[dbsec] On Oracle worms
- From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
- To: <dbsec@xxxxxxxxxxxxx>
- Date: Thu, 17 Nov 2005 17:25:17 -0000
A few weeks ago someone posted [
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html
] half a worm to the full-disclosure mailing list. The idea of an Oracle
worm has always been bubbling under the surface but has routinely been
dispatched with a "there's no point in writing an Oracle worm because
they're all protected by firewalls" attitude. What is clear is that not
every Oracle server is protected by a firewall - there are plenty out there
that are exposed. In a few weeks, when the research has been completed, I'll
post the results on this - just how many Oracle servers are out there,
exposed to all and sundry. Besides this, I'm surprised that no-one has yet
pointed out that the extproc flaw [
http://www.nextgenss.com/advisories/oraplsextproc.txt ] is an ideal vector
for a worm. The worm could call extproc remotely, launch libc or msvcrt.dll,
call the system function and tftp down a copy and so on. Touch wood this
won't become a self-fulfilling prophecy. This is one of the strongest
arguments to ensure you're patched against the extproc flaw or, for even
better protection, disable external procedures altogether if your apps don't
need them.
Cheers,
David
( Posted to http://www.databasesecurity.com/oracle-commentary.htm )
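The advice above to disable external procedures can be verified on a host. The following is an added example, not part of the original post: it parses a listener.ora file and reports every entry that still exposes the extproc agent. It assumes external procedures are configured the classic way (a SID_DESC with PROGRAM = extproc and an IPC address keyed EXTPROC); the sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample in the classic default layout (not taken from the post).
SAMPLE = """
LISTENER =
  (DESCRIPTION_LIST = (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521))))
SID_LIST_LISTENER = (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle)(PROGRAM = extproc))
    (SID_DESC = (GLOBAL_DBNAME = orcl)(SID_NAME = orcl)))  # the real database
"""
TOKEN = re.compile(r'"[^"]*"|[()=]|[^\s()="]+')

def parse_value(tok, i):
    """Parse a literal or a run of (KEY = value) groups; return (value, next index)."""
    if tok[i] != "(":
        return tok[i], i + 1
    items = []
    while i < len(tok) and tok[i] == "(":
        key = tok[i + 1].upper()              # tok[i + 2] is '='
        val, i = parse_value(tok, i + 3)
        items.append((key, val))
        i += 1                                # step over the closing ')'
    return items, i

def parse_listener(text):                     # returns {PARAMETER: value tree}
    tok, i, params = TOKEN.findall(re.sub(r"#.*", "", text)), 0, {}
    while i < len(tok):
        params[tok[i].upper()], i = parse_value(tok, i + 2)   # tok[i + 1] is '='
    return params

def walk(value):
    """Yield the scalar KEY/value pairs of every parenthesised group, depth first."""
    if isinstance(value, list):
        yield {k: v for k, v in value if isinstance(v, str)}
        for _, child in value:
            yield from walk(child)

def find_extproc(text):
    """List (parameter, kind, name) for each external-procedure entry still configured."""
    found = []
    for param, tree in parse_listener(text).items():
        for kv in walk(tree):
            if "extproc" in kv.get("PROGRAM", "").lower():
                found.append((param, "service", kv.get("SID_NAME", "?")))
            if kv.get("PROTOCOL", "").upper() == "IPC" and kv.get("KEY", "").upper().startswith("EXTPROC"):
                found.append((param, "ipc-endpoint", kv["KEY"]))
    return found
```

An empty result from `find_extproc` means the listener no longer advertises an external procedure service; any hit names the parameter block to remove if the applications do not need external procedures.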