The Oracle security research firm Red Database Security GmbH has found 42 bugs, some serious, in Oracle Corp.'s Metalink knowledge base, and determined that it's possible to search Oracle's bug database for customer e-mails, used configurations, test cases and other sensitive information in a foray similar to “Google hacking.”
“Within 42 hours I was able to find 42 bugs with security potential (e.g., denial of service, SQL Injection, …),” RDS' Alexander Kornbrust said from Germany via an e-mail conversation. “I stopped after 42 bugs.” He said he then reported the bugs to Oracle.
These bugs are not addressed by Oracle's latest security patch set, Kornbrust said. Oracle could not provide formal feedback to the report by the time this story was posted, although a spokesperson did point out some inaccuracies in the report regarding which and how many Oracle employees have access to search the global repository of technical knowledge and to query the bug database for known issues.
Oracle reportedly has blocked access to forum entries listed in RDS' research. Those include, for example, an October 2004 report from an Oracle user in which he or she explained the following bug: When executing a scheduler job, the user was made SYS!—in other words, the user experienced inappropriately escalated user privileges. According to Kornbrust's research, this report was returned after searching on the term “security bug.” The user report was explicit in how the bug was inadvertently accessed.
Metalink hacking is similar to Google hacking, the use of Google as a hacking tool to uncover information on, for example, vulnerable servers, error messages that reveal too much information, and even passwords. It has spawned a wealth of how-to guides such as johnnyihackstuff.com.
Metalink hacking is a similar exploit, but it pertains to a private rather than a public domain since it is accessible only to Oracle customers who purchase a support contract and to authorized Oracle support staff, on a need-to-know basis.
Kornbrust found that search strings that returned sensitive information included “hacker,” “hacking,” “SQL Injection,” “Cross Site Scripting,” “Buffer Overflow,” “denial of service,” “crash,” “memory leak,” “abort,” and many more.
What makes the vulnerabilities particularly disturbing, security experts say, is that Oracle has built up such a rich repository in its Metalink forum.
“The Googles and the Yahoos, these … have definitely been the hot topic for the past six to 12 months,” said Aaron Newman, chief technology officer and co-founder of Application Security Inc., a database security company. “Those ideas of Google and Yahoo hacking—[Kornbrust] applied that to Oracle's own semi-internal database. I guess you could do the same thing to Microsoft's internal bug database or IBM's DB2 internal bug database, but … Metalink is a very good source for information on Oracle. I don't think other vendors have anything that's quite as similar.
“It's a great source of information, but also a great source of security information being leaked,” he said. “It's a double-edged sword.”
Newman said that the most egregious security hole discussed in Kornbrust's research note involves password-protecting the Listener. Listener is a proxy between the client and the Oracle database. When you connect to the database, you connect to the Listener, which hands you off to the database. By default, Listener lacked a password on Oracle 9i and earlier versions.
Without putting a password on Listener in those earlier versions, somebody could take full control of the database, Newman said. As it is, there are Listener attack tools available on the Internet.
Although the Listener problem has been known for several years, it doesn't mean that all pre-10g versions are patched, Newman said, and the majority of active Oracle databases do in fact predate 10g.
In Kornbrust's research note, he points to a January 2005 dialogue between a user and an Oracle employee in which the user asked if he or she needed to password-protect the Listener.
The answer from the Oracle employee was, “I know no one likes to use the password protection in the Listener. I used to be one of the first people to turn it off when working with [customers].”
Kornbrust called it a “funny comment from an Oracle employee. I believe she is not aware how easy it is to become DBA [database administrator] or destroy a database via an unprotected Listener.”
In the dialogue, the employee continued on to emphasize the importance to database security of password-protecting the Listener. However, Newman said, it's scary to think that Oracle employees had once been in the habit of turning it off.
“The point [Kornbrust] is making is an employee in Metalink is saying, ‘I removed the password whenever somebody turned this on,’” Newman said. “Which means the employee is turning the security to Off and leaving a big, wide hole in Oracle. It's kind of a reflection on ‘Hey, people need to start thinking security is important.’ If Oracle employees are out there turning security off, it's a little bit scary.”
Pete Finnigan, founder of PeteFinnigan.com Ltd., a British firm that specializes in Oracle and security, said he found the employee note “funny, sad and worrying at the same time.
“This is a serious issue for Oracle: explosive, in fact!” Finnigan wrote in an e-mail. “It also has much wider implications for many other companies big and small that use public searchable knowledge bases for their customers. … Security is becoming more of a widespread issue and researchers and hackers alike will look for bugs everywhere. Companies need to be very aware of what they write down and publish. They also need to filter all input through the security department to ensure that security bugs are not made public in this way.”
Meanwhile, users of Metalink should also take precautions, Kornbrust warned in his research note, by using a free Webmail account in forum entries where possible. He also advises Oracle customers to anonymize configuration files before posting them on Metalink and to remove passwords before posting content.
Also, if Metalink users report a bug to Oracle, Kornbrust recommends that they consider whether the bug is relevant to security and escalate the issue if necessary. “Even if this costs additional time, it makes Oracle more secure in the long run,” he wrote.
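As an added example (not from the article, RDS or Oracle), the following Python script ties together the two points above: it audits a listener.ora for the unprotected-Listener state Newman describes (no PASSWORDS_ entry, ADMIN_RESTRICTIONS_ not ON) and produces a redacted copy with password hashes and hostnames replaced, as Kornbrust advises before posting a configuration file. The listener.ora content, listener names, hostnames and hash value are constructed for the example.

```python
import re

# Constructed sample listener.ora: LISTENER is hardened, LSNR_REPORTS is left in the
# no-password, no-admin-restrictions state that was the default on 9i and earlier.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbprod01.corp.example)(PORT = 1521))))
PASSWORDS_LISTENER = (A1B2C3D4E5F60718)   # hash set via lsnrctl CHANGE_PASSWORD
ADMIN_RESTRICTIONS_LISTENER = ON
LSNR_REPORTS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = rptdb.corp.example)(PORT = 1526)))
"""

def parse_assignments(text):
    """Return {KEY: value} for top-level 'KEY = ...' entries; values may span lines."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                 # strip comments
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)  # unindented: new key
        if m:
            key = m.group(1).upper()
            entries[key] = m.group(2).strip()
        elif key is not None and line.strip():               # indented continuation
            entries[key] += " " + line.strip()
    return entries

def audit_listener_ora(text):
    """Findings per listener: no PASSWORDS_ entry, or ADMIN_RESTRICTIONS_ not ON."""
    entries = parse_assignments(text)
    listeners = [k for k, v in entries.items() if "(DESCRIPTION" in v.upper()]
    findings = []
    for name in listeners:
        if f"PASSWORDS_{name}" not in entries:
            findings.append((name, "no password: admin commands are unauthenticated"))
        if entries.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper() != "ON":
            findings.append((name, "ADMIN_RESTRICTIONS_ not ON: runtime SET commands allowed"))
    return findings

def redact_listener_ora(text):
    """Replace password hashes and hostnames with placeholders before posting the file."""
    hosts = {}
    def host_sub(m):
        hosts.setdefault(m.group(2), f"host{len(hosts) + 1}.example")
        return m.group(1) + hosts[m.group(2)]
    text = re.sub(r"(PASSWORDS_\w+\s*=\s*)\([^)]*\)", r"\1(REDACTED)", text)
    return re.sub(r"(\(HOST\s*=\s*)([^)\s]+)", host_sub, text)
```

Run `audit_listener_ora` on the file before it leaves the server and `redact_listener_ora` on anything that goes into a support forum; the host map keeps repeated hosts consistent so the redacted file still reads correctly.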