RE: Recent Oracle exploit is _actually_ an 0day with no patch

To: "Cesar" <cesarc56@xxxxxxxxx>, "David Litchfield" <davidl@xxxxxxxxxxxxxxx>, "Steven M. Christey" <coley@xxxxxxxxx>
Subject: RE: Recent Oracle exploit is _actually_ an 0day with no patch
From: "Kornbrust, Alexander" <ak@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 28 Apr 2006 21:17:29 +0200
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcZq8gp9Qz4Rla0LQJWM0k3sV7sNXQAAFIcQ
Thread-topic: Recent Oracle exploit is _actually_ an 0day with no patch
Cesar, David and Steve,

I agree with your opinion. Oracle is not really fast fixing security
issues. 

Currently I have 40+ OPEN/UNFIXED security issues in Oracle products. A
detailed list from Oracle secalert (Report March 2006) can be found at
the end of this email or (the latest version) on my webpage:

http://www.red-database-security.com/advisory/upcoming_alerts.html


Let's do some math. According to Mary Ann Davidson 75 % of all security
bugs are found by Oracle employees: If bugs are fixed independently by
the reporter then

   25  %  =  40 unfixed bugs       ( found by Red-Database-Security)
   75 %  =  120 unfixed bugs       ( found by Oracle employees)

 ==> 160 security bugs are still unfixed.

If Cesar, Esteban and David have a similar number of open security bugs,


   25 % = 100 unfixed bugs         ( ESTIMATED: reported by Argeniss,
NGS and RDS)
   75 % = 300 unfixed bugs         ( reported by Oracle employees) 

==> 400 (!!!) security bugs in Oracle are still unfixed. 


    UNBREAKABLE...


Regards

 Alexander

--
Red-Database-Security GmbH
http://www.red-database-security.com

#############
-----Original Message-----
From: Oracle Security Alerts [mailto:secalert_us@xxxxxxxxxx] 
Sent: Tuesday, March 14, 2006 7:29 PM
To: Kornbrust, Alexander
Subject: Status of Red Database Security open vulnerability reports


The following is a list of all open issues that you have reported to us,
and
their current status.

____________________________________________________
Reporter:       Alexander Kornbrust (ak@xxxxxxxxxxxxxxxxxxxxxxxxx)
Organization:   Red Database Security
____________________________________________________
        
Tracking #:     2005-S050E
Description:    plaintext password exposure using xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     2005-S066E
Description:    xxx plaintext password in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     2005-S067E
Description:    xxx plaintext password in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     5448895
Description:    xxx ARE RUN AS SYS WHEN USING xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     5883663
Description:    XSS in Oracle xxx using xxx and xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     5883665
Description:    XSS in Oracle xxx using xxx and xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6343787 (Duplicate -- Previously reported)
Description:    xxx CROSS SITE SCRIPTING VULNERABILITY USING xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6343935 (Duplicate -- Previously reported)
Description:    CROSS SITE SCRIPTING IN xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6454153
Description:    SQL INJECTION VULNERABILITY IN xxx  USING xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6454409
Description:    xxx CAN BE BYPASSED USING xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6543483
Description:    SECURITY GUIDE NEEDS TO DOCUMENT DANGERS OF xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6543923
Description:    xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6914665
Description:    xxx CAN CRASH (POSSIBLE BUFFER OVERFLOW) IF HANDCRAFTED
PACKET PRESENTED
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980695
Description:    SQL Injection in xxx 
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980701
Description:    SQL Injections in xxx 
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980711
Description:    SQL Injections in xxx 
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980717
Description:    SQL Injection in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980725
Description:    SQL Injections in xxx 
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980733
Description:    SQL Injections in xxx    and xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980737
Description:    SQL Injections in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980745
Description:    SQL Injection in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980751
Description:    SQL Injections in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980753
Description:    SQL Injections in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980761
Description:    SQL Injections in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980765
Description:    SQL Injection in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980771
Description:    SQL Injections in  xxx   and  xxx  
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980775
Description:    SQL Injection in xxx
Status:         Issue fixed in main codeline, scheduled for a future CPU
        
Tracking #:     6980781
Description:    SQL Injections in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980783
Description:    SQL Injection in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980789
Description:    SQL Injection in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980793
Description:    SQL Injections in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980797
Description:    SQL Injections in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980807
Description:    SQL Injections in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980813
Description:    SQL Injection in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980817
Description:    SQL Injection in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980819
Description:    SQL Injection in xxx
Status:         Under investigation / Being fixed in main codeline
        
Tracking #:     6980825
Description:    SQL Injection in xxx
Status:         Under investigation / Being fixed in main codeline

