Posted By: medved (A~z na v~eky Mikov~ce.) on 'CZdatabases'
Title:     Oracle 8i - security hole
Date:      Tue Jul 10 09:58:46 2001


According to PGP Security ( http://www.pgp.com/research/covert/advisories/050.asp ),
Oracle 8i Standard and Enterprise (8.1.5, 8.1.6, 8.1.7 and earlier) contain a
security hole that allows any user to gain full control of the db server and,
on the NT platform, of the entire OS as well.

Here is the information in English:

The Oracle database management system (DBMS) has a "high risk" security flaw 
that will allow any user to take over the database system, or in the case of 
Windows NT, the entire operating system.

Covert Labs has discovered a security vulnerability that was ranked as a 
"high risk" on June 27th 2001.  Details can be found at 
http://www.pgp.com/research/covert/advisories/050.asp.  The issues involve 
the Oracle listener process and highlight a fundamental weakness in Oracle's 
security architecture.

Oracle's DBMS is a hard to manage, multiprocess system. If any of these key 
processes stops running, the entire system will come to a grinding halt. 
Among the key processes in this complicated system is the listener process 
which is like the gatekeeper of the system. It routes clients to appropriate 
servers. The listener process by default is configured without any 
username/password authentication facility. It listens on a standard port 
(1521) for Unix and NT systems. On Unix systems, the listener process 
normally runs as "oracle" user and on Windows NT/2000 runs with "LocalSystem" 
privileges.

Once inside the firewall any hacker can connect to the listener process and 
send command sequences including arbitrary shell commands without any 
security check. If the command sequence has too many arguments, the listener 
process will get a buffer overflow and terminate. Worse, if shell commands 
are sent, these commands will be passed to the operating system for execution 
without further security checks.

Bye

Medved

Si vis pacem, para bellum.
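
The post says the listener is configured by default without any username/password authentication. As an added example (not part of the original post or the advisory), this script audits a listener.ora for listeners that have no PASSWORDS_<listener_name> entry, which is the listener.ora parameter that holds the listener password. The sample file, host name and placeholder password value are constructed.

```python
import re

# Constructed sample listener.ora (not from the post). LISTENER has no
# password entry; LISTENER_HR has one (placeholder value).
SAMPLE = """\
# constructed sample
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))
  )
LISTENER_HR =
  (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1600))
PASSWORDS_LISTENER_HR = (PLACEHOLDER_HASH)
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
"""

KEY = re.compile(r"\s*([A-Za-z_][\w.]*)\s*=")

def top_level_params(text):
    """Return {NAME: value} for assignments made at parenthesis depth 0."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    params, depth, i, name, start = {}, 0, 0, None, 0
    while i < len(text):
        m = KEY.match(text, i) if depth == 0 else None
        if m:                                     # a new parameter begins here
            if name:
                params[name] = text[start:i].strip()
            name, start, i = m.group(1).upper(), m.end(), m.end()
            continue
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    if name:
        params[name] = text[start:].strip()
    return params

def unauthenticated_listeners(text):
    """List (listener name, ports) for listeners with no PASSWORDS_<name>."""
    params = top_level_params(text)
    findings = []
    for name, value in params.items():
        if not re.search(r"\(\s*ADDRESS\s*=", value, re.I):
            continue                              # not a listener definition
        if not params.get("PASSWORDS_" + name):
            ports = re.findall(r"\(\s*PORT\s*=\s*(\d+)\s*\)", value, re.I)
            findings.append((name, ports))
    return findings

if __name__ == "__main__":
    for name, ports in unauthenticated_listeners(SAMPLE):
        print("listener %s on port(s) %s has no password set" % (name, ", ".join(ports)))
```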
