Cerrudo Argeniss (http://www.argeniss.com) --- David Litchfield <davidl@private> wrote: > Hey all, > Whilst analyzing Oracle's Critical Patch Update for > April 2005 I noticed > some failures in it, that meant certain issues the > patch was supposed to fix > were actually left unfixed. > > One set of vulnerabilities "fixed" by the April CPU > is a group of SQL > injection bugs in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE > discovered by AppSec > Inc. On digging deeper you find that the actual > source of the problem lies > within the underlying java class files. The April > CPU fails to properly load > the newer patched classes which means that these > problems can still be > exploited. To resolve this problem, a DBA can use > the loadjava command line > utility or execute the loadjava procedure on the > DBMS_JAVA package. The jar > file to be loaded is > $ORACLE_HOME/rdbms/jlib/CDC.jar. All platforms are > affected by this problem. > > On Windows, both 32bit and 64bit, a second problem > exists; a vulnerability > exists whereby an attacker can run arbitrary SQL by > abusing the > CTXSYS.DRILOAD package to gain DBA privleges. This > was discovered by > multiple persons and was initially fixed in August > 2004. However, the April > Critical Patch Update copies the updated sql script > file to the wrong > directory and if previous patches (August 2004 or > January 2005) have not > applied then you will still be vulnerable to this > attack even if the April > CPU has been applied. > > These problems were reported to Oracle in early June > and today they have > released updated information about these problems. > See the Metalink > (http://metalink.oracle.com) website for more > details. > > <shameless plug> > I'll be speaking about patching and Oracle as part > of my presentation at > Blackhat in Las Vegas and the end of this month if > anyone's interested > </shameless plug> > > <shameful plug> > NGSSQuirreL for Oracle > (http://www.ngssoftware.com/squirrelora.htm) checks > for the problems I've just discussed > </shameful plug> > > Cheers, > David Litchfield > NGSSoftware Ltd > http://www.ngssoftware.com > > ____________________________________________________ Sell on Yahoo! Auctions – no fees. Bid on great items. http://auctions.yahoo.com/
This archive was generated by hypermail 2.1.3 : Mon Jul 11 2005 - 16:36:50 PDT