|
|
|
Oracle Bug Database Susceptible to Metalink Hacking
By: Lisa Vaas
2005-05-27
Article Rating: / 1
There are 0 user comments on this Database story.
Oracle Bug Database Susceptible to Metalink Hacking (
Page 1 of 2 ) An Oracle security researcher finds that it's possible to search Oracle's Metalink knowledge base for customer e-mails, used configurations and other sensitive information using an attack similar to "Google hacking."The Oracle security research firm Red Database Security GmbH has found 42 bugs, some serious, in Oracle Corp.s Metalink knowledge base, and determined that its possible to search Oracles bug database for customer e-mails, used configurations, test cases and other sensitive information in a foray similar to "Google hacking."
"Within 42 hours I was able to find 42 bugs with security potential (e.g., denial of service, SQL Injection, …)," RDS Alexander Kornbrust said from Germany via an e-mail conversation. "I stopped after 42 bugs." He said he then reported the bugs to Oracle.
These bugs are not addressed by Oracles latest security patch set, Kornbrust said. Oracle could not provide formal feedback to the report by the time this story was posted, although a spokesperson did point out some inaccuracies in the report regarding which and how many Oracle employees have access to search the global repository of technical knowledge and to query the bug database for known issues.
Oracle reportedly has blocked access to forum entries listed in RDS research. Those include, for example, an October 2004 report from an Oracle user in which he or she explained the following bug: When executing a scheduler job, the user was made SYS!—in other words, the user experienced inappropriately escalated user privileges. According to Kornbrusts research, this report was returned after searching on the term "security bug." The user report was explicit in how the bug was inadvertently accessed.
Metalink hacking is similar to Google hacking, the use of Google as a hacking tool to uncover information on, for example, vulnerable servers, error messages that reveal too much information, and even passwords. It has spawned a wealth of how-to guides such as johnnyihackstuff.com.
 Click here to read about a tool designed to help enterprises use Google to discover any sensitive information about the company that might have leaked onto the Internet.
Metalink hacking is a similar exploit, but it pertains to a private rather than a public domain since it is accessible only to Oracle customers who purchase a support contract and to authorized Oracle support staff, on a need-to-know basis.
Kornbrust found that search strings that returned sensitive information included "hacker," "hacking," SQL Injection," "Cross Site Scripting," Buffer Overflow," "denial of service," "crash," "memory leak," "abort," and many more.
What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its Metalink forum.
"The Googles and the Yahoos, these … have definitely been the hot topic for the past six to 12 months," said Aaron Newman, chief technology officer and co-founder of Application Security Inc., a database security company. "Those ideas of Google and Yahoo hacking—[Kornbrust] applied that to Oracles own semi-internal database. I guess you could do the same thing to Microsofts internal bug database or IBMs DB2 internal bug database, but … Metalink is a very good source for information on Oracle. I dont think other vendors have anything thats quite as similar.
"Its a great source of information, but also a great source of security information being leaked," he said. "Its a double-edged sword."
Next Page: Password-protecting Listener is biggest security hole.
