Pete Finnigan's Oracle Security Forum


    
      
        Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Argeniss and 0day Oracle exploits
        
(Message started by: Pete Finnigan on Nov 21^st, 2006, 4:55pm)

Title: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 21^st, 2006, 4:55pm

Hi,

Take a look at:

http://www.argeniss.com/woodb.html

regards,

Ivan

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 22^nd, 2006, 8:31am

Hi Ivan,

I also saw it yesterday and blogged about it. I don't agree with it, what does everyone else think?

cheers

Pete

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 22^nd, 2006, 1:40pm

Someone on Slashdot brought attention to this part of Argeniss' message:

Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.

That is stupid. Give all the info you got and hold nothing back.

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 23^rd, 2006, 9:26am

Hi Marcel-Jan,

Thats the point, they don't want to give them away because they also sell 0-days. is it simply an advertising stunt to sell 0-days?

cheers

Pete

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 23^rd, 2006, 10:10am

>> I also saw it yesterday and blogged about it.

Hi Pete

You say in your piece on the Argensiss stunt|event that you have been told that Oracle are getting on top of the security bug situation. So what do you think of David Litchfield's comparison of security Oracle and MS SQL Server? ( www.databasesecurity.com/dbsec/comparison.pdf ) In particular, what to you think of his concluision that Microsoft have made a much better job of integrating secuity into the software development lifecycle?

Cheers, APC

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 23^rd, 2006, 10:52am

Hi APC,

I read David's paper a couple of days ago and planned to blog about it. I also saw Alex's comments on the FD list. I agree with what Alex says in that the comparision whilst on the face of it is true, Microsoft have done a better job of security I also see that the reasons for Oracle's worse job is that the playing field is not level in this comparison. MS have less features in the database for one. Most of the Oracle bugs in the database are SQL Injection in packages that run as the definer. If Oracle didn't just fix each bug as its found and instead fixed the underlying issues:

o - remove the need for definer rights packages as much as possible
o - remove as much dynamic SQL and PL/SQL as possible
o - for whats left avoid concatenations where part of the string is passed in and unchecked. USe binds, use dbms_assert
o - install a limited set of functionallity by default not everything possible

Oracle are working on these issues and are getting better so whilst David might be able to find a security bug in 5 minutes now it should become harder in the lastest code stream soon.

cheers

Pete

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 28^th, 2006, 11:42am

David Litchfield's document has also been an item on Slashdot (http://developers.slashdot.org/article.pl?sid=06/11/27/1843226). I was interested to read responses of the Slashdot community. Some say the comparison of simply the number of bugs is flawed. Others point out that Oracle is a more complex product than SQL Server. I wonder if that is really true. But doesn't that mean that Oracle should put even more effort in solving the bugs?

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 28^th, 2006, 5:31pm

Hi all,

Cesar from Argeniss updated his WoODB webpage:

[...]
We are sad to announce that due to many problems the Week of Oracle Database Bugs gets suspended.

We would like to ask for apologizes to people who supported this and were really excited with the idea, also we would like to thank the people who contributed with Oracle vulnerabilities.
[...]
(see http://www.argeniss.com/woodb.html)

Regards
Alexander

--
Red-Database-Security GmbH

Title: Re: Argeniss and 0day Oracle exploits
Post by Pete Finnigan on Nov 28^th, 2006, 5:46pm

With regards to the Oracle vs SQL Server comparision and those that say it's not fair - is it fair to compare IIS with Apache? I think most would say yes but the situation is exactly the same as the RDBMS comparision. One is more featured than the other. But features equals attack surface which is why MS learnt their lesson for IIS 6 - features are not enabled by default. Oh - and how many flaws have been patched in IIS6 since 2003? Just 2 - 1 remote code execution (ouch) and 1 DoS. Besides, when you get down to it SQL Server 2005 is as featured as Oracle.
Cheers,
David

Title: Oracle default Wallet
Post by Pete Finnigan on Apr 3^rd, 2007, 5:59pm

People, how come i change the Oracle wallet default (ewallet.p12) without Infraestructure, in order to generate other with the same encoding(Des3, base64). I already did it, with orapki, but when i try to connect throug the firefox, it tell me, that the server and the firefox, don`t have the same codification.