Oracle’s E-Business suite has come under scrutiny after a researcher discovered what appeared to be a backdoor in certain versions of the software that could lead to a fully compromised database server.
While conducting a security assessment for a client, David Litchfield found that every user had mistakenly been granted the ability to create an index in the DUAL table, a "dummy" table on which administrative functions can be executed.
"There is no legitimate reason to create an index on DUAL. None whatsoever," he said. "If you wanted to leave a very subtle backdoor it does make perfect sense, however."
Litchfield and his company thought a hacker might have inserted the apparent backdoor into their systems, but on investigation discovered that Oracle was responsible for the security hole.
Stranger still, the software vendor found no record of why the flaw existed or what purpose it served.
"I looked through the bug and there is no indication of when or why the grants were originally added," a spokesman from Oracle told Litchfield in an email.
"Development is going with the assumption that it was not necessary and removing the added grants. However, it is hard to tell for certain. As you can imagine, this requires a lot of additional testing to ensure it does not break existing functionality." The Oracle spokesperson concluded.
Litchfield said that he was "flabbergasted" at the story, and hoped it was merely an error.
"I’ll leave the conspiracy theories for others," he added.