|
|
�������x}r㶲s\@♵MR-ƶ,xMT(��S$�I~u~|�.dxjl��Fwh4#�I"nZΘ\̦dwꚃ�>}K$wB}��N��UQV C7((�bP�<�HwO7n[cQ0�R�a���᳙*,�Q � tjGt0]2x�6;k:&o4veki cߨ_�[&``1Z�|R �j��9iݑ |i @I>R(áh]
](
Ѽ��e�MGQR`F
Cw*�Nul9�Q��)+X^DP~�FDM:ǎ-4rwN�̚0/Pcw��Ҵ���v[P�;U�{Q5hw��/E�@^���cBȡ[Boi�=3dc7.���{$�͑�w2K*-a{е�:�9�z�u
v}�j:GJ�73ҧ
}KH;R@}k��y�>5I
i�b�1lp2�E%$�7
��.mq_0/<m��dRr�-2Q�Ȳn�Mw�3a[mѡlطZkuE9,},^/[��,\hӟoF/sj_.;gW���~�`h-v4}�u=;yؼ} �d}#5��*%`ZJ4��_����::~\B^�,9@FI?n�|%ܲ_/iv�d�f1{�Pd!XI#/YTUGf9괏'}o__]wzmo��]wڧ>ߘecfy�3�?T�r�Jw3B~��,W�7'7�7˓MvISCV|BCj`BәcYueUo~9�Wc�_C燩M�XCE�C�0ʾ�~Ff{|&�xt9&�IoJDz|?!:_��C��j�ݖe�B_*X_��KŗG)LY4C�� ! ,#2ɔS�Hu��t:���d9AcI'}6kiBu�V�!`JC�̺k�R�49�(��蟉$�m�4�@r5�YSl �R揇o4'M�XZE�U��>hi"A[T]ϧ+foF">��23y�B(&�pHq�b��&�μb8O�yp>rY[4'jtamAi3ӟ��ӲKwqnUO�^
S�3�G#�洋вn�s榣V'cW*P\?,Ëʾ��b�(7ZdL��,��5,{Lt차�ϳp:� 0h��v?S�Oiͦ89y��t$�AG61^�zK
ucb���>'ݸä��7X�(}Zc�Og6�/|�\a��֔�^탉�i$�i��-D�@wM0I�e+�f!S uG �νdrg�oMA�(oInP��X^0 vji�q�Hp�yY?���»g��{`� ���閭�-�L<�ħ̠>x�x?ɜK)
�Dt|JIIL"D%� R
h��4�A�G�EBEN�m�bo$H�XVph�T6ݞ�H:w@T�*esRأXB�Y�X/E_R�23#Cdɬa���X�91{M�f�T`"[ᛥLKa�k`FX,CMۯ!M{�ڣeXyD�}= 3̲M҂%�Ll;!9?f! s WQ�'�:� x�BoBCEs;J�0aEiŬ9c 9��i|X#<~GWM'�9�X0N,cBb+H5L��ôLhD�,iocӏ�5�SN`cܒn�̜07ÚL ~D�g�詅m>`T4fs)wdmrn)�RЛvs9n$!+x�WY� ��2gdRUY8:[�(,�O7�\EYbꞦ5�X�ScX`D~w�zb0q�m/n)Na�V|�\t�ΖU�kͲT]ٽ/ 7�JeO0sm-�VJ{",6@1�+_w��jQtT�(*��АTtm6dXdž��J>}Cb&^dthQ?mM�*`��5:m���_&TYV0>2ei[�FNbhd�l�[�� �ʸCfJ�g~c+&�*d-ë��?v= �ڇkO�Gn&z&�ϐ|pR9��g3?']dp�$D80V�}2Pa�Iu5��烊7@ƕ/0k�%�&}c*:tǩg2읶��]%ϥ_(̧6�y+�Co��{Lu�D�m�G
�#�~\EM�R^ z0kٰZQJ1M16�D�ȸpa,r�i�*wڶ{O�?QɺH`WK�˙@�'@**ZC/�ç�V��"IJ8riPzP*�cW�E�.ϳ�1F�A?�%�hPcfJf�-`\.xcJ�rE}�X))J5��` L�` �T<�t&{[=
