A hidden hacker has recently released a dangerous piece of code aimed at exploiting a recent security vulnerability.
 |
Larry Ellison, Chairman of Oracle Corporation |
The verified dangerous code has now been disseminated through the Full-disclosure mailing list with the subject line “Trick or treat Larry.” It is clear that this email targets Larry Ellison, the CEO of Oracle Corporation.
Security experts have taken parts of this dangerous code for testing purposes and have confirmed that it can indeed breach Oracle databases using default usernames and passwords.
Alexander Kornbrust, one of the co-founders and the CEO of Red-Database-Security, believes that the release of this dangerous code serves as a wake-up call, warning that the code could be modified to cause even more severe consequences. “This version of the code is not dangerous, but anyone could use this framework and modify it to cause greater damage.”
Kornbrust, a well-known expert in Oracle database security research, has conducted his own analysis of the code and confirmed that it utilizes default usernames and passwords to intrude while the administrator may be left helpless. This code uses UTL_TCP to send control commands to each IP address within the network range if the IP feature of the database system is enabled. If a database is found, the code will issue a command to create a personal database link and attempt to connect using the default username and password. However, according to Kornbrust, this dangerous code is still not “complete” and lacks the ability to replicate itself.
“From my experience, most customers still use default passwords. New users only change passwords in a few databases. Yet, at least 60% of users have not changed their default passwords.”
“If someone were to combine a Windows worm with a worm targeting Oracle, the consequences could be unpredictable. The Windows worm could spread quickly and facilitate the Oracle worm to cause damage.”
Kornbrust recommends that users or administrators of Oracle databases take the following actions:
– Change default passwords in all application databases (test/development/education/production).
– Remove the privilege of “CREATE DATABASE LINK” in the CONNECT role (from Oracle 10g Rel.1 and above).
– Remove public access privileges in the utl_tcp package.
– Remove public access privileges in utl_inaddr.
– Protect TNS with a password. In Oracle 10g, always disable operating system authentication and instead use a password.
– Change the default TNS port from port 1521 to another port.
