Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Oracle unauthenticated remote system compromise (#NISR16022003a)

Oracle unauthenticated remote system compromise (#NISR16022003a)

From: <Jared.Still_at_radisys.com>
Date: Fri, 18 Apr 2003 18:56:40 -0800
Message-ID: <F001.0058541F.20030418185640@fatcity.com> 





>From Bugtraq:







"NGSSoftware Insight Security Research" <nisr_at_nextgenss.com>

 02/17/2003 02:09 PM

 

        To:     <bugtraq_at_securityfocus.com>
        cc: 
        Subject:        Oracle unauthenticated remote system compromise (#NISR16022003a)






NGSSoftware Insight Security Research Advisory



Name:    Oracle unauthenticated remote system compromise
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 
1,


8i, 8.1.7, 8.0.6


Severity:  Critical Risk


Category:               Remote System Buffer Overrun
Vendor URL:   http://www.oracle.com


Author:   Mark Litchfield (mark_at_ngssoftware.com)
Date:   16th February 2003


Advisory number: #NISR16022003a




Description




Oracle is the leader in the database market with a 54% market share lead
under ERP (Enterprise Resource Planning). The database server is 
vulnerable


to a remotely exploitable buffer overflow vulnerability. What exacerbates
this problem is that no valid User ID or password is required by an
attacker.



Details




There is a remotely exploitable buffer overflow vulnerability in the
authentication process with the Oracle Database Server.  By supplying an
overly long username when attempting to log onto the database server an
attacker can overflow a stack based buffer overwriting the saved return
address.  Any arbitrary code supplied by an attacker would execute with 
the


same privileges as the user running the service; this account is typically


"Oracle" on linux/unix based platforms and Local System on Windows based

operating systems such as NT/2000/XP. As such this allows for a complete
compromise of the data stored in the database and possibly a complete
compromise of the operating system.  As most client applications for 
Oracle


will tuncate the length of the username that can be supplied to the 
database


an attacker would need to write their own Oracle "Authenticator" to 
exploit


this issue. That said, NGSSoftware has found one client application that
will allow longer usernames so to test if you are vulnerable to this 
issue,


use the LOADPSP utility usually found in "bin" directory found under the
OracleHomeInstallDirectory. On Windows, for example, run:



C:\ora9ias\BIN>loadpsp -name -user LONGUSERNAME/tiger_at_iasdb myfile




Fix Information




NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
Oracle has reviewed the code and created a patch which is available from:



http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf



NGSSoftware advise Oracle database customers to review and install the 
patch


as a matter of urgency.



A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite



http://www.ngssoftware.com/software/squirrelfororacle.html



It is further recommend that Oracle DBAs have their network/firewall
administrators ensure that the database server is protected from Internet
sourced traffic.




Further Information




For further information about the scope and effects of buffer overflows,
please see


http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf





About NGSSoftware




NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware 
have


offices in the South of London and the East Coast of Scotland. 
NGSSoftware's


sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.



http://www.ngssoftware.com/


http://www.ngsconsulting.com/



Telephone +44 208 401 0070


Fax +44 208 401 0076



enquiries_at_ngssoftware.com








"NGSSoftware Insight Security Research" <nisr_at_nextgenss.com>

 02/17/2003 02:12 PM

 

        To:     <bugtraq_at_securityfocus.com>
        cc: 
        Subject:        Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b)






NGSSoftware Insight Security Research Advisory



Name:    Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 
1,


8i, 8.1.7, 8.0.6


Severity:  High Risk


Category:               Remote System Buffer Overrun
Vendor URL:   http://www.oracle.com


Author:   Mark Litchfield (mark_at_ngssoftware.com)
Date:   16th February 2003


Advisory number: #NISR16022003b




Description




Oracle's database server contains fuctions for use within queries. The
TO_TIMESTAMP_TZ function exists to convert a string into a timestamp with 
a


time zone datatype. This function contains an exploitable buffer overflow
vulnerability.



Details




There is a remotely exploitable buffer overflow vulnerability in the
TO_TIMESTAMP_TZ function. A normal statement would look like the 
following,


converting a character string string to a value of timestamp with time 
zone:



SELECT TO_TIMESTAMP_TZ('2003-02-016 12:00:00 -8:00','YYYY-MM-DD HH:MI:SS

TZH:TZM') FROM DUAL;


By supplying a long character string for the second parameter an attacker
can overwirte a saved return address on the stack of Oracle process. 
Before


this issue can be exploited an attacker must be able to log on to the
database server with a valid user ID and password, but as the
TO_TIMESTAMP_TZ() function can be executed by PUBLIC by default any user 
of


the system can gain control. Any arbitrary code supplied by an attacker
would execute with the same privileges as the user running the service; 
this


account is typically "Oracle" on linux/unix based platforms and Local 
System


on Windows based operating systems such as NT/2000/XP. As such this allows
for a complete compromise of the data stored in the database and possibly 
a


complete compromise of the operating system.



Fix Information




NGSSoftware alerted Oracle to this vulnerability on 30th September 2002 
and


Oracle has produced a patch which is available from



http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf



A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite



http://www.ngssoftware.com/software/squirrelfororacle.html



Further Information




For further information about the scope and effects of buffer overflows,
please see


http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf





About NGSSoftware




NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware 
have


offices in the South of London and the East Coast of Scotland. 
NGSSoftware's


sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.



http://www.ngssoftware.com/


http://www.ngsconsulting.com/



Telephone +44 208 401 0070


Fax +44 208 401 0076



enquiries_at_ngssoftware.com








"NGSSoftware Insight Security Research" <nisr_at_nextgenss.com>

 02/17/2003 02:17 PM

 

        To:     <bugtraq_at_securityfocus.com>
        cc: 
        Subject:        Oracle9i Application Server Format String Vulnerability (#NISR16022003d)






NGSSoftware Insight Security Research Advisory



Name:    Oracle9i Application Server Format String Vulnerability
Systems Affected:  All platforms; Oracle9i Application Server Release 
9.0.2


Severity:  Critical Risk


Category:               Format String Vulnerability
Vendor URL:   http://www.oracle.com


Author:   David Litchfield (david_at_ngssoftware) and Mark Litchfield
(mark_at_ngssoftware.com)


Date:   16th February 2003


Advisory number: #NISR16022003d




Description




Oracle's 9i Application Server offers a highly functional web server
designed to seamlessly integrate with an Oracle backend database server.
Based on Apache the server offers many environments for web based
applications such as Java/JSP, PL/SQL, Perl and FastCGI. With their latest
release of the Application Server, 9.0.2, Oracle has added support for
WebDAV, Web Distributed Authoring and Versioning, that turns the Web into 
a


file sharing system.




Details




DAV is turned on by default. Whilst this is bad in and of itself, as
attackers can anonymously upload files to the server, an attacker can
exploit a format string bug in the one of the logging functions. If an
attacker uses the COPY method and supplies a destination URI that uses a
different scheme or port then a 502 Bad Gateway response is returned. This
is logged and in doing so the format string can be exploited. Although the
Apache mod dav module is not vulnerable itself the vulnerable code is
there - it is just not ever executed. Oracle has modified the moddav 
module


and changed it so bad gateway responses are logged - and thus they are
vulnerable. Looking at the moddav source



>From mod_dav.c revision 1.157



..


..


lookup = dav_lookup_uri(dest, r);


if (lookup.rnew == NULL)


{

      if (lookup.err.status == HTTP_BAD_REQUEST)
      {
            ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO,
r,lookup.err.desc);
            return HTTP_BAD_REQUEST;
      }
      return dav_error_response(r, lookup.err.status, lookup.err.desc);


}


..


..



This code calls the dav_lookup_uri() function in dav_util.c. From 
dav_util.c


revision 1.84



..


dav_lookup_result dav_lookup_uri(const char *uri, request_rec * r)
{


..


..


if (strcasecmp(comp.scheme, scheme) != 0 || comp.port != port)
{

      result.err.status = HTTP_BAD_GATEWAY;
      result.err.desc = ap_psprintf(r->pool,
      "Destination URI refers to different "
      "scheme or port (%s://hostname:%d)\n"
      "(want: %s://hostname:%d)",
      comp.scheme ? comp.scheme : scheme,
      comp.port ? comp.port : port,
      scheme, port);

      return result;





..


..


}



When dav_lookup_uri() returns to mod_dav.c the format strings occurs



..


lookup = dav_lookup_uri(dest, r);


if (lookup.rnew == NULL)


{

      if (lookup.err.status == HTTP_BAD_REQUEST)
      {
      // THIS IS THE FIRST FORMAT STRING VULNERABILITY
      ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO,


r,lookup.err.desc);


..


..


}




Of course the code should have read



ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO,
r,"%s",lookup.err.desc);



to not be vulnerable.



