The recent Oracle exploit posted to Bugtraq
actually an 0day
and has no patch.
The referenced exploit seems to use
GET_DOMAIN_INDEX_METADATA with a
TYPE_NAME that references an attacker-defined
package with a
(modified?) ODCIIndexGetMeta function.
Your last example uses GET_V2_DOMAIN_INDEX_TABLES,
with arguments that
reference an attacker-defined package with a
Is this a surface-level discrepancy, or is your
different than the one in the exploit? If these
are different, then
is it possible that last week's exploit was
No; the same problem occurs. This is the kind of
general problem I'm
speaking about. Most vendors that actually
understand security will look for
other bugs in the same functional area if you point
out a bug. IMO, my job
as a security vulnerability researcher is to
highlight problem areas - i.e.
areas of functionality that are rife with issues.
How can Oracle fix one
issue but miss the same flaw two lines later??? In
this case though, we're
not just talking about one flaw but several. Really,
it is inconceivable,
yet they, somehow, manage to do it.
God forbid that any of our critical national
infrastructure runs on this
product.... oops it does :(
And every version from 8 through 9 to 10 release 2
is vulnerable. That's
every supported version of Oracle on every operating
Oracle customers: honestly - Oracle are not going to
listen to the likes of
me - but they will listen folks like you. If you're
not happy with the
response you're getting from Oracle then get on the
'phone - call them up
and tell them that you're not happy. Please, demand
By the way, this is not an isolated incident. I have
many examples to hand
where Oracle have tried to fix problems in the same
functional area but only
whitewashed it. They should be proactively looking
for similar issues in the
same code just like Microsoft does.
The "champion of quality coding movement"
who "applauds ethical
hacking", asks "Why isn't that standard development
I don't know... but I don't think we'll find out in
the two year time frame
posited; we've got less than a year to go.
P.S. For those of you who are paying attention at
level of detail, it seems that David's original
GET_DOMAIN_INDEX_METADATA in 2004 directly
included the code in the
NEWBLOCK argument, whereas last week's exploit was
an indirect reference to the code in the TYPE_NAME
Just to clarify the issues:
are all vulnerable to the exploit.
+44 (0) 208 401 0070