Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Exploit circulating for newly patched Oracle bug

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Exploit circulating for newly patched Oracle bug
Date: Fri, 21 Oct 2005 15:10:02 -0500 (CDT) 
http://www.networkworld.com/news/2005/102005-oracle-bug.html

By Robert McMillan
IDG News Service
10/20/05

Database administrators now have a little added incentive to install
Oracle's latest security patches, released earlier this week.  
Malicious software is now circulating that can crash an unpatched
database server, and one security expert predicted that more malware
targeting the 89 recently patched vulnerabilities is on the way.

On Thursday, code was published on the Full Disclosure security
mailing list that exploits a buffer overflow vulnerability in certain
versions of Oracle's databases.

This code could be used by attackers to bring down a database, using a
technique called an SQL injection attack, said Alexander Kornbrust, a
business director at Red-Database-Security, in Neunkirchen, Germany.  
In SQL injection attacks, Web applications that work with the database
are tricked into sending malicious database queries using the SQL
language.

The exploit could be used either by an attacker who had user
credentials on an unpatched database or by a remote attacker, using an
SQL injection attack over the Internet, Kornbrust said. "I tried the
exploit and it's working," he said in an interview conducted via
instant message. "I highly recommend customers to apply these patches
as soon as possible."

In a statement, Oracle said that versions 9i and 10g of the database
software were vulnerable to the bug, but the exploit published on Full
Disclosure affects only 10g users, according to Kornbrust.

On Tuesday, Oracle released a bundle of critical security patches that
fixed 89 bugs in its database and application servers, as well as some
PeopleSoft and J.D. Edwards applications. Oracle releases security
patches every three months as part of its security update program.

Normally, a few exploits begin circulating after each Oracle security
update, Kornbrust said.

The buffer overflow vulnerability is described as vulnerability number
DB27 on this page [1].

The Full Disclosure exploit code can be found here [2].

Oracle did not respond to requests for comment on this story.

The IDG News Service is a Network World affiliate.

[1] 
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html#Appendix%20A
[2] http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038061.html



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Exploit circulating for newly patched Oracle bug, InfoSec News <=
Previous by Date:  [ISN] Patch Deployment Problems Haunt Microsoft Again, InfoSec News
Next by Date:  [ISN] Homeland Security mulls cyber czar nomination, InfoSec News
Previous by Thread:  [ISN] Patch Deployment Problems Haunt Microsoft Again, InfoSec News
Next by Thread:  [ISN] Homeland Security mulls cyber czar nomination, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]