By crafting a specially formed format string and sending to the server an
attacker can overwrite arbitrary address with arbitrary values which can
allow an attacker to gain control of the web server. To do this they could
overwrite a saved return address on the stack, an exception handler or
pointer to a function with an address that points to a buffer that 
contains


the arbitrary code to execute.



Fix Information




NGSSoftware alerted Oracle to this vulnerability on 24th September 2002.
Oracle has developed a patch which is available from



http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf



A check for these issues has been added to OraScan, a comprehensive
automated vulnerability assessment tool for Oracle Application Servers of
which more information is available from the NGSSite



http://www.nextgenss.com/software/orascan.html



About NGSSoftware




NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware 
have


offices in the South of London and the East Coast of Scotland. 
NGSSoftware's


sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.



http://www.ngssoftware.com/


http://www.ngsconsulting.com/



Telephone +44 208 401 0070


Fax +44 208 401 0076



enquiries_at_ngssoftware.com









"NGSSoftware Insight Security Research" <nisr_at_nextgenss.com>

 02/17/2003 02:15 PM

 

        To:     <bugtraq_at_securityfocus.com>
        cc: 
        Subject:        Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)






NGSSoftware Insight Security Research Advisory



Name:    Oracle TZ_OFFSET Remote System Buffer Overrun
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 
1,


8i, 8.1.7, 8.0.6


Severity:  High Risk


Category:               Remote System Buffer Overrun
Vendor URL:   http://www.oracle.com


Author:   Mark Litchfield (mark_at_ngssoftware.com)
Date:   16th February 2003


Advisory number: #NISR16022003c



Description




Oracle's database server contains fuctions for use within queries. The
TZ_OFFSET function returns the time zone offset corresponding to the value
entered based on the date the statement was executed. For example:



SELECT TZ_OFFSET('US/Eastern') FROM DUAL;



would return the time zone offset value of -04:00. The TZ_OFFSET() 
function


contains a remotely exploitable buffer overflow vulnerability.




Details




There exists a remotely exploitable buffer overflow vulnerability in the
TZ_OFFSET function. By supplying a long character string for the time zone
name an attacker can overwrite a saved return address on the stack of 
Oracle


process.  Before this issue can be exploited an attacker must be able to 
log


on to the database server with a valid user ID and password, but as the
TO_TIMESTAMP_TZ() function can be executed by PUBLIC by default any user 
of


the system can gain control. Any arbitrary code supplied by an attacker
would execute with the same privileges as the user running the service; 
this


account is typically "Oracle" on linux/unix based platforms and Local 
System


on Windows based operating systems such as NT/2000/XP. As such this allows
for a complete compromise of the data stored in the database and possibly 
a


complete compromise of the operating system.




Fix Information




NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
Oracle has developed a patch which is available from



http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf



A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite



http://www.ngssoftware.com/software/squirrelfororacle.html



Further Information




For further information about the scope and effects of buffer overflows,
please see


http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf






About NGSSoftware




NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware 
have


offices in the South of London and the East Coast of Scotland. 
NGSSoftware's


sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.



http://www.ngssoftware.com/


http://www.ngsconsulting.com/



Telephone +44 208 401 0070


Fax +44 208 401 0076



enquiries_at_ngssoftware.com








"NGSSoftware Insight Security Research" <nisr_at_nextgenss.com>

 02/17/2003 05:09 PM

 


        To:     <bugtraq_at_securityfocus.com>, <vulnwatch_at_vulnwatch.org>, 
<ntbugtraq_at_listserv.ntbugtraq.com>

        cc: 
        Subject:        Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)






NGSSoftware Insight Security Research Advisory



Name:    ORACLE bfilename function buffer overflow vulnerability
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 
1,


8i, 8.1.7, 8.0.6


Severity:  High Risk


Category: Remote System Buffer Overrun


Vendor URL:   http://www.oracle.com


Author:   David Litchfield (david_at_ngssoftware.com)
Date:   16th February 2003


Advisory number: #NISR16022003e




Description




Oracle's database server contains fuctions for use within queries. The
bfilename() function returns a BFILE locator to a binary large object 
stored


in the database.



Details




The bfilename() function suffers from a remotely exploitable buffer 
overrun


when an overly long DIRECTORY parameter is supplied. Before this issue can
be exploited an attacker must be able to log on to the database server 
with


a valid user ID and password, but as the bfilename() function can be
executed by PUBLIC by default any user of the system can gain control. Any
arbitrary code supplied by an attacker would execute with the same
privileges as the user running the service; this account is typically


"Oracle" on linux/unix based platforms and Local System on Windows based

operating systems such as NT/2000/XP. As such this allows for a complete
compromise of the data stored in the database and possibly a complete
compromise of the operating system.




