[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] ISV unwilling to provide security patches on Oracle?
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] ISV unwilling to provide security patches on Oracle?
- From: petard <petard@sdf.lonestar.org>
- Date: Fri, 7 Nov 2003 04:41:02 +0000
On Thu, Nov 06, 2003 at 07:05:48PM -0800, adam morley wrote:
> Hi,
>
> (Short version: ISV doesn't think security patches are needed, I need to
> convince them otherwise. Long version follows)
>
> I'm writing because I'm working with an ISV that develops accouting products
> on Oracle (Specifically Oracle 8i, 9i and 9i app). Currently, they license
> the Oracle database as an application specific license. My current problem
> is they refuse to offer security patches for 8i, 9i or 9i app server, saying
> that the functioning of their app is more important than security fixes, and
> that a customer will have a firewall which is "good enough." I'd love to
> suggest users get patches themselves, but that requires each customer that
> uses this product get a metalink account, which costs money and the ISV says
> they won't support the database once the patches are applied (which,
> obviously is a problem for accounting software!).
>
> I've done some preliminary google searches to find white papers/articles/etc.
> to support my argument that security patches *in addition* to best practices
> like firewalls, good passwords, etc. lead to a secure product. I've found
> some, but I'd love to get some other white papers/articles/etc. in order to
> convince the ISV that security patches aren't an "optional" kind of thing,
> but rather a requirement in today's world. Any pertinent legal pointers
> would be helpful too (though the ISV is in Canada, so. . .NAFTA)
>
Here's a very short version of why your firewall is not "good enough". Suppose
that
I want to 0wn your accounting system for some reason. With an unpatched Oracle
8i server,
here's an easy recipe:
1. Send email to your accounting department enticing them to visit a web page
that
I control... say I announce a contest whereby whomever correctly tells me the
number
of jelly beans in this picture wins $500:
http://www.fst.nus.edu.sg/images/jelly%20beans.jpg
2. Prior to directing them to my contest entry form, use a page like the one
Liu Die Yu
sent to cause them to execute my own code from within your firewall, at their
user account's
level of privilege. (This will, naturally, be sufficient to allow them to
connect to the
database server.) You've patched their IE browsers like a good administrator,
but this attack
is still trivial.
3. While they're happily counting jellybeans and imagining the joy that the
$500 and the
accompanying tax form will bring, my code scans their ODBC settings for
information on
how to connect to your database server then uses one of my old exploits to
execute
code of my choosing on your DB. I could exploit this:
http://www.securiteam.com/securitynews/5FP0L2A4KK.html
or this:
http://www.nextgenss.com/advisories/oraplsextproc.txt
or any of several others that have been patched by Oracle.
Since you don't say what industry you're involved in or where you're located,
it's hard
to provide legal pointers. If you're publicly traded, unauthenticated access to
your DB
server might pose audit problems. If you're bound by HIPAA regulations, this
hole could
land your C-levels in jail. ISTM that the threat of losing customers ought to
be enough
to persuade this vendor to clean up their act...
HTH,
petard
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html