Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Oracle 9i Isn't Quite Unbreakable 113

BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com. For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."
This discussion has been archived. No new comments can be posted.

Oracle 9i Isn't Quite Unbreakable

Comments Filter:
  • by Greyfox ( 87712 ) on Sunday December 23, 2001 @04:28AM (#2743752) Homepage Journal
    Shooting your mouth off like that. You either get good publicity after announcing that the skript kiddies were unable to own your server or you get free security testing.
  • Hope their web site isn't running Oracle 9i, as it might suddenly start throwing up spurious errors...


    Oh, hang on [sneath.org], I think I've spotted something :-)


    There's a juicy irony in the content of that page...

  • if this is going to affect Larry's Oracard [templetons.com] project. Maybe the government should consider using mySQL? ;-)
  • I can understand readers not reading the articles all the time, but shouldn't the editors look at it in case the submitter wasn't completely acurate? The inaccuracy is that Oracle 9i also has a buffer overflow that can allow the attacker to gain control of the system. The DoS is another issue that took eEye 4 hours to find:

    Maiffret was more critical of Oracle. At the Comdex computer show last month, Oracle CEO Larry Ellison dared hackers to try to break into his company's software. Maiffret, a 21-year-old reformed hacker who has testified before Congress about computer security, said it took eEye programmers four hours to identify weaknesses in Oracle's programs that would have exposed users to a problem known as "denial of service" attack.

    The buffer-overflow flaw in Oracle's 9i application server was found by David Litchfield of Next Generation Security Software, based in Surrey in the United Kingdom.
  • A dollar dies

    http://www.securityfocus.com/vulns/stats.shtml

    And we pull this link for the 100'th time because we like to show that the only patch that works is the SYSADMIN/ADMINISTRATOR patch.

    To bad they can't be downloaded from the net.
    • While it is true that Linux (aggregate) will be higher than NT, look at the distribution of the actual vulns themselves. Compare two webservers, one running Linux/Apache, one running NT/IIS, Look at the services both would be running, and come back to me on which has more vulns per year.

      If anyone is running lpd, SunRPC, Telnet, FTP, etc on an internet facing server, they deserve what they get.

      Compare apples and apples, compare IIS to Apache. Same goes for IE and Outlook of course, you can't lump Outlook holes into those kind of stats either, although IE is fair game, since webapps can require IE, even if it's not explicitly open, it is still vulnerable.



      I see one maggot, it all gets thrown away -- My fiancee [nhdesigns.com]
  • So what? (Score:4, Insightful)

    by jfeasel ( 310506 ) on Sunday December 23, 2001 @04:48AM (#2743779)
    Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.
    • In real world many "admins" don't care even about changing default passwords. And you asking them to configure firewall :)
    • Re:So what? (Score:1, Interesting)

      by Anonymous Coward

      Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.

      Suuuure, let's just keep the internal networks completely insecure. Afterall, all attacks are done from the outside, we can always trust our employees, right? Not. Firewalls are a nice addon, but they're giving a false sense of security if you still keep your systems behind these firewalls unpatched, out-of-the-box-installed and poorly configured. Reports show that up to 80% (I think it was) of attacks happen from the inside.

      • It doesnt help that many "inside" attacks come from poorly developed networks that allow outside access to the internal intranet.
      • At least try to confirm them. :P

        A Google search [google.com] returns this article [bbc.co.uk] first that claims 70%, and carried some credibility.

        That article, however, was three years old, and I have to wonder if that statistic has changed with the proliferation of script kiddies and root kits. Perhaps "successful attacks" are that high, but in our company, we see attacks almost constantly from the outside, generally automated I grant you, but they are still attacks, whereas I doubt there have been very many inside attacks in our company of 6 people, two of whom are accountants.

      • Firewalls are a nice addon, but they're giving a false sense of security if you still keep your systems behind these firewalls unpatched, out-of-the-box-installed and poorly configured.

        Of course security on an internal machine is important, but let's be realistic. Someone inside your network is likely in a position to sniff the unencrypted connection to Oracle. In that case, they have access to the only interesting thing on the box. And Oracle's logging is so poor (you can't log each query) that you will never know what they did.

      • If you are so worried about your employees, set up the firewall in such a way that only allows connections from your webserver and your DBA station (etc... whatever other "trusted" machines are out there). In Oracle 9i's case, this doesn't seem to work as well, considering the webserver and database server are packaged together (this is a good idea???). However, since it is Apache, it shouldn't be too risky to leave port 80 open. Close off the rest.
    • Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.

