Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589

Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an
unauthenticated attacker on the Internet to gain full control of a backend
Oracle database server via the front end web server.

Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is
vulnerable to PLSQL injection. This package uses definer rights execution
and therefore executes with the privileges of the owner, in this case the
highly privileged PORTAL user.

Specifically, the SHOW procedure takes as its 2nd argument the name of a
function to execute and this is embedded with a dynamically executed
anonymous block of PLSQL without first being sanitized. Because it is a
block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL
statement, for example, create new users, grant dba privileges, delete or
modify data. This is achieved by wrapping the statement(s) within an
“execute immediate” statement and specifiying the autonomous_transaction
pragma.

Fix Information
***************
Oracle was alerted to this flaw on the 9th October 2007. A patch has now
been made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
designed specifically for Oracle, can be used to accurately determine
whether your servers are vulnerable to these flaws. More information about
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oracle.php

About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076

“Here is some more detailed information on the use of country-by-country data sets in firewall configurations, where it may be appropriate, and methods by which one may use the sets to create traffic reports. While the methods listed and tools available are created specifically for ISA, the concept can be applied to any product that supports the necessary data elements”

Read the full article at Security Focus.

South-East Winners Secure Worldwide Software

Sutton-based Next Generation Security Software Ltd (NGS) has been named as South-East England regional winners of the 2008 International Trade Awards.

The International Trade Awards, sponsored by HSBC, recognise companies of all sizes which have excelled in creating new international business, in exporting, importing or investment.

NGS started trading in 2001, drawing on the experience and expertise of their founder-directors in both national and international security services and IT. The company has focused on providing vulnerability scanners and consulting services to the world’s largest corporations, banks and governments with an online internet presence.

It has built a global reputation for excellence within the security industry with cutting edge research, reference works and white papers, software vulnerability advisories and presentations at international conferences.

NGS now earns nearly 80 per cent of its revenues outside the UK, and turnover has grown by a massive 4,000 per cent since 2001. Its award winning total security package includes security application testing, network penetration testing, code review and training services.

Its client base reads like a directory of the industry majors – ranging from software vendors such as Microsoft to major government and corporate entities. In the competitive field of security consultancy NGS were recently selected by CESG as one of only three security companies in the UK to evaluate new Government systems before going live under the Tailored Assurance Scheme.

With 63 per cent of its business emanating from the US and sales and marketing operations now based in the US, Australia and Thailand, NGS has established a truly 24/7 global consulting presence. NGS has won a number of awards in recent years, including the Queen’s Award for Enterprise in 2007 for success in international trade.

Its Typhon III vulnerability scanner was tested against some of the world’s leading brands in a competitive analysis by SC magazine. Typhon III provides fast and accurate identification of current and historical security vulnerabilities and offers secure quality protection against current threats including: worms, rootkits, phishing and SQL Injection. It also confers protection against emerging risks such as pharming and confidential data theft. SC magazine rated it a ‘Best Buy’ globally.

In 2008 to date, NGS Software has been judged ‘Best Security Company’ in the prestigious industry-wide SC Awards Europe; Managing director David Litchfield was pronounced ‘Entrepreneur of the Year’ at the South London Business Awards, and the company was named as one of the Red Herring 100 Europe top 100 entreneurial companies.

For the judges of the 2008 international Trade Awards, Ian Campbell, Consultant editor of organsiers International Trade Today magazine said: ‘We were very impressed by the huge global footprint established by the six founding directors of NGS in the fiercely competitive world of internet technology. Communications and information technology are fundamental to the way business is going to develop in the 21st century. We all know, from personal disasters stemming from computer viruses to media stories of government and banking failures to protect our data, that this burgeoning industry is creating its own breed of criminals. Companies like NGS offer the industry the tools and the know-how to fight back and protect the rest of us.

Their presence in the global market-place, and especially their penetration of the largely US-dominated industry, is a tribute to their research and development skills, their persistence and their truly professional approach to international trade.’