��F:�7�G�\d�����0!a�P��\Q0"sK��sKU1SO�nʻhC�z-X]�L,'8Aò?DNQc�G}ܸ~?CÜU^ٯV�Rx�w.$ZT�rɡUUR;,Z
8;z�f�w͂wq�)4G
@rF�g}qs`ћx?Sc`9g?7��`3�|x+G��UXY81f�-��1_0+E
��/k,5�ܧ+i
fR9!}�l��eA{���늦�u�V8V|�"� V@?�a�⢉�!h{+�E��&hӚ
n<�aJ��V�Lӳ)
l:L+y�WJ�=zG:yɿ,�YE8&}琩gc�c�~�GfqH)��Yf�:al<6`rO18��МN�%Z*`ҖM�PVťGl䘇%�b�
"�K,8.h#2"G=%��BXMV\�7@aOo[\JEVK`qՁDZ%y�9HǞ1�]�]2�Y1�Gci��}�[U�ה1�Zeƌ7)Ь6ڴ���#�iA/J2|�]��{6
��8xYʒnVv` dV֪Ρ��~h�uJJ]��aQ"�fQ�rM�E�7uOM5:VJ'l"I�(}O,Ke嵤:i1RʵRM()5CoE�D\vOJ�9MLt�M� J �l�KqXAK�kL9��-2j=sP/�
�K���d%3E���8@Xc.&̫{z;Atl;�:L̇y֏�B�Y�Թ~<:�m~XKs!�}��=#ɢj�+h�L؞;K^�+,k�Z�f·|C!2ZN�y�(��@�RPOh%[#N:TrVgp="�
Bt�X�1t�e�ES)Q\(�hI{LǠ"G(��^(/([ҷoDW蘧Y�GD_q-�s��z<~�,\2Z9ntD{�Nbp
jwz`ySrg!�~�,/D�ec�.A-6Ծ�N9 �4�sJd"�:�%;�?m[ħ{�+�/䎑�D=:dSN�S.(�iQEn�-e9r�tJ9S"\� 6H PV,OҼe=lI1 iK"ih�$bbVF�o�wպܜ6<5ަmƙBƗH�Qt>fKE֊�p�kP�q<��+�b
�>�ϣ��g֢Ѭ]}+
ɏ��~x"��R̅)�c��x��9 gEuX.gTk�N�+tt��YȍNjFڰq�;eΫ�>f|m���v�,KKN�5�W�3lyRѵl�bdNƄ��`sBk;G�Q��v0&xl&�4�-�Ewy'("KxQ�~4qXx2u|SU�kͰ"ˀ"�3��Cӝꖃ(I\vuo_�arԆ�cA�ɼ��>#�ᛷ
6n�2�}2JO�$hבּ�~QO�ƯtGov/zfC�F=foݷvcW};Ǎ>m8t�ǠQC�Ҁ�I1&�ZQP�**sᔤ˞�v�X�Њ�&X�d1�0d&zvAK�JG3`̾�qK7�b��c�o�JP�>I.=]awQ;�ޝ{͞6vYiEe�K\�-"PnǸZ|>O%0)7Sq�uüMc�vc"�PbO��s�ގ#�mɘ7nj5YR1g�}-tR�vg샖+Rw^⪒^كXa��V &8O^R+IΣً@<,|h;ȇ. ez6#&Kx>��ۛ�?}�j#N*jz�(9�F-�~`ŶbZ�uz@�8gh/%;htD h+=ˋ�Z2h6�d!bIKz��DS*V6\�B��{��M�/hZj,&]�u|�Rߦ�尀R,&��ҟC`N BEy�oʹ-*�`s4#�a\SaW^K�\R*!r�1�+=4&G�;^�0@Te6���p@_rؘ�sbSߖ[�ɰ\ pdbB&�]'ѫX`)]Mhqއ9N:t�;n�Jutb1*B"1W�t8饨�67��U$e_RPuQ�rK-�Lnհ$rFH̼-iRyb�%�PL^�%e&K9=*�AB�^ڊ߀-va:��I놷VE�L ]de8H��(%�jschsLXJ2L%&� ���MR9]zcI�"�Ёc[�!���Wi/mL9{i�[�ZX:��uQ�
\\\\_�YWT�\zyO#NFBuo%MQ��x�aQoc�sͱ� E=Fgp�!�"�A$ D��W3-HM1B*JQ�j>
y< �Rv,BSvLJbGV(�!��@R�R'_rz�Zd�ܢ�R~m�I=%U�K70-c�h}�[,�$ �~>��$��-"�EFD�ܦ\b.�\��UqO��Mՙz7HQ�p�
