January 23, 2007

Enterprise-Bug 10g R2

I remember a chat with one of my friends back in 2001 about the "ultimate secure design" of MS operating systems and the various ways an MS product could be owned by talented intruders. In those days I had a very low level of knowledge about security mechanisms and attacks against database systems. Anyway, we agreed to call MS Windows 2000 "Enterprise-Bug 2000". I'm sure you'll agree with the term we selected!
Some time later I focused on DB systems and learned cool tricks for attacking and securing them, but the more I learned about DB security the funnier I found it. Years ago, AKA the good old days, it was not that shocking to find a critical remote pre-auth vulnerability in one of those giant products like MS-SQL by simply fuzzing user-supplied data, as D. Litchfield did multiple times. After a while developers learned to replace strcpy with its bounded clone and to check the size of their buffers before a fuzzer filled them with a storm of 0x41. Nowadays it is rare to find anything interesting by throwing the old techniques at well-developed software. To find something you have to be experienced enough to dive into your debugger and follow thousands of instructions before you catch it, so the number of people able to hunt down something cool keeps getting lower. This story matches many well-known vendors, but NOT ORACLE.
I'm not going to judge their product; I'll just follow my own samples. Years ago, while Oracle was as insecure as MS-SQL, DB2 and the others, we had a set of known attack vectors that existed in every RDBMS out there: simple buffer overflows, privilege escalation through weak permissions, abuse of design flaws and, finally, PL/SQL injection. In about five years (taking MS-SQL 2000 SP0 to SP3 as the baseline for comparison) most vendors learned how to mitigate these vectors, and the number of advisories against RDBMS products using them dropped sharply. For example, try to find the first and the last reported PL/SQL injection or buffer overflow in a stored procedure of MS-SQL or of another RDBMS; you'll notice that some of these attack vectors have practically disappeared in recent versions. Now let's turn back to Oracle and compare. No matter which attack vector you pick, you'll see that every single trick for attacking Oracle has been reused, since its first public disclosure, to discover new flaws! It may sound funny but it's real. Check it yourself with the following examples:

-Try to google the first and the last reported flaws in Oracle in the class of PL/SQL injection, put the PoCs side by side and compare them. Funny, huh? You'll see that techniques demonstrated back in 2002 still affect the 2007 version of the product! Nothing new in terms of technique or attack vector; the bug just moved from line X of the code to line Y. The recent Milw0rm submissions (1,2,3) are just a few more samples of the OLD tricks.

-Again, try to google the first and the last reported buffer overflows in Oracle stored procedures. Same result as above!
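To make the "same old trick" concrete, here is an added illustration of the PL/SQL injection pattern the post refers to. It is not code from the post and not from any Oracle package: the procedure and table names (lookup_emp_vuln, lookup_emp_safe, employees) are invented for the example. The first procedure builds its statement by string concatenation, the second uses a bind variable, and the anonymous block at the end feeds both the same attacker-controlled argument.

```sql
-- Added example (hypothetical names), not taken from the original post.
-- Assumed: a table EMPLOYEES(ENAME VARCHAR2) owned by the same schema.

-- Vulnerable form: p_name is glued into the statement text. A caller can
-- close the literal and append arbitrary SQL; whatever is injected runs
-- with the privileges of the procedure owner (AUTHID DEFINER), which is
-- exactly why this pattern matters in packages owned by powerful schemas.
CREATE OR REPLACE PROCEDURE lookup_emp_vuln (p_name IN VARCHAR2)
  AUTHID DEFINER
IS
  v_sql   VARCHAR2(4000);
  v_count NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM employees WHERE ename = '''
           || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_count;
  DBMS_OUTPUT.PUT_LINE('vuln  rows: ' || v_count);
END;
/

-- Hardened form: the user value is passed as a bind variable, so it is
-- always treated as data, never as statement text. AUTHID CURRENT_USER
-- additionally makes the statement run with the caller's own privileges
-- instead of the owner's.
CREATE OR REPLACE PROCEDURE lookup_emp_safe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM employees WHERE ename = :1'
    INTO v_count USING p_name;
  DBMS_OUTPUT.PUT_LINE('safe  rows: ' || v_count);
END;
/

-- Attacker-controlled argument: x' OR 1=1 --
-- In the vulnerable procedure the resulting statement becomes
--   SELECT COUNT(*) FROM employees WHERE ename = 'x' OR 1=1 --'
-- and counts every row; the safe one searches for that literal string.
SET SERVEROUTPUT ON
BEGIN
  lookup_emp_vuln('x'' OR 1=1 --');
  lookup_emp_safe('x'' OR 1=1 --');
END;
/
```

The injected predicate here only leaks a row count, but the same string position accepts any SQL expression, including a call to a function the attacker owns, which is the mechanism behind the privilege-escalation PoCs the post is talking about. The bind-variable version removes the string position altogether, which is why the fix has been the same for every instance of this bug class.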

And these are the results even though Oracle has tried to massively audit its code TWO times. Most RDBMS vendors learned the lesson, but Oracle still gets hurt by any person of medium knowledge who has a few hours to spend with their 10g. If you think you're free too, why not give it a try?
I remember an interview with the Red-Database-Security CEO announcing more than 800 unpatched flaws in Oracle products, discovered by many security firms and individual researchers.
Btw, Litchfield recently released a paper comparing MS-SQL and Oracle by the number of vulnerabilities reported for each. I bet you can guess the result without reading it ;)

Now, will you let me call ORACLE the "Enterprise-Bug" and let MS rest for a while?
