Blog

Checkpwd 1.23 for MacOS Intel native released

Alexander Kornbrust — Thu, 08 May 2008 14:28:23 +0000

2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.

The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.

Here are the links:

Checkpwd 1.23 [Mac - Intel - native] - 37 MB - with Oracle instant client
Checkpwd 1.23 [Mac - Intel - native] - 68 KB - without Oracle instant client
Checkpwd 1.23 [Mac - Intel - native] - 68 KB - Passwords are not displayed

And here sidguess recompiled for Mac - Intel:

Sidguess 1.02 [Mac - Intel - native] - 16 KB -without Oracle instant client

Oracle CPU April 2008 - Update

Alexander Kornbrust — Wed, 16 Apr 2008 07:05:26 +0000

Few hours ago Bruce Lowenthal sent me an email that Oracle forgot to inform me what was fixed. Hey how can you forget me. I am reporting bugs since several years… 6 of my vulnerabilities are now history (if you apply the April patches or a new patchset like 10.2.0.4).3 of the vulnerabilities are the affecting Oracle Spatial. The packages SDO_UTIL [DB05], SDO_GEOM [DB06] and SDO_IDX [DB07] are vulnerable against SQL Injection. SDO_IDX is also vulnerable in Oracle 11g.

1 vulnerability is a hardcoded default password OUTLN [DB13] for the user OUTLN. In some special cases the Oracle database is resetting the password of the user OUTLN to OUTLN and grants DBA privileges to this user.

The CPU is also fixing 2 PL/SQL injection vulnerabilities from Paul Wright (see Paul’s blog entry). At the moment there is no additional information about vulnerabilities available.

This CPU provides also fixes the the Inline-View and Create-View problem.

Oracle Critical Patch Update April 2008 is out

Alexander Kornbrust — Tue, 15 Apr 2008 20:21:06 +0000

Few minutes ago Oracle was releasing the latest Oracle CPU for April 2008 fixing 41 new vulnerabilities (15 in the database). 1 of the database vulnerabilities DB08 can be exploited remotely. APEX contains a SQL Injection vulnerability APEX01 and 1 remote exploitable vulnerability APEX02.

This time Oracle secalert forgot to inform the researchers (usual suspects: Cesar, Esteban, Stephen, Joxean… plus a few others) so we a not aware what vulnerabilities were fixed. Oracle normally informs the researchers in advance what vulnerabilities will be fixed in the upcoming CPU. The most critical issue (CVSS rating 6.6) is an issue in the Oracle Enterprise Manager. DB02-DB07 are SQL Injection vulnerabilities (5.5 is the typical CVSS value for that issue).

Oracle probably fixed the following of our vulnerabilities (we reported bugs in these packages):
* SQL Injection in SDO_GEOM (Tracking ID: 10051851)
* SQL Injection in SDO_UTIL (Tracking ID: 10051595)
* SQL Injection in SDO_IDX (Tracking ID: 10051649)

We will post more information soon…

Looking Glass and Oracle 11g

Alexander Kornbrust — Fri, 11 Apr 2008 14:10:48 +0000

Yesterday I read an article about Apple Quicktime and LookingGlass. I downloaded the free tool from the website of errata security.

Here are the results from a test with Oracle 11.1.0.6 on Windows. I have scanned the Oracle Home and the tool found 518 Oracle files with dangerous functions like strcpy, sprintf, sscanf, strcat, …

The Oracle executable (oracle.exe) for example is using wsprintfA, strncpy, sprintf, sscanf, _vsnprintf, _snprintf, vprintf, strncat, strtok, strlen, strcpy, strcat.

Oracle Critical Patch Update Pre-Release Announcement - April 2008

Alexander Kornbrust — Fri, 11 Apr 2008 12:59:17 +0000

Yesterday Oracle has published the pre-release announcement for the upcoming CPU next tuesday. According to this announcement the CPU will fix 41 security in various Oracle products. 17 vulnerabilities are affecting the Oracle Database.