ƀ7 I7I&Fn_ ?<��MPmnPi�Ym5f�P."�2�g^(.f$rm+Hrm
3fa�$jmQ�$nE�R%h`�?L͗!'^r�h.@��4]�/�
��בx6_a"#$4�$l x�n�1O�O!C /L~vMooooɯ7Y5&.�f�kUDC
x%�Gz�^�&�B1ܬٳ-b:lk���"0�:AXܪ�F��g��O H�=�OxݓKb536�$�,q@E�"|t0~'� ��=sL���"ǘonsÊ_Q87�;8zgϥs&�_t=H7o9#�nwę)NnX�?a =@�WQ^ls�$SE|idL^�5�[j v)��;�AH%g1hoksӚ_�#0~F/gg�w�縜z8X�f^߽�o|CwR❼we\lo`>3�]3h�Uiwd⠣>!i�^esj+�lQrޡ0tWŽ�!h..x/� #Vy*xsIܱk)D\eO~ӚrnA蹞nO_���HE&����i=u<9-B$5+Snz�TxZ�f
y;fAS�+�Y�ʹ��m�Cl�(I#�ۀچձ�I(NcH^uσ�dUoko#fEN;Hm^)˪jhk�>ˈqb�lC�؆_�߳��
JRˬ�+JEI3�Ʊ)�k1b*Nh�T&P2էQfT��o�p�@�I`z�-IU
FO *`µl{;�hOf�>#n�b1D�b��@/j2]y|י [Dx[�Q�)weν�ީ�o�N VBv
xrٵ%�_Urc[A|��^SSE~;>W-��8�ɠ)"(lWh�Fu�<6,Ρ��A\ۦ"B7剨5Ns�ZyJ�(aVBScW�F�%3z�J�0;AX�^qQ3&IBp�~4#uT_RSW-��Z��oʼn�[#r�d! `,%7��vEa�B`8(ĒI
g{ h#8lqn/�%�ڜ93�͒EˉtE�Sc%5@T)r~Az)ZbYE-c
2^X!tOHkxUn<�vlNz� ԣ:BMşWNTU"j;�o�^b\y
z|dms|GYM13bmC��y�m�+=u`m;�bak�+mLtW8Ow|
evw�O�%YՉJ=[��mݹ]W=!5&A4�`�!N8Va6
jU9JJEV^�StqݗǮ5*yYVTl �}:9ǽ|z`{�g`ҧ9Edcu��sg
敊V.ի�ۺo?z#TXA�,x5Y/`|\I>HP)%$7�_`�ev:�Dɹ0���ǖC0%n4,ɦ�AgJ�S4 ٴ+^t����kd�̉�:u_a��i;t�]k�t+�3>нg B�Y$�/:Oļ\\sn`.=cXY��Yqc[QZJYb;7s"3)q8�@�ə莥��r$\Qq��6�~m�>9`VO0�oYlB��G�L��m�W1Ք6�ZvN[� 5kL(�xX�dL��W<00t#PγjN�T\OpY�}XC3 L�^\}ĭRA+o�S[Ⱥext J�"$�r[-i���#:�&Z���):�]Б���ߔjmO*oIgO.4��_ ��Pm̼DGRSx_�&��d.4���q;q5�;�5��
boE�іIv# ,@�yꊍBL��S��{I"�p�77�V\oz~}C��@>;C}m!���y;�]h���]�{�q
r�`(LZw�ga#.AȬ:q0�ra)��pV�%%A� HS�P+|k47�/{ʾR0F$u2��C:���Z�B�hiED#Rhb��GDcOs?��uǤ')�45aBx$l��d
�D�ps}�dlSۈ��(��0�װ�Þ�1;my^0Fl/u�J۹bb��WoH$P`��+wdcF>b|�9�+=�%G_$ F�K?E���T��&}�fA??~��e�KM)Qw3a/x#�S�N\<7��Y�ef��xp�Ƨ�x�}� 5tHM<��2BkQ.閣FMQpV#ߛ�~�Sg8�X�ذں9�PZ��Ay
YW'>;ȱkhw�j
N^�^[sI���'M&7�b�S>o�I]hF&5+:�v<)��r_rʯzuq�8SޅnN9rzu झS~�ǫO>9y��NyY]9)4;'9пNN?ӹ)wrWh~ϫ�y�|�9s�_�/�}/r{�ȡ��E�^�^'e�SN��S~��909{ s#?0~9ׅws�?]/�r�q�WU?9�{9�^�}~��Z]�c�}Oyߧ�>�>�oʁor�ڿi�&s$CPʑ�.N�pr+Q�T/ޯ<�4|�sYU�~vïUX^йZ*4�ˑ*sҿw2~62A\�wO
aq�ʍz�^S_xڞꖽpLڭe]�9hq_l �^bϽ�s^楽ɤ< x�EB+�g�ٔ�@#X{#uO'NW6#�ﹺsd^)WsU}Ӊ{Z?Ś/�̙Y�mJ5Bf�aO@z6vD��4+�{HO9|\�z[,�G$q�=�PW].�6pqS0n/", �4`
�}Zy�緶xvY^]Z��j.�7�m!ϋ9y}2�o�فOh]��ߒč,{��%�h_10(\��?�}̪x��j'܌3�X�\w{A7�i__�WmЙM�%�Æ>a#^*�g�B8D#�0���<��1Sx�;1�1&11}үI��ν6�"u`-��i7�Jղ�VJZ8~G;F"k3�#81T5YUdN.��jUeR�L�3BA�yG�
�l];&h�̽ZCO�2CX)&ḇ�̹nk�$���<��tl̎�U|�s�y3sy"oTS;W%@9$�L�o��8�j/"v2ᵧ1W!+<2ȝ���?�dWɓ�.dЬ!�cv[F8̭c�6г(`НG ?n
3ɔ@y�7�h���x
qf9�SGiӰ��VH'ՃoB/ 7oH/ܳ�x��eK�1,֘,Dw�jcW@��:�~ {f�6a�ƘSCM��In�_!�x@{�`{slgΐM$�X)43gGKZDpa�w��./& ̥y4w},H\t<�Ap��b2� �A�L/u���x�n'qgŽ-̷&�$ʃH�Io�۩Bf@L��V$3>�t ktS'i߰l7g@oL`Xkt J7B��g��3ZfTm˙�
M7_|݆mwfJ�f1�0'O�=ሇ�\ق|8=;ztF"2��]3CK~�`xR
��Hv2'V``5�3vmtAu<,cB%Αܯ�.;$m�~26V6^$ul70H-��t{z [%fgiC͞c�fs(19J
|�X�=f&l��`���C~rh`=E(qs>}D.I��sE�yב�y,&Jh݄Z�sJ�dBQ}�M)��f/X�bQ#{۰xHn犱Lԛ�Zd�Lx7�]>1uV@U}��ÈC�1*�֭'j�:/F{�A�}F�垓gg_6�b
Gy&�3@3p6�+�%�^Πo'b/;K{K8���(&�]�a1W%$}�HRͤ_;=$qDJ2E)ߠ(b'<%���*`>=.�X�"�>m�<'6}Fu;H �"@DנKuOEnv��T�g7>��5ك|2p�}�π!XsCQs%7`
�};���=Ⱦ?J��B ϱy1ng/`�S7Dl
.7��mӴ1u�¥"UINR��X,8.� +l9i3;>�Ba2\�H��xkY�oc3gz ��?;���<�v;�fC
&K_2uy��D��#VJrX}P?)�:�OOg�sZ�nR��H�ʶ�!�Ͼ�,�{��QDb�VB�8u
vGѲ
v�7"ְ0ގq۷�NT�|@�wS�a
\ZX%e�ܔ�UF.Dm�hT4X %*l+�7�W
��/߶�7qݼg¶"yX\
ALXNڙF
X�<���s+��o5ȉe6�뙣\g0^n,eH}Kqd.5"�$$r嵖I��;;Q0��&iE-ȓl`C�v�_)~ph[?�ƒY�A� wVǰ�>|BLN7�S
3pRaL ��(b[и�g~C{%��m̈́�6�=L
i�$j1Bi6e1�}0�-X�+0V_�k��A�k�Le�U��ltCEYEL`�;[+ NJ_�9��N*D#la,�!r3 ��Eb F.�t3��RW04xq�~�Q��əȩ8|�m_|J�Ѭd�;j�+�3GOg |y>"�:xqeQ���Vs*�zkvV?Pv/isTO7uG��>;��&o:Rh\*Ioڝg%u��nңݏ'RTFYzhI:v��J]NN:�?`(X�E��h�M#01B4
|