The Head of Trade and Supply Chain at HSBC, Stuart Nivison said “From a very strong list of applicants, Next Generation Security Software Ltd stood out as the very clear winners. The pace of overseas growth whilst competing against some of the major players in the market is truly outstanding. Above all it was the clear commitment, vision and passion for the founding management team which clinched our decision.”

NGS Managing Director Dave Litchfield said: ‘NGS were extremely proud to be announced as the South-East England regional winners of the 2008 International Trade Awards which recognised the efforts of all NGS personnel.

‘The award ceremony hosted by HSBC at their offices at Canary Wharf was a great occasion. We were made to feel very welcome and we shared good wine, good food and good company.

‘The speeches made by Stuart and Ian left us quite humbled as between them they put into perspective the achievements of our company and the impact we have made in the global security space.

We look forward to meeting again next year in the UK Finals.’

HSBC Bank is a wholly-owned subsidiary of HSBC Holdings plc which is headquartered in the UK. Registered Office: 8 Canada Square, London E14 5HQ, United Kingdom. Incorporated in England with limited liability. Registered number 14259. Regulated by the Financial Services Authority. We only advise on our own life assurance, pensions and unit trusts.

Notes:

The HSBC Group serves over 128 million customers worldwide from around 10,000 offices in 83 countries and territories in Europe, the Asia-Pacific region, the Americas, the Middle East and Africa. HSBC is marketed worldwide as ‘the world’s local bank’.

The International Trade Awards 2008 are organised by International Trade Today magazine, Orion House, 14 Barn Hill, Stamford, Lincs PE9 2AE, Tel: 0208 144 8920, E: info@internationaltrade.co.uk. Full details of the awards programme can be found at www.internationaltradeawards.co.uk. International Trade Today magazine is celebrating its 71st anniversary this year, having published its first issue as Export magazine in November 1937.

Read the full article at PC World (Aus).

 Read the full article at WashingtonPost.com

“South London businesses were in the spotlight as winners were announced at the glamorous South London Business Awards ceremony at Crystal Palace Football Club, Selhurst Park, on Monday 19 May.”

===========
Description
===========
Wade Alcorn and John Heasman of NGSSoftware have discovered a stack
overflow vulnerability in Castle Rock Computing SNMPc Network Manager.
SNMPc Network Manger is a distributed network management system that
allows monitoring of the network infrastructure. It employs a
distributed polling agent architecture which uses SNMP TRAPs to provide
a solution capable of monitoring networks with up to ten thousand
devices. An SNMP TRAP initiated by a network element is sent to the
SNMPc Network Manager to allow monitoring of the infrastructure.

=================
Technical Details
=================
The vulnerability can be exploited when an overly long community string
is sent in the SNMP TRAP packet. The packets format will be valid ASN.1,
including the length of the community string. An attacker can craft a
single UDP packet that can lead to the execution of arbitrary code in
the context of LocalSystem.

===============
Fix Information
===============
NGSSoftware wish to note that Castle Rock Computing were extremely
pro-active in addressing this issue.

The latest version (SNMPc 7.1.1) can be downloaded from the Castle Rock
Computing website: http://www.castlerock.com/.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070

John’s presentation is entitled “Office 2.0: Software as a Service, Security on the Sidelines?” Click here to read the abstract.

About OWASP

“The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security “visible,” so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under an open source license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.”

Read the full article at SC Magazine.

NGSSoftware’s Press Release.

NGSSoftware’s world leading Security Assessment Consulting Services were recognised at the European Awards ceremony which was held on the 22nd April 2008 in London.

See here for a full list of the winners.

About the SC Awards Europe

The SC Awards Europe are widely considered the most prestigious awards programme in the information security industry and stand out as a true benchmark of achievement. Now in their thirteenth year, the Awards have a long-standing tradition of promoting excellence.

For further detail, visit www.scmagazine.com/uk/awards.