Hello Daymon and All,

I have CC'd in the Oracle Security Team....

> Do you have any plans to release proof of concept code for the Oracle
> exploit? The reason I ask is that "due to architectural constraints,"
> Oracle is not planning on releasing a patch for 8i releases. We contacted
> them about this, but they're sticking to their guns about the exploit
> requiring oracle authentication, and thus being a low(er)-risk
> vulnerability.

I know Oracle 9 is vulnerable and can be exploited without a user ID or password. I demonstrated an exploit for this problem at the European Blackhat Security Briefings. I know a number of the Oracle security guys have actually read the associated paper and are (or at least should be) _FULLY_ aware that this vulnerability _CAN_ be exploited without credentials. Oracle: let me know if you need more proof of this and I can send you the exploit.

As this new bug was introduced in the patch for the problem I reported here - http://www.nextgenss.com/advisories/oraplsextproc.txt - and Oracle will not give out patches to those who are not customers, I've never had the opportunity to test this on 8. At an educated guess, however, I believe 8 will be the same as 9.

> To quote the analyst that responded, "I'm not able to comment on David
> Litchfield's claims, but with SECURITY ALERT 57, you need the CREATE LIBRARY
> or the CREATE ANY LIBRARY privilege. The exploit is dependent on these
> privileges, so if they are not granted to users, the exploit fails. How a
> user could exploit these without being able to connect is difficult to even
> imagine."

The analyst should do more analysis then. It is really very simple.

> I'd like to see them put out a patch for this, but without some more proof
> of the anonymous exploit, and motivation to fix the problem regardless of
> "architectural constraints", I don't think they will.

I believe the Oracle security guys know this can be done without credentials, and if this is the case then it seems that one hand is not speaking to the other. If, however, the Oracle security guys believe this is not exploitable without a user ID and password, then let me know. I'm more than happy to supply Oracle with the exploit.

Can we get this resolved, once and for all, please?

Thank you,
David Litchfield