Metalink Hacking likened to Google Hacking
June 1, 2005
In this eWeek article by Lisa Vaas, we
see reports of new security vulnerabilities, this time mentioning
the Oracle bug database and the Oracle MetaLink portal:
http://www.eweek.com/article2/0,1759,1821232,00.asp?kc=enews052705dtx1k0000599
Vaas references the super-popular book
by Johnny Long "Google
Hacking for Penetration Testers", and notes that the
newly-exposed Oracle vulnerabilities are related:
Metalink hacking is similar
to Google hacking, the use of Google as a hacking tool to
uncover information on, for example, vulnerable servers, error
messages that reveal too much information, and even passwords. . . .
Metalink hacking is a
similar exploit, but it pertains to a private rather than a
public domain since it is accessible only to Oracle customers
who purchase a support contract and to authorized Oracle support
staff, on a need-to-know basis.
While the article is unclear, it appears that MetaLink users can
issue search queries that reveal sensitive information from bug
reports and MetaLink forum questions:
Kornbrust found that search strings that returned sensitive
information included "hacker," "hacking," "SQL Injection," "Cross
Site Scripting," "Buffer Overflow," "denial of service," "crash,"
"memory leak," "abort," and many more.
What makes the vulnerabilities particularly disturbing, security
experts say, is that Oracle has built up such a rich repository
in its Metalink forum.
The bad news for Oracle professionals is the report that Oracle
MetaLink has allegedly cut off access to forum reports of these new
security exposures:
Oracle reportedly has blocked access to forum entries listed
in RDS' research. Those include, for example, an October 2004
report from an Oracle user in which he or she explained the
following bug:
When executing a scheduler job, the user was made SYS!—in
other words, the user experienced inappropriately escalated user
privileges. According to Kornbrust's research, this report was
returned after searching on the term "security bug."
The user report was explicit in how the bug was inadvertently
accessed.
This explosive usage of the Google API to expose vulnerabilities has
led to a new freeware tool called SiteDigger (which requires a free
license to use the Google API).
There has been other research into using Google to uncover Oracle
exposures.