Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "SmartDB Upgrades Oracle Migration Tool"] [Next entry: "A free script to find hidden users in your database"]

Alex has added an Oracle exploits page to his site

I got an email from Alex the other day to let me know that he has added an Oracle exploits page to his site. The page is Oracle Exploits / Exploit and seems to be changing regularly. When i took a look a couple of days ago the page had less content than now. So it is a good idea to bookmark it and keep coming back for a look in case new details have been added. Alex starts the page with a brief overview of the products that have exploits available for them and then goes on to say:

"This is not illegal or dangerous. If your database or application server is hardened, all the exploits mentioned here are WITHOUT any effect."

This is good advice, just because Alex has links to these exploits does not mean that they would not be available if he did not have links. The problem is that exploit code is available either easy to find or harder for a lot of Oracle exploits. This means that if you do not patch then you are potentially in trouble.

Alex also adds:

"This page does not contain 0day exploits.

All exploit code on this website is already out there, e.g. in newsgroups, on websites (like bugtraq). Hacker and script kiddies are using such code every day."

And interestingly Alex says he will release a paper about how to search Metalink for exploit code examples. This should be worth seeing!

The page then has links to Listener Exploits, Oracle 8i Exploits, Oracle 9i Exploits, Oracle 10g Exploits and Oracle Application Server Exploits.

Each of these links takes you to a page that lists links to exploit code for various bugs. For instance the 10g exploits link has the following listed:

OS command injection in DBMS_SCHEDULER - [Become DBA]

SQL Injection vulnerability in DBMS_METADATA - [Become DBA]

SQL Injection vulnerability in DBMS_CDC_SUBSCRIBE / DBMS_CDC_ISUBSCRIBE - [Become DBA]
Denial of service vulnerability in Oracle Intermedia [Denial of Service]

This page finishes with some links to other sites that do contain Oracle exploit code. This page should be worth keeping an eye on. If you keep patch sets up to date you should not have an issue with these Oracle exploit codes.