Oracle E-Business suite wide open to database attack

Clear some time in your diary and drink an extra coffee, sysadmins: a top hacker has warned that Oracle will tomorrow patch a horror bug that needs urgent attention. Datacom TSS hacker David Litchfield told The Reg he has reported to Oracle that versions of its E-Business suite contain a "major" misconfiguration flaw that …

  1. Anonymous Coward

    Fortunately

    No one uses it for anything serious?

    1. Anonymous Coward

      Re: Fortunately

      If it runs on Oracle's DB then it already has more holes than a sieve. Perhaps they should upgrade to SQL server?

  2. Gentle Ben

    No DML or DDL possible in functions called by function-based indexes.

    Functions called in function-based indexes cannot be used to perform any DML or DDL so although the function called by a function-based index on DUAL runs under SYS, it is very restricted in what it is allowed to do. The article suggests that you can use this method to run any old function under the SYS user. You can't.

    1. dwlitchfield

      Re: No DML or DDL possible in functions called by function-based indexes.

      You *can* execute DML and DDL. First create a function and specify pragma autonomous transaction... Place your execute immediate 'grant dba to public' in the function then call the function. I've been doing this for years and I know what I'm talking about :)

      Cheers,

      David Litchfield

    2. dwlitchfield

      Re: No DML or DDL possible in functions called by function-based indexes.

      If you want more technical details on how to exploit function based indexes to execute arbitrary SQL just watch this talk. HTH! https://www.youtube.com/watch?v=z0ccYgcBSGg#t=710

  3. Otto is a bear.

    Conspiracy?

    DUAL has been around since I can remember (V4), and probably before, its use was, and probably still is deeply embedded in virtually every Oracle application both overtly and covertly. Originally there wasn't much you could do with DUAL, apart from SELECT 1 FROM DUAL, the whole point being that it's a table with one empty row, was very useful when doing procedural stuff in early versions of Oracle Forms and SQL*PLUS, before the advent of PL/SQL. (I seem to remember some PL/SQL actually compiled to SELECT FROM DUAL) You did not insert into it, update it or delete from it, unless you wanted to crash your application, it was something every developer knew, not to touch.

    I suspect that, in these enlightened days, no one actually uses it, and that it remains only for compatibility, quietly forgotten about, and not maintained by anyone.

    1. dwlitchfield

      Re: Conspiracy?

      DUAL is used internally by many objects. On my Oracle 12c server for example, there are 242 objects that depend on DUAL. HTH!

  4. JcR

    au contraire, I'm afraid.

    Just checked v$sql and found 165 SYS.DUAL references...

    1. Matt Symes

      Does anybody have the CVE reference for this specific vulnerability? It isn't referred to in the article and it's not trivially obvious (to me at least) from the patch list referenced in the article.
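The thread above turns on functions called by a function-based index on DUAL running under SYS. The following is an added audit example, not code from the article or from any commenter: it uses Oracle's standard data-dictionary views to show what indexes exist on SYS.DUAL, what they call, and who is in a position to create one. Which grants count as unexpected on a given system is an assumption the reader has to supply.

```sql
-- Added audit example (not from the thread). Run as a user who can read the DBA_* views.

-- 1. Any index on SYS.DUAL. A default DUAL is normally expected to have none,
--    so every row here deserves an explanation (assumption: no local index was added on purpose).
SELECT owner, index_name, index_type, funcidx_status, status
FROM   dba_indexes
WHERE  table_owner = 'SYS'
AND    table_name  = 'DUAL';

-- 2. The expressions behind function-based indexes on SYS.DUAL.
--    Queried on its own because COLUMN_EXPRESSION is a LONG column.
SELECT index_owner, index_name, column_position, column_expression
FROM   dba_ind_expressions
WHERE  table_owner = 'SYS'
AND    table_name  = 'DUAL';

-- 3. Stored functions or packages those indexes depend on, and who owns them.
SELECT d.owner AS index_owner, d.name AS index_name,
       d.referenced_owner, d.referenced_name, d.referenced_type
FROM   dba_dependencies d
JOIN   dba_indexes i
       ON i.owner = d.owner AND i.index_name = d.name
WHERE  d.type        = 'INDEX'
AND    i.table_owner = 'SYS'
AND    i.table_name  = 'DUAL';

-- 4. Object privileges on SYS.DUAL other than SELECT (INDEX, ALTER, INSERT, ...).
SELECT grantee, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DUAL'
AND    privilege <> 'SELECT'
ORDER  BY grantee, privilege;

-- 5. Grantees holding the system privilege to create an index on any table.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
ORDER  BY grantee;
```

Queries 4 and 5 list direct grants only; a grantee that is a role has to be followed through DBA_ROLE_PRIVS to see which users inherit it.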