      Databases are in common use on internet-facing applications, that need to deliver stateful behavior. Think of 9IAS as an Apache server with an Oracle backend. No matter where you put it, there will have to be a tunnel to port 80. If it's a public application, such as an ecommerce website, that tunnel will lead to the internet. As others have pointed out, in larger enterprises this server's vulnerability to internal attack may also be a problem.

      Needless to say, any dbms that carries useful information must be secure.

      • Databases are in common use on internet-facing applications, that need to deliver stateful behavior.

        Yes, but a security-conscious organization will ensure that the webservers and the database/application servers are on separate machines, separated by a firewall (in addition to the border firewalls at the edges of the DMZ). If you run everything on the same box, it only takes a single hole in any part of it to compromise the whole shebang.
      • Actually, if you put the db behind the firewall, the tunnel is to port 1521, not port 80.
        • The whole point of the vulnerable program (Oracle Application Server) is to act as a webserver, not as a database server. This is so you can build web-accessible functions right on the Oracle box. Obviously then you will plan to expose port 80. Just because you can separate the database from the webserver doesn't mean that people will -- in some applications the immediate locality of the database will provide a substantial performance boost.

          Regarding CatherineCornelius's remark that any database that carries useful information must be secure, bzzt, sorry, wrong answer: any exposed service must be secure. The attackers aren't interested in what you have on your box -- that's just gravy. What most of them are trying to acquire is bandwidth for building their DDoS networks (and relays for bouncing IRC off of), and they don't bother to check what you're doing with your hardware before they attack it. All they need to know is that you have bandwidth and a vulnerable service.

          On the other matter of the prevalence of internal attacks, I think the huge number of automated attacks running now has rendered the famous 70% mark long obsolete. Think of Nimda & Code Red. The vast majority of attacks are indiscriminate and external.

          For specific attacks against this particular service, these might be carried out by locating Oracle 9i Apache servers using netcraft, or by searching inventories already collected by potential intruders.

          The important thing to remember about firewalls is that they don't take the place of host-based security. Once someone finds a way to compromise a host behind the firewall, your entire network is exposed, so if you're not taking care to secure the hosts anyway, you're facing a potential total meltdown.

          BTW, protecting against this particular vulnerability might be a good application of Hogwash.
    • Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.

      Safe?

      Actually, I recall a lot of statistics indicating there is a considerable number of attacks on servers originating from INSIDE the firewall. Done by employees.

      Mind you, the servers at the company I work for are doubly firewalled (outside and inside), but people still need to use the databases and other services so there need to be some holes in the internal firewall, potentially making the servers vulnerable for attacks. Despite the firewalls there are still a lot of things to worry about...
    • A firewall in front of a secured network with properly secured servers and databases is going to be much more effective. Ideally, you should be able to take the firewall away and still have no major vulnerabilities showing to the public internet.

      The reason for this is that configuring a perfect firewall is near-impossible. Even if it were, it is easy to breach this security by opening the wrong port. If the rest of the infrastructure is secure, though, the firewall becomes a way of covering unanticipated (or as yet undiscovered) security holes. Security systems like firewalls only buy you time: if a new vulnerability appears they will keep you safe until a patch is available, but if you never apply the patch, the firewall will eventually be breached and your data exposed.

      You can't rely on security systems to make safe systems which are intrinsically vulnerable. So, a secure database of the kind Oracle are trying to deliver makes a significant contribution to Internet security, even if such systems properly should be behind a firewall.

  • The difficulty may be assomtopic to infinity, but it never hits the "unbreakable" axis.

    Now for my beef- /. really needs to revamp their whole moderator system. I post info (not like the dribble I posted above) and get modded down 3 times for being redundent?!? Hello, just because someone posted a similar reply 4 seconds before I hit "submit" doesn't mean I'm redundent, it means I type slower.

    As some other poster has in his/her sig, the more good comments you right the greater the chance you get modded down! (Gee, how long until this post gets "offtopic" (even though the first paragraph deals with the topic) or flamebait (for speaking about the bias that occurs here?)

    Hint for newbies, always LOVE Linux, always HATE Microsoft, be ambiguent about MaxOSX, and speek a lot of "Elite" words like symmetric anal rapings- 'cause you would be in jail And I mean IN
    • Moderation points:
      -1 Bitter
      -1 Slow typist
      -1 Way off topic
      +1 Vocabulary!
      Total= -3(OT)
      No, the moderator thing works. You just need to say something really intelligent before anyone else.

