Posted By: medved (A~z na v~eky Mikov~ce.) on 'CZdatabases'
Title: Oracle 8i - security hole
Date: Tue Jul 10 09:58:46 2001

According to PGP Security ( http://www.pgp.com/research/covert/advisories/050.asp ), Oracle 8i Standard and Enterprise (8.1.5, 8.1.6, 8.1.7 and earlier) contain a security hole that allows any user to gain full control over the DB server and, on the NT platform, over the entire OS as well. Here is the information in English:

The Oracle database management system (DBMS) has a "high risk" security flaw that will allow any user to take over the database system, or in the case of Windows NT, the entire operating system.

Covert Labs has discovered a security vulnerability that was ranked as a "high risk" on June 27th 2001. Details can be found at http://www.pgp.com/research/covert/advisories/050.asp. The issues involve the Oracle listener process and highlight a fundamental weakness in Oracle's security architecture.

Oracle's DBMS is a hard-to-manage, multiprocess system. If any of these key processes stops running, the entire system will come to a grinding halt. Among the key processes in this complicated system is the listener process, which is like the gatekeeper of the system. It routes clients to appropriate servers.

The listener process by default is configured without any username/password authentication facility. It listens on a standard port (1521) for Unix and NT systems. On Unix systems, the listener process normally runs as "oracle" user and on Windows NT/2000 runs with "LocalSystem" privileges.

Once inside the firewall, any hacker can connect to the listener process and send command sequences including arbitrary shell commands without any security check. If the command sequence has too many arguments, the listener process will get a buffer overflow and terminate. Worse, if shell commands are sent, these commands will be passed to the operating system for execution without further security checks.

Bye
Medved

Si vis pacem, para bellum.
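A defensive check for the default the quoted text describes, a listener with no password on port 1521: the added example below (not part of the post or of the advisory) parses a listener.ora and flags every listener that lacks PASSWORDS_<name> or ADMIN_RESTRICTIONS_<name> = ON. Those two Oracle Net parameters are not mentioned in the post, their availability in the installed release is an assumption, and the sample file, host name and hash placeholder are constructed.

```python
import re

# Constructed sample listener.ora (not from the post): one unprotected
# listener on 1521 and one with a password and admin restrictions.
SAMPLE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LISTENER_APP =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.internal)(PORT = 1526)))
PASSWORDS_LISTENER_APP = (PLACEHOLDERHASH0001)  # placeholder value
ADMIN_RESTRICTIONS_LISTENER_APP = ON
"""

def top_level_params(text):
    """Return {NAME: value} for assignments made at parenthesis depth 0."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    params, depth, name, start = {}, 0, None, 0
    for m in re.finditer(r"[()]|([A-Za-z_][\w.]*)\s*=", text):
        if m.group(0) == "(":
            depth += 1
        elif m.group(0) == ")":
            depth -= 1
        elif depth == 0:                          # a new top-level NAME =
            if name:
                params[name] = text[start:m.start()].strip()
            name, start = m.group(1).upper(), m.end()
    if name:
        params[name] = text[start:].strip()
    return params

def audit(text):
    """Map each listener name to a list of hardening gaps (empty = none found)."""
    params, findings = top_level_params(text), {}
    for name, value in params.items():
        # Only entries that carry a protocol address define a listener.
        if not re.search(r"\(\s*PROTOCOL\s*=", value, re.I):
            continue
        issues = []
        if not params.get("PASSWORDS_" + name, "").strip("() \t\n"):
            issues.append("no listener password set")
        # ON makes the listener refuse runtime SET commands.
        if params.get("ADMIN_RESTRICTIONS_" + name, "").upper() != "ON":
            issues.append("runtime configuration changes not restricted")
        if re.search(r"\(\s*PORT\s*=\s*1521\s*\)", value, re.I):
            issues.append("listens on the well-known port 1521")
        findings[name] = issues
    return findings
```

Calling `audit(open(path).read())` on a real listener.ora returns the same mapping; an empty list means none of the three gaps was found for that listener.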