Oracle Unbreakable? Maybe Not


A British security expert has found security vulnerabilities in what Oracle has touted as its "unbreakable" database and application server.

In postings Wednesday to www.nextgenss.com, NGSSoftware researcher David Litchfield described a "high-risk" vulnerability in which an attacker could use the PL/SQL package in Oracle 8 and 9 databases to pose as an Oracle process and "execute any function in any DLL on the file system."

NGSSoftware researchers list several preventative measures, including barring Oracle processes from running as local systems on Windows NT/2000 servers. Oracle was alerted about this possible weakness last summer, received working code last October and is working on a patch, according to the posting. Additionally, a firewall could prevent any user from accessing the "listener port."


TEMPTING FATE?
A british security expert last week posted information on the Web that described so-called vulnerabilities in the Oracle 8 and Oracle 9 databases. Last fall, Oracle Chairman and CEO Larry Ellison challenged developers to try to break into the company's software, causing attacks on its Web site to spike.

NGSSoftware "has discovered a way to fool the Oracle database server into loading arbitrary libraries and executing arbitrary functions without ever having to authenticate," the research firm concluded.

Citing another "high-risk" weakness, Litchfield said the use of an Apache PL/SQL module in Oracle 9iAS can enable an attacker to create buffer overflows that could allow "execution of arbitrary code."

"On Windows NT/2000 systems, the Oracle Apache Web server by default runs in the context of the local SYSTEM account so any code will run with full privileges," according to the posting. NGSSoftware's Insight Security Research Advisory terms this vulnerability high risk.

Oracle has been tempting fate since last November when it launched its "Unbreakable" campaign, observers said. At Comdex and Oracle OpenWorld, Oracle Chairman Larry Ellison said even Oracle insiders were nervous about the "unbreakable" claims, fearing they would provoke every hacker and cracker on the planet. He also said at Oracle OpenWorld in December that attacks on the company's sites soared astronomically after the campaign launched, but Oracle's technology withstood the onslaught.

On its Web site, Oracle said it works fast to address security concerns. The company said it is "committed to providing robust security in our products. Occasionally, security vulnerabilities are found in Oracle products. Oracle makes every attempt to rectify these vulnerabilities quickly, yet effectively, culminating in the issuance of a Security Alert ... including description of the vulnerability, the risk associated with it, applicable workarounds, and/or patch availability."

Competitors have been circling around Oracle's unbreakable claims, with one major database rival spreading word of the NGSSoftware findings before they were made public.

Oracle could not be reached for comment.