Red Database Security has released 5 Oracle security bug advisories:
"Event 10053 logs TDE wallet password in cleartext" - This advisory gives a detailed example of how setting event 10053 can be used to reveal the wallet password. This event is normally used to reveal how the Cost Based Optimizer evaluated the execution path for a query. Wolfgang Breitling famously describes how this works in his well-known paper "A Look Under the Hood of CBO The 10053 Event".
"Transparent Data Encryption stores key unencrypted in the SGA" - This advisory goes through a detailed example of how the dumpsga utility can be used to dump a clear text wallet password from the SGA.
"Read parts of any XML-file via customize parameter in Oracle Reports" - This advisory shows how the customize parameter of Oracle Reports can be used to read the contents of any XML file on the server.
"Read parts of any file via desformat in Oracle Reports" - This advisory shows how the DESFORMAT parameter can be used without Oracle Reports to read parts of any file.
"Overwrite any file via desname in Oracle Reports" - This advisory shows how the DESNAME parameter can be used to overwrite any file using Oracle Reports. Alex also details comprehensive workarounds for this issue.