Oracle E-Business suite wide open to database attack
Researcher who found bug says Big Red to patch flaw in Tuesday fix roundup
Clear some time in you diary and drink an extra coffee, sysadmins: a top hacker has warned that Oracle will tomorrow patch a horror bug that needs urgent attention.
Datacom TSS hacker David Litchfield told The Reg he has reported to Oracle that versions of its E-Business suite contain a "major" misconfiguration flaw that allowed anyone to fully compromise the database server.
Litchfield told The Reg that the hole is a "real doozy" that could not be explained by Oracle.
"The technical details are that the PUBLIC role has been granted the INDEX privilege on the DUAL table owned by SYS," Litchfield told Vulture South.
"This allows anyone to create an index on the DUAL table and if they create a function based index that function executes with the privileges of SYS – i.e. the root of all authority on the DB.
"I'm flabbergasted. I'm hoping it was simply done in error and I'll leave the conspiracy theories for others.".
Oracle has been contacted for comment and is yet to respond, but has listed several patches for many versions of the E-Business suite, with the most significant rated 6.4 on the CVSS bug-scoring scale.
Litchfield feels there is "absolutely no good reason" for Oracle to have granted PUBLIC the INDEX privilege on the DUAL table since the DUAL table was a dummy of sorts containing one record.
Tomorrow, Oracle are patching 11 flaws I reported to them a while back. Some are critical and one of them I'm just gobsmacked by.— David Litchfield (@dlitchfield) January 19, 2015
Litchfield found the flaw while conducting security tests for a client and initially suspected it to be a backdoor left behind by an attacker.
"My first thought was that this had possibly been left as a backdoor by an attacker because it can be trivially exploited to gain SYSDBA privileges and was possibly an indication that the database server had been compromised," he said.
The un-named customer reported they had not granted the privilege, leading to the discovery that it was granted as part of a seeded install of Oracle's eBusiness suite.
The confusion didn't end there. Litchfield said Oracle told him it had no record of why the backdoor existed, in a reply he felt was brief reply for such a complex issue.
"I looked through the bug and there is no indication of when or why the grants were originally added. Development is going with the assumption that it was not necessary and removing the added grants. However, it is hard to tell for certain. As you can imagine, this requires a lot of additional testing to ensure it does not break existing functionality. Thanks."
- Oracle's response to Litchfield.
The fix for the bug will be among 11 flaws Litchfield reported that Oracle planned to fix tomorrow. It will issue 167 in total for a laundry list of products, according to its pre-release patch announcement. ®