Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Two Vulnerabilities Reported by SpiderLabs Fixed in Oracle Critical Patch Update July 2015

In July, Oracle released a Critical Patch Update for multiple products including Oracle Database and MySQL, which included, among others, patches for two serious vulnerabilities discovered by Trustwave SpiderLabs. Below, I will examine the technical details of these vulnerabilities.

Oracle Database 12c account probing (CVE-2015-4755)

The first vulnerability affects the latest Oracle Database version which is 12.1.0.2 and allows unauthenticated users to probe user accounts. That is anyone with a network connection to the database can confirm whether a given user exists in the database. This is made possible by differing server responses to login attempts for existing and non-existing user accounts. This is the network capture of a login attempt via sqlplus for a legitimate user:

36 31 38 00 00 00 00 0D-00 00 00 0D 41 55 54 48   618.........AUTH
5F 56 46 52 5F 44 41 54-41 20 00 00 00 20 43 46 _VFR_DATA.....CF
32 46 39 44 34 46 32 35-30 32 41 31 35 44 39 36 2F9D4F2502A15D96
42 37 36 39 35 34 43 38-35 44 43 43 30 33 15 48 B76954C85DCC03.H

As you can see the token length is 16 bytes (32 characters).

Now let's append a character to the username and retry authentication:

30 37 45 00 00 00 00 0D-00 00 00 0D 41 55 54 48   07E.........AUTH
5F 56 46 52 5F 44 41 54-41 14 00 00 00 14 42 45 _VFR_DATA.....BE
32 30 34 39 42 32 36 31-31 33 37 41 30 42 36 41 2049B261137A0B6A
39 31 25 1B 00 00 14 00-00 00 14 41 55 54 48 5F 91%........AUTH_

For a non-existent account, the length of the AUTH_VFR_DATA token is shorter – only 10 bytes (20 characters). That response tells us whether an account exists on the system or not.

Note that sqlplus should be version 12.1.0.2 or newer in order to support the latest authentication protocol version.

MySQL CREATE TABLE ... PARTITION overflow (CVE-2015-2617)

This vulnerability allows attackers to run arbitrary code on some platforms because it is a classic stack-based buffer overflow. It can also be used to cause a denial of service.

Any authenticated user with CREATE TABLE privileges can exploit this vulnerability. This happens because there is no length check on one of the parameters to add_keyword_path function and the parameter is later copied to a stack-allocated buffer.

Here is proof-of-concept code:

CREATE TABLE test.t1 (id INTEGER) PARTITION BY HASH(id) PARTITIONS 1 (PARTITION p1 DATA DIRECTORY = '<600 character string>');

Affected MySQL versions are 5.6.24 and earlier. Here is a quote from the release notes:

Partitioning: When creating a partitioned table, partition-level DATA DIRECTORY or INDEX DIRECTORY option values that contained an excessive number of characters were handled incorrectly. (Bug #20809045)

You will find the related commit in MySQL Server code here: https://github.com/mysql/mysql-server/commit/85d0ef869796ac370ee18b547682c923d16ef022

As we can see Oracle added a length validation step to exit when the path length is more or equal to 512 bytes and replaced the strcpy call with strncpy.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More