Fix Information




NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
Oracle has developed a patch which is available from



http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf



A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite



http://www.ngssoftware.com/software/squirrelfororacle.html



Further Information




For further information about the scope and effects of buffer overflows,
please see


http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf





About NGSSoftware




NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware 
have


offices in the South of London and the East Coast of Scotland. 
NGSSoftware's


sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.



http://www.ngssoftware.com/


http://www.ngsconsulting.com/



Telephone +44 208 401 0070


Fax +44 208 401 0076



enquiries_at_ngssoftware.com








Muhammad Faisal Rauf Danka <mfrd_at_priorityzero.com>
 02/20/2003 12:59 AM


 Please respond to mfrd

 

        To:     bugtraq_at_securityfocus.com
        cc: 
        Subject:        Fwd: CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers









Tenha seu E-mail Grátis  @priorityzero.com
o domínio diz tudo: Urgente !!


Subscreva através do nosso site


http://priorityzero.mail.everyone.net



Subscribe for your Free URGENT  @priorityzero.com E-mail
click the link below


http://priorityzero.mail.everyone.net





Select your own custom email address for FREE! Get you_at_yourchoice.com w/No 
Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag





-----BEGIN PGP SIGNED MESSAGE-----


CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers



   Original release date: February 19, 2003
   Last revised: --


   Source: CERT/CC



   A complete revision history can be found at the end of this file.



Systems Affected






Overview



   Multiple  vulnerabilities  exist  in  Oracle software that may lead to
   execution  of  arbitrary  code; the ability to read, modify, or delete
   information  stored  in  underlying  Oracle  databases;  or  denial of
   service.   All   of  these  vulnerabilites  were  discovered  by  Next
   Generation Security Software Ltd.



I. Description



   Multiple   vulnerabilities   exist  in  Oracle9i  Application  Server,
   Oracle9i  Database,  and  Oracle8i  Database.  The  majority  of these
   vulnerabilities are buffer overflows.



   Oracle has published Security Alerts describing these vulnerabilities.
   If you use Oracle products listed in the "Systems Affected" section of
   this  document,  we  strongly  encourage  you  to review the following
   Oracle Security Alerts and apply patches as appropriate:






   NGSSoftware  Insight  Security  Research  Advisories  describing these
   issues are listed below:






   The CERT/CC has published vulnerability notes for each of these issues
   as  well. The vulnerability in Oracle's mod_dav module (VU#849993) has
   been as assigned CVE ID CAN-2002-0842.



II. Impact



   Depending  on  the  vulnerability  being exploited, an attacker may be
   able  to  execute  arbitrary code; read, modify, or delete information
   stored  in  underlying Oracle databases; or cause a denial of service.
   The vulnerabilities in "ORACLE.EXE" (VU#953746) and the WebDAV modules
   (VU#849993, VU#511194) may be exploited prior to authentication.



III. Solution



Apply a patch



   Solutions  for  specific  vulnerabilities  can  be  found in the above
   referenced   Oracle  Security  Alerts,  NGSSoftware  Insight  Security
   Research Advisories, and individual CERT/CC Vulnerability Notes.



Mitigation Strategies



   Until  a  patch can be applied, the CERT/CC recommends that vulnerable
   sites






Appendix A. Vendor Information



   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.



Oracle Corporation



     Please see the following Oracle Security Alerts:






Appendix B. References






   The  CERT/CC  acknowledges both Next Generation Security Software Ltd.
   and  Oracle  for  providing  information  upon  which this document is
   based.





   Feedback can be directed to the author: Ian A. Finlay.





   This document is available from:


   http://www.cert.org/advisories/CA-2003-04.html





CERT/CC Contact Information



   Email: cert_at_cert.org

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.





   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.



Using encryption



   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   http://www.cert.org/CERT_PGP.key



   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.



Getting security information



   CERT  publications  and  other security information are available from
   our web site


   http://www.cert.org/



   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo_at_cert.org. Please include in the body of your
   message



   subscribe cert-advisory






   NO WARRANTY



   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.





   Conditions for use, disclaimers, and sponsorship information



   Copyright 2003 Carnegie Mellon University.



