Oracle’s promise of “unbreakable” databases and application servers has yet again been found wanting, but New Zealand’s Oracle User Group (NZOUG) president says the company has actually been very clever.
Last month Oracle issued patches for flaws in its 8i and 9i databases and application server. British security researcher Mark Litchfield reported potentially dangerous weaknesses in the Oracle.exe binary of release two of the 9i database and in two versions of 8i. An overlong user name sent during authentication could overflow a stack-based buffer (a fixed-size temporary storage area on the program’s call stack), overwrite the data stored beyond it and let the attacker run arbitrary code inside the database server process.
Litchfield says that such an attack would only be successful if limits imposed by client applications on how much data could be sent to the database weren’t applied, but added that “it’s fairly simple to write your own Oracle authenticator”.
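The flaw pattern described above, as an added illustration that is not code from the advisory or from Oracle: a server-side authenticator that trusts the client to cap the user name length beside one that enforces the bound itself. The buffer size, the function names and the reference user name are all assumptions made for the example; nothing here reproduces the real Oracle code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the server's stack buffer; the real Oracle value
 * is not stated in the article. */
#define USERNAME_MAX 32

/* Pattern of the reported flaw: the server assumes the official client
 * already limited the name length and copies it into a fixed stack buffer.
 * A name of USERNAME_MAX bytes or more overruns the buffer, and a long
 * enough one overwrites the saved return address, which is how an attacker
 * gets arbitrary code to run. Never call this with untrusted input; main()
 * and the test below deliberately leave it uncalled. */
bool authenticate_unsafe(const char *username)
{
    char name[USERNAME_MAX];
    strcpy(name, username);            /* no bound: stack-based overflow */
    return strcmp(name, "scott") == 0; /* "scott" is a made-up account */
}

/* Hardened form: the bound is checked on the server before any copy, so a
 * home-written client that skips the client-side limit gains nothing. */
bool authenticate_safe(const char *username)
{
    char name[USERNAME_MAX];
    /* memchr finds the terminator only if it lies within the buffer size;
     * a name that would not fit together with its terminator is rejected. */
    const char *end = memchr(username, '\0', USERNAME_MAX);
    if (end == NULL)
        return false;
    memcpy(name, username, (size_t)(end - username) + 1);
    return strcmp(name, "scott") == 0;
}

/* Simulates what a custom client can send: the vendor's client may cap the
 * field, but nothing stops a hand-rolled authenticator from sending more.
 * Fills buf with (buflen - 1) 'A' bytes and returns that length. */
size_t build_oversized_username(char *buf, size_t buflen)
{
    size_t n = buflen - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return n;
}

/* Returns true if the hardened path refuses a 255-byte user name. */
bool oversized_name_rejected(void)
{
    char attack[256];
    build_oversized_username(attack, sizeof attack);
    return !authenticate_safe(attack);
}

/* Returns true if a name exactly USERNAME_MAX bytes long (no room for the
 * terminator) is refused: the boundary case an off-by-one check gets wrong. */
bool boundary_name_rejected(void)
{
    char exact[USERNAME_MAX + 1];
    memset(exact, 'A', USERNAME_MAX);
    exact[USERNAME_MAX] = '\0';
    return !authenticate_safe(exact);
}

int main(void)
{
    printf("safe path accepts 'scott':          %d\n", authenticate_safe("scott"));
    printf("safe path rejects 255-byte name:    %d\n", oversized_name_rejected());
    printf("safe path rejects %d-byte name:     %d\n", USERNAME_MAX, boundary_name_rejected());
    /* authenticate_unsafe(attack) would corrupt the stack; left uncalled. */
    return 0;
}
```

The point Litchfield makes applies directly: the only thing standing between the unsafe function and an attacker is a length limit in somebody else’s code, and any limit that lives in the client can be removed by writing a different client.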
NZOUG president Michelle Teirney says Oracle has “actually been very clever” with its “Unbreakable” campaign.
“They issued a challenge to anyone with the inclination and the most sophisticated technical skills to find any obscure flaws and they’ve submitted Oracle product to extreme testing for no cost on their part. Some of the 8i database versions that the potential flaw relates to have been out for quite a while now.”
The flaws aren’t the first uncovered since Oracle launched its “Unbreakable” campaign in November 2001, but Oracle users don’t appear to be overly worried.
Teirney says users should review their own versions, their organisation’s risk profile and data sensitivity and take appropriate steps to address risks.
“While any severe bug that has widespread implications to Oracle users is of concern, the resolution is equally important, and in this particular instance Oracle have taken the issue seriously and taken steps to resolve it promptly.”
Teirney says a fellow NZOUG committee member told her the risk to the organisation they work for is fairly low, “due to low sensitivity of data and other security features such as firewalls. Also, it is felt it would take a fairly knowledgeable hacker to exploit this flaw.”
Teirney says Litchfield was quoted recently in Oracle Magazine praising an e-voting system based on Oracle software, making “apparently positive comments on a solution that appears to utilise at least some of the versions indicated in the security alert”.
Litchfield described the flaws in an advisory posted to the BugTraq mailing list. Besides the buffer overflow, which affects 8i versions 8.1.7 and 8.0.6 and releases 1 and 2 of 9i, it notes two vulnerabilities in version 9.0.2 of the 9i application server, which ships with WebDAV, an extension to HTTP that lets clients create, upload and edit files on a web server. Because WebDAV is enabled by default, an attacker could upload files to the server without any further configuration being required.
Litchfield’s employer, Next Generation Security Software, also says the WebDAV logging function is flawed: an attacker can take control of the server by sending it a specially crafted string that the logging code mishandles.