From Nick.Wagner@quest.com Fri, 15 Feb 2002 09:56:24 -0800
From: Nick Wagner <Nick.Wagner@quest.com>
Date: Fri, 15 Feb 2002 09:56:24 -0800
Subject: RE: another security issue with Oracle 9.x
Message-ID: <F001.004113A0.20020215095328@fatcity.com>
MIME-Version: 1.0
Content-Type: text/plain
Title: another security issue with Oracle 9.x



There 
is also the 
<SPAN 
class=369145317-15022002> 
<SPAN 
class=369145317-15022002>sqlplus "/ as sysdba" 
<SPAN 
class=369145317-15022002> 
breach 
as well...   make sure you have your password files set up.  

<FONT face=Tahoma 
size=2>-----Original Message-----From: Jacques Kilchoer 
Sent: Thursday, February 14, 2002 3:58 PMTo: Multiple 
recipients of list ORACLE-LSubject: another security issue with 
Oracle 9.x
I hate to seem overly "alarmist", but in addition to the SNMP 
security issue mentioned already, I have read of this problem discovered by Next 
Generation Security Software Ltd. in Sutton, England:
<A href="http://www.nextgenss.com/advisories/oraplsextproc.txt" 
target=_blank>http://www.nextgenss.com/advisories/oraplsextproc.txt 

<<<A large part of Oracle database functionality is 
provided by PL/SQL packages. PL/SQL, or Procedural  Language/ Structured 
Query Language, extends SQL and allows an "executable" package be created that 
exports procedures and functions. PL/SQL packages can be extended to call 
functions exported by operating system libraries or Dynamic Link Libraries. It 
is possible to create a (PL/SQL) library and PL/SQL package that calls any 
function in any library on the file system. An attack would probably call 
system() and pass the name of a program to be executed. It is apparent that to 
do this a user must be able to connect to the Oracle database server and login 
with an account that has the CREATE LIBRARY permission before an attack becomes 
successful. However, NGSSoftware Insight Security Research has discovered a way 
to fool the Oracle database server into loading arbitrary libraries and 
executing arbitrary functions without ever having to 
authenticate.>>
(more details at the link)