|
|
|
Oracle Bug Database Susceptible to Metalink Hacking
By: Lisa Vaas
2005-05-27
Article Rating: / 1
There are 0 user comments on this Database story.
Oracle Bug Database Susceptible to Metalink Hacking (
Page 1 of 2 ) An Oracle security researcher finds that it's possible to search Oracle's Metalink knowledge base for customer e-mails, used configurations and other sensitive information using an attack similar to "Google hacking."The Oracle security research firm Red Database Security GmbH has found 42 bugs, some serious, in Oracle Corp.s Metalink knowledge base, and determined that its possible to search Oracles bug database for customer e-mails, used configurations, test cases and other sensitive information in a foray similar to "Google hacking."
"Within 42 hours I was able to find 42 bugs with security potential (e.g., denial of service, SQL Injection, …)," RDS Alexander Kornbrust said from Germany via an e-mail conversation. "I stopped after 42 bugs." He said he then reported the bugs to Oracle.
These bugs are not addressed by Oracles latest security patch set, Kornbrust said. Oracle could not provide formal feedback to the report by the time this story was posted, although a spokesperson did point out some inaccuracies in the report regarding which and how many Oracle employees have access to search the global repository of technical knowledge and to query the bug database for known issues.
Oracle reportedly has blocked access to forum entries listed in RDS research. Those include, for example, an October 2004 report from an Oracle user in which he or she explained the following bug: When executing a scheduler job, the user was made SYS!—in other words, the user experienced inappropriately escalated user privileges. According to Kornbrusts research, this report was returned after searching on the term "security bug." The user report was explicit in how the bug was inadvertently accessed.
Metalink hacking is similar to Google hacking, the use of Google as a hacking tool to uncover information on, for example, vulnerable servers, error messages that reveal too much information, and even passwords. It has spawned a wealth of how-to guides such as johnnyihackstuff.com.
 Click here to read about a tool designed to help enterprises use Google to discover any sensitive information about the company that might have leaked onto the Internet.
Metalink hacking is a similar exploit, but it pertains to a private rather than a public domain since it is accessible only to Oracle customers who purchase a support contract and to authorized Oracle support staff, on a need-to-know basis.
Kornbrust found that search strings that returned sensitive information included "hacker," "hacking," SQL Injection," "Cross Site Scripting," Buffer Overflow," "denial of service," "crash," "memory leak," "abort," and many more.
What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its Metalink forum.
"The Googles and the Yahoos, these … have definitely been the hot topic for the past six to 12 months," said Aaron Newman, chief technology officer and co-founder of Application Security Inc., a database security company. "Those ideas of Google and Yahoo hacking—[Kornbrust] applied that to Oracles own semi-internal database. I guess you could do the same thing to Microsofts internal bug database or IBMs DB2 internal bug database, but … Metalink is a very good source for information on Oracle. I dont think other vendors have anything thats quite as similar.
"Its a great source of information, but also a great source of security information being leaked," he said. "Its a double-edged sword."
Next Page: Password-protecting Listener is biggest security hole.
