exploit the possibilities

Oracle Database Java VM 20 Weaknesses

Oracle Database Java VM 20 Weaknesses
Posted Jun 16, 2014
Authored by Adam Gowdiak | Site security-explorations.com

Security Explorations discovered multiple security issues in the implementation of a Java VM embedded in Oracle Database software. Among a total of 20 weaknesses discovered, there are issues that allow to create a specific Java security bypass condition or that facilitate the execution of arbitrary Java code on Oracle Database server without proper privileges.

tags | advisory, java, arbitrary
MD5 | 9ee0076d6a57058b84b2ffc0fab7e8a5

Oracle Database Java VM 20 Weaknesses

Change Mirror Download

Hello All,

Security Explorations discovered multiple security issues in the
implementation
of a Java VM embedded in Oracle Database software [1].

Discovered security issues violate many "Secure Coding Guidelines for the
Java Programming Language" [2]. Most of them demonstrate a well known
problem
related to Java SE security. Among a total of 20 weaknesses discovered,
there
are issues that allow to create a specific Java security bypass condition
or that facilitate the execution of arbitrary Java code on Oracle Database
server without proper privileges.

We developed reliable Proof of Concept codes for all of the issues found.
This includes 8 exploit codes implementing 3 different privilege elevation
techniques for gaining administrator role in a target database environment.

A malicious user with a bare minimum privilege required to connect and login
to Oracle Database (with "CREATE SESSION" privilege only) can successfully
compromise the security of the software that according to Oracle CEO "hasn't
been broken into for a couple of decades by anybody" and that is "so secure,
there are people that complain" [3].

The following versions of Oracle Database software were verified to be
vulnerable to all 20 identified weaknesses:
- Oracle Database 11g Release 2 (11.2.0.1.0) for Microsoft Windows x64
- Oracle Database 11g Release 2 (11.2.0.4.5) Patch Bundle 18590877 for
Microsoft Windows x64
- Oracle Database 12c Release 1 (12.1.0.1.0) for Microsoft Windows x64
- Oracle Database 12c Release 1 (12.1.0.1.9) Bundle Patch 18724015 for
Microsoft Windows x64

Our vulnerability report containing brief technical details of all
identified
issues and exploitation techniques along with corresponding Proof of Concept
codes were sent to Oracle today.

It's been almost 2 years since Java Reflection API issues were brought
to the
public attention. Regardless of that, simple instances of these issues
are still
present in Oracle products other than Java SE.

This is probably a good moment to remind what we said almost a year ago
at the
time of wrapping up our Java SE security research [4]:

"If Oracle had any Software Security Assurance procedures adopted for
Java SE,
most of simple Reflection API flaws along with a known, 10+ years old attack
should have been eliminated prior to Java SE 7 release. This didn't happen,
thus it is reasonable to assume that Oracle's security policies and
procedures
are either not worth much or their implementation is far from perfect. That
thought alone should catch attention of Oracle customers not necessarily
relying on Java SE, but rather on other Oracle products, which were
likely the
subject to the very same, questionable Software Security Assurance policies
and procedures as Java SE 7".

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Oracle Database
http://www.oracle.com/database
[2] Secure Coding Guidelines for the Java Programming Language, Version 4.0
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
[3] Oracle's Ellison downplays threat of NSA database snooping

http://www.reuters.com/article/2014/01/30/us-oracle-nsa-idUSBREA0T05U20140130
[4] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
http://seclists.org/fulldisclosure/2013/Jul/172
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close