8 Mai 2008 von Alexander Kornbrust.

2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.

The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.

Here are the links:

• Checkpwd 1.23  [Mac - Intel - native] - 37 MB - with Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - without Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - Passwords are not displayed

And here sidguess recompiled for Mac - Intel:

•  Sidguess 1.02  [Mac - Intel - native] - 16 KB -without Oracle instant client

Geschrieben in MacOS, passwords, checkpwd, Security, Oracle Security | Keine Kommentare »

16 Apr 2008 von Alexander Kornbrust.

Few hours ago Bruce Lowenthal sent me an email that Oracle forgot to inform me what was fixed. Hey how can you forget me. I am reporting bugs since several years… 6 of my vulnerabilities are now history (if you apply the April patches or a new patchset like 10.2.0.4).3 of the vulnerabilities are the affecting Oracle Spatial. The packages SDO_UTIL [DB05], SDO_GEOM [DB06]  and SDO_IDX [DB07] are vulnerable against SQL Injection. SDO_IDX is also vulnerable in Oracle 11g.

1 vulnerability is a hardcoded default password OUTLN [DB13] for the user OUTLN. In some special cases the Oracle database is resetting the password of the user OUTLN to OUTLN and grants DBA privileges to this user.

The CPU is also fixing 2 PL/SQL injection vulnerabilities from Paul Wright (see Paul’s blog entry). At the moment there is no additional information about vulnerabilities available.

This CPU provides also fixes the the Inline-View and Create-View problem.

Geschrieben in CPUApr2008 | Keine Kommentare »

15 Apr 2008 von Alexander Kornbrust.

Few minutes ago Oracle was releasing the latest Oracle CPU for April 2008 fixing 41 new vulnerabilities (15 in the database). 1 of the database vulnerabilities DB08 can be exploited remotely. APEX contains a SQL Injection vulnerability APEX01 and 1 remote exploitable vulnerability APEX02.

This time Oracle secalert forgot to inform the researchers (usual suspects: Cesar, Esteban, Stephen, Joxean… plus a few others) so we a not aware what vulnerabilities were fixed. Oracle normally informs the researchers in advance what vulnerabilities will be fixed in the upcoming CPU. The most critical issue (CVSS rating 6.6) is an issue in the Oracle Enterprise Manager. DB02-DB07 are SQL Injection vulnerabilities (5.5 is the typical CVSS value for that issue).

Oracle probably fixed the following of our vulnerabilities (we reported bugs in these packages):
* SQL Injection in SDO_GEOM (Tracking ID: 10051851)
* SQL Injection in SDO_UTIL (Tracking ID: 10051595)
* SQL Injection in SDO_IDX (Tracking ID: 10051649)

We will post more information soon…

Geschrieben in CPUApr2008, Oracle Security | 1 Kommentar »

11 Apr 2008 von Alexander Kornbrust.

Yesterday I read an article about Apple Quicktime and LookingGlass. I downloaded the free tool from the website of errata security.

Here are the results from a test with Oracle 11.1.0.6 on Windows. I have scanned the Oracle Home and the tool found 518 Oracle files with dangerous functions like strcpy, sprintf, sscanf, strcat, …

The Oracle executable (oracle.exe) for example is using wsprintfA, strncpy, sprintf, sscanf, _vsnprintf, _snprintf, vprintf, strncat, strtok, strlen, strcpy, strcat.

Geschrieben in 11g | 1 Kommentar »

11 Apr 2008 von Alexander Kornbrust.

Yesterday Oracle has published the pre-release announcement for the upcoming CPU next tuesday. According to this announcement the CPU will fix 41 security in various Oracle products. 17 vulnerabilities are affecting the Oracle Database.

• Advanced Queuing
• Audit
• Authentication
• Change Data Capture
• Core RDBMS
• Data Pump
• Export
• Oracle Application Express
• Oracle Net Services
• Oracle Secure Enterprise Search or Ultrasearch
• Oracle Spatial
• Query Optimizer

2 of these vulnerabilities are located in APEX and 2 of these 17 are remote exploitable (APEX?).