|
|
�������xr㶲(;; Yڦx�)%Xk,Ҍפ*�EB�c")_v8x��%2o-�`n4�w�~ IM�kmJ9;D�{{}.ЇP|oS�o92t=z#�m��)>M3ة��5�w��{#|6�%߽w *s�R{��wɄZIP�Qߗ>Q/?F
�Lbh9&qG٤XC#�: rWӺ#~hzN$E%�k4E�hD��>vn3gGdY��u(X(QuB,M˟!�ڮq�4]�"�X'�[vkx!D�y!rs�#�gߎ�03dc7l#205b )�V�,"&�3ýе�:s���z08ryj5jfO-�=K�;O=k��\w=j�P?bA2xư!$ne$DJH�n6�,uUj)BmMϳؖ�cq�H8C�EnU [۾�t�syHf��e�$ENX*�o�~�cn�!Lj�X�vL<:�CYͼaF3l˸;4
HSKVUBX)ڑx>o9{ۖ3p*sgyÝ|k[7�~](eU�]ϯr$QPw;@�ږu`(:n{'Owqq ��is,/wD_*�0QI-�i|��-�DǏY^��oVqW-b)ڑVP]GF[<,"�J�1~̢J
:eu}uHur~|n!|c9̠V*�PFfЊ%+��2Zuܜ<_sܴ/O7=rֽ&OV�Y;��i
O�ɗV:�['^=:$~~z>54�01\�]Z-$532�ݓ�� I|S8)ysA��{[-t[[9K
}!zc-? ,�_�� f��k��ķLJo$SNE ;��@:9�]sfZ[c�W M�X�r)
t$uWϝ�7�>hr�
Ce)#p?�݃I��hJq�䰉k>ذ�1�"%��hJ@{�e��$�}ВEtBAͨO��%ތ��EDwެ,�U*մ-~ӢKsqnUOV|߂)W��F8�,h�eݴ��V)b1y+%Y��E*GX@8ʍ�??1m!SG�ñA
3M:v`: 0h��vz?�>RӚOCq�OCGs�>H2AG66^�zK
tcb���>'�a�
�p|w��͇v1s��/|�\aR���֔zN�j$�nh��-D�&q}@9q�HhQ0<�sz0Y[Sσ�5[
�JC�ˋ�F0����P6��x���Be^~>�a�xs݀�ܧP��r`@=XS9;ݲeǀxԜ�Ї�uK�w2J}c�>�(G))(?�]HPw9�J�
B�!\��0H�#`PR1i�Jl�Ri �w�RTD;7 KŔ=*%�nqR%a 934YIjL=?�j1!U�G�,D`v9J,L��.�Y
ϴ��je[+�R,4�T(9
+ZIQ���Q#�U^?u�w<-��vF�}��`�&�1 7R�'��~Xz�/���,Â�IșuS�=L{"0-f�
ӛm�S�Zԛ01�M�,dk6q?:2`
Mbb6g��{A3u�OP#'Կ����;7ס�.g;N/=]҇1 4f�כ��d5�0�J%gYA�3�'|(@]4>+WUPÃ"`"+42[�m�̞�w(Vf;NrB@S*,�H@fmdz?;�Oq)2Sf�$�),4�tOݡ~��~uV�kCT]^u 9�R@{4�m�
�246@Ȱ\k_X5QW(:���,�)T�saŰ,Bl6<�E9̆ɨ_-iMf�@v:=F�5}n�&�V�U�O�G,m+Z�rirX,y|-lD0(2n( 鿙R&a+\ڨ�`O�w�Asm0Ho��O]����=<�f�M\?&)'V
�L
Mڊ(1@�/��ŵa�a�{�68c*tҝŅebiQ;k-)eS_HXQ6Ϯ[- �V�U}�>8`C�L�mRGM}Bu߲��&]�)W=ٰ\R
�1I16�D�ȸau-`by��gS�]WѹqH8l�1D:3��`_�mpf
Z�FZ�.�"�~~~029