      Look at my recent comments and my moderation totals [slashdot.org] :)
    • You're totally right Bryan. In fact, my original submission of this story was edited down.
      In my original submission I pointed out how the notice of this Oracle exploit occured the same day as the XP hole, yet guess which one made it to /.?
      Apparently whoever decides which submissions are valid edited this little fact out. Granted, the XP hole is HUGE and Microsoft is absolutely clueless when it comes to security, but Ellison and the trade mags hyped 9i's being "unbreakable" to the moon. It took forever for /. to pickup the problem with the Mac/ipod as well as the Linux kernel problem with lost data, but if Bill Gates breaks wind there's 15 critiques on /. within seconds.
      The people who run /. have a right to post what they want, edit what they want and do whatever the heck they choose. It's their servers and their bandwidth. I don't want to foster the age-old MS vs Linux vs Mac vs BSD debate. Use whatever the hell works best for you and your company, get off your high horse, and let other people use what they want. Opinions are truely like assholes (everyone has them, especially me).
      My rambling point is that /. has become a news site. People look to this place to see what's going on in the world and the Internet. Too many people today (including the media) have forgotten that news is supposed to be OBJECTIVE. That means you report all of it, even the stuff you don't like, and you leave the spin and editing for the comments/editorials. I see a lot about censorship on slashdot, but not reporting, modding down or editing other people's posts because you disagree with their opinion is just that. Lets get back to seeing all the facts on the front page and the rants in the comments.
  • by Raindeer ( 104129 ) on Sunday December 23, 2001 @05:25AM (#2743821) Homepage Journal
    Nobody in their right mind declares software to be unbreakable. It is just like in science, even after the closest scrutiny all you can say about a theory is: "Not YET disproven". Even after the closest scrutiny you'll say about the program: "not yet broken". Because no matter how much review you did, there could be someone smarter then you.
    • It is just like in science, even after the closest scrutiny all you can say about a theory is: "Not YET disproven".

      This is just a technical quibble: It is possible to disprove a theory which predicts an observable fact. Here is the counter-example to your statement:

      On a clear day, theorize that the sun is up. Observe that it is indeed up. Theory proven.

      This is a trivial and stupid example; the sun is easy to see. But if you were to theorize the existance of a planet, and some one found it where you said it should be (wasn't that the case with Pluto?), it wouldn't seem quite so trivial.

    • You are wrong in so many ways. First of all, a statement about the properties of a program need not be empirical science. If one really wants to, these properties can be proven, for example by lambda-calculus. Thus programming is like mathematics; and just like maths you can of course make mistakes in your proof (the most common being perhaps mistaken assumptions). However, mathematical theorems are generally regarded to be proven (not just "not YET disproven") when enough people have seen it.
      One of the true achievements of the 20th century was the philosophical understanding that the meaning of a word (in this case "proven") is not definable by anything else than the sum of its usage. To say that we cannot have absolute knowledge on the workings of our programs is to take the first step towards a solipsistic view of the world (we cannot know anything with certainty, thus I assert nothing more than that I exist).
      I am willing to debate any solipsists on slashdot on this subject. I am also quite willing to debate those who have not understood the lessons of Wittgenstein, thus making uneducated statements on epistemology to the effect of "software cannot be theoretically unbreakable".
      I find it strange that while most people have some knowledge on what the new findings in physics since the 17th century are, virtually no one knows in what way philosophy have progressed.
    • My program is unbreakable. I wrote it in QBasic 4.5 and it beeps a number of times based on which menu item you chose. ph33r mY m4d b4s1c S|y11z!!!

      (Just a note, I'll bet there is probably a nice flaw in every C/C++ program I've ever written. I've got the only Hello World that can get you rooted, sheesh.)

      --Josh
  • by briansmith ( 316996 ) on Sunday December 23, 2001 @05:31AM (#2743826) Homepage
    Some people are confusing the Oracle9i Database with the Oracle9i Application Server. I agree that the naming is confusingly similar but they are two very different products. The article refers to Oracle9i Application Server, not the database.

    Oracle9i Application Server is basically Apache 1.3 bundled with Orion Application Server and and embedded (yes, embedded!) Oracle database server used for data caching. There are a variety of add-ons included as well, depending on how many tens of thousands of dollars (per processor) one wants to spend.

    Also, Larry's term "unbreakable" refers not just to security issues but also availability and scaleability.
  • Buffer overflows (Score:2, Interesting)

    by Tim Ward ( 514198 )
    Why are people still coding buffer overflows anyway?

    Sure, I've seen fixed size buffers with no checking, or calls to malloc with no checking, on ancient Unix code written in C dating back to the 1980s, but surely nobody has written gibberish like that for years?