   Revision History


February 19, 2003:  Initial release



-----BEGIN PGP SIGNATURE-----



Version: PGP 6.5.8



iQCVAwUBPlPkcmjtSoHZUTs5AQGFkAQAmTTDL3Tyn818VW59c0Ec5Tt+N78TKs8y
h6Mnp4gkZuFLaPXju8zw1oNat4HoR7JWefBo7Lj6QFMf9HANlg7NexYmmQZSupL/
TZrFF6Nisfg/jQ7H6hPH/kajm/siJO6BuPgQIyEWtHkrJ6ce4jgcPGmuJsLzuUW3
N4QKY3gFD2A=


=nkbt


-----END PGP SIGNATURE-----







Peter Conrad <conrad_at_tivano.de>


 03/31/2003 12:48 AM

 

        To:     bugtraq_at_securityfocus.com
        cc: 
        Subject:        Oracle JDBC: Inconsistent handling of timestamps






Product: Oracle database 8.1.7 & JDBC "thin" driver 8.1.7.1
Issue:   Inconsistent handling of timestamps
Impact:  Minor (as a security issue, what comes to mind is bad timestamps

         when logging to an Oracle DB)
         Could be a major problem for any application relying on certain
         timestamp properties, though.




History: Posted to Oracle JDBC web forum on October 28th - no vendor 
response

         (see http://www.oracle.com/forums/message.jsp?id=1422122&gid=390686 )
         Sent email to secalert_us_at_oracle.com on December 3rd
          - vendor acknowledged receipt on Dec 4
         Requested status from secalert_us_at_oracle.com on Feb 18 and Mar 17
          - no response so far






Description:



Certain java.sql.Timestamp values aren't written to (or retrieved from)
the database correctly. Timestamps affected are in the time interval just
before switchover from DST to non-DST (the bug was noticed on 
October 27th 2002 for the first time, when the switchover from MET/DST to 
MET



took place). Various timestamp values in the range
2:00 AM - 2:59:59 AM (MET/DST) on October 27th 2002 as well as on October
26th 2003 have been verified to reproduce the bug, with the database as
well as the JDBC client running in MET.



What happens is this:






Example code:



The following code snippet can be used to reproduce the bug in the MET 
timezone. The "problem" timestamp probably has to be adjusted for other
timezones.




    Connection c = DriverManager.getConnection(DB_URL, DB_USER, DB_PWD);
    PreparedStatement p = c.prepareStatement("CREATE TABLE BugTest (ts 
DATE NOT NULL)");



    p.execute();


    p.close();



    Timestamp problem = new Timestamp(1067130000000L); // 26.10.03 02:00 
MET/DST


    p = c.prepareStatement("INSERT INTO BugTest (ts) VALUES (?)");

    p.setTimestamp(1, problem);
    p.execute();
    p.close();





    p = c.prepareStatement("SELECT * FROM BugTest WHERE ts = ?");
    p.setTimestamp(1, problem);


    ResultSet rs = p.executeQuery();


    if (rs.next()) {

        Timestamp ts = rs.getTimestamp(1);
        if (ts.equals(problem)) {
            System.out.println("Everything's OK");
        } else {
            System.out.println("Gotcha! DB returns " + ts.getTime()
                               + " but we gave it "
                               + problem.getTime()
                               + "!");
        }




    }


    p = c.prepareStatement("DROP TABLE BugTest");

    p.execute();
    p.close();
    c.close();

-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071


Bahnhofstr. 18


63263 Neu-Isenburg



Germany






"Peter J. Holzer" <hjp_at_wsr.ac.at>



 04/02/2003 01:17 AM

 

        To:     bugtraq_at_securityfocus.com
        cc: 
        Subject:        Re: Oracle JDBC: Inconsistent handling of timestamps






On 2003-03-31 10:48:05 +0200, Peter Conrad wrote:
> Certain java.sql.Timestamp values aren't written to (or retrieved from)
> the database correctly. Timestamps affected are in the time interval 
just


> before switchover from DST to non-DST (the bug was noticed on 
> October 27th 2002 for the first time, when the switchover from MET/DST 
to MET


> took place). Various timestamp values in the range
> 2:00 AM - 2:59:59 AM (MET/DST) on October 27th 2002 as well as on 
October


> 26th 2003 have been verified to reproduce the bug, with the database as
> well as the JDBC client running in MET.
[...]


>     Timestamp problem = new Timestamp(1067130000000L); // 26.10.03 02:00 
MET/DST


That's a general problem with daylight savings time. On the switch from
DST to standard time, one hour (02:00:00 .. 03:00:00 in the case of MET)
occurs twice. If a timestamp is stored in the local timezone but without
timezone information, this information is ambiguous. 



