From: John Hurley on
Based on David Litchfield ...

http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1

From: Vladimir M. Zakharychev on
On Feb 7, 2:47 am, John Hurley <johnbhur...(a)sbcglobal.net> wrote:
> Based on David Litchfield ...
>
> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...

Hmm... Off the top of my head: unprivileged user can execute external
programs on the server from Java in context of Oracle owner user. If
this is so, then it's trivial to create a script with GRANT DBA TO
SCOTT in it and then execute 'sqlplus "/ as sysdba" @becomedba.sql'.
Actually, the possibilities to compromise the system and its
neighborhood further are limitless. Combined with some unauthenticated
remote PL/SQL code execution exploit (for unpatched mod_plsql/OWA for
example,) this hole is very dangerous indeed. You can grab whatever
you please from such system or wreak havoc on it, map the internal
network and its services, siphon data from nearby Oracle databases by
creating DB links to them, etc.

Before posting the above I quickly swept the net about this and found
that Alex Kornbrust posted the details in his blog at
http://blog.red-database-security.com/ and it's exactly this kind of
attack. He also suggests the workaround (revoking EXECUTE from PUBLIC
on certain Java-related packages.) Actually, I'd check the privileges
on these packages and revoke EXECUTE from everyone else, too. SYS is
just enough.

By the way, DBMS_SCHEDULER has the capability to execute external
programs, too. Hope default privileges for it are better thought out
and it's locked tight out of the box...

Regards,
Vladimir M. Zakharychev
N-Networks, makers of Dynamic PSP(tm)
http://www.dynamicpsp.com

From: Maxim Demenko on
On 07.02.2010 12:19, Vladimir M. Zakharychev wrote:
> On Feb 7, 2:47 am, John Hurley<johnbhur...(a)sbcglobal.net> wrote:
>> Based on David Litchfield ...
>>
>> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...
>

> He also suggests the workaround (revoking EXECUTE from PUBLIC
> on certain Java-related packages.) Actually, I'd check the privileges
> on these packages and revoke EXECUTE from everyone else, too. SYS is
> just enough.

>
> Regards,
> Vladimir M. Zakharychev
> N-Networks, makers of Dynamic PSP(tm)
> http://www.dynamicpsp.com
>

Taking in account the complexity of underlying code, it seems to be
*not* a straightforward action - i would rather share the Gary Myers
thoughts on this subject -
http://blog.sydoracle.com/2010/02/exploits-and-revoking-risks-of-revoking.html
For sure only Oracle can confirm (or deny), such revoke won't break
anything in provided functionality. Even Oracle would have probably
difficulties to test against all usual scenarios in context of such
revoke - much easier will be probably to remove vulnerability in the
underlying packages. On the other side, the vulnerability is so
dangerous, that i hope, Oracle's fix should follow rather sooner ( at
least for those, who get lucky to login into MOS).


Best regards

Maxim
From: Vladimir M. Zakharychev on
On Feb 7, 3:24 pm, Maxim Demenko <mdeme...(a)gmail.com> wrote:
> On 07.02.2010 12:19, Vladimir M. Zakharychev wrote:
>
> > On Feb 7, 2:47 am, John Hurley<johnbhur...(a)sbcglobal.net>  wrote:
> >> Based on David Litchfield ...
>
> >>http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac....
>
> > He also suggests the workaround (revoking EXECUTE from PUBLIC
> > on certain Java-related packages.) Actually, I'd check the privileges
> > on these packages and revoke EXECUTE from everyone else, too. SYS is
> > just enough.
>
> > Regards,
> >     Vladimir M. Zakharychev
> >     N-Networks, makers of Dynamic PSP(tm)
> >    http://www.dynamicpsp.com
>
> Taking in account the complexity of underlying code, it seems to be
> *not* a straightforward action - i would rather share the Gary Myers
> thoughts on this subject -http://blog.sydoracle.com/2010/02/exploits-and-revoking-risks-of-revo...
> For sure only Oracle can confirm (or deny), such revoke won't break
> anything in provided functionality. Even Oracle would have probably
> difficulties to test against all usual scenarios in context of such
> revoke - much easier will be probably to remove vulnerability in the
> underlying packages. On the other side, the vulnerability is so
> dangerous, that i hope, Oracle's fix should follow rather sooner ( at
> least for those, who get lucky to login into MOS).
>
> Best regards
>
> Maxim

Well, that's a quick and dirty workaround, not a proven remedy. You
gotta decide between the real chance of your databases being
compromised any time now and some remote possibility that some obscure
Java-related stuff in the database will not work as expected. Finding
out where the package is used is not too complex - check the
dependencies, scan strings from Oracle executables for references to
the package and context in which it is being called. Then decide if
it's important to have it executable by anyone or by some select group
of accounts where it's really needed, or only by SYS. But leaving this
particular door open is a clear invitation to local and remote
burglars and it better be closed one way or another. For now, the only
way is to seal it completely. When Oracle releases a more gentle fix,
we'll use that.

Regards,
Vladimir M. Zakharychev
N-Networks, makers of Dynamic PSP(tm)
http://www.dynamicpsp.com
From: Vladimir M. Zakharychev on
On Feb 7, 2:47 am, John Hurley <johnbhur...(a)sbcglobal.net> wrote:
> Based on David Litchfield ...
>
> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...

[rant]
Well, the weekend's over, been 4 (if I didn't miscalculate) days since
disclosure and guess what - no alert from Oracle still. Neither public
at http://www.oracle.com/technology/deploy/security/alerts.htm, nor
paying-customer-only at MOS, nor on their security blogs... Even a
simple acknowledgment that they are aware and are working on a fix
would do at this point... Do they think that if they just ignore the
threat it will eventually go away? Or are they too busy rebranding Sun
sites and cleaning up after CVE-2010-0073? (this one's a nice BEA
heritage, full-fledged user-friendly backdoor, even no need to compose
and inject shellcode to instantiate one of your own...)
[/rant]

Regards,
Vladimir M. Zakharychev
N-Networks, makers of Dynamic PSP(tm)
http://www.dynamicpsp.com