[17726] in bugtraq
Re: [BUGTRAQ] vulnerability in Connection Manager Control binary
daemon@ATHENA.MIT.EDU (ksoze@OBSCURITY.ORG)
Tue Nov 21 14:40:37 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20001120181545.B20591@obscurity.org>
Date: Mon, 20 Nov 2000 18:15:45 -0800
Reply-To: ksoze@OBSCURITY.ORG
From: ksoze@OBSCURITY.ORG
X-To: Chris Calabrese <chris_calabrese@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001120185140.16623.qmail@web213.mail.yahoo.com>; from
chris_calabrese@YAHOO.COM on Mon, Nov 20, 2000 at 10:51:40AM -0800
Go through your Oracle installation and remove the setuid bit on all those
little helper applications that you don't use. Don't wait for someone to tell
you that one of them is exploitable.
warning: all the stuff below is a rant.
>
> Meanwhile, giving a vendor only 4 days to respond, two
> of which are a weekend, seems a bit stingy.
>
Security is a 24/7 requirement. People don't stop owning you on the weekend,
or after 5pm, or on stat holidays, etc. A responsible vendor will have their
people working overtime, all night, over the weekend, through <insert holiday
here> to close security holes. (And if you're thinking about saying this
is unfair, don't bother. We all know, sometimes too well, that software
companies have no problem making their developers work stupid hours to meet
product shipping deadlines.) IMHO giving a vendor a whole 10 minutes to fix
things is _doing them a huge favor_. It was the vendor who screwed up in the
first place and as a whole I think we (users who are concerned with security)
cut them way too much slack for this.
Sadly, I think that with Oracle it's better to get the stuff out on bugtraq
right away than bother with their internal procedures. If there's an overflow
in some little helper program that comes with Oracle it's far better for the
admin to make a special group for it and set permissions so that only certain
trusted users can run it, or just remove the setuid bit. I posted a minor issue
with their installer (with a good workaround) to bugtraq a while back and it
took more than 2 weeks for someone there to say anything to me about it. At the
time they had no security mailing list. I was told by their head security
person that I would be informed when there was one. I haven't been. I still
don't even know if they have such a list. Moreover, Oracle has never made an
effort to inform their customers about security problems. I guess we're just
expected to know somehow. Why isn't there a big section on technet for security
patches? If there is, someone give me the URL.
Anyway, we all know that giving people shells on your database box is just
asking for it, right? And if you have to, it's best to remove all the setuid
bits from the programs you don't use. All standard procedure for hardening
a system.
(I know I really singled out Oracle here, but they're not the only company
I can think of that acts like this.. and I still think Oracle makes a great
database product.)
ksoze
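The hardening routine the post recommends (find the setuid helpers under an Oracle home, strip the bit from the ones nobody uses, and put the ones you must keep behind a trusted group) as an added shell example. This is not code from the original post or from Oracle; the directory layout, the file names (dbmain, helper_one, helper_two) and the "trusted group" are constructed for the demo, and restrict_to_group needs root (or file ownership plus membership in the target group) for chgrp to succeed on a real box.

```shell
#!/bin/sh
# Audit and harden setuid/setgid helpers under an Oracle home.
# Added example, not from the original post; ORACLE_HOME layout is assumed.
# Usage: sh harden_setuid.sh /path/to/ORACLE_HOME   (audit only: lists setuid files)
#        sh harden_setuid.sh --demo                  (runs against a constructed tree)
set -eu

# Print every setuid or setgid regular file under a tree, one path per line.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Drop setuid and setgid from a helper that nobody on this host needs.
strip_setuid() {
    chmod u-s,g-s "$1"
}

# Keep a helper setuid but let only members of one trusted group run it:
# rwsr-x--- means setuid for group members, no access at all for "other".
restrict_to_group() {
    chgrp "$2" "$1"
    chmod 4750 "$1"
}

# Exit status 0 if the file still carries setuid or setgid, 1 otherwise.
is_setuid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Walk one tree: helpers whose basename appears in KEEP (space-separated list)
# are group-restricted, everything else loses its setuid/setgid bits.
# Review list_setuid output before running this against a real install.
harden_tree() {
    dir=$1; keep=$2; group=$3
    list_setuid "$dir" | while read -r path; do
        name=$(basename "$path")
        case " $keep " in
            *" $name "*) restrict_to_group "$path" "$group"; echo "restricted: $path" ;;
            *)           strip_setuid "$path";               echo "stripped:   $path" ;;
        esac
    done
}

# Constructed sample tree: three setuid shell scripts standing in for Oracle
# helper binaries. Names are invented for the demo, not Oracle's real ones.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/bin"
    for f in dbmain helper_one helper_two; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$home/bin/$f"
        chmod 4755 "$home/bin/$f"
    done
    echo "before:"; ls -l "$home/bin"
    # Keep dbmain for the caller's own primary group (stand-in for a DBA group).
    harden_tree "$home" "dbmain" "$(id -gn)"
    echo "after:"; ls -l "$home/bin"
    rm -rf "$home"
}

case "${1:-}" in
    --demo) demo ;;
    '')     ;;                  # no argument: functions only (sourced or tested)
    *)      list_setuid "$1" ;; # audit mode: just list, change nothing
esac
```

Run it in audit mode first and read the list; the only thing that separates "hardening" from "breaking the database" is the keep list you hand to harden_tree, so confirm each retained helper really needs root before leaving its bit set.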