So whats up with the 11.2 java security hole?
John Hurley
Vladimir M. Zakharychev
Hmm... Off the top of my head: unprivileged user can execute external
programs on the server from Java in context of Oracle owner user. If
this is so, then it's trivial to create a script with GRANT DBA TO
SCOTT in it and then execute 'sqlplus "/ as sysdba" @becomedba.sql'.
Actually, the possibilities to compromise the system and its
neighborhood further are limitless. Combined with some unauthenticated
remote PL/SQL code execution exploit (for unpatched mod_plsql/OWA for
example,) this hole is very dangerous indeed. You can grab whatever
you please from such system or wreak havoc on it, map the internal
network and its services, siphon data from nearby Oracle databases by
creating DB links to them, etc.
Before posting the above I quickly swept the net about this and found
that Alex Kornbrust posted the details in his blog at
http://blog.red-database-security.com/ and it's exactly this kind of
attack. He also suggests the workaround (revoking EXECUTE from PUBLIC
on certain Java-related packages.) Actually, I'd check the privileges
on these packages and revoke EXECUTE from everyone else, too. SYS is
just enough.
By the way, DBMS_SCHEDULER has the capability to execute external
programs, too. Hope default privileges for it are better thought out
and it's locked tight out of the box...
Regards,
Vladimir M. Zakharychev
N-Networks, makers of Dynamic PSP(tm)
http://www.dynamicpsp.com
Maxim Demenko
> On Feb 7, 2:47 am, John Hurley<johnbhur...@sbcglobal.net> wrote:
>> Based on David Litchfield ...
>>
>> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...
>
> He also suggests the workaround (revoking EXECUTE from PUBLIC
> on certain Java-related packages.) Actually, I'd check the privileges
> on these packages and revoke EXECUTE from everyone else, too. SYS is
> just enough.
>
> Regards,
> Vladimir M. Zakharychev
> N-Networks, makers of Dynamic PSP(tm)
> http://www.dynamicpsp.com
>
Taking in account the complexity of underlying code, it seems to be
*not* a straightforward action - i would rather share the Gary Myers
thoughts on this subject -
http://blog.sydoracle.com/2010/02/exploits-and-revoking-risks-of-revoking.html
For sure only Oracle can confirm (or deny), such revoke won't break
anything in provided functionality. Even Oracle would have probably
difficulties to test against all usual scenarios in context of such
revoke - much easier will be probably to remove vulnerability in the
underlying packages. On the other side, the vulnerability is so
dangerous, that i hope, Oracle's fix should follow rather sooner ( at
least for those, who get lucky to login into MOS).
Best regards
Maxim
Vladimir M. Zakharychev
> On 07.02.2010 12:19, Vladimir M. Zakharychev wrote:
>
> > On Feb 7, 2:47 am, John Hurley<johnbhur...@sbcglobal.net> wrote:
> >> Based on David Litchfield ...
>
> >>http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...
>
> > He also suggests the workaround (revoking EXECUTE from PUBLIC
> > on certain Java-related packages.) Actually, I'd check the privileges
> > on these packages and revoke EXECUTE from everyone else, too. SYS is
> > just enough.
>
> > Regards,
> > Vladimir M. Zakharychev
> > N-Networks, makers of Dynamic PSP(tm)
> > http://www.dynamicpsp.com
>
> Taking in account the complexity of underlying code, it seems to be
> *not* a straightforward action - i would rather share the Gary Myers
> For sure only Oracle can confirm (or deny), such revoke won't break
> anything in provided functionality. Even Oracle would have probably
> difficulties to test against all usual scenarios in context of such
> revoke - much easier will be probably to remove vulnerability in the
> underlying packages. On the other side, the vulnerability is so
> dangerous, that i hope, Oracle's fix should follow rather sooner ( at
> least for those, who get lucky to login into MOS).
>
> Best regards
>
> Maxim
Well, that's a quick and dirty workaround, not a proven remedy. You
gotta decide between the real chance of your databases being
compromised any time now and some remote possibility that some obscure
Java-related stuff in the database will not work as expected. Finding
out where the package is used is not too complex - check the
dependencies, scan strings from Oracle executables for references to
the package and context in which it is being called. Then decide if
it's important to have it executable by anyone or by some select group
of accounts where it's really needed, or only by SYS. But leaving this
particular door open is a clear invitation to local and remote
burglars and it better be closed one way or another. For now, the only
way is to seal it completely. When Oracle releases a more gentle fix,
we'll use that.
Vladimir M. Zakharychev
>
[rant]
Well, the weekend's over, been 4 (if I didn't miscalculate) days since
disclosure and guess what - no alert from Oracle still. Neither public
at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
paying-customer-only at MOS, nor on their security blogs... Even a
simple acknowledgment that they are aware and are working on a fix
would do at this point... Do they think that if they just ignore the
threat it will eventually go away? Or are they too busy rebranding Sun
sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
heritage, full-fledged user-friendly backdoor, even no need to compose
and inject shellcode to instantiate one of your own...)
[/rant]
John Hurley
<vladimir.zakharyc...@gmail.com> wrote:
snip ...
> [rant]
> Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> disclosure and guess what - no alert from Oracle still. Neither public
> athttp://www.oracle.com/technology/deploy/security/alerts.htm, nor
> paying-customer-only at MOS, nor on their security blogs... Even a
> simple acknowledgment that they are aware and are working on a fix
> would do at this point... Do they think that if they just ignore the
> threat it will eventually go away? Or are they too busy rebranding Sun
> sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> heritage, full-fledged user-friendly backdoor, even no need to compose
> and inject shellcode to instantiate one of your own...)
> [/rant]
It does seem quite curious doesn't it.
No worries though because Mary Ann has our back right?
How long until the auditors start asking questions ( as they are
supposed to do )?
Vladimir M. Zakharychev
Compare that to recent Microsoft attitude towards serious security
issues, especially 0-day. They typically publish bulletins within
hours just to let their customers know they take the matter seriously.
Every such issue damages their reputation and affects their bottom
line. Sure, impact of any Microsoft security bug is very wide - and
they accepted the responsibility. But impact of an enterprise database
bug of such magnitude is probably even more devastating because it
hits right in the heart of an enterprise. How they can remain quiet
and pretend nothing happens is beyond me. But thanks to David, now I'm
forewarned and thus forearmed.
M-A.D. seems to be more concerned with the process than with
deliverables I.M.O... She will probably start ranting about how
irresponsible it was of David to disclose the issue without giving
them time to cook a fix, and how this doesn't help security community
and how damaging such disclosures are to Oracle customers, etc. I have
a feeling she truly believes in security by obscurity.
She sure has her back covered, but I am not so sure about mine...
David's presentation starts with some figures and rates - well, that
wasn't new to me, but it's sad to see nothing changed over the last
few years. The attitude didn't change. No SCS, laws or education can
fix that.
Regards,
Bob
John Hurley
<vladimir.zakharyc...@gmail.com> wrote:
snip
> Well, the weekend's over, been 4 (if I didn't miscalculate) days since
> disclosure and guess what - no alert from Oracle still. Neither public
> athttp://www.oracle.com/technology/deploy/security/alerts.htm, nor
> paying-customer-only at MOS, nor on their security blogs... Even a
> simple acknowledgment that they are aware and are working on a fix
> would do at this point... Do they think that if they just ignore the
> threat it will eventually go away? Or are they too busy rebranding Sun
> sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
> heritage, full-fledged user-friendly backdoor, even no need to compose
> and inject shellcode to instantiate one of your own...)
> [/rant]
Well the web logic alert is out now ... so maybe Oracle corp is about
ready to get this one out next ... maybe.