Exploit code for a malicious worm capable of wreaking havoc through Oracle databases has been tweaked and published, prompting a new round of warnings that an actual attack is inevitable.
Two months after an anonymous researcher released the first public example of an Oracle database worm, the code has been advanced and republished on the Full Disclosure mailing list, adding further techniques for attacking databases.
“It's still very theoretical right now, but I don't think any DBA should be underestimating the risk,” said Alexander Kornbrust, CEO of Red-Database-Security GmbH. “If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.”
Kornbrust, renowned for his research work around security in Oracle products, claims he has already created an actual exploit that uses default usernames and passwords to target Oracle databases.
In an interview with eWEEK, Kornbrust said the tweaked exploit takes the attack beyond the use of known default username/password schemes. “This exploit connects to the Oracle listener and renames the log file. By doing this, he can create a new database account and set up a scenario where the next time the user connects to the database, the code executes,” he explained.
“Depending on the payload, if one of these worms gets out, a business under attack can lose every database within 1 or 2 minutes. This is a very serious issue,” he added.
Aaron Newman, chief technology officer at Application Security Inc., described the modified code as “more advanced” than the original proof-of-concept that included an apparent taunt aimed at Oracle Corp. CEO Larry Ellison.
“[It is] still lacking the actual implementation to propagate—although it does have the capability. Change one line of code, and this thing would propagate,” Newman said in an e-mail note.
According to Red-Database-Security's Kornbrust, database administrators should be fearful of a targeted attack that combines workstation vulnerabilities with a working Oracle exploit. “A successful attack can take aim at the DBA workstation through a Windows vulnerability, gain access to that local machine and use the Oracle worm as a payload to cause damage.”
For the most part, Oracle is an innocent bystander, since the proof-of-concept does not exploit an actual product flaw to propagate. Instead, Kornbrust said customers are responsible for using strong password schemes in database products. “In this environment, it is not acceptable to have databases with default defaults.”
Kornbrust has published his own analysis of the modified exploit to explain the risks. He also warns that the code can be used to create database links and try to guess passwords for additional databases on a network.
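Both the default-credential vector and the password guessing over database links rely on accounts still carrying a known password. The following audit script is an added example for DBAs, not code from the article or from Red-Database-Security; it assumes Oracle 11g or later (where the DBA_USERS_WITH_DEFPWD view exists) and a session with SELECT on the DBA_* views and the ALTER USER privilege.

```sql
-- Added example: report every account that still uses a shipped default
-- password, and optionally lock and expire the ones that are open.
-- Assumes Oracle 11g+ for DBA_USERS_WITH_DEFPWD. Review the report with
-- lock_accounts = FALSE before switching enforcement on.
SET SERVEROUTPUT ON
DECLARE
  lock_accounts CONSTANT BOOLEAN := FALSE;  -- set TRUE to enforce
  n_open        PLS_INTEGER := 0;
BEGIN
  FOR r IN (
    SELECT d.username, u.account_status
      FROM dba_users_with_defpwd d
      JOIN dba_users u ON u.username = d.username
     ORDER BY d.username
  ) LOOP
    IF r.account_status NOT LIKE 'OPEN%' THEN
      -- Already locked or expired: a default password alone cannot be used.
      DBMS_OUTPUT.PUT_LINE('default password, ' || r.account_status
                           || ': ' || r.username);
    ELSIF r.username IN ('SYS', 'SYSTEM') THEN
      -- Never lock the administrative accounts; change their passwords instead.
      n_open := n_open + 1;
      DBMS_OUTPUT.PUT_LINE('DEFAULT PASSWORD, OPEN (change password): '
                           || r.username);
    ELSE
      n_open := n_open + 1;
      DBMS_OUTPUT.PUT_LINE('DEFAULT PASSWORD, OPEN: ' || r.username);
      IF lock_accounts THEN
        -- Lock now and force a fresh password at the next authorised logon.
        EXECUTE IMMEDIATE 'ALTER USER "' || r.username
                          || '" ACCOUNT LOCK PASSWORD EXPIRE';
      END IF;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(n_open || ' open account(s) still on a default password');
END;
/
```

The listener log-file rename the article describes is a runtime listener change; setting ADMIN_RESTRICTIONS_LISTENER_<listener name> = ON in listener.ora refuses such changes unless listener.ora itself is edited and reloaded.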