
    Oracle Bug Database Susceptible to Metalink Hacking

    By Lisa Vaas - May 27, 2005

      The Oracle security research firm Red Database Security GmbH has found 42 bugs, some serious, in Oracle Corp.'s Metalink knowledge base, and determined that it's possible to search Oracle's bug database for customer e-mails, used configurations, test cases and other sensitive information in a foray similar to “Google hacking.”

      “Within 42 hours I was able to find 42 bugs with security potential (e.g., denial of service, SQL Injection, …),” RDS' Alexander Kornbrust said from Germany via an e-mail conversation. “I stopped after 42 bugs.” He said he then reported the bugs to Oracle.

      These bugs are not addressed by Oracle's latest security patch set, Kornbrust said. Oracle could not provide formal feedback on the report by the time this story was posted, although a spokesperson did point out some inaccuracies in the report regarding which and how many Oracle employees have access to search the global repository of technical knowledge and to query the bug database for known issues.

      Oracle reportedly has blocked access to the forum entries listed in RDS' research. Those include, for example, an October 2004 report from an Oracle user in which he or she explained the following bug: When executing a scheduler job, the user was made SYS!—in other words, the user experienced inappropriately escalated user privileges. According to Kornbrust's research, this report was returned after searching on the term “security bug.” The user report was explicit in how the bug was inadvertently triggered.

      Metalink hacking is similar to Google hacking, the use of Google as a hacking tool to uncover information on, for example, vulnerable servers, error messages that reveal too much information, and even passwords. It has spawned a wealth of how-to guides such as johnnyihackstuff.com.


      Metalink hacking is a similar exploit, but it pertains to a private rather than a public domain since it is accessible only to Oracle customers who purchase a support contract and to authorized Oracle support staff, on a need-to-know basis.

      Kornbrust found that search strings that returned sensitive information included “hacker,” “hacking,” “SQL Injection,” “Cross Site Scripting,” “Buffer Overflow,” “denial of service,” “crash,” “memory leak,” “abort,” and many more.

      What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its Metalink forum.

      “The Googles and the Yahoos, these … have definitely been the hot topic for the past six to 12 months,” said Aaron Newman, chief technology officer and co-founder of Application Security Inc., a database security company. “Those ideas of Google and Yahoo hacking—[Kornbrust] applied that to Oracle's own semi-internal database. I guess you could do the same thing to Microsoft's internal bug database or IBM's DB2 internal bug database, but … Metalink is a very good source for information on Oracle. I don't think other vendors have anything that's quite as similar.

      “It's a great source of information, but also a great source of security information being leaked,” he said. “It's a double-edged sword.”


      Newman said that the most egregious security hole discussed in Kornbrust's research note involves password-protecting the Listener. The Listener is a proxy between the client and the Oracle database: when you connect to the database, you connect to the Listener, which hands you off to the database. By default, the Listener lacked a password on Oracle 9i and earlier versions.

      Without putting a password on Listener in those earlier versions, somebody could take full control of the database, Newman said. As it is, there are Listener attack tools available on the Internet.

      Although the Listener problem has been known for several years, that doesn't mean that all pre-10g versions are patched, Newman said, and the majority of active Oracle databases do in fact predate 10g.

      In his research note, Kornbrust points to a January 2005 dialogue between a user and an Oracle employee in which the user asked whether he or she needed to password-protect the Listener.

      The answer from the Oracle employee was, “I know no one likes to use the password protection in the Listener. I used to be one of the first people to turn it off when working with [customers].”

      Kornbrust called it a “funny comment from an Oracle employee. I believe she is not aware how easy it is to become DBA [database administrator] or destroy a database via an unprotected Listener.”

      In the dialogue, the employee went on to emphasize the importance of password-protecting the Listener for database security. However, Newman said, it's scary to think that Oracle employees had once been in the habit of turning it off.

      “The point [Kornbrust] is making is an employee in Metalink is saying, ‘I removed the password whenever somebody turned this on,’” Newman said. “Which means the employee is turning the security to Off and leaving a big, wide hole in Oracle. It's kind of a reflection on ‘Hey, people need to start thinking security is important.’ If Oracle employees are out there turning security off, it's a little bit scary.”

      Pete Finnigan, founder of PeteFinnigan.com Ltd., a British firm that specializes in Oracle and security, said he found the employee note “funny, sad and worrying at the same time.

      “This is a serious issue for Oracle: explosive, in fact!” Finnigan wrote in an e-mail. “It also has much wider implications for many other companies big and small that use public searchable knowledge bases for their customers. … Security is becoming more of a widespread issue and researchers and hackers alike will look for bugs everywhere. Companies need to be very aware of what they write down and publish. They also need to filter all input through the security department to ensure that security bugs are not made public in this way.”

      Meanwhile, users of Metalink should also take precautions, Kornbrust warned in his research note, by using a free Webmail account in forum entries where possible. He also advises Oracle customers to anonymize configuration files before posting them on Metalink and to remove passwords before posting content.
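Kornbrust's advice above (remove passwords and anonymize configuration files before posting) as a small scrubber script. This is an added illustration, not code from RDS, Oracle or the article; the sample excerpt, hosts, addresses and passwords are constructed, and the patterns are deliberately conservative, so a human still reads the result before posting.

```python
import re

# Constructed sample of the kind of excerpt a DBA might paste into a forum entry:
# a listener.ora fragment, connect strings and contact details. All hosts, names,
# addresses and passwords below are made up for this example.
SAMPLE = """\
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.corp.example.com)(PORT = 1521)))
PASSWORDS_LISTENER = s3cr3tpw
sqlplus scott/tiger@prod.corp.example.com
connect sys/changeme@prod as sysdba
password=Welcome1
reported by dba.jones@corp.example.com from 10.20.30.40
"""

# Ordered (category, pattern, replacement). Credentials go first so that a
# user/password@host token is never mistaken for an e-mail address later on.
# The '<' exclusions keep the rules idempotent on already scrubbed text.
RULES = [
    # user/password@service -> keep the user, drop password and service name
    ("password", re.compile(r"(?i)\b([a-z_][\w$#]*)/[^\s@/<]+@[\w.-]+"), r"\1/<REDACTED>@<HOST>"),
    # sqlplus / connect user/password without a service part
    ("password", re.compile(r"(?i)\b((?:sqlplus|connect|conn)\s+)([a-z_][\w$#]*)/[^\s@/<]+"), r"\1\2/<REDACTED>"),
    # PASSWORDS_<listener>, PASSWORD=..., PWD=... lines in config files
    ("password", re.compile(r"(?im)^(\s*(?:PASSWORDS?_\w+|PASSWORD|PWD)\s*=\s*)\S+"), r"\1<REDACTED>"),
    ("email", re.compile(r"(?<![\w.<])[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "<EMAIL>"),
    ("host", re.compile(r"(?i)\(HOST\s*=\s*[^)]+\)"), "(HOST = <HOST>)"),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<IP>"),  # also hits 4-part version strings
]


def sanitize(text):
    """Return (scrubbed_text, counts); counts maps category -> replacements made."""
    counts = {}
    for category, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        counts[category] = counts.get(category, 0) + n
    return text, counts


def leaks(text):
    """Post-check: anything that still looks like an address or a user/password@service."""
    return re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+|\w+/\w+@\w+", text)


if __name__ == "__main__":
    clean, counts = sanitize(SAMPLE)
    print(clean)
    print(counts, "still suspicious:", leaks(clean))
```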

      Also, if Metalink users report a bug to Oracle, Kornbrust recommends that they consider whether the bug could be security-relevant and escalate the issue if necessary. “Even if this costs additional time, it makes Oracle more secure in the long run,” he wrote.