?\v�>f}<~�A+�p��&��>Fk�wYвJzu6$�\.(J9�)` N� 2&|h�:�#H�& ,w�\d�����`�А��BrAa T+��S//��' 7(ڀ"P/?�ˇ%b�tXQ =j={e|h322
y�ӅZ�
JL�o39*GER�gD+Ϗ8NgԀN��_ଯ?�p�&o1z�pY
~_���^Jdw%�eXY81f�-��1_0kE
�/ÊTU5ݧ+i
fB1&}�l��eA{X�~\U4Uud�¹�`��Qе�a=E��CV0!��H�*�7hІ{e�gjڳVU;OP(�;Ђ#?=-�`"Kj�Uv�~Ie��(����#瞏~+kF�$�X�
�c5}�u��:*ZW}Z�XY
:څH�����i3
9�Sf5�NkqvϷ�
h#�քY[ў#WX�
tV ЛiQ~gVɲ �Նgy>#ΤMNU)XW<��N�~7z_EnMsU-y�F�x�w"�y@*FN=��9~܄yeb@m�y@�?몦�]m2�YhSYpg#HٚIuu�LY�vR�L5sݿy�Wj�=z{Ǻq;ɧ@d�C-s#�dKS0g'� ��Yn�:AjAy̧`꙯\�fZMf� 4D|�\D"p-n�ōap�؉v? �sc[~O�
n:R.��R
r1}]�ܙe>tgc:�7O7poUU�^S<:h93$P@hOXM\ X�\f�6}b;?/��i�)T",߸X,W̑�^`�3X�Z>2lz�
�|q6tGM4*H!I�(uO(�Eō:i2R�BE-) BoE���n,��:
�/6" ޜb��l[
ezפ\+ԕK��Oe3q1�8@X=x}�d6
�5C+jBgEr
`�3O?#[IdYy�Vum4uH�"5Hq+�$˴��I>N�����0atA�*}/*\&�IvSf
Ϛ���8_arOn{W9�0�J$7�rQӊ5�JR�}'0�X }��( rA-��ã,z(�d�2rY�j��dP��Hb.O}+�tS��Z1�wOXO\dK!O�%E�&!Z+5��8x�
26/ȟ�-�1{}A*o��P�[�/I6]S�0:;_�ݘ`30<�qR�(Jai�IAcg˾t/>� ��~�?<!o�&#rj?G���jiR��Y�pEj_uHJG��-�_w?^JN}j�Gya8dF&{Pv�B�,
oH13Q=/"W{隿z�>h��F��!$;�r��Ӽ~߾�_xt/��h_$1~J`&�=�y~yңU4*$Ey�|hq\3nmǛ&���L�kd�3;&W쐶CtO[לY0z!B3p&qXr!sdQ6h�N~{+^�+,k�̚_�f·|CAJNx�(G��b r
H)'4
�Est;3^t}h��!�V`!NU��HE*4ДK�e=ѓ:�M<;mt)�5�E_ѫ�ſ�F�}i�
T
�t6~OWK0wfAbQ+F+9ǭN۟H‐�
NAv��hq_<#慰sF�0xc�`3JP -Mu?So�2MD�Yk�NE�m�͘-O|�B�aqB�=LfPƓ4wɨˢ
ݖ2p�9G�:)!O\F02H P,O&e=l�I1 iKBih%bbVHGRo�wռܞ6<1ޥ]ƙBvmK$��Ζˬ�(�̗4.נ�E8��V�#[vx~�t7>XkI-�jշΫ���|D�s`�=C�D!aFCrWkb~�=ZU${ݝ:��h�cIs
��ذq�;eΫ� P|��v�,N��?݁CO6r=ICo6�OG2M ��.`�Y #z�}
D{O�,ik�n;�;=?P.zZĩUrcc�䰎M��l3,�LjDžܳbt`�?K.}Ҽ跮Is�09nJs ނ��#QG
6j��2�}qF[��ڭ�Fg