Tonight Oracle secalert will normally inform the researchers what vulnerabilities will be fixed by the upcoming CPU. It seems that some of our critical vulnerabilities (e.g. Bypass Oracle auditing in all databases) will be fixed next week.

More about the CPU next tuesday night or at HITB 2008 Dubai.  Cesar Cerrudo and I will be there.

Geschrieben in CPUApr2008, Security, Oracle Security | Keine Kommentare »

4 Mrz 2008 von Alexander Kornbrust.

Last friday night, 29. February 2008, our daughter Anna Marie Kornbrust was born in Frankfurt / Germany. I just came back from a consulting project in Munich and went from the railway station directly to the hospital to see her birth.
Mother and daughter are doing fine.

Geschrieben in Oracle Security | 4 Kommentare »

4 Mrz 2008 von Alexander Kornbrust.

Today, Luigi Auriemma posted an advisory and heap overflow exploit for the Corba Visibroker 8.0 from Borland.

Visibroker was used by older versions of Oracle Reports (e.g. in the Oracle Application Server, Reports Developer or eBusiness Suite) and Oracle Discoverer. In Oracle 10g Release 2 Visibroker was replaced by the JDK ORB. Details see Metalink note 307669.1.

Geschrieben in Exploit, Oracle Security | Keine Kommentare »

25 Feb 2008 von Alexander Kornbrust.

I just read in Sven’s Blog that the Oracle Patchset 10.2.0.4 is out. Patch 6810189 is available for Linux x86.

10.2.0.4 comes with new security fixes for VPD (Bypass VPD), Auditing (Some activities are not audited) and other security bugs. These bugs will be fixed in future CPUs in older versions.

Soon we wil report from our first experience with 10.2.0.4.

Geschrieben in 10.2.0.4, Allgemein | Keine Kommentare »

31 Jan 2008 von Alexander Kornbrust.

The first exploits for CPU January 2008 were published on milw0rm.com.

Alexandr Polyakov from Digital Security published 4 exploits for XMLDB. Alexandr found and reported these vulnerabilities mid of december 2007 to Oracle. It seems that someone else reported these errors before because Oracle NEVER fixes vulnerabilities within less than a month.

• SQL Injection in PITRIG_DROP (1)
• SQL Injection in PITRIG_DROP (2)
• SQL Injection in PITRIG_TRUNCATE (1)
  
• SQL Injection in PITRIG_TRUNCATE (2)
  

Geschrieben in CPUJan2008, Exploit, SQL Injection | 7 Kommentare »

15 Jan 2008 von Alexander Kornbrust.

Oracle just released their latest Oracle Critical Patch Update (CPU) January 2008. As promised in the prelease announcement the patch contains 8 fixes for the database itself. As usual most of the vulnerabilities are coming from the usual suspects (Esteban, Joxean, David, Alex) and some other people like Pete Finnigan, Mariano Nunez Di Croce, Ali Kumcu and Alexandr Polyakov.

According to an email from Oracle secalert they fixed 7 of my vulnerabilities (tracking numbers: 6980733, 7520291, 9675443, 9675563, 9675681, 9675695, 9675857) but they mapped them to DB05, DB04 and DB02.

The highest database CVSS rating of 6.5 has DB01.
DB02, DB03, DB04 and DB05 are SQL Injection vulnerabilities allowing privilege escalation.

The highest application server CVSS ratings of 9.3 are 2 bugs (AS01, AS02) in Oracle Jinitiator 1.1.8.26 and 1.3.1.27 and affects clients only.

Other interesting information are described in the Metalink note 466757.1. With this CPU it is necessary to recompile ALL Views to fix the “VIEW” problems fixed with Oracle CPU July/October 2007.

Geschrieben in CPUJan2008, Oracle Security | 1 Kommentar »