During Black Hat last week, David Litchfield disclosed that he had discovered a 0-day in Oracle 11G which allowed him to acquire administrative-level credentials. Until today, I was unaware that the attack details were made available as well, meaning anyone can bounce the exploit off your database server to see if it is vulnerable.
From the NetworkWorld article, the vulnerability is …
… the way Java has been implemented in Oracle 11g Release 2, there’s an overly permissive default grant that makes it possible for a low privileged user to grant himself arbitrary permissions. In a demo of Oracle 11g Enterprise Edition, he showed how to execute commands that led to the user granting himself system privileges to have “complete control over the database.” Litchfield also showed how it’s possible to bypass Oracle Label Security used for managing mandatory access to information at different security levels.
As this issue allows for arbitrary escalation of privileges in the database, it’s pretty much a complete compromise. At least Oracle 11G R2 is affected, and I have heard but not confirmed that 10G R2 is as well. This is serious and you will need to take action ASAP, especially for installations that support web applications. And if your web applications are leveraging Oracle’s Java implementation, you may want to take the servers offline until you have implemented the workaround.
From what I understand, this is an issue with the Public user having access to the Java services packaged with Oracle. I am guessing that the appropriate workaround is to revoke the Public user permissions granted during the installation process, or lock that account out altogether. There is no patch available at this time, but that should serve as a temporary workaround. Actually, it should be a permanent workaround – after all, you didn’t really leave the ‘Public’ user account enabled on your production server, did you?
I have been saying for several years that there is no such thing as public access to your database. Ever! You may have public content, but the public user should not just have its password changed, but should be fully locked out. Use a custom account with specific grant statements. Public execute permission to anything is ill-advised, but in some cases can be done safely. Running default ‘Public’ permissions is flat-out irresponsible. You will want to review all other user accounts that have access to Java and ensure that no other accounts have public access – or access provided by default credentials – until a patch is available.
Update
A couple of database assessment vendors were kind enough to contact me with more details on the hack, confirming what I had heard. Application Security Inc. has published more specific information on this attack and on workarounds. They are recommending removing the execute permissions as a satisfactory workaround. That is the most up-to-date information I can find.
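The audit-and-revoke workaround described above, written out as Oracle SQL. This is an added example, not code from the original post, from Application Security Inc., or from Oracle. It assumes you are connected as SYSDBA, that DBA_TAB_PRIVS, DBA_JAVA_POLICY and DBA_DEPENDENCIES are the standard data dictionary views, and that the package DBMS_JVM_EXP_PERMS (taken from the link in the comments) is the one whose PUBLIC execute grant you want to pull; the LIKE filter for "Java-related" packages and the role name java_admin_role are my own placeholders.

```sql
-- Added example (not from the original post): inventory EXECUTE privileges that
-- PUBLIC holds on Java-related SYS packages, revoke the one named in the linked
-- analysis, and verify. Run on a test instance before production.

-- 1. Inventory: what can every database user execute simply by existing?
--    The LIKE patterns are an assumption; widen them for your install.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND (table_name LIKE 'DBMS_JAVA%' OR table_name LIKE 'DBMS_JVM%')
 ORDER BY owner, table_name;

-- 2. Java-level permissions handed to PUBLIC through the JVM policy table.
--    KIND = 'GRANT' rows are active grants; KIND = 'RESTRICT' rows limit them.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'PUBLIC'
   AND kind = 'GRANT'
 ORDER BY type_name, name;

-- 3. Before revoking, list objects that depend on the package so that any
--    invalidation is expected rather than a surprise.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name = 'DBMS_JVM_EXP_PERMS';

-- 4. Workaround: take EXECUTE away from PUBLIC, then re-grant only to the
--    specific accounts or roles that genuinely need it (role name is hypothetical).
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO java_admin_role;

-- 5. Verify: this should return no rows once the revoke has taken effect.
SELECT owner, table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name = 'DBMS_JVM_EXP_PERMS';
```

Step 1 is the query to keep around after the patch ships: any row it returns is a package every account on the instance can call, which is exactly the "public execute" condition the post argues should never be the default.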
Reader interactions
3 Replies to “Litchfield Discloses Oracle 0-Day at Black Hat”
Slavik, Gary,
Yes, of course. Brain freeze on my part and I know better than to blog when I am under the weather. My point is ‘public’ and ‘execute’ don’t belong together. We have been advising and checking for public execute on things like UTL packages since Oracle 8.
And Gary, thanks for the link. Heck, I also missed Alexander Kornbrust’s post as well: http://blog.red-database-security.com/2010/02/04/oracle-11g-0day-exploit-published/
-Adrian
Adrian, PUBLIC is not a user, it’s a role. Permissions and roles granted to public are available to all database users. The latest version of Oracle has ~28000 objects granted to public by default:
SYS> select count(*) from dba_tab_privs where grantee = 'PUBLIC';

  COUNT(*)
----------
     28164
So, the “least privilege” principle and secure by default are not exactly followed 🙁
Regarding the vulnerability disclosed, I can confirm it works on 10g databases as well (with minimal changes).
BTW – Sentrigo vPatch has been providing protection against this attack for a while now without the need to make database changes.
Slavik
“you didn’t really leave the ‘Public’ user account enabled”.
It isn’t a public user, but a procedure with a grant to public (which means every user gets it), just like a program on a PC that everyone can use such as notepad.
There’s a good analysis of the potential impact of the fix here:
http://www.oracleforensics.com/wordpress/index.php/2010/02/07/securing-java-in-oracle-and-dbms_jvm_exp_perms