'okA}i^�w�~Zؖ[q@�ǠC�R�#K1&�$Z^VP**sᔤ˞CȔ�X�N�Gƽ�b[�0d&zvA�JGs`̞�xqK7�bR�cR?�A�?�'L��w.�z@z@pSx�{Zg%QJW=�(qM@kjiAr\"~^YZ�䑽�أp l$>?GB�"fFc�ME[ofO�<|nF?�9bq�Ĩ`bo�x?�GX#o<:QguX(U~a.zşn:bp��KkQ�h��n8sh\F59!ꋐуtj9j;N�CF#jMQY.�,�66�Ix�?Z�h�ro4���S(qܲY�zNt/k.ov�ջ1b/*��o�WVt2Mb�$7w0}�-O~h`w�,ҙ2gЅA��H��IIс�_�")w8�՞?Ly�abZ�
w
^©¢9s���LL�xc Ȃ��p[m�`y4�J9`�vP�Y'�:�S$zL'|K~e0n!N렳t/�&g{.��)YMh�`^�*n�eg34k��Yb{P�Gv��Gl+JDVL;̂!=�n %�7&;x�XJ�i%W�ޮ8*��Cy-�-(q�+mNrX+&NOwg6�srۗgx��}�옸99;_,U5"5�x=>f{�0nS/�X3�2"�H0IT3Rbb6h6`c9{Xpޤwx�?�3llXZ� TL"?�j]|t^-�Jr)�b-F�-g2~8ƶ�Rd�
zH�p=,Żh~y-=|\2x>CM 8Zahfr)�.{D���iJ}}دƦ�w0쯊po�,)�IM�`�X�C��Х?a��_�
8�$ћIU0�{W
�v�}U*(ێ~�
|+��vΗ`R;b�v�D8C7���ʌ9�! ���T�[�aAUlnwe�jtF2,r|�Mrj;�3XJxY][bN]Γ]ҕʃYRRRRR#_jXJ_/5�tȱƎ$�>^c=�p�/;ZG��y϶Li1��$E��G�#���O~�Ko> q��h<&�=�ԗt_jEp&|t�?O"�W� )���/[ve/\�7_/(=N̷ccz̎Ŏ?Ja ;\�2.vo4�PK{�S|L|fB'�qE���{=
_tN^6֙�Q ώg����wkm}ex#nҚ9 ��Zͮ�廩{҃V2! �M1$GؽV0+�?A�WvW^k�Z�nM]?3ݶ˶&�.⫽Mh4��Ԙ+ķz4Y��E�3D)P!ʚjΡ�k1�Z_ɚLHj�~ж}A˽=V4�2
mY�[`}X�Ey>�*췱gyN;mV)Kcjhk�>KArjlj�`lï^�Ji��f-eĚD^a+I�錃qlrG/�S&eF�PC���7*>;P{����ٿgG4^;P��`܀ws*ZWqi{1so��%��f|��̭tX};i���F�a�*�'y{Dd�[h\)�ZTS1av�
7xZ#�c6�BO�.ړ{�z^{ly��r-ݳ�Itg#TXC�,x45i;0Y>G�N$(%vYm���ff'ly0��A�r�|jq_o�j�`v3%{ �,D^گ4K{]KjL_�"|trrOs'<@N}юMݺݵn�t�)g:w:�{^n9CEoO0�V��h
ͬ{[RJBYIva|�DOR�)q2�>s�K?��zq\\oF
Ki�~RBJuT{ЯDΡgZܳVܞVk�*>*1Xb
fZ*F6#ZIik84x���?ʘ�x�a*1aV
eզٝ$7�zg�U�\}ĭBA*o�[ȺexxJ�"�rK�'~e1�}�eNM���SxޒC�7�)(�ʁޒ�Fi48~l�@1"s?��
I:2�cMr'o\Ix##�:k ��:do��
�VIz# ,@(Eꊍ\D��Q��`B�p�7Z7�f\nz�~uC��@�;G}m!���H�y;���*
f�{�Z
r�`(L]`C_IJa#.Ƭ:�?�ra)�:嘭#!+^�bΑ,rV֨n>\_RHe�>�`8�.pgj9TtKdL*2&�B�s�8���or_zLYu�n�O�KZ�&G6@@P0H�ogS�|6XPϏ�B5D��SJn67p>9�͛x`J��Au�A"�\�dzX<>�� 4鐚 ��dj�B�,ywF7`C'[��E9�Y|ob{�LgA~&\b�@Ԑ0�(V$Ѕ:�y,@#!��9ω�k��ks9~6�_fi���@�h),f,�TՊR
