The Oracle security research firm Red Database Security GmbH has found 42 bugs, some serious, in Oracle Corp.s Metalink knowledge base, and determined that its possible to search Oracles bug database for customer e-mails, used configurations, test cases and other sensitive information in a foray similar to "Google hacking."
"Within 42 hours I was able to find 42 bugs with security potential (e.g., denial of service, SQL Injection, …)," RDS Alexander Kornbrust said from Germany via an e-mail conversation. "I stopped after 42 bugs." He said he then reported the bugs to Oracle.
These bugs are not addressed by Oracles latest security patch set, Kornbrust said. Oracle could not provide formal feedback to the report by the time this story was posted, although a spokesperson did point out some inaccuracies in the report regarding which and how many Oracle employees have access to search the global repository of technical knowledge and to query the bug database for known issues.
Oracle reportedly has blocked access to forum entries listed in RDS research. Those include, for example, an October 2004 report from an Oracle user in which he or she explained the following bug: When executing a scheduler job, the user was made SYS!—in other words, the user experienced inappropriately escalated user privileges. According to Kornbrusts research, this report was returned after searching on the term "security bug." The user report was explicit in how the bug was inadvertently accessed.
Metalink hacking is similar to Google hacking, the use of Google as a hacking tool to uncover information on, for example, vulnerable servers, error messages that reveal too much information, and even passwords. It has spawned a wealth of how-to guides such as johnnyihackstuff.com.
Metalink hacking is a similar exploit, but it pertains to a private rather than a public domain since it is accessible only to Oracle customers who purchase a support contract and to authorized Oracle support staff, on a need-to-know basis.
Kornbrust found that search strings that returned sensitive information included "hacker," "hacking," SQL Injection," "Cross Site Scripting," Buffer Overflow," "denial of service," "crash," "memory leak," "abort," and many more.
What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its Metalink forum.
"The Googles and the Yahoos, these … have definitely been the hot topic for the past six to 12 months," said Aaron Newman, chief technology officer and co-founder of Application Security Inc., a database security company. "Those ideas of Google and Yahoo hacking—[Kornbrust] applied that to Oracles own semi-internal database. I guess you could do the same thing to Microsofts internal bug database or IBMs DB2 internal bug database, but … Metalink is a very good source for information on Oracle. I dont think other vendors have anything thats quite as similar.
"Its a great source of information, but also a great source of security information being leaked," he said. "Its a double-edged sword."