9 Aug 2008 von Alexander Kornbrust.

Yesterday night I got the following email from Oracle support:

———————————————————————————-

Dear Oracle Customer,

You are receiving this email because our records indicated you downloaded Critical Patch Update July 2008 (CPUJul2008) patch for one or more of the following:

o    Oracle Database 10.1.0.5 for the following platforms:
o    Windows 32-bit (Patch 7047034)
o    Windows 64-bit (Patch 7047037)

Symptom and cause of issue
The 10.1.0.5 Database Windows Bundle Patch #26 did not correctly install the sdotopo.jar file.

Workaround if any
Please follow the following manual steps to install sdotopo.jar.

>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar sdotopo.jar_save
>cd <windows bundle patch location>
>cd files\md\lib
>copy sdotopo.jar %ORACLE_HOME%\md\lib\sdotopo.jar

In the event  you need to rollback to the previous sdotopo.jar:

>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar_save sdotopo.jar

These steps are also documented in MetaLink Note 579285.1  ¿Critical Patch Update July 2008 Database Known Issues

Action
Follow the manual steps noted above to install the sdotopo.jar file..

Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.

Regards,
Oracle Global Product Support

Geschrieben in Oracle Security | Keine Kommentare »

29 Jul 2008 von Alexander Kornbrust.

12 days ago the german security researcher Kingcope released an 0day exploit (remote denial of service without credentials, CVSS2 score of 10) for the BEA Weblogic Apache Connector on milworm. Yesterday Oracle published a fix for this vulnerability.

It took only 11 days to provide a fix for this issue which is incredible fast for Oracle.

Geschrieben in BEA, Allgemein | Keine Kommentare »

8 Mai 2008 von Alexander Kornbrust.

2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.

The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.

Here are the links:

• Checkpwd 1.23  [Mac - Intel - native] - 37 MB - with Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - without Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - Passwords are not displayed

And here sidguess recompiled for Mac - Intel:

•  Sidguess 1.02  [Mac - Intel - native] - 16 KB -without Oracle instant client

Geschrieben in MacOS, passwords, checkpwd, Security, Oracle Security | Keine Kommentare »

16 Apr 2008 von Alexander Kornbrust.

Few hours ago Bruce Lowenthal sent me an email that Oracle forgot to inform me what was fixed. Hey how can you forget me. I am reporting bugs since several years… 6 of my vulnerabilities are now history (if you apply the April patches or a new patchset like 10.2.0.4).3 of the vulnerabilities are the affecting Oracle Spatial. The packages SDO_UTIL [DB05], SDO_GEOM [DB06]  and SDO_IDX [DB07] are vulnerable against SQL Injection. SDO_IDX is also vulnerable in Oracle 11g.

1 vulnerability is a hardcoded default password OUTLN [DB13] for the user OUTLN. In some special cases the Oracle database is resetting the password of the user OUTLN to OUTLN and grants DBA privileges to this user.

The CPU is also fixing 2 PL/SQL injection vulnerabilities from Paul Wright (see Paul’s blog entry). At the moment there is no additional information about vulnerabilities available.

This CPU provides also fixes the the Inline-View and Create-View problem.

Geschrieben in CPUApr2008 | 2 Kommentare »

15 Apr 2008 von Alexander Kornbrust.

Few minutes ago Oracle was releasing the latest Oracle CPU for April 2008 fixing 41 new vulnerabilities (15 in the database). 1 of the database vulnerabilities DB08 can be exploited remotely. APEX contains a SQL Injection vulnerability APEX01 and 1 remote exploitable vulnerability APEX02.

This time Oracle secalert forgot to inform the researchers (usual suspects: Cesar, Esteban, Stephen, Joxean… plus a few others) so we a not aware what vulnerabilities were fixed. Oracle normally informs the researchers in advance what vulnerabilities will be fixed in the upcoming CPU. The most critical issue (CVSS rating 6.6) is an issue in the Oracle Enterprise Manager. DB02-DB07 are SQL Injection vulnerabilities (5.5 is the typical CVSS value for that issue).

Oracle probably fixed the following of our vulnerabilities (we reported bugs in these packages):
* SQL Injection in SDO_GEOM (Tracking ID: 10051851)
* SQL Injection in SDO_UTIL (Tracking ID: 10051595)
* SQL Injection in SDO_IDX (Tracking ID: 10051649)

We will post more information soon…

Geschrieben in CPUApr2008, Oracle Security | 1 Kommentar »

11 Apr 2008 von Alexander Kornbrust.

Yesterday I read an article about Apple Quicktime and LookingGlass. I downloaded the free tool from the website of errata security.

Here are the results from a test with Oracle 11.1.0.6 on Windows. I have scanned the Oracle Home and the tool found 518 Oracle files with dangerous functions like strcpy, sprintf, sscanf, strcat, …

The Oracle executable (oracle.exe) for example is using wsprintfA, strncpy, sprintf, sscanf, _vsnprintf, _snprintf, vprintf, strncat, strtok, strlen, strcpy, strcat.

Geschrieben in 11g | 1 Kommentar »

11 Apr 2008 von Alexander Kornbrust.

Yesterday Oracle has published the pre-release announcement for the upcoming CPU next tuesday. According to this announcement the CPU will fix 41 security in various Oracle products. 17 vulnerabilities are affecting the Oracle Database.

• Advanced Queuing
• Audit
• Authentication
• Change Data Capture
• Core RDBMS
• Data Pump
• Export
• Oracle Application Express
• Oracle Net Services
• Oracle Secure Enterprise Search or Ultrasearch
• Oracle Spatial
• Query Optimizer

2 of these vulnerabilities are located in APEX and 2 of these 17 are remote exploitable (APEX?).

Tonight Oracle secalert will normally inform the researchers what vulnerabilities will be fixed by the upcoming CPU. It seems that some of our critical vulnerabilities (e.g. Bypass Oracle auditing in all databases) will be fixed next week.

More about the CPU next tuesday night or at HITB 2008 Dubai.  Cesar Cerrudo and I will be there.

Geschrieben in CPUApr2008, Security, Oracle Security | Keine Kommentare »

4 Mrz 2008 von Alexander Kornbrust.

Last friday night, 29. February 2008, our daughter Anna Marie Kornbrust was born in Frankfurt / Germany. I just came back from a consulting project in Munich and went from the railway station directly to the hospital to see her birth.
Mother and daughter are doing fine.

Geschrieben in Oracle Security | 4 Kommentare »

4 Mrz 2008 von Alexander Kornbrust.

Today, Luigi Auriemma posted an advisory and heap overflow exploit for the Corba Visibroker 8.0 from Borland.

Visibroker was used by older versions of Oracle Reports (e.g. in the Oracle Application Server, Reports Developer or eBusiness Suite) and Oracle Discoverer. In Oracle 10g Release 2 Visibroker was replaced by the JDK ORB. Details see Metalink note 307669.1.

Geschrieben in Exploit, Oracle Security | Keine Kommentare »

25 Feb 2008 von Alexander Kornbrust.

I just read in Sven’s Blog that the Oracle Patchset 10.2.0.4 is out. Patch 6810189 is available for Linux x86.

10.2.0.4 comes with new security fixes for VPD (Bypass VPD), Auditing (Some activities are not audited) and other security bugs. These bugs will be fixed in future CPUs in older versions.

Soon we wil report from our first experience with 10.2.0.4.

Geschrieben in 10.2.0.4, Allgemein | Keine Kommentare »