This is not Oracle-specific but would happen with any database which
stores timestamps in "human readable" form without timezone information.



If you need to store unambiguous timestamps, use UTC or a numeric 


"units since the epoch" format (like POSIX time_t or Java millis).




What's nasty about your sample code is that you specify the timestamp in
Java millis, but it isn't stored that way. It is easy for a programmer
to forget about the type conversion and possible loss of information.


                 hp

-- 
   _  | Peter J. Holzer      | Unser Universum wäre betrüblich
|_|_) | Sysadmin WSR / LUGA  | unbedeutend, hätte es nicht jeder
| |   | hjp_at_wsr.ac.at        | Generation neue Probleme bereit.
__/   | http://www.hjp.at/   |             -- Seneca, naturales quaestiones







"Integrigy Security Alerts" <alerts_at_integrigy.com>

 04/10/2003 08:33 PM

 

        To:     <bugtraq_at_securityfocus.com>
        cc: 
        Subject:        Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability







Integrigy Security Advisory





Oracle E-Business Suite FNDFS Vulnerability
April 10, 2003





Summary:



The Oracle Applications FNDFS program, used to retrieve report output from
the Concurrent Manager server, can be used to remotely retrieve any file
from the server without operating system or application authentication.  A
mandatory patch from Oracle is required to solve this security issue.



Product:    Oracle E-Business Suite


Versions:   10.7, 11.0 and 11.5.1 - 11.5.8
Platforms:  All platforms


Risk Level: High





Description:



There exists a weakness in the communications protocol used by the Oracle
Applications FND File Server (FNDFS) program, also referred to as the 
Report


Review Agent (RRA), that may allow an attacker to retrieve any file from
Oracle Applications Concurrent Manager servers bypassing operating system,
database, and application authentication.  The Concurrent Manager server 
is


usually also the database server in most implementations.  The FNDFS 
program


is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to 
retrieve


reports and logs from the Concurrent Manager server.



An attacker can exploit this vulnerability to retrieve sensitive data or
files containing critical passwords from the server.  Any file accessible 
by


the oracle or applmgr accounts can be retrieved.  Direct access to the
Concurrent Manager server via SQL*Net is required.



Solution:



Oracle has released patches for Oracle Applications 11.0 and 11i to 
correct


this vulnerability.  Oracle has implemented a new security layer in the
communications protocol used by the FNDFS program.



The following Oracle patches must be applied to all servers --


      Version     Patch
      -------     -----
      11.0        2782950     (All Releases)
      11i         2782945     (11.5.1 - 11.5.8)





Application Desktop Integrator (ADI) users must also apply patch 2778660 
to


allow ADI clients to connect to the new FNDFS program.



Appropriate testing and backups should be performed before applying any
patches.



All firewalls should block or filter the SQL*Net protocol, not permitting
any SQL*Net access to the Concurrent Manager or database servers from the
Internet or unsecured networks.  Please note that the FNDFS program does 
not


run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports
must be blocked or filtered.



Security for the FNDFS TNS Listener should be evaluated and include a
password on the listener and connection limitations to only allow the
application servers access to the listener.  Customers running ADI may not
be able to limit access to the listener, since ADI's Request Center 
requires


direct access to the listener from the client. Additional information on
security for Oracle TNS listeners can be found at:



  http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf



Additional Information:



  http://www.integrigy.com/resources.htm
  http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf



For more information or questions regarding this security alert, please
contact us at alerts_at_integrigy.com.



Credit:



This vulnerability was discovered by Stephen Kost of Integrigy 
Corporation.


Integrigy is a member of the Oracle PartnerNetwork.





About Integrigy Corporation (www.integrigy.com)



Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest 
and


most important applications. Integrigy Consulting offers security 
assessment


services for leading ERP and CRM applications.



For more information, visit www.integrigy.com.










Content-Type: text/plain; name="ReadMe.txt"; charset="us-ascii"
Content-Transfer-Encoding: 7bit



The previous attachment was filtered out by the ListGuru mailing
software at fatcity.com because binary attachments are not appropriate
for mailing lists.  If you want a copy of the attachment which was
removed, contact the sender directly and ask for it to be sent to
you by private E-mail.



This warning is inserted into all messages containing binary
attachments which have been removed by ListGuru.  If you have questions
about this message, contact Postmaster_at_fatcity.com for clarification.



--=_mixed 000A892D88256D0D_=--

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: 
  INET: Jared.Still_at_radisys.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).









Received on Fri Apr 18 2003 - 21:56:40 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US