A well-known security researcher yesterday showed how to subvert security in the Oracle 11g database by exploiting zero-day vulnerabilities that would let a savvy user gain full and complete control.
David Litchfield, a researcher at NGS Consulting, demonstrated how a user can subvert security to elevate his privileges to take complete control over Oracle 11g and also showed how to bypass the Oracle Label Security used to set mandatory access controls over information depending on security level. At the same time, Litchfield announced this was his final day at NGS, saying he was considering changing his focus to computer forensics.
The security-industry veteran said ever since he heard Oracle's chief Larry Ellison touting his database as being "unbreakable, I took umbrage at that." Litchfield noted he and Oracle have had a "rocky relationship" for a long time.
Litchfield's latest reported discovery shows that due to the way Java has been implemented in Oracle 11g Release 2, there's an overly permissive default grant that makes it possible for a low privileged user to grant himself arbitrary permissions. In a demo of Oracle 11g Enterprise Edition, he showed how to execute commands that led to the user granting himself system privileges to have "complete control over the database." Litchfield also showed how it's possible to bypass Oracle Label Security used for managing mandatory access to information at different security levels.
Until Oracle remedies the zero-day flaws he exposed, Litchfield advised Oracle 11g administrators to revoke public execute access to certain Java-based functions. He said he expects Oracle to soon release patches for the problems he identified and he intends to publish a white paper on the topic.
Litchfield said he thinks Oracle probably deserves a "B+" for security in the current version of its database, which he characterized as an improvement over the previous version, but criticized Oracle for not finding these problems in the requirements and design phases of the product. He added Oracle appears to be relying too much on security tools to catch problems after its product is shipped.