Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities

from [SHATTER] Network Security [Permanent Link]
Subject: [Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server
Date: Wed, 01 Sep 2004 19:20:25 -0400 
AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server

Date:
August 31, 2004

Detailed Information Provided Online At:
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

Credit:
These vulnerabilities were researched and discovered by Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)

Risk Level:
High

Abstract:
Multiple buffer overflow and denial of service (DoS) vulnerabilities exist in the Oracle Database Server which allow database users to take complete control over the database and optionally cause denial of service.

The official advisory from Oracle Corporation can be obtained from: http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf


Details:

http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_INSTANTIATE package

#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of DBMS_REPCAT_INSTANTIATE package

#3 - Buffer overflow in public function INSTANTIATE_ONLINE of DBMS_REPCAT_INSTANTIATE package

#4 - Buffer overflow on "gname" parameter on procedures of Replication Management API Packages

#5 - Buffer overflow on "sname" and "oname" parameters on procedures of DBMS_REPCAT package

#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT package

#7 - Buffer overflow on "gowner" parameter on procedures of the DBMS_REPCAT package

#8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT package

#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT package

#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of DBMS_REPCAT package

#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package

#12 - Buffer overflow in functions INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_RGT package

#13 - Buffer overflow on TEMPFILE parameter

#14 - Buffer overflow on LOGFILE parameter

#15 - Buffer overflow on CONTROLFILE parameter

#16 - Buffer overflow on FILE parameter

#17 - Buffer overflow in Interval Conversion Functions

#18 - Buffer overflow in String Conversion Function

#19 - Buffer overflow in CTX_OUTPUT Package Function

#21 - Buffer overflow on DATAFILE parameter

#22 - Buffer overflow in DBMS_SYSTEM package function

#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages

#25 - Buffer overflow on procedures of the Replication Management API packages

#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus Service

#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of DBMS_AQ_IMPORT_INTERNAL package

#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of DBMS_AQADM package

#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of DBMS_AQADM package

#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS package

#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of DBMS_DEFER_INTERNAL_SYS package

#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of DBMS_DEFER_REPCAT package

#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of DBMS_INTERNAL_REPCAT package

#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of DBMS_INTERNAL_REPCAT package

#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package

#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF package

#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package

#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package

#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package

#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package

#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package

#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package

#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package


To determine if you are vulnerable, please download AppDetective from:

http://www.appsecinc.com/products/appdetective/oracle/


Comments:

Exploitation of these vulnerabilities will allow an attacker to completely compromise the OS and the database if Oracle is running on Windows platform, because Oracle must run under the local System account or under an administrative account. If Oracle is running on *nix then only the database would be compromised because Oracle runs mostly under oracle user which has restricted permissions.


Workaround:

-Check packages permissions and remove public permissions. Set minimal permissions that fit your needs.
-Restrict users to execute PL/SQL statements directly over the server.
-Periodically audit user permissions on all database objects.
-Lock users that aren't used.
-Change default passwords.
-Keep Oracle up to date with patches.

Vendor Contact:
Vendor was contacted and has released fixes.


Credit:

Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com) discovered all of the following issues: #1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,#32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43,and #44

Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com) discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22

--
Thank you,
shatter@appsecinc.com
Application Security, Inc.
phone: 212-947-8787
fax: 212-947-8788

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com

AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business. ----------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server, SHATTER <=
Previous by Date:  [VulnWatch] Patch available for IBM DB2 Universal Database flaws, NGSSoftware Insight Security Research
Next by Date:  [VulnWatch] SSHD / AnonCVS Nastyness, Dragos Ruiu
Previous by Thread:  [VulnWatch] Patch available for IBM DB2 Universal Database flaws, NGSSoftware Insight Security Research
Next by Thread:  [VulnWatch] SSHD / AnonCVS Nastyness, Dragos Ruiu
Indexes:  [Date] [Thread] [Top] [All Lists]