Advanced Queuing
Audit
Authentication
Change Data Capture
Core RDBMS
Data Pump
Export
Oracle Application Express
Oracle Net Services
Oracle Secure Enterprise Search or Ultrasearch
Oracle Spatial
Query Optimizer

2 of these vulnerabilities are located in APEX and 2 of these 17 are remote exploitable (APEX?).

Tonight Oracle secalert will normally inform the researchers what vulnerabilities will be fixed by the upcoming CPU. It seems that some of our critical vulnerabilities (e.g. Bypass Oracle auditing in all databases) will be fixed next week.

More about the CPU next tuesday night or at HITB 2008 Dubai. Cesar Cerrudo and I will be there.

We proudly present: Anna Marie Kornbrust

Alexander Kornbrust — Tue, 04 Mar 2008 17:29:51 +0000

Last friday night, 29. February 2008, our daughter Anna Marie Kornbrust was born in Frankfurt / Germany. I just came back from a consulting project in Munich and went from the railway station directly to the hospital to see her birth.
Mother and daughter are doing fine.

Corba Exploit for VisiBroker published

Alexander Kornbrust — Tue, 04 Mar 2008 16:57:19 +0000

Today, Luigi Auriemma posted an advisory and heap overflow exploit for the Corba Visibroker 8.0 from Borland.

Visibroker was used by older versions of Oracle Reports (e.g. in the Oracle Application Server, Reports Developer or eBusiness Suite) and Oracle Discoverer. In Oracle 10g Release 2 Visibroker was replaced by the JDK ORB. Details see Metalink note 307669.1.

Oracle Patchset 10.2.0.4 is out

Alexander Kornbrust — Mon, 25 Feb 2008 00:20:01 +0000

I just read in Sven’s Blog that the Oracle Patchset 10.2.0.4 is out. Patch 6810189 is available for Linux x86.

10.2.0.4 comes with new security fixes for VPD (Bypass VPD), Auditing (Some activities are not audited) and other security bugs. These bugs will be fixed in future CPUs in older versions.

Soon we wil report from our first experience with 10.2.0.4.

First exploits for CPUJan2008 published

Alexander Kornbrust — Thu, 31 Jan 2008 15:29:08 +0000

The first exploits for CPU January 2008 were published on milw0rm.com.

Alexandr Polyakov from Digital Security published 4 exploits for XMLDB. Alexandr found and reported these vulnerabilities mid of december 2007 to Oracle. It seems that someone else reported these errors before because Oracle NEVER fixes vulnerabilities within less than a month.

Oracle Patch CPU January 2008 is out…

Alexander Kornbrust — Tue, 15 Jan 2008 21:13:56 +0000

Oracle just released their latest Oracle Critical Patch Update (CPU) January 2008. As promised in the prelease announcement the patch contains 8 fixes for the database itself. As usual most of the vulnerabilities are coming from the usual suspects (Esteban, Joxean, David, Alex) and some other people like Pete Finnigan, Mariano Nunez Di Croce, Ali Kumcu and Alexandr Polyakov.

According to an email from Oracle secalert they fixed 7 of my vulnerabilities (tracking numbers: 6980733, 7520291, 9675443, 9675563, 9675681, 9675695, 9675857) but they mapped them to DB05, DB04 and DB02.

The highest database CVSS rating of 6.5 has DB01.
DB02, DB03, DB04 and DB05 are SQL Injection vulnerabilities allowing privilege escalation.

The highest application server CVSS ratings of 9.3 are 2 bugs (AS01, AS02) in Oracle Jinitiator 1.1.8.26 and 1.3.1.27 and affects clients only.

Other interesting information are described in the Metalink note 466757.1. With this CPU it is necessary to recompile ALL Views to fix the “VIEW” problems fixed with Oracle CPU July/October 2007.