Security researcher David Litchfield has identified a vast number of attacks against Oracle application servers and has written them up in a paper which includes defensive strategies as well.

From this we learn, contrary to Oracle President Larry Ellison's claims, that Oracle is vulnerable to buffer overflow attacks, DoS attacks, and remote exploitation to name but a few difficulties.

First up we have a PL/SQL buffer overrun vulnerability. This is in the Apache front end affecting Windows NT/2K, where Apache runs in the System (root) account and consequently allows code to run with full privileges.

One problem is that the admin help pages are not PW protected. Thus a call to one of the pages can initiate a buffer overflow if it contains enough garbage (around 1K bytes). A quick fix would be to alter the admin path with something unique, making it difficult to guess.

Next, a directory traversal is possible due to a URL decoding glitch. This would allow an attacker to move from the Web environment to read files readable to the OS.

It's also possible to administer PL/SQL DADs (Database Access Descriptors) without authentication, Litchfield has discovered. An obvious goal in this case would be to add a password so the attacker can escalate his privileges.

These are only the first three taken in order for illustration. There are in fact scores of attacks listed in this compendium, including authentication bypassing, path mapping, SOAP vulnerabilities, weak default paths, and terribly guessable or forcable default passwords (examples are provided -- but system/manager is our absolute favorite).

Litchfield's paper should be required reading for anyone who owns or administers an unbreakable Oracle box. ®