Oracle 9i Isn't Quite Unbreakable
BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com.
For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."
Shooting your mouth off like that. You either get good publicity after announcing that the skript kiddies were unable to own your server or you get free security testing.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
if this is going to affect Larry's Oracard project. Maybe the government should consider using mySQL? ;-)
"The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
They that quote Benjamin Franklin on liberty and safety deserve neither.
Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.
As a SysAdmin (who never explicitly subscribed to any of the 3 CMP/techweb publications I now receive weekly/biweekly/monthly, or the electronic C|net shite I'm now eternally a "customer" of), it's pretty obvious who pays the bills for the (largely) waste of bandwidth reviews they provide. Wake up... they aren't going to bite the hands that feed them - particularly MS or Oracle.
While you/I/every other jaded IT employee with half a brain can be critical of this two faced advertising driven BS, the individual with a tight grip on the purse strings for IT expenditures is getting the same mailings & treating them as dogma - because he doesn't know/care that he's being fed crap with a fancy ribbon around it.
Until the push-periodicals are no longer driven by big bucks advertising contracts & therefore biased coverage of these products, IT "managers" will have a steady supply of bullshit benchmarks & reviews IN WRITING to reinforce & perpetuate their decision making process.
-ct
The difficulty may be asymptotic to infinity, but it never hits the "unbreakable" axis.
/. really needs to revamp their whole moderator system. I post info (not like the dribble I posted above) and get modded down 3 times for being redundant?!? Hello, just because someone posted a similar reply 4 seconds before I hit "submit" doesn't mean I'm redundant, it means I type slower.
Now for my beef-
As some other poster has in his/her sig, the more good comments you write the greater the chance you get modded down! (Gee, how long until this post gets "offtopic" (even though the first paragraph deals with the topic) or flamebait (for speaking about the bias that occurs here)?)
Hint for newbies, always LOVE Linux, always HATE Microsoft, be ambivalent about MacOSX, and speak a lot of "Elite" words like symmetric anal rapings- 'cause you would be in jail And I mean IN
Vote monkeys into Congress. They are cheaper and more trustworthy.
Nobody in their right mind declares software to be unbreakable. It is just like in science: even after the closest scrutiny all you can say about a theory is "Not YET disproven". Even after the closest scrutiny you'll say about the program: "not yet broken". Because no matter how much review you did, there could be someone smarter than you.
Use Adsense for Charity
Some people are confusing the Oracle9i Database with the Oracle9i Application Server. I agree that the naming is confusingly similar but they are two very different products. The article refers to Oracle9i Application Server, not the database.
Oracle9i Application Server is basically Apache 1.3 bundled with Orion Application Server and an embedded (yes, embedded!) Oracle database server used for data caching. There are a variety of add-ons included as well, depending on how many tens of thousands of dollars (per processor) one wants to spend.
Also, Larry's term "unbreakable" refers not just to security issues but also availability and scalability.
Why are people still coding buffer overflows anyway?
Sure, I've seen fixed size buffers with no checking, or calls to malloc with no checking, on ancient Unix code written in C dating back to the 1980s, but surely nobody has written gibberish like that for years?
Or are there still hordes of new graduates, with no commercial training or experience, let loose on real products with no checking of their work?
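The two unchecked patterns the post names, each beside a checked form, as an added example that is not from this thread or from Oracle/Apache code (the function names are hypothetical):

```c
/* Added illustration of "fixed size buffers with no checking" and
 * "calls to malloc with no checking"; function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* Pattern 1 (defective): fixed-size stack buffer, no length check.
 * Any source longer than NAME_MAX_LEN - 1 bytes writes past 'buf'. */
size_t copy_unchecked(const char *src)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, src);              /* no bound on the copy */
    return strlen(buf);
}

/* Checked form: measure against the destination size first, reject
 * input that does not fit (no silent truncation), always NUL-terminate.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);
    if (dstsz == 0 || n == dstsz)  /* src has at least dstsz bytes: too long */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Pattern 2 (defective): malloc result used without a NULL check,
 * so a failed allocation turns the copy into a write through NULL. */
char *dup_unchecked(const char *src)
{
    char *p = malloc(strlen(src) + 1);
    strcpy(p, src);                /* p may be NULL here */
    return p;
}

/* Checked form: bound the input length, check the allocation.
 * Returns NULL both for over-long input and for allocation failure. */
char *dup_checked(const char *src, size_t limit)
{
    size_t n = strnlen(src, limit);
    if (n == limit)                /* unterminated within 'limit' bytes */
        return NULL;
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, src, n);
    p[n] = '\0';
    return p;
}
```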
Remind them to change the idiotic 'CHANGE_ON_INSTALL' SYS's (highest privilege user) default password first. :)
>face it, Apache was never designed to handle
>mission-critical, Enterprise-level applications.
>It's great for serving web-pages out of your
>dorm-room, but for a $$$ piece of software like
>Oracle 9i, I don't know.
>you are never going to be able to fully vet a
>piece of software like Apache that was developed
>by non-professionals
Why are you spreading FUD like this? What is your hidden agenda?
Many professional programmers, particularly from IBM and Sun, participate in the Apache project; plus, IIS has been developed by so-called professionals, and, well, sorry, it's not particularly known for its robustness.
Please check your facts before posting uninformed posts, or stop spreading FUD.
Back in prehistoric times, I ran UNIX on an 80286. One of the "features" of the 80286 was the use of segments to address memory. The maximum size of a segment was 64KB. Although this caused problems, it had a useful side effect. Due to the way that the C compiler allocated memory to segments in the large memory model, many buffer overflows produced immediate segmentation faults instead of silently corrupting other areas of memory. This was actually useful for testing programs that would run without obvious errors on systems with 32-bit linear address spaces. Tagged and segmented memory systems have fallen out of favor with the increasing popularity of systems written in C. If we are not going to replace C with something safer, such as Ada, maybe we should look at the use of more sophisticated memory models as a way of detecting errors.
Mea navis aericumbens anguillis abundat
More proof that Microsoft does not hold a monopoly on bugs.
Oh, the self-righteous smarminess of chauvinists everywhere. If we needed more proof that Microsoft does not hold a monopoly on bugs, one need only look at any major open-sourced project. The Changelog for the Linux kernel, for instance, documents beaucoup bugs that users were living with on their OS (forget about their DB, which as someone else pointed out is most likely stashed away behind a firewall anyways). Why does such bugginess there not bear the same level of ridicule?
You'd think they'd be a big hit with the Slashdot set seeing as they boot Linux with X off a CD, and have Ethernet, USB, a modem and VGA support built in, all for $200. I guess lame jokes predicated on them not existing are more fun.
At least try to confirm them. :P
A Google search returns this article first that claims 70%, and carried some credibility.
That article, however, was three years old, and I have to wonder if that statistic has changed with the proliferation of script kiddies and root kits. Perhaps "successful attacks" are that high, but in our company, we see attacks almost constantly from the outside, generally automated I grant you, but they are still attacks, whereas I doubt there have been very many inside attacks in our company of 6 people, two of whom are accountants.
You're still waiting for his network computer? It's been out for years, and he's actually making a profit off it. www.thinknic.com
Just as there is no truly free lunch, nothing is truly "unbreakable".
We've said it before so let's go once more around the old oak tree: When you claim something is unbreakable you 1) Immediately mobilize an army of dorks trying to prove you wrong and 2) Are lying to sell more goods since nothing in this universe is truly unbreakable.
Even our beautiful Earth will one day be burnt to cinders when the Sun expands before dying...
Has anybody that isn't as paranoid as me considered that this may have been a reasoned move on the part of Oracle? (Or on the part of any company that has claimed its software to be "Unbreakable"...) After all, QA people cost money. It would be relatively simple to do a short QA on functionality, call it unbreakable, and let somebody else find the "show-stopper" bugs for you, for free. For the myopic businessman, this looks like a win-win.
"If I say it's unbreakable, and nobody finds any problems, we sell $1 billion worth of software and I'm happy...if they find bugs I can always say all software has bugs and we'll have found a big problem without paying QA an extra month's salary to find it."
Who did what now?
http://www.devitry.com/security.html
-- these are only opinions and they might not be mine.
In the end, the ultimate issue is the use of a programming language (C or C++) that provides no memory management or garbage collection. Memory management issues lurk behind a vast number of the bugs and exploits you hear about, and on that fine day when people start executing their code in memory-managed sandbox environments, the world will be a safer place. Unfortunately C will likely be in heavy use for the next twenty years and exist in legacy code until you die, so maybe learning how to find overflow exploits is a good career move.
MSFT might not have a monopoly on bugs, but the crappiness of the default security model in the MSFT OSes makes this bug much worse under Windows.
"On Microsoft Windows NT/2000 systems this may mean that the attacker-supplied code is executed with SYSTEM level privileges, as this is the privilege level that the Apache process runs under. On other operating systems successful exploitation may merit local access for the attacker."
A buffer overflow on a DB server isn't as deadly as on a web server or other offered public services.
If the perimeter defense is set up properly, the DB should never be directly accessible from the Internet (unless some abnormal setup). Just for information, for those web applications driven by a DB, I prefer to have a different subnet behind the web server using the internal IP address, so the DB is only accessible through the web server (from the Internet). Any overflow attacker will have to go through the web server and then the DB server.
Having said that, there is still risk for internal attack (not to mention a lot of security risk comes from inside). So a quick patch is still very necessary.
I have had a few sites that require access from business partners through VPN to directly access the DB; I see this as a high threat and try my best effort to guard it. Especially because you cannot have a proxy type of filter from another vendor to screen the content (such as e-mail and web). IDS and firewall will not catch a lot of the direct attacks. So, the best way to allow access to the DB is still via an indirect method (such as letting business partners use a web interface to access data).
Ok, let's have a little game, what's the name of the web server that has seen more worms than my garden's compost heap in the last year??
*notices all the geeks waving hands saying oh oh I know*
Here's a clue: it's not Apache.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.