Database Security - My boss will not listen
kcarrera
07-18-2001, 10:14 AM
I have been trying to get my boss to apply a vendor patch to our database, but he says it may crash the server. I showed him this vulnerability:
http://www.pgp.com/research/covert/advisories/050.asp#vulnerablesystems
but he says it is not a real threat. Is there anyone here who knows how to execute this exploit? Or does anyone have the actual source code? I want to show him that we are vulnerable.
Thanks for any help offered,
Kenneth
qball
07-19-2001, 11:54 AM
The TNS Listener daemon runs with "LocalSystem" privileges under Windows NT/2000, and with the privileges of the 'oracle' user under Unix. Exploitation of this vulnerability will lead to the remote attacker obtaining these respective privileges.
Basically this is stating one can make requests through the Oracle Listener. With local system privileges in 2k, this could be dangerous as now your Oracle client has a way in to your server. You basically want the oracle client to have DB access only and have oracle maintain that client's security.
Well, if you're running 2k, that's not a good thing. For UNIX, configure the 'oracle' user to not have system access.
Now for the situation with your boss. If he thinks the patch will crash the system, ask him what will happen if a client removes the Oracle listener through the above vulnerability. Plus, you have an Oracle licence and the patch should be supported by Oracle, so applying it should be just DB maintenance. Secondly, you have brought this issue to his attention; if he chooses to ignore it and you get hacked (it only takes one, people!), tell him to fix it.
Network and DB security are major issues. If one chooses to ignore and bad things happen, you look pretty stupid.
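The point in the post above is that the listener's damage potential is set by the account it runs under. A quick way to check that on a Unix box is to look at who owns the tnslsnr processes. The script below is an added example, not code from this thread or from Oracle: it reads `ps -eo user,comm` style lines and flags any listener not running as the expected unprivileged account (assumed here to be 'oracle'; the sample process list is constructed for demonstration).

```shell
#!/bin/sh
# Added example: audit which account owns Oracle TNS listener (tnslsnr)
# processes so the listener is not running as root.
# Input: lines of the form "USER COMMAND", as printed by `ps -eo user,comm`.
# Exit status: 0 if every listener runs as the expected account,
#              1 if any listener runs as root or another unexpected account.

# Account that should own the listener (assumption: 'oracle').
EXPECTED_USER="${EXPECTED_USER:-oracle}"

# audit_listener_owner reads ps-style lines from stdin and reports findings.
audit_listener_owner() {
    rc=0
    while read -r user cmd; do
        # Only look at listener processes; skip everything else.
        case "$cmd" in
            tnslsnr|*/tnslsnr) ;;
            *) continue ;;
        esac
        if [ "$user" = "$EXPECTED_USER" ]; then
            echo "OK: listener '$cmd' runs as $user"
        else
            echo "FINDING: listener '$cmd' runs as $user (expected $EXPECTED_USER)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample process list (not real output from any system).
SAMPLE_PS='root     /sbin/init
oracle   /u01/app/oracle/bin/tnslsnr
root     tnslsnr
postgres postmaster'

# Demo run on the constructed sample; on a live box use:
#   ps -eo user,comm | audit_listener_owner
printf '%s\n' "$SAMPLE_PS" | audit_listener_owner \
    || echo "Audit result: at least one listener runs under the wrong account"
```

The same idea applies on Windows NT/2000, where the check is the service account the listener service logs on as rather than a process owner; a listener service running as LocalSystem is the case the post warns about.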
Cygnus-X1
07-20-2001, 08:59 PM
As I have seen before in my dealings with some "network admins" they seem to enjoy complacency in an ever changing field!
qball
07-22-2001, 03:31 PM
Easier to do nothing, than to do your job. Stop being successful, you're making us look bad....
kcarrera
10-22-2001, 02:32 PM
I still cannot seem to find the actual exploit code. I want to be able to test this on my db. I want to make sure it is a real threat before I change something.
Thanks for any help offered.
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.