Update: Oracle released a patch for this vulnerability. For details, please see my latest post here.
Last Thursday, at the 2012 Black Hat Conference in Las Vegas, David Litchfield released the details of yet another unpatched Oracle vulnerability. Litchfield’s presentation was an examination of Oracle index security and provided explanations and demonstrations of various index security issues fixed in recent Critical Patch Updates, including CVE-2010-0902, CVE-2011-3512 and CVE-2012-0552. He also disclosed a new 0-day vulnerability and provided a full demo.
So, what is this new vulnerability all about? It is a privilege escalation vulnerability that gives an attacker SYSDBA privileges. To perform the exploit, one needs the CREATE TABLE and CREATE PROCEDURE privileges as well as EXECUTE privileges on the DBMS_STATS package. Oracle Text also needs to be available. In a properly configured system, most users should not have the above privileges, but application developers and some others typically do. In addition, many common software packages don’t implement proper separation of duties and grant the application account excessive privileges that can be used to exploit this vulnerability.
Who is vulnerable?
Oracle has so far not announced a patch for this vulnerability. However, our testing has revealed that the July 2012 CPU includes fixes for Oracle 11gR2 on at least some of the more common operating systems, but not for other releases of Oracle. The DBMS_STATS package has been around since Oracle 8i, and Oracle Text since Oracle 9i. We believe that all versions of Oracle Database from 9i to 11gR2 are vulnerable, with the exception of some 11gR2 systems with the July 2012 CPU applied. Currently Oracle will only release patches for 10gR2 and newer, so a wide range of older systems will most likely never receive a patch for this vulnerability.
How to protect a system
What can be done to protect a system from this vulnerability? The first step is to check whether Oracle Text and DBMS_STATS are installed on the system. If either of them is not, the system is not vulnerable. By default, both of these packages are installed.
The next step is to assess which users on the system have the permissions necessary to exploit the vulnerability. To do this, you must identify all users that have CREATE TABLE, CREATE PROCEDURE and EXECUTE privileges on DBMS_STATS and CTXSYS.CTX_DDL. A good user rights management system will identify these users.
Once the users are identified, remove these privileges from any user that does not require them. For all users that do require these privileges, make sure to audit and/or monitor all calls to CREATE INDEX with an INDEXTYPE of CTXSYS.CONTEXT and all calls to DBMS_STATS.GATHER_TABLE_STATS. Any index on a column whose name includes ‘||’ is a red flag and indicates a possible attack.
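The three steps above as data-dictionary queries, as an added example that is not part of the original post: it is written for a DBA session on Oracle 10g or later (it uses CONNECT_BY_ROOT and NOCYCLE), and it assumes that the CREATE ANY TABLE and CREATE ANY PROCEDURE variants count as satisfying the requirement and that grants to PUBLIC are held by every user.

```sql
-- Constructed example (not from the post); run as a DBA on Oracle 10g or later.

-- 1. Are Oracle Text and DBMS_STATS present?
SELECT comp_id, comp_name, status FROM dba_registry WHERE comp_id = 'CONTEXT';
SELECT owner, object_name, status FROM dba_objects
 WHERE owner = 'SYS' AND object_name = 'DBMS_STATS' AND object_type = 'PACKAGE';

-- 2. Users holding all four prerequisites: directly, via nested roles, or via PUBLIC.
WITH eff AS (
  SELECT username, username AS grantee FROM dba_users
  UNION
  SELECT username, 'PUBLIC' FROM dba_users          -- assumption: PUBLIC grants apply to all
  UNION
  SELECT DISTINCT CONNECT_BY_ROOT grantee, granted_role
    FROM dba_role_privs
   START WITH grantee IN (SELECT username FROM dba_users)
 CONNECT BY NOCYCLE PRIOR granted_role = grantee    -- walk role-to-role grants
),
needed AS (
  -- assumption: the ANY variants are treated as satisfying the requirement
  SELECT e.username,
         CASE WHEN s.privilege LIKE 'CREATE%TABLE' THEN 'CREATE TABLE'
              ELSE 'CREATE PROCEDURE' END AS req
    FROM eff e JOIN dba_sys_privs s ON s.grantee = e.grantee
   WHERE s.privilege IN ('CREATE TABLE', 'CREATE ANY TABLE',
                         'CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
  UNION
  SELECT e.username, t.owner || '.' || t.table_name
    FROM eff e JOIN dba_tab_privs t ON t.grantee = e.grantee
   WHERE t.privilege = 'EXECUTE'
     AND (t.owner, t.table_name) IN (('SYS', 'DBMS_STATS'), ('CTXSYS', 'CTX_DDL'))
)
SELECT username, COUNT(DISTINCT req) AS prereqs_held
  FROM needed
 GROUP BY username
HAVING COUNT(DISTINCT req) = 4                      -- all four prerequisites held
 ORDER BY username;

-- 3. Existing CONTEXT indexes whose indexed column name carries the '||' red flag.
SELECT i.owner, i.index_name, c.table_name, c.column_name
  FROM dba_indexes i JOIN dba_ind_columns c
    ON c.index_owner = i.owner AND c.index_name = i.index_name
 WHERE i.ityp_owner = 'CTXSYS' AND i.ityp_name = 'CONTEXT'
   AND INSTR(c.column_name, '||') > 0;

-- 4. Record the two calls the post names (needs the AUDIT_TRAIL parameter enabled).
AUDIT INDEX BY ACCESS;
AUDIT EXECUTE ON sys.dbms_stats BY ACCESS;
```

Review the list from step 2 by hand before revoking anything: it will include DBA accounts and any application account that legitimately needs all four privileges, which are the ones to put under the step 4 auditing rather than strip.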