No, no, no... that can't be possible, oracle is unbreakable.

On Mon, 18 Mar 2002, jay wrote:
> ouch.
>
> =jay
>
>
> CERT advisory: Multiple vulnerabilities in Oracle Servers
> ------------------------------------------------------------------------
>
>
> SUMMARY
>
> Multiple vulnerabilities in Oracle Application Server have recently
> been discovered. These vulnerabilities include buffer overflows,
> insecure default settings, failures to enforce access controls, and
> failure to validate input. The impacts of these vulnerabilities
> include the execution of arbitrary commands or code, denial of
> service, and unauthorized access to sensitive information.
>
> DETAILS
>
> Vulnerable systems:
> Systems running Oracle8i Database
> Systems running Oracle9i Database
> Systems running Oracle9i Application Server
>
>
> Oracle Application Server includes a web server based on the Apache
> HTTP Server. Oracle extends the web server with a number of different
> components that can be used to provide interfaces to database
> applications. These components include, but are not limited to, a
> Procedural Language/Structured Query Language (PL/SQL) module, Java
> Server Pages, XSQL Servlets, and Simple Object Access Protocol (SOAP)
> applications.
>
> The vulnerabilities referenced in this advisory were reported in several
> publications by David Litchfield of NGSSoftware:
>
>   * Hackproofing Oracle Application Server
>     http://www.nextgenss.com/papers/hpoas.pdf
>
>   * NGSSoftware Insight Security Research Advisory #NISR20122001
>     http://www.nextgenss.com/advisories/plsql.txt
>
>   * NGSSoftware Insight Security Research Advisory #NISR06022002A
>     http://www.nextgenss.com/advisories/oraplsextproc.txt
>
>   * NGSSoftware Insight Security Research Advisory #NISR06022002B
>     http://www.nextgenss.com/advisories/oraplsbos.txt
>
>   * NGSSoftware Insight Security Research Advisory #NISR06022002C
>     http://www.nextgenss.com/advisories/orajsa.txt
>     http://www.nextgenss.com/advisories/orajsp.txt
>
> For the complete list of Oracle-related vulnerabilities published by the
> CERT/CC, please search the Vulnerability Notes Database using the term
> 'Oracle'. Details about specific vulnerabilities can be found in the
> appropriate vulnerability note.
>
> Oracle has addressed these vulnerabilities with patches and recommended
> configuration changes. For more information please see the vendor
> information section.
>
> Buffer overflows
>
> Several buffer-overflow vulnerabilities exist in the way the PL/SQL
> module handles HTTP requests and configuration parameters. Default
> configuration settings in a range of components are insecure, and
> different components fail to apply access restrictions uniformly.
> These vulnerabilities expose both the systems running Oracle
> Application Server and the information held in the underlying
> databases to undue risk.
>
> Two more buffer overflow vulnerabilities exist in code that processes
> configuration parameters. These parameters can be specified via the
> PL/SQL gateway web administration interface. By default, access to the
> PL/SQL gateway web administration interface is not restricted
> [VU#611776].
>
> VU#500203 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via help page request
>
> VU#313280 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via HTTP Location header
>
> VU#750299 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via HTTP request
>
> VU#878603 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via HTTP Authorization header
>
> VU#659043 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via Database Access Descriptor password
>
> VU#923395 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via cache directory name
>
> Insecure default configurations
>
> The default installation of Oracle Application Server includes a
> number of insecure configuration settings, such as well-known default
> passwords and unrestricted access to applications and sensitive
> information.
>
> VU#307835 - Oracle9i Application Server OWA_UTIL procedures expose
> sensitive information
>
> VU#736923 - Oracle 9iAS SOAP components allow anonymous users to
> deploy applications by default
>
> VU#611776 - Oracle9i Application Server PL/SQL Gateway web
> administration interface uses null authentication by default
>
> VU#698467 - Oracle 9iAS default configuration allows access to
> "globals.jsa" file
>
> VU#476619 - Oracle 9iAS default configuration allows arbitrary users to
> view sensitive configuration files
>
> VU#712723 - Oracle 9iAS default configuration uses well-known default
> passwords
>
> VU#168795 - Oracle 9iAS allows anonymous remote users to view
> sensitive Apache services by default
>
> VU#278971 - Oracle 9i Application Server does not adequately handle
> requests for nonexistent JSP files thereby disclosing web folder path
> information
>
> Failure to enforce access controls
>
> Oracle Application Server does not uniformly enforce access
> restrictions. Different components do not adequately check
> authorization before granting access to protected resources.
>
> VU#180147 - Oracle 9i Database Server PL/SQL module allows remote
> command execution without authentication
>
> VU#193523 - Oracle 9i Application Server allows unauthenticated access to
> PL/SQL applications via alternate Database Access Descriptor
>
> VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing
> arbitrary users to view sensitive configuration files
>
> VU#547459 - Oracle 9iAS creates temporary files when processing JSP
> requests that are world-readable
>
> Failure to validate input
>
> In one case, the PL/SQL module does not properly handle a malformed
> HTTP request.
>
> VU#805915 - Oracle9i Application Server Apache PL/SQL module does not
> properly handle HTTP Authorization header
>
> Impact
>
> The impacts of these vulnerabilities include the remote execution of
> arbitrary code, remote execution of commands and SQL queries,
> disclosure of sensitive information, and denial of service.
>
> Remote execution of arbitrary commands and code
>
> This section contains vulnerabilities that permit a remote intruder to
> cause a denial of service or execute arbitrary commands, code, or
> queries on the system.
>
> Some of these vulnerabilities allow execution with the privileges of the
> Apache process. On UNIX systems, the Apache process typically runs as the
> "oracle" user. On Windows systems, the Apache service typically runs as
> the SYSTEM user; therefore, an attacker could gain complete control of
> the system by exploiting these vulnerabilities.
>
> VU#500203 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via help page request
>
> VU#313280 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via help page request Location: header
>
> VU#750299 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via HTTP request
>
> VU#878603 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via HTTP Authorization header password
> parameter
>
> VU#659043 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via Database Access Descriptor password
>
> VU#923395 - Oracle9i Application Server Apache PL/SQL module
> vulnerable to buffer overflow via cache directory name
>
> VU#180147 - Oracle 9i Database Server PL/SQL module allows remote
> command execution without authentication
>
> VU#736923 - Oracle 9iAS SOAP components allow anonymous users to
> deploy applications by default
>
> VU#712723 - Oracle 9iAS default configuration uses well-known default
> passwords
>
> VU#611776 - Oracle9i Application Server PL/SQL Gateway web
> administration interface uses null authentication by default
>
> Unauthorized access to sensitive information
>
> A number of vulnerabilities disclose configuration information or
> expose data stored in underlying databases. Also, insecure
> applications could allow an intruder to execute SQL queries. Oracle
> system programmers may wish to examine these vulnerabilities in
> Oracle's sample pages to prevent similar vulnerabilities in their own
> Oracle applications.
>
> VU#307835 - Oracle9i Application Server OWA_UTIL PL/SQL application
> exposes procedures that are remotely accessible by arbitrary users
>
> VU#193523 - Oracle 9i Application Server allows unauthenticated access to
> PL/SQL applications via alternate Database Access Descriptor
>
> VU#698467 - Oracle 9iAS default configuration allows access to
> "globals.jsa" file
>
> VU#476619 - Oracle 9iAS default configuration allows arbitrary users to
> view sensitive configuration files
>
> VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing
> arbitrary users to view sensitive configuration files
>
> VU#168795 - Oracle 9iAS allows anonymous remote users to view
> sensitive Apache services by default
>
> VU#278971 - Oracle 9i Application Server does not adequately handle
> requests for nonexistent JSP files thereby disclosing web folder path
> information
>
> VU#547459 - Oracle 9iAS creates temporary files when processing JSP
> requests that are world-readable
>
> Denial of service
>
> In the case where the PL/SQL module does not properly handle an HTTP
> request, a denial-of-service vulnerability exists. Also, an
> unsuccessful attempt to exploit a buffer overflow vulnerability could
> crash the Apache service.
