RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
Sorry, it is not readable.

Kind Regards,
Hatzistavrou Yannis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 24, 2003 6:40 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: Do not connect Oracle DB to the Internet. Oracle Alert #59

Hi Mike

Here it is again. Let me know if you can read it.

ta
tony

At 08:54 AM 23/10/2003 -0800, Vergara, Michael (TEM) wrote:

Tony:

I did not receive the attachment clearly. Can you re-send it or cite the source?

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 23, 2003 6:25 AM
To: Multiple recipients of list ORACLE-L
Subject: Do not connect Oracle DB to the Internet. Oracle Alert #59

Important: Please read the following Oracle Alert.

We strongly recommend that you do not connect the Oracle Database directly to the Internet.

Got your attention? That is what is in the Alert. These alerts are beginning to come all too often. Sounds just like Microsoft's software, yeah?

Buffer Overflow in Oracle Database Server Binaries

This is with the Oracle kernel/binary itself, i.e. the 'oracle' or 'oracleO' file in $ORACLE_HOME/bin.

Description
A potential buffer overflow has been discovered in the "oracle" and "oracleO" (the letter O) binaries of the Oracle Database. A knowledgeable and malicious local user can exploit this buffer overflow to execute code on the operating system hosting the Oracle Database server.

Products Affected
* Oracle 9i Database Release 2, Version 9.2.x
* Oracle 9i Database Release 1, Version 9.0.x

Platforms Affected
All supported UNIX and Linux operating system variants.

Patch only available for Linux right now.

So who found out this vulnerability? David Litchfield? Aaron Newman?

I know it is a bit silly to ask, but does anyone know how to exploit this vulnerability? Send it to me directly if you don't want to reply publicly.

ta
tony
Re: Do not connect Oracle DB to the Internet. Oracle Alert #59
> So who found out this vulnerability? David Litchfield? Aaron Newman?
> I know it is a bit silly to ask, but does anyone know how to exploit this vulnerability? Send it to me directly if you don't want to reply publicly.

Hi,

Some guy called c0ntex, email [EMAIL PROTECTED], found it. If you want to know how to exploit it, then just search Google for "C0ntex Oracle" and many pages pop up with exploit code on them. For instance: http://www.security-corporation.com/exploits-20031018-000.html

kind regards

Pete
--
Pete Finnigan
email: [EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Pete Finnigan
INET: [EMAIL PROTECTED]

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
Hi Mike

Here it is again. Let me know if you can read it.

ta
tony

At 08:54 AM 23/10/2003 -0800, Vergara, Michael (TEM) wrote:

> Tony:
>
> I did not receive the attachment clearly. Can you re-send it or cite the source?
>
> Thanks,
> Mike
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 23, 2003 6:25 AM
> To: Multiple recipients of list ORACLE-L
> Subject: Do not connect Oracle DB to the Internet. Oracle Alert #59
>
> [original message snipped; it is quoted in full in the first message of this thread]

Attachment: 2003alert59.pdf (Adobe PDF document)
Re: Do not connect Oracle DB to the Internet. Oracle Alert #59
Thanks for sharing that Pete

ta
tony

At 02:39 AM 24/10/2003 -0800, you wrote:

> [Pete Finnigan's reply snipped; it appears in full earlier in this thread]
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
I find it more interesting that the problem doesn't apply to Windows servers... ;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 23 October 2003 14:25
To: Multiple recipients of list ORACLE-L
Subject: Do not connect Oracle DB to the Internet. Oracle Alert #59

[original message snipped; it is quoted in full in the first message of this thread]
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
No problem, it's unbreakable!!! ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 8:25 AM
To: Multiple recipients of list ORACLE-L
Subject: Do not connect Oracle DB to the Internet. Oracle Alert #59

[original message snipped; it is quoted in full in the first message of this thread]
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
Ian - I haven't been able to locate this on Metalink, but can you give a quick idea about how I can ensure I don't have a vulnerability here? Our databases are behind firewalls and all access is through app servers.

Thanks.

Dennis Williams
DBA
Lifetouch, Inc.
[EMAIL PROTECTED]

-----Original Message-----
Sent: Thursday, October 23, 2003 9:25 AM
To: Multiple recipients of list ORACLE-L

The exploit involves passing a large argv[1] argument to the oracle or oracleO binary. Credit for discovering the vulnerability goes to [EMAIL PROTECTED] (mailto:[EMAIL PROTECTED]). The error was first discovered on a LINUX box, but I have seen notes that AIX is vulnerable as well.

What is not published in North America yet is the Oracle alert you mention. The first security note I saw on this was published on 19 October.

Yes, there are people who know how to exploit the vulnerability. The vulnerability was shown to Oracle over a month ago, according to the comments in a proof of concept exploit.

One workaround is to take off the setuid bit from the Oracle binary. Is it really necessary to set this? How many places still have users log into the database server? Oracle has recommended putting its databases behind firewalls for some time.

Ian MacGregor
Stanford Linear Accelerator Center
[EMAIL PROTECTED] (mailto:[EMAIL PROTECTED])

-----Original Message-----
Sent: Thursday, October 23, 2003 6:25 AM
To: Multiple recipients of list ORACLE-L

[original message snipped; it is quoted in full in the first message of this thread]
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
This vulnerability is only exploitable by local users. That is to say, if you have a local user (one that uses telnet or (ideally) ssh to log in) that has permissions to execute the oracle binary, you are vulnerable to this. It has nothing to do with whether or not your system is attached to the Internet; it has to do with giving users logins on your system. Now, of course, having your database exposed to the Internet is a terrible idea, but it's a generally terrible idea, not one specific to this vulnerability.

Let me know if I can clarify any of this.

Thanks,
Matt

--
Matthew Zito
GridApp Systems
Email: [EMAIL PROTECTED]
Cell: 646-220-3551
Phone: 212-358-8211 x 359
http://www.gridapp.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DENNIS WILLIAMS
Sent: Thursday, October 23, 2003 12:20 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: Do not connect Oracle DB to the Internet. Oracle Alert #59

Ian - I haven't been able to locate this on Metalink, but can you give a quick idea about how I can ensure I don't have a vulnerability here? Our databases are behind firewalls and all access is through app servers.

Thanks.

Dennis Williams
DBA
Lifetouch, Inc.
[EMAIL PROTECTED]

-----Original Message-----
Sent: Thursday, October 23, 2003 9:25 AM
To: Multiple recipients of list ORACLE-L

[Ian MacGregor's reply and the original message snipped; both appear in full earlier in this thread]
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
Dennis,

Note 251910.1

Oracle Security Alert #59
Dated: 20 October 2003
Updated: 22 October 2003
Severity: 2

Buffer Overflow in Oracle Database Server Binaries

Description
A potential buffer overflow has been discovered in the oracle and oracleO (the letter O) binaries of the Oracle Database. A knowledgeable and malicious local user can exploit this buffer overflow to execute code on the operating system hosting the Oracle Database server.

Products Affected
* Oracle 9i Database Release 2, Version 9.2.x
* Oracle 9i Database Release 1, Version 9.0.x

Platforms Affected
All supported UNIX and Linux operating system variants.

Required conditions for exploit
A valid account on the operating system hosting the Oracle Database server.

Risk to exposure
The oracle and oracleO (the letter O) binaries are typically owned by the oracle operating system user account and by the dba operating system group. A malicious local user (a user defined in the operating system hosting the Oracle Database) can write code that attempts to exploit the buffer overflow in these binaries to run with the privileges of the oracle owner and potentially compromise the operating system hosting the Oracle Database server.

Unless you connect the Oracle Database directly to the Internet (e.g., no intervening application server or firewall), a remote exploit via the Internet is, in our opinion, unlikely. We strongly recommend that you do not connect the Oracle Database directly to the Internet. However, this vulnerability is susceptible to an insider attack originated on an Intranet if the required conditions for exploit are met.

Oracle is aware of an exploit for this vulnerability.

How to minimize risk
See Workaround, below. Follow Oracle's best practices for database security:
  http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf
  http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
and best practices for operating system security.

Ramification for customer
Oracle recommends that customers review the severity rating for this Alert and patch accordingly. See http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings.

Workaround
Remove the execute permission from the operating system group "other" associated with the affected binaries. Perform the following steps:

  # cd $ORACLE_HOME/bin
  # chmod o-x oracle oracleO

In addition, verify that only trusted users are in the same group as are the oracle and oracleO binaries. No other changes are required. For example, do not remove setuid or setgid from the affected binaries.

NOTE: This workaround protects customers from the potential vulnerability. However, after performing the steps listed above, depending on the configuration of Oracle Net Services, certain users may no longer be able to connect to the Oracle Database. Specifically, if the database is configured to use the bequeath protocol[1], then local users not in the operating system dba group will no longer be able to connect to the database.

With the workaround applied, the Oracle Net Listener runs as the same user who owns the oracle binary, or as a user who is a member of the dba group. Although this is already the case for a typical installation/configuration, it is not normally required that the user running the listener has these privileges.

For those customers who are unable to implement the workaround as suggested, Oracle recommends applying the patch as soon as it is available.

Fixed by
An interim (one-off) patch for this issue is available for the following release: Oracle 9i Database Release 9.2.0.4 for Linux x86.

Download this one-off patch from the Oracle Support Services web site, Metalink (http://metalink.oracle.com):
1. Click on the Patches button.
2. Click on the Simple Search.
3. In the Search By option select Patch Number(s) from the drop-down menu, and enter 3157063 in the box.
4. Select the required platform and language.
5. Click on the Go button.
6. Click on the Download button.
7. Recommended: you should also click on the View README button for additional information and instructions.

Please review Metalink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable.

Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.

Modification History
20-OCT-03: Initial release, version 1
22-OCT-03: Identified restrictions of the provided workaround, provided patch details for Linux x86, Oracle 8i Database Release 8.1.x and earlier proved not vulnerable.

[1] If the client and server exist on the same machine, a client
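A quick way to verify on a host whether the workaround above has been applied, added here as an example for this thread (it is not part of Oracle's note and not Oracle's code): the script reads the mode string of each binary from ls -l, reports whether setuid/setgid are still set (the note says to leave them in place) and whether "other" can still execute the file, and lists the members of the binaries' group so the "only trusted users in the group" check can be done at the same time. It assumes ORACLE_HOME is set in the environment and that the two binaries named in the alert live in $ORACLE_HOME/bin; the function and variable names are the example's own.

```shell
#!/bin/sh
# Alert #59 workaround check (added example, not Oracle's code).
# Oracle's workaround is "chmod o-x oracle oracleO" with setuid/setgid left on,
# so a hardened binary looks like -rwsr-s--- and an exposed one like -rwsr-s--x.

# Print the 10-character mode string of a path, e.g. "-rwsr-s--x".
# ls -l is used rather than stat because its mode column is the same on
# Linux, AIX, Solaris and HP-UX, the platforms the alert covers.
alert59_mode() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Classify one binary. Prints a one-line report and returns:
#   0  hardened: "other" has no execute bit (workaround applied)
#   1  exposed:  any local OS user can execute the binary
#   2  path does not exist
alert59_check() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    m=$(alert59_mode "$f")
    # Column 4 is user execute (s/S = setuid), column 7 is group execute
    # (s/S = setgid), column 10 is other execute (x, or t with the sticky bit).
    case $(printf '%s' "$m" | cut -c4)  in s|S) suid=yes ;; *) suid=no ;; esac
    case $(printf '%s' "$m" | cut -c7)  in s|S) sgid=yes ;; *) sgid=no ;; esac
    case $(printf '%s' "$m" | cut -c10) in x|t) oexec=yes ;; *) oexec=no ;; esac
    echo "$f mode=$m setuid=$suid setgid=$sgid other-exec=$oexec"
    [ "$oexec" = no ]
}

# List the members of the group that owns a path (field 4 of the group entry).
# Users whose primary group is that group are not listed in field 4, so
# check /etc/passwd as well on a real host.
alert59_group_members() {
    grp=$(ls -ld "$1" 2>/dev/null | awk '{print $4}')
    [ -n "$grp" ] || return 0
    if command -v getent >/dev/null 2>&1; then
        getent group "$grp" 2>/dev/null | cut -d: -f4
    else
        awk -F: -v g="$grp" '$1 == g { print $4 }' /etc/group
    fi
    return 0
}

# Scan a real installation when ORACLE_HOME is set (assumption: both binaries
# named in the alert are in $ORACLE_HOME/bin). A remediation line is printed
# for any exposed binary.
if [ -n "${ORACLE_HOME:-}" ] && [ -d "$ORACLE_HOME/bin" ]; then
    for b in "$ORACLE_HOME/bin/oracle" "$ORACLE_HOME/bin/oracleO"; do
        alert59_check "$b" || echo "  -> apply the workaround: chmod o-x $b"
    done
    echo "members of the owning group (should be trusted DBAs only):"
    alert59_group_members "$ORACLE_HOME/bin/oracle"
fi
```

Run it as the oracle owner or as root on each database host. A binary that reports setuid=no has had the bit stripped (the workaround Ian MacGregor mentions), which the note explicitly advises against; a binary that reports other-exec=yes has not had the workaround applied. Remember the note's caveat before applying chmod o-x: local users outside the dba group lose bequeath connections.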
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
Tony:

I did not receive the attachment clearly. Can you re-send it or cite the source?

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 23, 2003 6:25 AM
To: Multiple recipients of list ORACLE-L
Subject: Do not connect Oracle DB to the Internet. Oracle Alert #59

[original message snipped; it is quoted in full in the first message of this thread]