&uU��!2,���j)q_(O6kYh?�X; �0M蕴B��^��Ȉq~�/w�ӆ��_�Ч�6#&Dwn�`9�ͫ{M"ǽUݽ$ǭ
�m¶V��|G e}5,<·_�}eR<�e�jf9š�6u\�«Q_]drx�ixID_0}4��e8qO|ݿ@)Qe;�\VC�ĨҫSi0LLF�7OO[M֖C@VՉt.f53;x
M�/GcDǤ�\js���@1@C|k]N{5Bx_m^�;^d��@/�P~ (By7�9�hp(?g@��g#\_~5ۧF4�kgeF9C/(�ח_��05:�Ӂw2�,@N�};@N�}:NF;��v2�e2SF9g�QށNF9e^\f%eu�n�]?��/W�W�q�_e
s?=/=/}~��Z_�c�}OYпO��A�(*��h&��Ku1�Ay3CΚWpz~;"9(/��R*z�U�K˳�g賲���+F7_˰ʠsk3e_/C@1~dnleҾ:&�R+��]Q%5-{�[I�2}ח:
c|U$X2&4��e���^>&c����˼$=)>w�懤I��8j.�{%])W[O'´Z}5_9��9�*
t�=}}:1c{$%Y#/]#=D(�s�җ2��xwI0>ۓ{��g_�\�pm⦠n$oc 5�O��W�}n�.nmG;yh#ֽ2vb;�w�K췡^<� Of����'[�*8�uߚ� u8�y$�X
�H-L�{HN08
!r�虘TWCtJ#
�ۘn�;u`-�l>EM+�+J9wwrDa3�"B��&3�ITMV�YI2ZY�rF(�RB�4|;یW)57tSs�{εLM�=�)o��9/�{xrh`=E(Qs>},.q5sE�Eב�E,&JhӄZ�{JfBZ7}�M(�n�f/X�mQ#}]xHnLt6q�>+spn�nm(}cF«�U/=�ׇ"�2cX
�n'j�:F{&�W�n,='�IDπj���UMfR�;j3L类�$0\d�~\g;;n Lj9c<}�"�˞�_B �K]���gm|c�*5�S�2m-(E'.ir�}7��|Iɳdv/+
0b%O��#�HYUҎ_N�.L$CbF8]�
"!_S a�niy㲁%!}`3
h�9iw�sD:�9����A&{g;*\2R*4%NS��xSE�z�?X \� vH�V&%1S�pY .Ы�v.9|�x@NlM�^.e~���=-��/�p,�Zf�tO#6�C|�%Jo��z�r:���Y W�96!/[� !��ۂˌKmӴ>u¥"UX�HM���X,8.� k49;>�Ba2\�X�G�x
k�ok3gz��Ϸ;���<�v7�͇OV�e؋$�v/-�Ǭ�yvJ^�S.!�O�3�й?-{�/���e;�;��,�{ �QAb�fA�8u
vAѪ
V�7"60^q۷�KR�l@�swS
a
\Nսv�)E=b�농tD]�hT_�)**��
�9/�߉n^﹨]e�#�X#&�7I;s�__9V0�|6,�cz��#ɾ���Yf+3s�ƫӳ-I>2��e�pCdkZK�0Dq]�
�XNǢȖWqTR:!�;/����k`�bOP���1,,�oԛ'T�S*�4.v>ϝn<^e0�,X�+0W_ǀ�5�2lt*�
X*!KŬ"D0H��'%]��'�'��60M���Är"+roq=y[��יJ��p��8g0N^Zɩȩ(v�U_|J�Ѭd�;j�+sGOg
|I>"��`\YB��C�^EkN�~g!g˾t/>�Jz�`�gɳ^VX�vQ��J=۽w�D^8�%ܖmJPU&s)#�M�W_\)M�S9Q�/;�VM��Z2c{͵N_�l?5+��
|
