List: best-of-security
Subject: BoS: Three security holes in oracle RDBMS
From: Julian Assange <proff () suburbia ! net>
Date: 1996-03-12 3:09:40
Date: Sat, 9 Mar 96 18:13:05 CST
From: [Identity withheld by request]
Subject: Backdoors, bugs, and Oracle

On 22 Jun 1995, I reported a "flaw" with Oracle7 and its ALTER USER
instruction that enabled any userid beginning with "sys" to "ALTER USER SYS
IDENTIFIED BY <pw>", giving complete system permission to ordinary users.
Amazingly, the command would fail for any user except "sys". I sent a
notice to our Oracle contact and they fixed the problem in minutes (over the
phone). I discovered the problem in release 7.1.4 and it is no longer
present in 7.2.3.

When I upgraded to 7.2.3, I noticed another "feature" (new to me anyway):
"ALTER SESSION SET CURRENT_SCHEMA= <user>". It's a nifty little command
that allows you to change ids without a password (the import utility uses
it). Anyway, during a restore (disk failures), I noticed that any user
could use the "ALTER SESSION" instruction regardless of whether they had
been granted that privilege or not. I breathed a sigh of relief when it
seemed that "actual" authorities were enforced based upon the real userid.
Whew! But, it sure does make me wonder if I haven't looked hard enough.

This reminded me of the Oracle6 export utility and how it placed passwords
for database links in plaintext. Oracle 6 and 7 database files contain
plaintext strings. All of this is ok if you simply change the permissions
on files, directories, or file systems (as Oracle recommends). One other
thing that was a neat idea on Oracle's part: using a userid "scott" with the
password "tiger" to install the demos to. Unfortunately, I've seen too many
systems that either did not disable the account when finished, or that
actually gave total permissions to "scott". Ouch. There have even been a
few cases of the "system" password still being "manager" from the install.

I think Oracle has an excellent RDBMS. It performs quite well, and I've
survived many failures (knock on wood). I haven't used anything else in a
while, so I relate only to Oracle. Anyway, the risks... With any large,
complex set of software, "bugs" might silently hide, backdoors can remain
undetected, and a whole lot is handled without any human intervention.
Oracle has had its share of bugs and they have been good about correcting them
in some way. The "backdoors" have implications that go beyond Oracle...
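
An audit a DBA could run for the leftovers the post describes (the "scott" demo account, over-broad grants, ALTER SESSION, and database links that carry stored credentials). This is an added example, not part of the original message; it assumes a DBA login and the standard Oracle dictionary views DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_DB_LINKS, none of which the post names.

```sql
-- Added example; run as a DBA. View names are standard Oracle data
-- dictionary views and are an assumption relative to the post.

-- 1. Is the demo account from the install still present?
SELECT username, created
  FROM dba_users
 WHERE username = 'SCOTT';

-- 2. What has been granted to SCOTT, or to everyone via PUBLIC?
--    Any DBA-level role or "ANY" privilege here is the "total
--    permissions" case the post warns about.
SELECT grantee, granted_role AS grant_name, 'ROLE' AS kind
  FROM dba_role_privs
 WHERE grantee IN ('SCOTT', 'PUBLIC')
UNION ALL
SELECT grantee, privilege, 'SYSTEM PRIVILEGE'
  FROM dba_sys_privs
 WHERE grantee IN ('SCOTT', 'PUBLIC')
 ORDER BY 1, 3, 2;

-- 3. Which accounts other than SYS and SYSTEM hold the DBA role?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 4. Who is supposed to hold ALTER SESSION? Compare this list with
--    what ordinary users can actually do on the release in use.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'ALTER SESSION'
 ORDER BY grantee;

-- 5. Database links defined with a stored remote username. Export
--    files taken from this database deserve the same file
--    permissions as the data files themselves.
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL
 ORDER BY owner, db_link;
```

The queries only report; whether the "scott" and "system" passwords are still the install defaults has to be settled by changing them with ALTER USER ... IDENTIFIED BY, or by dropping the demo account.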