|
Oracle Hacker's Handbook. Hacking and Defending Oracle Authors: Litchfield D. Published year: 2004 Pages: 6-8/101 |
 |
Code Samples from the Book
To download relevant code samples from the book, please visit the book's web site at www. wiley .com/go/ohh .
Oracle and Security
In June of 1997, Larry Ellison and Robert Miner founded a company called Software Development Labs. Both had worked together at Ampex; Robert had been Larry's supervisor. Together they had a vision, inspired by the work of Edgar Codd. Codd worked as a researcher for IBM and developed ideas for relational database systems. In 1970 he published a paper entitled "Relational Model of Data for Large Shared Data Banks." While IBM was slow to see the potential of Codd's ideas, Larry and Robert were not. They changed their company's name to Relational Software, Inc., in 1979, and not long after that it again underwent a name change-becoming Oracle. "Oracle" had been the code name for a CIA project that both Larry and Robert had worked on while at Ampex. Indeed, by all accounts, in the early years , the biggest consumers of Oracle's software was the CIA and the NSA. Given this, one would assume that security would have been at the top of Oracle's agenda.
In 1999 Oracle started to gain the attention of the security research community. The first public record of a security bug in Oracle, according to SecurityFocus.com, was on April 29 of that year: Dan Sugalski posted that the oratclsh program was setuid root and executable by the *nix group , "others". This meant that anyone could run TCL scripts as the root user . Not long after this a number of flaws were revealed relating to the Oracle Web Listener, posted by the author and Georgi Guninski, as well as additional problems relating to default permissions. Oracle started releasing their own advisories in the year 2000, but these were released on an ad-hoc basis and often months after a flaw was announced publicly .
The graph shown in Figure I-1 shows the number of bugs reported in the "early" years. As you can see, the number of bugs grew exponentially, and indeed this is the only reason why 2003 and beyond are not shown on this graph-the numbers went through the roof, so to speak. Most of these bugs relate to buffer overflows in the RDBMS or the Application Server. One of the key weaknesses in Oracle, PL/SQL injection, didn't come to light until 2003, when on the fifth of November Oracle released Alert 61-an advisory that dealt with a number of injection flaws discovered by the author. This began a spate in the discovery of PL/SQL injection flaws, and even today most of the issues being fixed by Oracle are injection problems. As you'll see later in the book, flaws in PL/SQL are the Achilles' heel for the RDBMS, and when exploited allow an attacker to gain full control of the database server.
Figure I-1:
The number of bugs grew steadily between 1999 and 2002.
The " Unbreakable " Marketing Campaign
With the release of Oracle 9i, Oracle began a new marketing campaign in December 2001. They announced that their product was "unbreakable" and that no one could "break it" or "break in." To many in the security industry this was one of those Kennedy moments: Everyone can remember what they were doing when they first heard what Oracle announced. I certainly remember what I, and no doubt many others, did after-which was to download this "unbreakable" software and see just how tough it actually was. Within days of the announcement, my brother Mark and I had sent Oracle a bunch of reports detailing a great number of ways in which the server could be both broken and broken in to. After Oracle fixed these flaws I presented a paper on the issues at the Blackhat Security Briefings in the February of 2002. Oracle was thoroughly broken.
Today, Oracle will tell you that the campaign spoke of their commitment to security, and was not to be taken as a statement about their product's security. Hmmm.
|
Oracle Hacker's Handbook. Hacking and Defending Oracle Authors: Litchfield D. Published year: 2004 Pages: 6-8/101 |
|
