Re: Oracle 0 day

From: Andre van Winssen <dreveewee_at_gmail.com>
Date: Mon, 22 Feb 2010 16:32:42 +0100
Message-ID: <9b46ac491002220732q441105a3n1d0e3b89a541fa4c_at_mail.gmail.com>

Hi Jay,

No, you'd better revoke EXECUTE from PUBLIC on all three mentioned packages. But you need to test the consequences for things like Data Pump or any other feature that relies one way or another on the database JVM when you do that.

To see the whole presentation by David Litchfield, see http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html and look for his movie and MP3.

To see a good assessment of the DBMS_JVM_EXP_PERMS issue, see Paul Wright's update (http://www.oracleforensics.com/wordpress/index.php/2010/02/07/securing-java-in-oracle-and-dbms_jvm_exp_perms).

Note that exploits exist that work in 10g also.

To all: be warned, do not just let the bad guys know of features like this one.

Regards,
Andre
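A way to carry out the audit-then-revoke step described above, as an added example (not code from Andre or the list): run as a DBA, it reports whether PUBLIC holds EXECUTE on SYS.DBMS_JVM_EXP_PERMS, lists the non-SYS objects that depend on it (the things that may break), and only revokes once `do_revoke` is set. The list holds just the package named in this thread; the other two packages are not named here, so they are left for the reader to add.

```sql
-- Added example, not from the thread. Run as SYS or another DBA account.
SET SERVEROUTPUT ON
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  -- Only the package this thread names; extend before running.
  pkgs      name_list   := name_list('DBMS_JVM_EXP_PERMS');
  do_revoke BOOLEAN     := FALSE;   -- set TRUE after reviewing the dependents
  n         PLS_INTEGER;
BEGIN
  FOR i IN 1 .. pkgs.COUNT LOOP
    -- Step 1: is there a PUBLIC EXECUTE grant to remove at all?
    SELECT COUNT(*) INTO n
      FROM dba_tab_privs
     WHERE grantee = 'PUBLIC' AND owner = 'SYS'
       AND table_name = pkgs(i) AND privilege = 'EXECUTE';
    IF n = 0 THEN
      DBMS_OUTPUT.PUT_LINE(pkgs(i) || ': no PUBLIC EXECUTE grant (or package absent)');
      CONTINUE;
    END IF;
    -- Step 2: what outside SYS references the package and may break?
    DBMS_OUTPUT.PUT_LINE(pkgs(i) || ': PUBLIC has EXECUTE; dependents outside SYS:');
    FOR d IN (SELECT owner, name, type
                FROM dba_dependencies
               WHERE referenced_owner = 'SYS' AND referenced_name = pkgs(i)
                 AND owner NOT IN ('SYS', 'SYSTEM')
               ORDER BY owner, name) LOOP
      DBMS_OUTPUT.PUT_LINE('  ' || d.owner || '.' || d.name || ' (' || d.type || ')');
    END LOOP;
    -- Step 3: revoke only once the impact above has been assessed.
    IF do_revoke THEN
      EXECUTE IMMEDIATE 'REVOKE EXECUTE ON SYS.' || pkgs(i) || ' FROM PUBLIC';
      DBMS_OUTPUT.PUT_LINE('  revoked EXECUTE from PUBLIC');
    END IF;
  END LOOP;
END;
/
-- After the revoke, anything that lost access shows up here once recompiled.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID' AND owner NOT IN ('SYS', 'SYSTEM');
```

Users who genuinely need the package can then be granted EXECUTE directly rather than through PUBLIC.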

2010/2/22 <Jay.Miller_at_tdameritrade.com>

> Quick question, does revoking just SYS.DBMS_JVM_EXP_PERMS fix the problem
> or do we need to do all 3? From looking at the exploit it seems that
> SYS.DBMS_JVM_EXP_PERMS is the problem but the published recommendation is to
> revoke all three.
>
> We have some databases without SYS.DBMS_JVM_EXP_PERMS but which have one
> or the other, so that might save some work.
>
> Thanks,
>
> Jay Miller
>
>
> ------------------------------
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Andre van Winssen
> Sent: Friday, February 05, 2010 6:31 AM
> To: oracle-l_at_freelists.org
> Subject: Oracle 0 day
>
> Hi listmembers,
>
> The exploit code as published on http://blog.red-database-security.com/ by
> Alex works against 11gR1 and 11gR2 using a database user that only has the
> CREATE SESSION privilege.
>
> So production DBAs: be warned. The obvious workaround is to revoke the EXECUTE
> privilege from PUBLIC on package SYS.DBMS_JVM_EXP_PERMS, but the impact of that
> revocation on your own database needs to be tested.
>
> The Black Hat movie (
> https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov)
> is currently unavailable for some reason :-
>
> Regards,
> Andre
>

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 22 2010 - 09:32:42 CST