
| Subject: | [VulnWatch] Re: Problems with the Oracle Critical Patch Update for April 2005 |
|---|---|
| Date: | Mon, 11 Jul 2005 14:36:28 -0700 (PDT) |
Hi all, David:
We always test Oracle patches against the bugs we have reported to them just to be sure the patches work. Last time was no exception, and we tested it and it seemed to work to fix the bugs, including the SQL Injection vulnerabilities in the DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages, so we were surprised by David's post. After some analysis we have identified that on Oracle 10g systems with patchset 2 (10.1.0.4) applied (we tested the patch on this system after the April CPU release) the Critical Patch Update for April 2005 works OK, fixing the SQL Injection vulnerabilities in the DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages, but on systems prior to patchset 2 (10.1.0.2 and 10.1.0.3) it doesn't work.
Oracle is not willing to respond to any email in order to clarify what we have found.
Important:
Tomorrow Oracle is releasing a new security patch. I personally recommend that you shouldn't install that patch on production systems before properly testing it for a couple of months or more, since as we have seen Oracle doesn't have QA, so you have to do it by yourself. Also consider buying another database server software if you want to be secure, unless you want to have CardSystems' luck.
This exploit could help you to detect if you are still vulnerable after applying the April CPU:
http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt
BTW: Don't miss these talks at Black Hat if you want to know more about Oracle (IN)security:
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Cerrudo
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Fayo
Cesar Cerrudo
Argeniss (http://www.argeniss.com)
--- David Litchfield <davidl@ngssoftware.com> wrote:
Hey all,
Whilst analyzing Oracle's Critical Patch Update for April 2005 I noticed some failures in it, which meant certain issues the patch was supposed to fix were actually left unfixed.
One set of vulnerabilities "fixed" by the April CPU is a group of SQL injection bugs in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE discovered by AppSec Inc. On digging deeper you find that the actual source of the problem lies within the underlying Java class files. The April CPU fails to properly load the newer patched classes, which means that these problems can still be exploited. To resolve this problem, a DBA can use the loadjava command line utility or execute the loadjava procedure on the DBMS_JAVA package. The jar file to be loaded is $ORACLE_HOME/rdbms/jlib/CDC.jar. All platforms are affected by this problem.
On Windows, both 32-bit and 64-bit, a second problem exists: a vulnerability exists whereby an attacker can run arbitrary SQL by abusing the CTXSYS.DRILOAD package to gain DBA privileges. This was discovered by multiple persons and was initially fixed in August 2004. However, the April Critical Patch Update copies the updated SQL script file to the wrong directory, and if previous patches (August 2004 or January 2005) have not been applied then you will still be vulnerable to this attack even if the April CPU has been applied.
These problems were reported to Oracle in early June and today they have released updated information about these problems. See the Metalink (http://metalink.oracle.com) website for more details.
<shameless plug> I'll be speaking about patching and Oracle as part of my presentation at Blackhat in Las Vegas at the end of this month if anyone's interested </shameless plug>
<shameful plug> NGSSQuirreL for Oracle (http://www.ngssoftware.com/squirrelora.htm) checks for the problems I've just discussed </shameful plug>
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com
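A defender-side verification of the loadjava remedy David describes, added here as an example that is not part of either message: it reports the status and last change time of the Java classes CDC.jar provides and of the two CDC packages, then reloads the jar through DBMS_JAVA.LOADJAVA. The '%CDC%' name filter, the DBA session, and the placeholder ORACLE_HOME path are assumptions; the jar location is the one quoted in the message.

```sql
-- Run as a DBA on the database server itself (DBMS_JAVA.LOADJAVA reads
-- the jar from the server's file system). Constructed example.

-- 1. Which Java classes from CDC.jar are loaded, are they VALID, and
--    when were they last (re)created? The '%CDC%' filter is an
--    assumption; list the jar's contents to get the exact class names.
SELECT owner, object_name, status, last_ddl_time
  FROM dba_objects
 WHERE object_type = 'JAVA CLASS'
   AND object_name LIKE '%CDC%'
 ORDER BY last_ddl_time;

-- 2. The two packages the April CPU was meant to fix. If LAST_DDL_TIME
--    predates the day the CPU was applied, the patch never touched them
--    on this system.
SELECT object_name, object_type, status, last_ddl_time
  FROM dba_objects
 WHERE owner = 'SYS'
   AND object_name IN ('DBMS_CDC_SUBSCRIBE', 'DBMS_CDC_ISUBSCRIBE')
 ORDER BY object_name, object_type;

-- 3. Reload the patched classes in-database (same effect as the loadjava
--    command line tool). $ORACLE_HOME is not expanded inside a SQL
--    string, so substitute the real path (placeholder below).
--    -v: verbose, -r: resolve after loading, -f: force replacement of
--    classes that already exist.
BEGIN
  dbms_java.loadjava('-v -r -f /PATH/TO/ORACLE_HOME/rdbms/jlib/CDC.jar');
END;
/

-- 4. Re-run query 1: LAST_DDL_TIME should now be current and STATUS
--    should be VALID for every class; an INVALID class after the reload
--    points at a resolution failure worth reading the -v output for.
```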