Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Two Vulnerabilities Reported by SpiderLabs Fixed in Oracle Critical Patch Update July 2015

In July, Oracle released a Critical Patch Update for multiple products including Oracle Database and MySQL, which included, among others, patches for two serious vulnerabilities discovered by Trustwave SpiderLabs. Below, I will examine the technical details of these vulnerabilities.

Oracle Database 12c account probing (CVE-2015-4755)

The first vulnerability affects the latest Oracle Database version which is 12.1.0.2 and allows unauthenticated users to probe user accounts. That is anyone with a network connection to the database can confirm whether a given user exists in the database. This is made possible by differing server responses to login attempts for existing and non-existing user accounts. This is the network capture of a login attempt via sqlplus for a legitimate user:

36 31 38 00 00 00 00 0D-00 00 00 0D 41 55 54 48   618.........AUTH
5F 56 46 52 5F 44 41 54-41 20 00 00 00 20 43 46 _VFR_DATA.....CF
32 46 39 44 34 46 32 35-30 32 41 31 35 44 39 36 2F9D4F2502A15D96
42 37 36 39 35 34 43 38-35 44 43 43 30 33 15 48 B76954C85DCC03.H

As you can see the token length is 16 bytes (32 characters).

Now let's append a character to the username and retry authentication:

30 37 45 00 00 00 00 0D-00 00 00 0D 41 55 54 48   07E.........AUTH
5F 56 46 52 5F 44 41 54-41 14 00 00 00 14 42 45 _VFR_DATA.....BE
32 30 34 39 42 32 36 31-31 33 37 41 30 42 36 41 2049B261137A0B6A
39 31 25 1B 00 00 14 00-00 00 14 41 55 54 48 5F 91%........AUTH_

For a non-existent account, the length of the AUTH_VFR_DATA token is shorter – only 10 bytes (20 characters). That response tells us whether an account exists on the system or not.

Note that sqlplus should be version 12.1.0.2 or newer in order to support the latest authentication protocol version.

MySQL CREATE TABLE ... PARTITION overflow (CVE-2015-2617)

This vulnerability allows attackers to run arbitrary code on some platforms because it is a classic stack-based buffer overflow. It can also be used to cause a denial of service.

Any authenticated user with CREATE TABLE privileges can exploit this vulnerability. This happens because there is no length check on one of the parameters to add_keyword_path function and the parameter is later copied to a stack-allocated buffer.

Here is proof-of-concept code:

CREATE TABLE test.t1 (id INTEGER) PARTITION BY HASH(id) PARTITIONS 1 (PARTITION p1 DATA DIRECTORY = '<600 character string>');

Affected MySQL versions are 5.6.24 and earlier. Here is a quote from the release notes:

Partitioning: When creating a partitioned table, partition-level DATA DIRECTORY or INDEX DIRECTORY option values that contained an excessive number of characters were handled incorrectly. (Bug #20809045)

You will find the related commit in MySQL Server code here: https://github.com/mysql/mysql-server/commit/85d0ef869796ac370ee18b547682c923d16ef022

As we can see Oracle added a length validation step to exit when the path length is more or equal to 512 bytes and replaced the strcpy call with strncpy.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo