[18260] in bugtraq
Re: Oracle WebDb engine brain-damage
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Dec 21 00:58:02 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.30.0012202251560.8705-100000@dione.ids.pl>
Date: Thu, 21 Dec 2000 01:04:01 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
I would like to explain some issues related to this bug report. I've
received some critical responses, and some people missed the point of this
advisory:
First of all, there were TWO separate bugs reported - an IAS bug allowing an
attacker to inject PL/SQL queries and/or other code within an external HTTP
query, and a WebDB bug allowing unauthorized proxy reconfiguration attempts
(the second problem is common in WebDB+Apache configurations):
* The risk related to the first problem depends on the privileges with which
the PL/SQL query is processed; in multi-user, structured systems where
privileges are strictly controlled, the impact is less damaging (e.g.
if this user can't access any tables, create any objects, and can
call public procedures in secure mode *only*). This means on most
installations, the problem persists and is real.
* The second problem has a really huge security impact on almost every
system (including those listed as examples, e.g. www.oracle.com)
which uses Apache integrated with the WebDB interface (no information
about other systems).
The second issue I would like to bring up here concerns some legal / ethical
problems:
* I've tried to provide useful information, which can be verified
easily and can be used to defend against attacks; this approach has
some costs: for example, I *HAD* to provide examples proving the
problem exists (I haven't provided any complete break-in example, but
referred to examples of how to check if you are vulnerable and proofs
that numerous sites are affected, including the vendor's site); I believe
I haven't provided any information a smart attacker couldn't collect
or find on his own given enough time. Unfortunately, most of us
- system administrators - do not have as much time as blackhats for
investigating such issues. Effectively, I've made administrators'
task much easier. If you believe providing incomplete / useless
information would be better, I wouldn't agree.
* Vendor notification: I am not working for Oracle and I can't find any
reason to provide them confidential security audits for free, giving
them enough time to fix the problem silently. That's why I've decided
to disclose this information about observed functionality, not violating
copyrights or other laws, as a result of my experiments based on
publicly available knowledge and techniques. On the other hand, I would
like to minimize eventual damage caused to Oracle clients, that's
obvious. That's why I've chosen this form of publication - informative to
both sides, but - unlike CERT-like advisories - giving administrators
better chances - because they have all the information required for
eventual testing and fixing, while blackhats do not have an exploit or
all the knowledge required to write it. Sorry, that's my point of view.
Thank you,
--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=