108341 2003-07-25 22:31 /28 rader/ Tina Bird <tbird@precision-guesswork.com>
Importerad: 2003-07-25 22:31 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5742>
Ärende: question about oracle advisory
------------------------------------------------------------
Oracle's released three security-related patches today. I'm trying to
get my head around them to write up a Stanford Security Alert, but
there's conflicting information. According to
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
overflow in the EXTPROC code can only be triggered by an authenticated
user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
According to the NGSSoftware advisory that announced the
vulnerability, the buffer overflow can be exploited without any
authentication or privilege-checking.
Anyone have any ideas?
thanks -- tbird
-- A computer lets you make more mistakes faster than any invention
in human history - with the possible exception of handguns and
tequila.
-- Mitch Ratliff
http://www.precision-guesswork.com
Log Analysis http://www.loganalysis.org
VPN http://vpn.shmoo.com
tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
(108341) /Tina Bird <tbird@precision-guesswork.com>/(Ombruten)
Kommentar i text 108354 av David Litchfield <david@ngssoftware.com>
108354 2003-07-26 18:22 /68 rader/ David Litchfield <david@ngssoftware.com>
Importerad: 2003-07-26 18:22 av Brevbäraren
Extern mottagare: Tina Bird <tbird@precision-guesswork.com>
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5755>
Kommentar till text 108341 av Tina Bird <tbird@precision-guesswork.com>
Ärende: Re: question about oracle advisory
------------------------------------------------------------
Hello all, In our testing this bug can be exploited without a user ID
and password. In fact I demonstrated exploit code for this
vulnerability at the Blackhat Security Breifings in Amsterdam in the
May of this year. [Normally I don't do such demonstrations unless a
patch is available for a problem. Oracle had informed me a patch
would be available in time, but I think they found some regression
problems with the patches or something along those lines and were
unable to release the patch. We initially informed Oracle about this
issue around the end of September/start of October 2002.]
So, to put the record straight, as far as NGSSoftware is concerned,
this bug _can_ be exploited without a user ID and password.
Oracle customers can either install the patch [Patch matrix available
from http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf]
Alternatively customers can disable external procedure
functionality. To do this edit the listener.ora file, removing the
entries for extproc, and also delete the extproc binary which can be
found in $ORACLE_HOME/bin
Thanks,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
----- Original Message -----
From: "Tina Bird" <tbird@precision-guesswork.com>
To: <bugtraq@securityfocus.com>
Sent: Friday, July 25, 2003 8:59 PM
Subject: question about oracle advisory
>
> Oracle's released three security-related patches today. I'm trying to
> get my head around them to write up a Stanford Security Alert, but
> there's conflicting information. According to
> http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf the buffer
> overflow in the EXTPROC code can only be triggered by an authenticated
> user with the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
>
> According to the NGSSoftware advisory that announced the vulnerability,
> the buffer overflow can be exploited without any authentication or
> privilege-checking.
>
> Anyone have any ideas?
>
> thanks -- tbird
>
> --
> A computer lets you make more mistakes faster than any invention in human
> history - with the possible exception of handguns and tequila.
>
> -- Mitch Ratliff
>
> http://www.precision-guesswork.com
> Log Analysis http://www.loganalysis.org
> VPN http://vpn.shmoo.com
> tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
>
>
(108354) /David Litchfield <david@ngssoftware.com>/(Ombruten)