>
> VU#805915 - Oracle9i Application Server Apache PL/SQL module does not
> properly handle HTTP Authorization header
>
> Solution
>
> Oracle has provided patches and workarounds that address most of these
> vulnerabilities. Sites using Oracle Application Server are encouraged
> to install the appropriate patches and make the recommended
> configuration changes provided by Oracle.
>
> Solutions and workarounds for specific vulnerabilities can be found in
> individual vulnerability notes and in the following Oracle security
> alerts:
>
>   * Oracle Security Alert #29
>     http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
>
>   * Oracle Security Alert #28
>     http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
>
>   * Oracle Security Alert #25
>     http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
>
>   * Oracle Security Alert #22
>     http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
>
> Security and patch information for Oracle products is available at the
> following locations:
>
>   * Oracle Security Alerts
>     http://otn.oracle.com/deploy/security/alerts.htm
>
>   * MetaLink (registration required)
>     http://metalink.oracle.com/
>
> Sites using Oracle Application Server may also find David Litchfield's
> Hackproofing Oracle Application Server paper useful in describing the
> impacts and various interactions of these vulnerabilities.
>
> Apply a patch
>
> Oracle has released patches that address some of these
> vulnerabilities. Patch information can be found in Oracle Security
> Alert #28 and Oracle Security Alert #25 and on the MetaLink web site
> (registration required).
>
> Secure default configuration
>
> Oracle has provided documentation on changing vulnerable default
> configuration settings. For details, consult individual Vulnerability
> Notes and the Oracle Security Alerts referenced in the additional
> information section.
>
>
>
> ADDITIONAL INFORMATION
>
> The CERT Coordination Center thanks David Litchfield and Oracle for
> information used in this document.
>
> Authors: Art Manion, Jason Rafail, and Shawn Van Ittersum
>
> References
>
>    1. http://www.kb.cert.org/vuls/id/500203
>    2. http://www.kb.cert.org/vuls/id/313280
>    3. http://www.kb.cert.org/vuls/id/750299
>    4. http://www.kb.cert.org/vuls/id/878603
>    5. http://www.kb.cert.org/vuls/id/659043
>    6. http://www.kb.cert.org/vuls/id/923395
>    7. http://www.kb.cert.org/vuls/id/307835
>    8. http://www.kb.cert.org/vuls/id/736923
>    9. http://www.kb.cert.org/vuls/id/611776
>   10. http://www.kb.cert.org/vuls/id/698467
>   11. http://www.kb.cert.org/vuls/id/476619
>   12. http://www.kb.cert.org/vuls/id/712723
>   13. http://www.kb.cert.org/vuls/id/168795
>   14. http://www.kb.cert.org/vuls/id/278971
>   15. http://www.kb.cert.org/vuls/id/180147
>   16. http://www.kb.cert.org/vuls/id/193523
>   17. http://www.kb.cert.org/vuls/id/977251
>   18. http://www.kb.cert.org/vuls/id/805915
>   19. http://www.kb.cert.org/vuls/id/547459
>   20. http://www.nextgenss.com/papers/hpoas.pdf
>   21. http://www.nextgenss.com/advisories/plsql.txt
>   22. http://www.nextgenss.com/advisories/oraplsextproc.txt
>   23. http://www.nextgenss.com/advisories/oraplsbos.txt
>   24. http://www.nextgenss.com/advisories/orajsa.txt
>   25. http://www.nextgenss.com/advisories/orajsp.txt
>   26. http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
>   27. http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
>   28. http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
>   29. http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
>
>
> _______________________________________________
> Bits mailing list
> [EMAIL PROTECTED]
> http://www.sugoi.org/mailman/listinfo/bits

-- 
%/s/windows/linux/g
