David Litchfield releases Workaround for Unpatched Oracle Security Bug
Pete Finnigan has reported in his blog that David Litchfield has
found a workaround to a critical flaw in the Oracle PL/SQL gateway.
However, Oracle Corporation struck back, claiming that this
workaround will break several Oracle components:
http://www.petefinnigan.com/weblog/archives/00000713.htm
At 6.25pm today David Litchfield has posted a workaround
for an un-patched critical flaw in the Oracle PL/SQL gateway.
This is a component in iAS, OAS and the Oracle HTTP server. The
bug allows an attacker to bypass the PLSQLExclusion list that
stops access to critical packages and procedures. The post to
the bugtraq mailing list is titled "Workaround for unpatched
Oracle PLSQL Gateway flaw" and it gives details of mod_rewrite
rules that can be added to the httpd.conf file. mod_rewrite is
available on the platforms. The rules check for a trailing right
hand bracket which is a signature of the attack.
I was aware of this issue as I had seen the NISCC post
previously. Anyone who has the Oracle HTTP server enabled needs
to apply this workaround immediately.
David Litchfield posts the workaround here:
http://www.securityfocus.com/archive/1/423029
The workaround is trivial; using mod_rewrite, which is compiled into
Oracle's Apache distribution it is possible to stop the attack. The
workaround checks a user's web request for the presence of a right
facing bracket, ')'.
Add the following four lines to your http.conf file then stop and
restart the web server
RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack
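The following is an added example, not part of Litchfield's post or of Oracle's software: a Python model of the two rewrite tests above, run over access-log lines to list the requests the rules would redirect before they are enabled on a live server. The log lines, paths and function names are constructed for illustration, and the model assumes Common Log Format and that Apache percent-decodes the URL path but not the query string before matching.

```python
import re
from urllib.parse import unquote

# Pattern copied verbatim from the workaround's RewriteCond and second RewriteRule.
BRACKET = re.compile(r"^.*\).*|.*%29.*$")
# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (hypothetical paths, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jan/2006:10:01:02 +0000] "GET /pls/portal/home HTTP/1.1" 200 5120',
    '192.0.2.11 - - [27/Jan/2006:10:01:05 +0000] "GET /pls/app/report?title=Sales%20(Q4) HTTP/1.1" 200 812',
    '192.0.2.12 - - [27/Jan/2006:10:01:09 +0000] "GET /pls/app/search?q=total%28net%29 HTTP/1.1" 200 640',
    '192.0.2.13 - - [27/Jan/2006:10:01:12 +0000] "GET /docs/guide%20(v2).htm HTTP/1.1" 200 2048',
    '192.0.2.14 - - [27/Jan/2006:10:01:15 +0000] "GET /pls/app/list?page=2 HTTP/1.1" 200 300',
]

def matched_rule(target):
    """Return 'query', 'path' or None for one request target."""
    path, _, query = target.partition("?")
    # %{QUERY_STRING} is tested as sent, without percent-decoding.
    if BRACKET.search(query):
        return "query"
    # RewriteRule patterns see the URL path after Apache has percent-decoded it.
    if BRACKET.search(unquote(path)):
        return "path"
    return None

def audit(log_lines):
    """Return (target, rule) for each logged request the rules would redirect."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and matched_rule(m.group(1)):
            hits.append((m.group(1), matched_rule(m.group(1))))
    return hits

if __name__ == "__main__":
    for target, rule in audit(SAMPLE_LOG):
        print(f"{rule:5} {target}")
```

Every hit is a request that would be sent to denied.htm once the rules are active, so the list serves both as a record of requests carrying the bracket signature and as a measure of how much ordinary application traffic contains a ')'.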
Oracle Disagrees about the workaround
However, Oracle Corporation does not agree and
claims that Litchfield’s workaround is dangerous:
http://www.networkworld.com/news/2006/012706-oracle-security.html?page=1
“Oracle is warning its
customers not to use a workaround written by David Litchfield for a
security vulnerability, saying the suggested workaround could break
its software. Litchfield, managing director of Next Generation
Security Software Ltd. in Sutton, England, said he posted the fix on
the BugTraq mailing list on Wednesday after warning Oracle about the
dangers the vulnerability posed. Oracle was notified of the
workaround before it was released, but has found it "inadequate,"
said Duncan Harris, Oracle's senior director of security assurance.
It will break a large number of E-Business Suite applications, he
said.
"We know it will break
a number of Oracle products higher in the stack than the Oracle
Application Server that the vulnerability exists in," Harris said.”
Oracle goes on to criticize these security
advisors, claiming that they actually perform a disservice to the
Oracle community by exploiting the internals of vulnerabilities and
Oracle rootkits:
"By just revealing
what he has in this workaround, it definitely is a very strong
starting point for any malicious hacker... to try and understand the
vulnerability and produce an exploit," Harris said. "Yes, we are
clearly disappointed that he felt the need to say anything about
this vulnerability before we had a patch available."