   Pete Finnigan's Oracle Security Forum
(Moderator: Pete Finnigan)
   Argeniss and 0day Oracle exploits
   Author  Topic: Argeniss and 0day Oracle exploits  (Read 2778 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it

   
Gender: male
Posts: 309
Argeniss and 0day Oracle exploits
« on: Nov 21st, 2006, 4:55pm »

Hi,
 
Take a look at:
 
http://www.argeniss.com/woodb.html
 
regards,
 
Ivan

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Re: Argeniss and 0day Oracle exploits
« Reply #1 on: Nov 22nd, 2006, 8:31am »

Hi Ivan,
 
I also saw it yesterday and blogged about it. I don't agree with it, what does everyone else think?
 
cheers
 
Pete
Re: Argeniss and 0day Oracle exploits
« Reply #2 on: Nov 22nd, 2006, 1:40pm »

Someone on Slashdot brought attention to this part of Argeniss' message:
 
Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days :), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.

 
That is stupid. Give all the info you got and hold nothing back.
Re: Argeniss and 0day Oracle exploits
« Reply #3 on: Nov 23rd, 2006, 9:26am »

Hi Marcel-Jan,
 
That's the point, they don't want to give them away because they also sell 0-days. Is it simply an advertising stunt to sell 0-days?
 
cheers
 
Pete
Re: Argeniss and 0day Oracle exploits
« Reply #4 on: Nov 23rd, 2006, 10:10am »

>>   I also saw it yesterday and blogged about it.  
 
 
Hi Pete
 
You say in your piece on the Argeniss stunt|event that you have been told that Oracle are getting on top of the security bug situation. So what do you think of David Litchfield's comparison of the security of Oracle and MS SQL Server? (www.databasesecurity.com/dbsec/comparison.pdf) In particular, what do you think of his conclusion that Microsoft have made a much better job of integrating security into the software development lifecycle?
 
Cheers, APC
Re: Argeniss and 0day Oracle exploits
« Reply #5 on: Nov 23rd, 2006, 10:52am »

Hi APC,
 
I read David's paper a couple of days ago and planned to blog about it. I also saw Alex's comments on the FD list. I agree with what Alex says in that the comparison, whilst on the face of it is true, Microsoft have done a better job of security, I also see that the reason for Oracle's worse job is that the playing field is not level in this comparison. MS have fewer features in the database for one. Most of the Oracle bugs in the database are SQL Injection in packages that run as the definer. If Oracle didn't just fix each bug as it's found and instead fixed the underlying issues:

o - remove the need for definer rights packages as much as possible
o - remove as much dynamic SQL and PL/SQL as possible
o - for what's left avoid concatenations where part of the string is passed in and unchecked. Use binds, use dbms_assert
o - install a limited set of functionality by default, not everything possible

Oracle are working on these issues and are getting better, so whilst David might be able to find a security bug in 5 minutes now it should become harder in the latest code stream soon.
 
cheers
 
Pete
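
The underlying fixes listed in the post above (invoker rights, binds, dbms_assert), shown side by side with the pattern they replace. This is an added example, not part of the original post and not Oracle's own code; both procedure names and the CUSTOMER column are hypothetical.

```sql
-- Added illustration. Procedure names and the CUSTOMER column are hypothetical.

-- BEFORE: definer rights (the default) plus concatenated dynamic SQL.
-- Both caller-supplied strings become part of the statement text, and the
-- statement executes with the privileges of the procedure's owner.
CREATE OR REPLACE PROCEDURE count_orders_unsafe (
  p_table    IN  VARCHAR2,
  p_customer IN  VARCHAR2,
  p_count    OUT NUMBER
) AS  -- no AUTHID clause, so this runs as the definer
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_table ||
    ' WHERE customer = ''' || p_customer || ''''
    INTO p_count;
END;
/

-- AFTER: invoker rights, a bind variable for the value, and DBMS_ASSERT
-- for the one part that cannot be bound (an identifier).
CREATE OR REPLACE PROCEDURE count_orders_safe (
  p_table    IN  VARCHAR2,
  p_customer IN  VARCHAR2,
  p_count    OUT NUMBER
) AUTHID CURRENT_USER AS  -- privileges are checked against the caller
  l_table VARCHAR2(130);
BEGIN
  -- Raises ORA-44003 (invalid SQL name) unless p_table is a simple SQL name,
  -- so extra SQL text cannot ride along in the identifier.
  l_table := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);

  -- The customer value travels as bind :cust and is never parsed as SQL.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_table || ' WHERE customer = :cust'
    INTO p_count
    USING p_customer;
END;
/
```

DBMS_ASSERT only validates the shape of the name; which tables the caller may actually read is decided by the caller's own privileges once the procedure runs with invoker rights.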
Re: Argeniss and 0day Oracle exploits
« Reply #6 on: Nov 28th, 2006, 11:42am »

David Litchfield's document has also been an item on Slashdot (http://developers.slashdot.org/article.pl?sid=06/11/27/1843226). I was interested to read responses of the Slashdot community. Some say the comparison of simply the number of bugs is flawed. Others point out that Oracle is a more complex product than SQL Server. I wonder if that is really true. But doesn't that mean that Oracle should put even more effort in solving the bugs?
Re: Argeniss and 0day Oracle exploits
« Reply #7 on: Nov 28th, 2006, 5:31pm »

Hi all,
 
Cesar from Argeniss updated his WoODB webpage:
 
[...]
We are sad to announce that due to many problems the Week of Oracle Database Bugs gets suspended.
 
We would like to ask for apologizes to people who supported this and were really excited with the idea, also we would like to thank the people who contributed with Oracle vulnerabilities.
[...]
 (see http://www.argeniss.com/woodb.html)
 
Regards
 Alexander
 
--
Red-Database-Security GmbH
Re: Argeniss and 0day Oracle exploits
« Reply #8 on: Nov 28th, 2006, 5:46pm »

With regards to the Oracle vs SQL Server comparison and those that say it's not fair - is it fair to compare IIS with Apache? I think most would say yes but the situation is exactly the same as the RDBMS comparison. One is more featured than the other. But features equals attack surface which is why MS learnt their lesson for IIS 6 - features are not enabled by default. Oh - and how many flaws have been patched in IIS6 since 2003? Just 2 - 1 remote code execution (ouch) and 1 DoS. Besides, when you get down to it SQL Server 2005 is as featured as Oracle.
Cheers,
David
Oracle default Wallet
« Reply #9 on: Apr 3rd, 2007, 5:59pm »

People, how come I change the Oracle wallet default (ewallet.p12) without Infrastructure, in order to generate another with the same encoding (Des3, base64)? I already did it with orapki, but when I try to connect through Firefox, it tells me that the server and Firefox don't have the same codification.