Nasty Oracle Vulnerability Leaves Researcher ‘Gobsmacked’

Oracle on Tuesday will release a huge number of security fixes as part of its quarterly critical patch update, and one of them is a patch for a vulnerability that a well-known security researcher said looks a lot like a back door but was likely just a terrible mistake.

The flaw is found in Oracle’s eBusiness Suite, a set of apps that includes financial management, CRM and other functions. David Litchfield, an accomplished security researcher who has been poking holes in Oracle products for more than a decade, discovered the vulnerability and reported it to the vendor last year.

A remote attacker could have the ability to gain control of an affected database, which is game over for the target system. Litchfield said that when he discovered the vulnerability on a client’s network, his first thought was that the client had been owned and the attacker had left the back door there for later use.

“On investigation, it turns out the ‘backdoor’ is part of a seeded installation! I was flabbergasted. Still am,” he said on Twitter Monday.

Litchfield said that while he was doing the client’s database security assessment, he ran a set of SQL scripts that check for various things, including whether a table is owned by one user but has granted the INDEX privilege to another user.

“The DUAL table is a dummy table and has only one record – this is by design. As such there’s absolutely no legitimate need to create an index on the DUAL table. Further, there’s absolutely no legitimate need for PUBLIC to be given the ability to create indexes on the DUAL table. The only reason I can think of for PUBLIC to be granted the INDEX privilege is as a very subtle backdoor,” Litchfield said via email.

“By creating a function that specifies ‘pragma autonomous_transaction’ an attacker can execute any SQL they want – e.g. EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’ and then using this function in a function-based index they create. Anyway, when I ran my scripts and saw PUBLIC had index privs on dual I was shocked and spoke of my concerns to the customer. We initiated an investigation to determine who and why had granted this privilege – just in case it was a backdoor left after a compromise. Turns out it was a default setting for that particular version of e-Business suite.”
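The check Litchfield describes (a table owned by one user, with INDEX granted to another, and in particular PUBLIC holding INDEX on SYS.DUAL) can be reproduced against Oracle’s data dictionary. The script below is an added example written for this article, not Litchfield’s own assessment scripts and not anything shipped by Oracle; it assumes a DBA-level session with SELECT access to the DBA_TAB_PRIVS, DBA_INDEXES, DBA_IND_EXPRESSIONS and DBA_SOURCE views, and it goes slightly beyond the article by also looking for evidence that such a grant has already been used.

```sql
-- Added audit script (not the article's or Oracle's code). Run as a DBA.

-- 1. The general check from the article: any table on which INDEX has been
--    granted to someone other than the table's owner. PUBLIC grants are listed first
--    because they give every account in the database the ability to add an index.
SELECT p.grantee, p.owner, p.table_name, p.grantor, p.grantable
  FROM dba_tab_privs p
 WHERE p.privilege = 'INDEX'
   AND p.grantee <> p.owner
 ORDER BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          p.owner, p.table_name;

-- 2. The specific condition found in the eBusiness Suite install:
--    PUBLIC holding INDEX on SYS.DUAL. Expected value is 0.
SELECT COUNT(*) AS public_index_on_dual
  FROM dba_tab_privs
 WHERE privilege  = 'INDEX'
   AND grantee    = 'PUBLIC'
   AND owner      = 'SYS'
   AND table_name = 'DUAL';

-- 3. Evidence the grant may already have been used: by design DUAL carries no
--    indexes, so any row here is suspicious. For function-based indexes the
--    joined expression shows which function the index calls.
SELECT i.owner, i.index_name, i.index_type, e.column_expression
  FROM dba_indexes i
  LEFT JOIN dba_ind_expressions e
    ON e.index_owner = i.owner
   AND e.index_name  = i.index_name
 WHERE i.table_owner = 'SYS'
   AND i.table_name  = 'DUAL';

-- 4. Supporting lead: stored functions outside Oracle-maintained schemas that use
--    PRAGMA AUTONOMOUS_TRANSACTION together with dynamic SQL, the combination the
--    article describes. Legitimate code uses both, so treat hits as leads to
--    review, not findings.
SELECT DISTINCT s.owner, s.name, s.type
  FROM dba_source s
 WHERE s.type IN ('FUNCTION', 'PACKAGE BODY')
   AND s.owner NOT IN ('SYS', 'SYSTEM')
   AND UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%'
   AND EXISTS (SELECT 1
                 FROM dba_source d
                WHERE d.owner = s.owner
                  AND d.name  = s.name
                  AND d.type  = s.type
                  AND UPPER(d.text) LIKE '%EXECUTE IMMEDIATE%');

-- 5. Remediation once the investigation is complete: remove the grant and
--    re-run queries 2 and 3 to confirm the database is back to its expected state.
REVOKE INDEX ON sys.dual FROM PUBLIC;
```

Query 1 is the reusable control: schedule it as part of routine privilege review so that an unexpected INDEX grant shows up as a change rather than as a surprise during an assessment. Query 3 is worth keeping even after the REVOKE, since an index created while the grant was in place survives its removal.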

Despite how bad the vulnerability looks, Litchfield said he doesn’t think that it is actually an intentional back door inserted for law enforcement or an intelligence agency.

“I don’t think Oracle as a company would do that. Could it be a disgruntled employee? Maybe, though, giving them the benefit [of the] doubt, it could be that some dev was testing something and they forgot to turn it off. Who knows. What is concerning however is that Oracle seem not to know who and why this privilege was granted, either,” he said.

“How could a critical change like this creep into the release build with nothing to show for it in their change control? That’s worrying, and if I worked at Oracle I’d be starting an investigation to get to the bottom of it. Security sensitive changes should not just be able to creep into the release build, imo.”
