There are two vulnerabilities in some of Oracle’s older database packages that allow an attacker to access a remote server without a password and even view the server’s filesystem and dump arbitrary files. Oracle has not released a patch for one of the flaws, even though it was reported by a researcher more than two years ago, and the researcher said the potential attack scenarios are frightening.
The first vulnerability, which affects Oracle Forms and Reports 10g and 11g, and perhaps older versions as well, allows an attacker to dump the list of database passwords without authenticating. The researcher who discovered the bugs, Dana Taylor, reported the issue to Oracle in April 2011, but the company’s security response team told her they didn’t consider it an actual vulnerability but just a configuration error.
“They made the claim it was simply a configuration error? I was absolutely shocked by their reply. They basically forgot about the first vulnerability and then came along a second vulnerability I discovered and reported to them in October 2011,” Taylor wrote in her rundown of the interactions with Oracle regarding these vulnerabilities.
The second bug she found was even more worrisome. Rather than only allowing her to grab the list of database passwords, the second flaw also gave her the ability to view the server’s file system from an unauthenticated browser, dump any file that the Oracle account can access and take other unintended actions on the server and network. Taylor sent the new details to Oracle in October 2011, and also refreshed their memory on the original bug she’d reported. She asked whether the company still thought this was just a configuration problem rather than a vulnerability and said that she was considering publicly disclosing the issues, as Oracle didn’t consider them vulnerabilities. This time, she got an immediate response.
“As you requested, we have reviewed your original report and had additional discussions with our development group. We have concluded that this issue does in fact constitute a vulnerability,” Oracle said in an email to Taylor.
The company said it was tracking both of her reported issues as vulnerabilities and sent Taylor monthly status updates up until it released its patch, which Taylor says didn’t actually fix the vulnerability. In an email interview, Taylor said that she has no doubt Oracle only chose to acknowledge these issues as bugs because she had mentioned the possibility of disclosing.
“Yes, absolutely. When I reported the parsequery vulnerability they said it wasn’t a vulnerability but a configuration error. So I told them okay, then I am going to publish this. They came back the same day and stated that in fact, it is a vulnerability and gave me a tracking number. From what I can tell they didn’t actually fix this vulnerability but obfuscated it by instructing customers to disable “diagnostic output”. I have tested this on their latest release of Weblogic/Oracle Reports 11g. The vulnerability still exists. Some customers may not be able to disable diagnostic output for one reason or another and could still be vulnerable. And to clarify, this didn’t just affect 11g but 9i to 11g,” Taylor said.
Oracle eventually released a patch for version 11.x, but only workarounds for older versions, suggesting that customers upgrade to newer versions in order to protect themselves. In the meantime, Taylor had shared the details privately with some other security folks, and the team at the University of Texas found a method for using the vulnerability to plant files on a vulnerable server. But that’s only one portion of what an attacker could do with these flaws, Taylor said. After publishing some details of the bugs, Taylor said that someone else sent her a video that shows an attack using Shodan to find vulnerable servers and retrieve passwords.
Also, the folks at Metasploit are working on remote code execution exploits for these vulnerabilities right now.
“The author of the exploit and video above was brilliant but it put me into a state of shock to see the real impact of these vulnerabilities on such a massive scale. I did NOT want to release these exploits and was under great distress in even thinking about it. I felt I had no choice, however. So seeing this video didn’t put a smile on my face but made me aware of how devastating these vulnerabilities actually are,” Taylor said.
“Oracle servers often have ssh keys that allow sharing of data between other trusted Oracle servers and require no password. So, if you break into one Oracle server on a network you are likely able to break into numerous others. For Windows servers exploiting ‘pass the hash attacks’ are being discussed. Another thing that is frightening is that once you gain a remote shell on an Oracle server you can use sqlplus.sh /nolog to gain sysdba privileges to the database.”
Taylor said that because the vulnerabilities were given a low priority by Oracle, even the workarounds that the company released for older versions of vulnerable products likely won’t be implemented quickly. That means a large potential target base for attackers.
“To be honest, there are so many things you can do with this it is hard to come up with a complete list. If there is a remote code execution vulnerability then that means it could be wormable. The first Oracle Botnet might be born. I used to chase botnets years ago and know this could be possible,” Taylor said.
Other researchers say that this chain of events isn’t surprising.
“I’ve not tested these yet but I trust that the researcher is correct. Given that, I’d rate these as critical; fortunately for Oracle though most Reports servers are not exposed to the Internet and the threat would be internal. That provides little comfort to those that are exposed however,” said security researcher David Litchfield, who has spent more than a decade doing research on Oracle security.
“That Oracle has not given these flaws the attention they are due is not atypical. They still approach security wearing “common criteria” t-shirts and hats. They need to adapt to the realities of the Internet in 2014 – protection profiles that they wrote (and that assume the existence of a “non-hostile network”) are not and have never been realistic.”