ADMINISTRATORS WORK TO PATCH ORACLE8 HOLE
By Charles Babcock
Oracle is saying little about one of the most significant Oracle database security flaws uncovered in several generations. The bug affects versions of Oracle8 and Oracle8i running under Unix, which is usually the configuration of Oracle in high-end corporate systems; it grants any intruder who discovers the hole almost unlimited access to any information in the databases.
Oracle quietly has posted a patch. But the company (http://www.oracle.com) so far has made no public announcement of the exposure and has posted no notice on the open portions of its Web site. The only parties notified by their vendor are those who pay for annual maintenance contracts, a condition for viewing the MetaLinks support site where Oracle has responded to the discovery of the hole.
"Oracle is not talking about it. It's being a lot quieter than it has to be about this patch," said Jared Still, Oracle database administrator at Regence Blue Cross, Blue Shield in Portland, Ore. Still discovered the hole when a notice about it was posted April 29 to an Oracle user mailing list that he maintains. He had the problem fixed before an e-mail notice arrived from Oracle's support organization, MetaLinks, informing him "about a week later" of a patch.
The hole was discovered in late April by John Ritchie, a systems software analyst at the Oregon University System at Corvallis, Ore., and Webmaster at telnet://www.ous.edu. Once on a Unix server, an intruder can find an application associated with Oracle Intelligent Agent, a feature added to Oracle8 to allow remote administration. The application, oratclsh, gives a hacker the power of the Tcl scripting language to run commands on the Unix server.
Anyone finding oratclsh "is exactly three commands away from full root access," said Dan Sugalski, a systems administrator at the Oregon University System. The "root" account is reserved for the master system administrator of a Unix server. With root privileges, a hacker can establish a hidden account, leaving a back door open for return to the system. The hacker can disable system safeguards, capture passwords and acquire access to system files and user accounts, Sugalski said.
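For administrators who want to check their own servers, the following audit script is an added example, not code from the article, Oracle or the people quoted. It assumes oratclsh is installed somewhere under the Oracle home directory and that the root exposure comes from the binary carrying the setuid bit (an assumption; the article only says the program is "three commands away" from root). The harden function removes that bit as an interim workaround; the vendor patch remains the actual fix.

```sh
#!/bin/sh
# Added example: locate oratclsh below an Oracle home and report whether it
# is installed setuid. Assumes ORACLE_HOME paths contain no whitespace.
#
# audit_oratclsh ORACLE_HOME
#   prints one line per copy found; returns 0 if no setuid copy exists,
#   1 if at least one setuid copy exists, 2 if the directory is missing.
audit_oratclsh() {
    home="$1"
    status=0
    if [ ! -d "$home" ]; then
        echo "not a directory: $home" >&2
        return 2
    fi
    # The agent may install more than one copy, so search the whole tree.
    for f in $(find "$home" -type f -name oratclsh 2>/dev/null); do
        if [ -u "$f" ]; then
            # setuid bit set: any local user who runs it gets the owner's
            # privileges, which is the exposure the article describes
            echo "SETUID: $f ($(ls -l "$f"))"
            status=1
        else
            echo "ok:     $f (no setuid bit)"
        fi
    done
    return $status
}

# harden_oratclsh ORACLE_HOME
#   interim workaround (editor's suggestion, not the vendor patch): strip
#   the setuid bit and deny access to anyone but the file's owner.
harden_oratclsh() {
    home="$1"
    for f in $(find "$home" -type f -name oratclsh 2>/dev/null); do
        chmod u-s,go-rwx "$f" && echo "hardened: $f"
    done
}
```

Run `audit_oratclsh "$ORACLE_HOME"` first; a non-zero exit means a setuid copy is present and should be patched or hardened.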
Sugalski said he posted a notice to Still's volunteer user site at http://www.telelists.com/cgi-bin/lyris.pl?enter=oracle saying: "Huge security hole in Oracle 8.0.5 with Intelligent Agent installed."
"If an enterprising hacker recognizes the Tcl application, you're toast. He can totally disable your system," said Paul Diehl, database administrator at Sumaria Systems, a contractor for the F-16 System Program Office at Wright-Patterson Air Force Base. "Or he may remain a 'silent partner,'" hidden in the background and collecting information as the system runs. Diehl said the danger from the hole is reduced by the fact that the hacker first must find a way into the Unix system; Sumaria's is protected by a firewall.
Diehl said he learned how to disable the application by reading an archive of Bugtraq, a mailing list whose security discussions are archived at several places on the Web.
Oracle notified paying support customers of a fix on May 7. The company posted a frequently asked questions statement on its MetaLinks support site soon after, stating that the hole affected Oracle 8.0.3, 8.0.4, 8.0.5 and 8.1.5, all running under Unix.
Many Oracle users, however, are self-maintained and are not paying annual maintenance contracts, said Jim Balderston, an analyst at Zona Research. With the flaw's airing on Bugtraq, many hackers will have noticed it, but word has not necessarily gotten to the harried corporate database administrators.
Oracle did not respond to repeated requests for comment.