Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
From: Cesar <cesarc56 () yahoo com>
Date: Thu, 6 Oct 2005 11:41:33 -0700 (PDT)

I support David 100% and I would like to add a few
comments (I can't avoid doing this :)):

I remember reading an article where Larry Ellison said
that Oracle database
server were used by FBI, CIA, USSR goverment, etc. he
referenced that as
saying our software is the most secure, top goverment
agencies from the most
powerful nations use it. If you hear or read that it
sounds great and if you
were looking for a database server at that moment
maybe you would run to buy
Oracle software, the same when you hear and read
Oracle Unbreakable
everywhere. What Larry Ellison says it is very easy to
say but it is also
very difficult to prove. It seems that this kind of
statements have been
useful for Oracle since the company continues doing
the same, "just
talking".
I can say that we at Argeniss break Oracle database
server all the time, we
are tired of breaking Oracle, it's so easy, Oracle
software is full of
security vulnerabilities and this is nothing new, most
security researchers
know about this and also the bad guys who are actively
exploiting the
vulnerabilities. But I can say this and I can also
prove it, we have found
more than a hundred vulnerabilities and we can show
them to people. I wonder
if Larry Ellison can prove all the statements he says
or Oracle people say.

What I  have seen is Oracle doesn't care much about
security, it's just a PR
issue for Oracle. When you report a vulnerability to
Oracle you get an
answer saying we will take a look at this, then months
or sometimes years
after the initial vulnerability report they release
(or not) a patch , that
sometimes doesn't work, but what is amazing is that
they just fix the bugs
you reported they don't audit similar bugs to fix all
at once, I can't
understand this, we are working for free for them and
they are not doing any
effort.
Basically when Oracle security problems arise, Mary
Ann Davison and Oracle
PR team try to deviate attention and blame anyone
without focusing on the
real problem: "Oracle insecurity". Oracle security has
not improved over the
last years, everytime there are more and more holes,
also security patches
are having holes, QA seems that it is not being done
at all!. But everytime
you hear Oracle people, they will say "Oracle
Unbreakable",  "An oracle d/b
has not been broken into in 15 years...", "We have 14
security
certifications", "Security researchers are evil", 
"some people complain
it's too secure - literally cannot break into it..."
etc. but you never will
hear and also see something like: "We are working hard
on improving security
because we are doing this and this", "We are fixing
all the bugs",  "We want
to work with security resarchers", "We stopped
development to fix the
security bugs"...  etc.
I think that Oracle will start to suffer more and more
because security
problems, Oracle reminds me Microsoft some years ago,
when MS had a lot of
security issues that were reflected on sales, until
Oracle doesn't see side
effect on sales or customers start to pressure,
everything will be the same.

I'm seriously thinking to release some Oracle remote
0day next time I hear Larry o Mary saying bullshit to
shut their mouths.


Related info:
http://www.crn.com/sections/security/security.jhtml?articleId=171000880
http://www.eweek.com/article2/0,1895,1860184,00.asp
http://www.argeniss.com/research/SQL-Oracle.zip
http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILVuln.txt


Regards.

Cesar Cerrudo.
CEO & Founder.
Argeniss - Information Security
http://www.argeniss.com



--- David Litchfield <davidl () ngssoftware com> wrote:

Dear security community and Oracle users,
Many of my customers run Oracle. Much of the U.K.
Critical National
Infrastructure relies on Oracle; indeed this is true
for many other
countries as well. I know that there's a lot of
private information about me
stored in Oracle databases out there. I have good
reason, like most of us,
to be concerned about Oracle security; I want Oracle
to be secure because,
in a very real way, it helps maintain my own
personal security. As such, I
am writing this open letter

Extract from interview between Mary Ann Davidson and
IDG

http://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html

IDGNS: "What other advice do you have for customers
on security?"

Davidson: "Push your vendor to tell you how they
build their software and 
ask them if they train people on secure coding
practices. "

Now some context has been put in place I can
continue.

On the 31st of August 2004, Oracle released a
security update (Alert 68 

[http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf])
to 
address a large number of major security flaws in
their database server 
product. The patches had been a long time in coming 

[http://www.eweek.com/article2/0,1759,1637213,00.asp]
and we fully expected 
that these patches would actually fix the problems
but, unfortunately this 
is not the case. To date, these flaws are still not
fixed and are still 
fully exploitable. I reported this to Oracle a long
time ago.

The real problem with this is not that the flaws
Alert 68 supposedly fixed
are still exploitable, but rather the approach
Oracle took in attempting to
fix these issues. One would expect that, given the
length of time they took
to deliver, these security "fixes" would be well
considered and robust;
fixes that actually resolve the security holes. The
truth of the matter
though is that this is not the case.

Some of Oracle's "fixes" simply attempt to stop the
example exploits I sent
them for reprodcution purposes. In other words the
actual flaw was not
addressed and with a slight modification to the
exploit it works again. This
shows a slapdash approach with no real consideration
for fixing the actual
problem itself.

As an example of this, Alert 68 attempts to fix some
security holes in some
triggers; the flaws could allow a low privileged
user to gain SYS privileges
- in other words gain full control of the database
server. The example
exploit I sent to Oracle contained a space in it.
Oracle's fix was to ignore
the user's request if the input had a space. What
Oracle somehow failed to
see or grasp was that no space is needed in the
exploit. This fix suggests
no more than a few minutes of thought was given to
the matter. Why did it
take 8 months for this? Further, how on earth did
this get through QA? More,
why are we still waiting for a proper fix for this?

Here is another class of thoughtless "fix"
implemented by Oracle in Alert
68. Some Oracle PL/SQL procedures take an arbitrary
SQL statement as a
parameter which is then executed. This can present a
security risk. Rather
than securing these procedures properly Oracle chose
a security through
obscurity mechanism. To be able to send the SQL
query and have it executed
one needs to know a passphrase. This passphrase is
hardcoded in the
procedure and can be extracted with ease. So all an
attacker needs to do now
is send the passphrase and their arbitrary SQL will
still be executed.

In other cases Oracle have simply dropped the old
procedures and added new
ones - with the same vulnerable code!

I ask again, why does it take two years to write
fixes like this? Perhaps
the fixes take this long because Oracle pore through
their code looking for
similar flaws? Does the evidence bear this out. No -
it doesn't. In those
cases where a flaw was fixed properly, we find the
same flaw a few lines
further down in the code. The DRILOAD package
"fixed" in Alert 68 is an
example of this; and this is not an isolated case.
This is systemic. Code
for objects in the SYS, MDSYS, CTXSYS and WKSYS
schemas all have flaws
within close range of "fixed" problems. These should
have been spotted and
fixed at the time.

I reported these broken fixes to Oracle in February
2005. It is now October
2005 and there is still no word of when the "real"
fixes are going to be
delivered. In all of this time Oracle database
servers have been easy to
crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the
quarterly Critical Patch
Updates? Unfortunately it is the same story. Bugs
that should have been
spotted left in the code, brand new bugs being
introduced and old ones
reappearing.

This is simply NOT GOOD ENOUGH. As I stated at the
beginning of this letter,
I'm concerned about Oracle security because it
impinges upon me and my own
personal security.

What is apparent is that Oracle has no decent bug
discovery/fix/response
process; no QA, no understanding of the threats; no
proactive program of
finding and fixing flaws. Is anyone in control over
at Oracle HQ?

A good CSO needs to more than just a mouthpiece.
They need to be able to
deliver and execute an effective security strategy
that actually deals with
problems rather than sweeping them under the carpet
or waste time by blaming
others for their own failings. Oracle's CSO has had
five years to make
improvements to the security of their products and
their security response
but in this time I have seen none. It is my belief
that the CSO has
categorically failed. Oracle security has stagnated
under her leadership and
it's time for change.

I urge Oracle customers to get on the phone, send a
email, demand a better
security response; demand to see an improvement in
quality. It's important
that Oracle get it right. Our national security
depends on it; our companies
depend on it; and we all, as individuals depend on
it.

Cheers,
David Litchfield






        
                
______________________________________________________ 
Yahoo! for Good 
Donate to the Hurricane Katrina relief effort. 
http://store.yahoo.com/redcross-donate3/ 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault