MOSC Hacking likened to Google Hacking
June 1, 2005
In this eWeek article by Lisa Vaas, we see reports of new security vulnerabilities, this time mentioning the Oracle bug database and the Oracle MOSC portal:
Vaas references the super-popular book by Johnny Long, "Google Hacking for Penetration Testers", and notes that the newly-exposed Oracle vulnerabilities are related:
MOSC hacking is similar to Google hacking, the use of Google as a hacking tool to uncover information on, for example, vulnerable servers, error messages that reveal too much information, and even passwords. . . .
MOSC hacking is a similar exploit, but it pertains to a private rather than a public domain since it is accessible only to Oracle customers who purchase a support contract and to authorized Oracle support staff, on a need-to-know basis.
While the article is unclear, it appears that MOSC users can issue commands to reveal sensitive information from bug reports and MOSC forum questions:
Kornbrust found that search strings that returned sensitive information included "hacker," "hacking," "SQL Injection," "Cross Site Scripting," "Buffer Overflow," "denial of service," "crash," "memory leak," "abort," and many more.
What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its MOSC forum.
The bad news for Oracle professionals is the report that Oracle MOSC has allegedly cut off access to forum reports of these new security exposures:
Oracle reportedly has blocked access to forum entries listed in RDS' research. Those include, for example, an October 2004 report from an Oracle user in which he or she explained the following bug:
When executing a scheduler job, the user was made SYS!—in other words, the user experienced inappropriately escalated user privileges. According to Kornbrust's research, this report was returned after searching on the term "security bug."
The user report was explicit in how the bug was inadvertently accessed.
This explosive usage of the Google API to expose hacking vulnerabilities has led to a new freeware tool called SiteDigger (which requires a free license to use the Google API):
There has been other research into using Google to uncover Oracle exposures: