ARLINGTON, Va.—British security researcher David Litchfield used the spotlight of the Black Hat Federal Briefings here to call attention to a gaping flaw in the Oracle PL/SQL Gateway that remains unpatched three months after it was first reported to the database server giant.
In a rare departure from his companys policy of withholding technical details on unpatched vulnerabilities, Litchfield provided a blow-by-blow demonstration of an exploit that could be used to gain full database administrator control of the back-end database server.
The Oracle PLSQL Gateway is a component of the Oracle Internet Application Server, the Oracle Application Server and the Oracle HTTP Server.
It serves as a proxy to send queries between the Web server and the database back-end server, providing an easy target for malicious hackers wishing to bypass certain exclusions to gain access to “excluded” packages and procedures, Litchfield explained.
In a presentation titled “Breakable,” the co-founder of NGSS (Next Generation Security Software) said the company reported the vulnerability to Oracle on Oct. 25, 2005, and was expecting to find a comprehensive fix in the batch of patches released earlier this month.
Once he realized the flaw had not been patched, Litchfield said, he alerted London-based NISCC (National Infrastructure Security Coordination Center), which subsequently released a warning to potential high-profile targets.
“This is a very critical issue and its disappointing that Oracle hasnt fixed it, especially since the workaround is rather simple,” Litchfield said, warning that government systems are known to be exposed to an attack vector that can be launched from the Internet.
“An attack can be launched without a user name ID or password to gain full access to the back-end server. This is a data breach waiting to happen,” he said in an interview with eWEEK.
“I dont think its reasonable for Oracle to leave their customers vulnerable until the next CPU [Critical Patch Update]. Thats another three months of waiting. Thats not fair to customers,” he added.
Oracle officials could not be immediately reached for comment.
Immediately after his talk, Litchfield posted a brief warning on the Bugtraq mailing list” with what he described as a “trivial” mod_rewrite workaround.
Litchfield, who is renowned for his work on database vulnerabilities, has had several run-ins with Oracle in the past. The company has accused him—and other security researchers—of seeking notoriety while putting customers at risk, but Litchfield fired back, accusing the Redwood City, Calif., vendor of putting serious security issues on the back burner.
“The politics of disclosure is always involved when I find something but Oracle doesnt want me to talk about it. Its normal for me to get to Black Hat and be told by Oracle that they didnt get the patch done in time and that I shouldnt do the talk. Ive always agreed to talk around these things at the last minute,” he said.
In this case, because of the severity of the flaw and the high-profile agencies that are at risk, Litchfield said he decided there were good enough reasons to go public with his findings and propose a temporary workaround.
“We disclosed this to Oracle on Oct. 25 last year. Around the same time, they were alerted to another high-risk flaw that is not as serious as this one. They fixed that one in the January CPU but neglected to fix this. Its not a case of not having enough time, because the fix is trivial and the risks are severe,” Litchfield said.
He said the actual bug was discovered several years ago, but, despite several attempts by Oracle to fix it, NGSS researchers kept finding ways to defeat the patches. “Its been four years and Oracle still cant fix something thats very simple thing to fix. Considering how critical this is, they could have and should have put a workaround into the January CPU,” he said.
“Its quite astonishing how backwards they are in their approach to security,” Litchfield said, accusing the company of putting public relations and marketing concerns ahead of protecting customers.
“Ive asked Oracle in the past if they want me to review their patches before the release. Let me help them test it so they dont have all these problems with re-releases and broken patches. They said no. They refuse any help weve offered,” he added.
He said he believes the decision to go public with technical details will nudge Oracle into prioritizing and getting a fix into the hands of its database server users sooner. “This is one case that demands an out-of-cycle fix. They cant continue to sit on this, theres too much at stake. Customers should get the kind of respect they are paying for.”