#############
> -----Original Message-----
> From: Cesar [mailto:cesarc56@xxxxxxxxx]
> Sent: Friday, April 28, 2006 6:33 PM
> To: David Litchfield; Steven M. Christey
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: Recent Oracle exploit is _actually_ an 0day with no patch
> 
> David is right, we also have reported hundreds of
> vulnerabiities to Oracle and they only fix what you
> report to them, they don't care to fix the same
> vulnerability on different portions of code, one good
> example is that Oracle should have eliminated SQL
> injection bugs since long time ago but there are still
> SQL injection bugs all around because they only fix
> bugs reported by researchers. I remember Mary Ann
> Davidson saying "Oracle finds more than 75 percent of
> significant security vulnerabilities in-house"
>
(http://news.com.com/When+security+researchers+become+the+problem/2010-
> 1071_3-5807074.html)
> so WTF you don't fix them!!!!!
> 
> I really can't understand how customers don't demand
> better security to Oracle or switch to other vendor, I
> would like to have customers like that so you can sell
> very unsecure products to them and them won't ever
> complain so I can save billons not improving security
> on products and make a lot of money$$$$.
> 
> PS: Look at this paper dated February 2002, amazing
> how Oracle efforts are visible on 2006!
> http://www.cgisecurity.com/database/oracle/pdf/unbreak3.pdf
> 
> 
> Cesar.
> 
> --- David Litchfield <davidl@xxxxxxxxxxxxxxx> wrote:
> 
> > >
> > >>The recent Oracle exploit posted to Bugtraq
> > >>(http://www.securityfocus.com/archive/1/431353) is
> > actually an 0day
> > >>and has no patch.
> > >
> > > The referenced exploit seems to use
> > GET_DOMAIN_INDEX_METADATA with a
> > > TYPE_NAME that references an attacker-defined
> > package with a
> > > (modified?) ODCIIndexGetMeta function.
> > >
> > > Your last example uses GET_V2_DOMAIN_INDEX_TABLES,
> > with arguments that
> > > reference an attacker-defined package with a
> > (modified?)
> > > ODCIIndexUtilGetTableNames function.
> > >
> > > Is this a surface-level discrepancy, or is your
> > vector substantively
> > > different than the one in the exploit?  If these
> > are different, then
> > > is it possible that last week's exploit was
> > actually fixed?
> >
> > No; the same problem occurs. This is the kind of
> > general problem I'm
> > speaking about. Most vendors that actually
> > understand security will look for
> > other bugs in the same functional area if you point
> > out a bug. IMO, my job
> > as a security vulnerability researcher is to
> > highlight problem areas - i.e.
> > areas of functionality that are rife with issues.
> > How can Oracle fix one
> > issue but miss the same flaw two lines later??? In
> > this case though, we're
> > not just talking about one flaw but several. Really,
> > it is inconceivable,
> > yet they, somehow, manage to do it.
> >
> > God forbid that any of our critical national
> > infrastructure runs on this
> > product.... oops it does :(
> >
> > And every version from 8 through 9 to 10 release 2
> > is vulnerable. That's
> > every supported version of Oracle on every operating
> > system.
> >
> > Oracle customers: honestly - Oracle are not going to
> > listen to the likes of
> > me - but they will listen folks like you. If you're
> > not happy with the
> > response you're getting from Oracle then get on the
> > 'phone - call them up
> > and tell them that you're not happy. Please, demand
> > improvements.
> >
> > By the way, this is not an isolated incident. I have
> > many examples to hand
> > where Oracle have tried to fix problems in the same
> > functional area but only
> > whitewashed it. They should be proactively looking
> > for similar issues in the
> > same code just like Microsoft does.
> >
> > The "champion of quality coding movement"
> > (http://www.cio.com/archive/031505/security.html) ,
> > who "applauds ethical
> > hacking", asks "Why isn't that standard development
> > process?"
> >
> > I don't know... but I don't think we'll find out in
> > the two year time frame
> > posited; we've got less than a year to go.
> >
> > >
> > > - Steve
> > >
> > > P.S. For those of you who are paying attention at
> > this excruciating
> > > level of detail, it seems that David's original
> > use of
> > > GET_DOMAIN_INDEX_METADATA in 2004 directly
> > included the code in the
> > > NEWBLOCK argument, whereas last week's exploit was
> > performed through
> > > an indirect reference to the code in the TYPE_NAME
> > argument.
> >
> > p.p.s.
> >
> > Just to clarify the issues:
> >
> > GET_DOMAIN_INDEX_TABLES
> > GET_DOMAIN_INDEX_METADATA
> > GET_V2_DOMAIN_INDEX_TABLES
> >
> > are all vulnerable to the exploit.
> >
> > Cheers,
> > David Litchfield
> > NGSSoftware Ltd,
> > http://www.ngssoftware.com/
> > +44 (0) 208 401 0070
> >
> >
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
Follow-Ups:
- Re: Recent Oracle exploit is _actually_ an 0day with no patch
  - From: David Litchfield
Prev by Date: [Kurdish Security #2] Artmedic Event Remote File Include Vulnerability
Next by Date: Neomail.pl Local Cross Site Scripting
Previous by thread: Re: Recent Oracle exploit is _actually_ an 0day with no patch
Next by thread: Re: Recent Oracle exploit is _actually_ an 0day with no patch
Index(es):
- Date
- Thread