    Or are there still hordes of new graduates, with no commercial training or experience, let loose on real products with no checking of their work?
  • Remind them to change the idiotic 'CHANGE_ON_INSTALL' SYS's(highest privilege user) default password first. :)
  • I'm still waiting for my network computer, Larry.

    Well, you didn't have to wait for it since last year, when the NIC [thinknic.com] computer came out, one of Larry's brainchilds [thinknic.com].

  • Back in prehistoric times, I ran UNIX on an 80286. One of the "features" of the 80286 was the use of segments to address memory. The maximum size of a segment was 64KB. Although this caused problems, it had a useful side effect. Due to the way that the C compiler allocated memory to segments in the large memory model, many buffer overflows produced immediate segmentation faults instead of silenting corrupting other areas of memory. This was actually useful for testing programs that would run without obvious errors on systems with 32-bit linear address spaces. Tagged and segmented memory systems have fallen out of favor with the increasing popularity of systems written in C. If we are not going to replace C with something safer, such as Ada, maybe we should look at the use of more sophisticated memory models as a way of detecting errors.
  • I gotta say, as totally irresponible as his statements were, he sure did find an easy way to come up with the fastest, cheapest, most thorough QA department in the world.
  • I shuddered when I first read that Oracle ad. I knew it would be only a few weeks before exploits were announced from 9i. Larry, did you learn nothing from Titanic besides that with enough money, even a terrible, terrible movie can win oscars?

    Also, the security adage comes to mind: security is a process, not a product.
  • buffer overflows.... (Score:1, Interesting)

    by Anonymous Coward
    Right, now I'm a fourth-rate programmer, most of whose work is at too high a level to deal with malloc, pointers, etc, (although I have used that stuff before), so I realise its not as simple as all this. But I cant understand why buffer overflows exist, as they all seem to be a common type of weakness.

    To my limited understanding of what these vulnerabilities are, they could be fixed by a few simple IFs when recieving things into the bugger. I know programmers typically often expect things to work, and dont built in checks against everything which a user (or a socket) could throw at them, whether through stupitidy or maliciousness, but on products like this or XP, you'd think they WOULD bother with error-checking. Perhaps 70% of my web application [dnbscene.com] is error-checking and idiot-proofing: laborious, but if an amateur hack like me can do it in the unpaid coding of a tiny website, why cant professionals?

    And most of all... Surely common weaknesses can be handled by a common error-checking routine?

    ie, they write buffer_overflow_check(buffer,incomingdata) and religiously use it every time? This way any security flaws will affect every buffer use in the whole program equally - making them easier to spot, I would have thought - and by the same token, if there are no flaws, the whole program is safe.

    AND its easier to debug and patch.

    Perhaps a better programmer than me could explain why this isnt possible?

    • The fucntions you desire already exist - they are the range-checking standard functions. Yet few people use them in favor of the unsafe originals.

      In the end, the ultimate issue is the use of a programming language (C or C++) that provides no memory management or garbage collection. Memory management issues lurk behind a vast number of the bugs and exploits you hear about, and on that fine day when people start executing their code in memory-managed sandbox environments, the world will be a safer place. Unfortunately C will likely be in heavy use for the next twenty years and exist in legacy code until you die, so maybe learning how to find overflow exploits is a good career move.

      • The strn* functions are miserable piles of excrement. They were not intended for range-checking but for making sure a fixed-size buffer was completely filled (because of the brain-dead directory structure on some early Unixes).
        char buffer[8192];


        strncpy(buffer, "hello, world", sizeof(buffer));
        Neat, we just spent time copying 8179 extra nuls! And heaven help you if your source is exactly as big as the buffer -- no nul for you!

        You're better off writing your own.

      • Actually this seems to be a common misconception. You have to manually keep track of the size of the string you are copying to ensure you always copy a null-terminated string. Most programmers don't, and thus introduce potentially unsafe code. Additionally, there is a performance loss when you don't use the whole buffer when copying -the strncpy function fills it with 0's.


        A better set of functions to use is the strl* functions [usenix.org] invented by OpenBSD's Todd Miller.

  • Monopoly on bugs (Score:4, Insightful)

    by tmark ( 230091 ) on Sunday December 23, 2001 @09:02AM (#2744015)
    More proof that Microsoft does not hold a monopoly on bugs.

