Oracle DBS_SCHEDULER Vulnerability

Jared M Breland Jared.Breland at ipaper.com
Wed Nov 10 10:56:10 EST 2004


There is a ton of detail and sample code available at this site.  Perhaps
this could be used to fine-tune the plugin?

http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

--
Jared

nessus-bounces at list.nessus.org wrote on 11/05/2004 11:44:59 AM:

> We have had the same issue, from what I can see from looking at the
> plug-in source, it is only looking at the versioning information - no
> actual exploit is tried. I think this is because Oracle has kept the
> details of the exploit secret, only releasing to the public that there
> is the possibility of an exploit. From what I could see on the web, the
> guy who discovered the problem gave the Proof of Exploit to Oracle... and
> no one else. He refuses to make the code public. Good for Oracle, bad for
> us security people who need to verify if the patch actually worked.
> Disclosure is a tough issue, isn't it?
> 
> If anyone has any information about how to better test for the presence
> of this Oracle vulnerability, please let the list know.
> 
> Jeremy J. Hyland 
> Information Assurance
> Code 19
> NAVSEA Warfare Center Keyport 
> 
> From: OBrien, Edward [mailto:Ed.OBrien at pseg.com] 
> Sent: Friday, November 05, 2004 7:54 AM
> To: 'nessus at list.nessus.org'
> Subject: Oracle DBS_SCHEDULER Vulnerability
> 
> Plugin: 14641
> 
> We followed the instructions from Oracle to fix this problem, but our
> scans keep picking it up.  Can anyone explain the logic that Nessus is
> using to determine if this vulnerability exists?  Is it just checking a
> banner?
> 
> Thanks,
> Ed O'Brien