[SECURITY-L] How to hack unbreakable Oracle servers

Daniela Regina Barbetti daniela em ccuec.unicamp.br
Sex Fev 8 11:10:05 -02 2002 

----- Forwarded message from Nelson Murilo <nelson em pangeia.com.br> -----

From: Nelson Murilo <nelson em pangeia.com.br>
Subject: [S] How to hack unbreakable Oracle servers
To: seguranca em pangeia.com.br
Date: Fri, 8 Feb 2002 09:56:32 -0200


[http://www.theregister.co.uk/content/4/23979.html]

By Thomas C Greene in Washington
Posted: 07/02/2002 at 20:53 GMT

Security researcher David Litchfield has identified a vast number of
attacks against Oracle application servers and has written them up in
a paper[1] which includes defensive strategies as well.

>From this we learn, contrary to Oracle President Larry Ellison's
claims, that Oracle is vulnerable to buffer overflow attacks, DoS
attacks, and remote exploitation to name but a few difficulties.

Litchfield willingly allows that Oracle makes the most secure product
on the market, and compliments Oracle for its obvious dedication to
security. But as for being unbreakable, well, we all know that nothing
is.

First up we have a PL/SQL buffer overrun vulnerability. This is in the
Apache front end affecting Windows NT/2K, where Apache runs in the
System (root) account and consequently allows code to run with full
privileges.

One problem is that the admin help pages are not PW protected. Thus a
call to one of the pages can initiate a buffer overflow if it contains
enough garbage (around 1K bytes). A quick fix would be to alter the
admin path with something unique, making it difficult to guess.

Next, a directory traversal is possible due to a URL decoding glitch.  
This would allow an attacker to move from the Web environment to read
files readable to the OS.

It's also possible to administer PL/SQL DADs (Database Access
Descriptors) without authentication, Litchfield has discovered. An
obvious goal in this case would be to add a password so the attacker
can escalate his privileges.

These are only the first three taken in order for illustration. There
are in fact scores of attacks listed in this compendium, including
authentication bypassing, path mapping, SOAP vulnerabilities, weak
default paths, and terribly guessable or forcable default passwords
(examples are provided -- but system/manager is our absolute
favorite).

Litchfield's paper should be required reading for anyone who owns or
administers an unbreakable Oracle box.



----- End forwarded message -----

Mais detalhes sobre a lista de discussão SECURITY-L