    Oh, the self-righteous smarniness of chauvinists everywhere. If we needed more proof that Microsoft does not hold a monopoly on bugs, one only need look at any major open-sourced project. The Changelog for the Linux kernel, for instance, documents beaucoup bugs that users were living with on their OS (forget about their DB, which as someone else pointed out is most likely stashed away behind a firewall anyways). Why does such bugginess there not bear the same level of ridicule ?
  • by hatless ( 8275 ) on Sunday December 23, 2001 @09:03AM (#2744020)
    1. It's a buffer overflow in affecting the 9i Application Server--specifically, a PL/SQL Apache module--and not the database. Still a Bad Thing, but not the same thing.
    2. The crack regarding "still waiting for [your] Network Computer" is pretty dopey. Ellison's NIC Company [thinknic.com] has been shipping them going on two years now.

    You'd think they'd be a big hit with the Slashdot set seeing as they boot Linux with X off a CD, and have Ethernet, USB, a modem and VGA support built in, all for $200. I guess lame jokes predicated on them not existing are more fun.
    • NIC's are cool - They x86 and the bios is not weird. Their CD-Rom is a laptop form factor, and the while thing is quite small. Their memory is normal 100 Mhz SDRAM (there's only one slot). Because there is no hard-drive, there is no swap space - adding 256 Megs helps, and if you burn your own Linux, you can get them to boot off a network.

      My only gripe, is that the fans could be a *bit* quieter, and the keyoard is one of those stupid ones with all the extra 'internet' buttons. I just throw it away and use an normal one.
  • network computer (Score:2, Insightful)

    by Nebrie ( 530329 )
    You're still waiting for his network computer? It's been out for years, and he's actually making a profit off it. www.thinknic.com
  • BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug...

    Just as there is no truly free lunch, nothing is truly "unbreakable".

    We've said it before so lets go once more around the old oak tree: When you claim something is unbreakable you 1) Immediately mobilize an army of dorks trying to prove you wrong and 2) Are lying to sell more goods since nothing in this universe is truly unbreakable.

    Even the our beautiful Earth will one day be burnt to cinders when the Sun expands before dying...

    Has anybody that isn't as paranoid as me considered that this may have been a reasoned move on the part of Oracle? (Or on the part of any company that has claimed it's software to be "Unbreakable"...) After all, QA people cost money. It would be relatively simple to do a short QA on functionality, call it unbreakable, and let somebody else find the "show-stopper" bugs for you, for free. For the myopic business man, this looks like a win-win.

    "If I say it's unbreakable, and nobody finds any problems, we sell $1 billion worth of software and I'm happy...if they find bugs I can always say all software has bugs and we'll have found a big problem without paying QA an extra month's salary to find it."
  • I always said it, Ellison is crazy. He should seek psychiatric help.
  • ...they may as well have painted a bull's eye on the box. I love it when giant software companies tout security and reliability of their products as the main selling point in their ads. It always comes back to bite them in the ass. Software companies should take the advice of the airline industry and never tout their safety records :)

    Chris
  • They have a cross site scripting vulnerability that was still open the last time I checked. Dunno how they can claim it's unbreakable when they have unfixed holes.

    http://www.devitry.com/security.html [devitry.com]

  • I'd like to say that no software is ever completely perfect, and flaws are in every thing. So, happy holidays,
    AJ
  • MSFT might not have a monopoly on bugs, but the crappiness of the default security model in the MSFT OSes makes this bug much worse under Windows.

    "On Microsoft Windows NT/2000 systems this may mean that the attacker-supplied code is executed with SYSTEM level privileges, as this is the privilege level that the Apache process runs under. On other operating systems successful exploitation may merit local access for the attacker. "
  • I'm still waiting for my network computer, Larry.

    Bill, Larry, everybody knows you guys don't like each other. Now why don't you just take this little spat to email.

  • So what? (Score:2, Insightful)

    by lamj ( 153635 )
    A buffer overflow on a DB server isn't as deadly as on a web server or other offered public services.

    If the perimeter defense is setup properly, DB should never be directly accesible from the Internet (unless some abnormal setup). Just for information, for those web application driven by DB, I prefer to have a different subnet behind the web server using the internal IP address, so the DB is only accessible through the Web server (from the Internet). Any overflow attacker will have to go through the Web server and then the DB server.

    Having said that, there is still risk for internal attack (not to mention a lot of security risk comes from internal). So a quick patch is still very necessary.

    I have had a few sites the require access from business partners thru VPN to directly access the DB, I see this as a high threat and try my best effort to guard it. Especially because you cannot have a proxy type of filter from another vendor to screen the content (such as e-mail and web). IDS and firewall will not catch a lot of the direct attack. So, the best way to allow access to DB is still via indirect method (such as letting business partner use a web interface to access data.

Mater artium necessitas. [Necessity is the mother of invention].

Working...