Re: Litchfield on October patch
- From: Ray Stell <stellr@xxxxxxxxxx>
- To: Thomas.Mercadante@xxxxxxxxxxxxxxxxx
- Date: Thu, 20 Oct 2005 11:16:48 -0400
So, the October surprise is that the holes are really closed, cool!
Litchfield described earlier:
"Some of Oracle's "fixes" simply attempt to stop the example exploits I sent
them for reprodcution purposes. In other words the actual flaw was not
addressed and with a slight modification to the exploit it works again. This
shows a slapdash approach with no real consideration for fixing the actual
problem itself."
http://en.wikipedia.org/wiki/October_Surprise
On Thu, Oct 20, 2005 at 10:54:12AM -0400, oracle-l-bounce@xxxxxxxxxxxxx wrote:
> Exactly. DBCA is a beast that should be put to sleep. It cruds the
> database up with stuff that you don't need, and that Oracle wants to
> charge you for. We never use it.
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jesse, Rich
> Sent: Thursday, October 20, 2005 10:49 AM
> To: bdbafh@xxxxxxxxx; stellr@xxxxxxxxxx
> Cc: oracle-l
> Subject: RE: Litchfield on October patch
>
> Better yet, just don't use the dbca.
>
> Rich
>
> "E-vil. Like the fru-its of the dev-il, E-vil."
> -- Charley Mackenzie, So I Married An Axe Murderer
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx
> [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Paul Drake
> Sent: Wednesday, October 19, 2005 6:09 PM
> To: stellr@xxxxxxxxxx
> Cc: oracle-l
> Subject: Re: Litchfield on October patch
>
>
> On 10/19/05, Ray Stell <stellr@xxxxxxxxxx> wrote:
> > from bugtraq:
> >
> > Having downloaded and given the Oracle October patch a cursory
> examination,
> > some of the flaws Oracle told me were being fixed, remain exploitable.
> Once
> > again the patch is not sufficient. I will conduct a full investigation
> of
> > the patch over the coming few days and post some recommendations once
> > complete. Incidently, it's good to see that the NGS Disclosure policy
> of not
> > publicly releasing details of the flaws "fixed" seems to work as a
> useful
> > fail safe mechanism.
> >
> > More to follow...
> > Cheers,
> > David Litchfield
> > NGSSoftware Ltd
> > http://www.ngssoftware.com/
> > ======================================================================
> > Ray Stell stellr@xxxxxx (540) 231-4109 Tempus fugit 28^D
> > --
> > //www.freelists.org/webpage/oracle-l
>
> This one will knock out vulnerabilities DB [17-25]:
> Steps for Manual De-installation of Oracle Spatial
> http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_d
> atabase_id=NOT&p_id=179472.1
>
> Basically, the schema mdsys is created by default in a dbca db, even
> if the spatial option is not being installed. In theory, the
> following:
>
> SQL> drop user spatial cascade;
>
> should do the trick.
> The referenced doc was for 9i and not apparently updated for 10g.
>
> As always, test on a destructo box first.
>
> Paul
> --
> //www.freelists.org/webpage/oracle-l
> --
> //www.freelists.org/webpage/oracle-l
> --
> //www.freelists.org/webpage/oracle-l
--
======================================================================
Ray Stell stellr@xxxxxx (540) 231-4109 Tempus fugit 28^D
--
//www.freelists.org/webpage/oracle-l
Other related posts:
