RE: Oracle DBS_SCHEDULER Vulnerability

Wed, 10 Nov 2004 07:57:58 -0800


There is a ton of detail and sample code available at this site.  Perhaps
this could be used to fine-tune the plugin?

http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

--
Jared

[EMAIL PROTECTED] wrote on 11/05/2004 11:44:59 AM:

> We have had the same issue, from what I can see from looking at the plug-
> in source, it is only looking at the versioning information – no actual
> exploit is tried. I think this is because Oracle has kept the details of
> the exploit secret, only releasing to the public that there is the
> possibility of an exploit. From what I could see on the web, the guy who
> discovered the problem gave the Proof of Exploit to Oracle… and no one
> else. He refuses to make the code public. Good for Oracle, bad for us
> security people who need to verify if the patch actually worked.
> Disclosure is a tough issue, isn’t it?
>  
> If anyone has any information about how to better test for the presence of
> this Oracle vulnerability, please let the list know.
>  
> Jeremy J. Hyland
> Information Assurance
> Code 19
> NAVSEA Warfare Center Keyport
>
> From: OBrien, Edward [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 05, 2004 7:54 AM
> To: '[EMAIL PROTECTED]'
> Subject: Oracle DBS_SCHEDULER Vulnerability
>  
> Plugin: 14641
>  
> We followed the instructions from Oracle to fix this problem, but our
> scans keep picking it up.  Can anyone explain the logic that Nessus is
> using to determine if this vulnerability exists?  Is it just check a banner?
>  
> Thanks,
> Ed O'Brien
>
> The information contained in this e-mail, including any attachment(s), is
> intended solely for use by the named addressee(s). If you are not the
> intended recipient, or a person designated as responsible for delivering
> such messages to the intended recipient, you are not authorized to
> disclose, copy, distribute or retain this message, in whole or in part,
> without written authorization from PSEG. This e-mail may contain
> proprietary, confidential or privileged information. If you have received
> this message in error, please notify the sender immediately. This notice
> is included in all e-mail messages leaving PSEG. Thank you for your cooperation.
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus

Reply via email to