LAS VEGAS—Buried in the pages of the secure configuration guide for Oracle EBusiness Suite 11i is a declaration that SQL injection just isn’t a thing for the ubiquitous enterprise software.
“Of the many potential SQL injections we have seen reported, we have yet to find a single confirmed example,” the guide says.
“That’s a like a red flag to a bull,” said longtime Oracle bug hunter David Litchfield.
Today at Black Hat USA, Litchfield poured through the results of a recent security assessment he conducted that turned over not only dozens of SQL injection vulnerabilities putting the database at risk, but also cross-site scripting, denial of service, directory traversal bugs and others exposing sensitive business data flowing through the product to attack.
“It’s a very large product with a massive attack surface,” Litchfield said during his talk. “The idea here was to assess and reduce the attack surface, making the security posture better than it currently is.”
In order to do that, Litchfield had to find vulnerabilities in versions 11.5 and 12.2, neither of which was a tall order.
Starting last November, Litchfield said he grepped the source code to examine some 15,000 JavaServer Pages (JSPs), the PL/SQL gateway (which was removed in version 12), the Oracle Database Server and the concurrent processing server.
“It’s a rich source of vulnerabilities,” Litchfield said. “There’s a lot of juicy stuff an attacker would look at and like to break in.”
Within a week, Litchfield had found and reported 50 vulnerabilities in 11i—a self-imposed threshold—21 of which were SQL injection and 26 cross-site scripting.
“This is not good since this is an aged product,” Litchfield said. “It goes back to 2001; it’s strange the code has not been fixed in that time. Oracle says it has a robust process to prevent this; one needs to question that.”
With 12.x, he devoted 80 hours of assessments and found fewer bugs: eight SQL injection, 2 Java deserialization flaws, cookie exposure and others, some of which were patched last month in the most recent Oracle Critical Patch Update.
“The SQL injection flaws are the most critical as they allow a full compromise of the database server and all its data without a username and password,” Litchfield said of the lot of bugs. “No special EBS knowledge is required by an attacker, just a basic understanding of SQL injection.”
Litchfield did leave the room with a batch of tactics he said have been used in real-world customer engagements that significantly reduced the attack surface of EBS to manageable levels. For example, he said that of the 15,000 JSPs he found, fewer than 200 required legitimate access, reducing the attack surface 99.99%, he said.
“Admittedly, some of the 200 JSPs left over were still vulnerable to SQL injection, but we addressed that by securing them ourselves,” Litchfield said. “Remove the ones that don’t’ need access, and do a deep dive for vulnerabilities yourself and take steps to remediate the risk.”
*Photo via Black Hat