Litchfield exposes one last Oracle security bug before walking away from his database battles
Virginia: In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was “unbreakable.”
“You have this ideal vision of doing something for the greater good,” said David Litchfield, managing director of Next Generation Security Software Ltd. of London, who acknowledged that a small bit of his code might have been used in the attack. “I will probably no longer publish such code.” David Litchfield via The Washington Post
David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt. At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle’s 11g database software: a critical, unpatched vulnerability that would allow an attacker to take control of an Oracle database and access or modify information at any security level.
“Anything that God can do on that database, you can do,” said Litchfield.
The problem lies in the PL/SQL Gateway, a component of the Oracle Internet Application Server, the Oracle Application Server and the Oracle HTTP Server, he said in an e-mail to the BugTraq mailing list.
Litchfield is co-founder of U.K.-based Next Generation Security Software and one of Oracle’s most vocal critics. The attack that Litchfield laid out for Black Hat’s audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle’s software. Two sections of code within the company’s database application, one that allows data to be moved between servers and another that allows management of Oracle’s implementation of Java, are left open to any user rather than only to privileged administrators. Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database’s contents.
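The grant pattern described above, SYS-owned code that any database user may call, is something an administrator can inventory directly from the data dictionary. The following Oracle SQL is an added illustration for this page; it is not from the article and is not Litchfield’s own check or exploit. It uses the standard DBA_TAB_PRIVS and DBA_OBJECTS views, so it must be run by a user who can read them (a DBA account), and the package named in the final REVOKE is a hypothetical placeholder, not one of the packages discussed in the talk.

```sql
-- Added example (not from the article or from Litchfield's advisory).
-- List every SYS-owned PL/SQL unit that PUBLIC has been granted EXECUTE on.
-- DBA_TAB_PRIVS records object privileges; DBA_OBJECTS supplies the object
-- type so that packages, procedures and functions can be told apart.
-- Run as a user with SELECT on both views (e.g. a DBA).
SELECT p.table_name   AS object_name,
       o.object_type,
       p.privilege,
       p.grantable
FROM   dba_tab_privs p
JOIN   dba_objects   o
       ON  o.owner       = p.owner
       AND o.object_name = p.table_name
WHERE  p.grantee   = 'PUBLIC'
AND    p.owner     = 'SYS'
AND    p.privilege = 'EXECUTE'
-- A package shows up twice in DBA_OBJECTS (PACKAGE and PACKAGE BODY);
-- restricting the type keeps one row per unit.
AND    o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
ORDER  BY o.object_type, p.table_name;

-- For a unit that has no business being callable by every user, remove the
-- PUBLIC grant and, where needed, grant it to the specific schemas instead.
-- SYS.SOME_PACKAGE is a hypothetical name used only to show the statement.
REVOKE EXECUTE ON sys.some_package FROM PUBLIC;
GRANT  EXECUTE ON sys.some_package TO app_owner;   -- app_owner is hypothetical
```

Revoking EXECUTE from PUBLIC on SYS packages can break applications and Oracle’s own components that rely on the grant, so the query result should be reviewed and any revoke tested on a non-production instance first. The point of the listing is the same one the talk makes: a flaw in a package matters far more when every account in the database can reach it.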
“The flaw can be exploited by an attacker to gain full administrator-level control of a database server through a Web server,” said Litchfield.
The mail also gives a workaround so that Oracle users can protect themselves against attacks. The flaw was reported to Oracle on Oct. 26. Litchfield said he “had hoped that Oracle would provide a fix or a workaround on its recent patch release day, they failed to do so.”
Oracle did not respond to our request for comment.
The current bug is far from the first that 34-year-old Litchfield has exposed in Oracle’s products. As a cybersecurity researcher and penetration tester, Litchfield has exposed more than a thousand database software security flaws, mostly in Oracle’s code. Oracle product security has never been adequate. CEO Larry Ellison’s promise that the database was ‘unbreakable’ and CSO Mary Ann Davidson’s repeated claims that security is a core facet of the company’s software lifecycle have simply never been lived up to.
Security researchers such as Litchfield continue to find critical remotely exploitable vulnerabilities across the bulk of Oracle’s product line.
David Litchfield is the world’s leading computer security vulnerability researcher and one of the five founding members of NGSSoftware (established during September 2001). His previous roles have included working as a Security Consultant for Diligence Information Security, a U.K. Penetration Test Team Leader for Arca Systems Inc, a Director & Research Scientist for Cerberus Information Security, and a Director of Security Architecture & Research Scientist at @Stake Ltd.
David Litchfield has been certified as a CHECK Team Leader by the CESG, the gold standard for penetration testing in the U.K. With his vast experience of network and application penetration testing, David is a regular presenter at Black Hat and regularly presents to the CESG. David has discovered and published over 100 major security vulnerabilities in many different products, including most notably Apache, Microsoft Internet Information Server, Oracle and Microsoft SQL Server. In every case where David has found vulnerabilities, he has worked closely with the affected vendors to develop solutions.
In addition to discovering these vulnerabilities, David is also the co-author of Special Ops (Foundstone), where he contributed chapters dealing with security in Oracle. He is also the lead author of SQL Server Security (Osborne/McGraw-Hill). In addition, David has written and published more than 15 security white papers on a wide range of security issues (including buffer overflow exploits, protection and SQL-related vulnerabilities).
David is quoted in many magazines, newspapers and on-line security publications on a regular basis as a leading authority on computer security and vulnerability research.
David Litchfield (born 1975) is a renowned security expert from the United Kingdom, who focuses on the discovery and publication of computer security vulnerabilities with a special focus on database server software. Information Security Magazine voted him as “The World’s Best Bug Hunter” for 2003.
Litchfield has found hundreds of vulnerabilities in many popular products, among which the most notable discoveries were in products by Microsoft, Oracle and IBM. At the Black Hat Security Briefings in July 2002 he presented exploit code to demonstrate a buffer overflow vulnerability he had discovered in Microsoft’s SQL Server 2000. Six months later, on 25 January 2003, persons unknown used this code as the template for the SQL Slammer worm.
After several years in vulnerability research, Litchfield moved into Oracle forensics and has documented how to perform a forensic analysis of a compromised database server in a series of white papers, Oracle Forensics Parts 1 to 6. He is in the process of researching and developing an open source tool called the Forensic Examiner’s Database Scalpel (F.E.D.S.).
Litchfield founded a company named Cerberus Information Security which was acquired by @stake in July 2000. A year and a half later he founded Next Generation Security Software with five colleagues from @stake. He is the author of various software packages, and also of many technical documents on security issues. He is the author of the Oracle Hacker’s Handbook and is a co-author of the Database Hacker’s Handbook, the Shellcoder’s Handbook and SQL Server Security. He was also a contributing author for Special Ops.