[VIM] Interesting Oracle FUBAR..

security curmudgeon jericho at attrition.org
Tue Apr 11 18:30:57 EDT 2006



---------- Forwarded message ----------
From: "Kornbrust, Alexander" <ak at red-database-security.com>
To: full-disclosure at lists.grok.org.uk
Date: Mon, 10 Apr 2006 14:11:38 +0200
Subject: [Full-disclosure] Oracle read-only user can insert/update/delete data
     via specially crafted views

Hello Full Disclosure

Last Thursday 6th April 2006, Oracle released a note on the Oracle 
knowledgebase Metalink with details about an unfixed security 
vulnerability (=0day) and a working test case (=exploit code) which 
effects all versions of Oracle from 9.2.0.0 to 10.2.0.3. This note 
"363848.1 - A User with SELECT Object Privilege on Base Tables Can Delete 
Rows from a View" was available last week to Metalink customers. The note 
was also displayed in the daily headlines section of the Metalink.

That's why this information can be assumed as public knowledge and 
DBAs/Developers which missed the note on Metalink should know this 
vulnerability in order to avoid/mitigate the risk (if possible) whilst 
waiting for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such 
information on Metalink is not a wise idea. Oracle normally criticises 
individuals and/or companies for releasing information about Oracle 
vulnerabilities (like David Litchfield from NGSSoftware for releasing 
information an ever not fixed bug in mod_plsql gateway). In this case, not 
only Oracle released detailed information on the vulnerability; they also 
included the working exploit code on the Metalink.

In an interview few months ago, the Oracle CSO stated:  "I've known 
customers to terminate contracts ... for releasing exploit code... you 
might get applause from hackers... but business will not pay you to slit 
their throats. With knowledge comes responsibility."

After my email, Oracle removed the note from Metalink.

[..]


More information about the VIM mailing list