Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A new Oracle exploit revealed on the bugtraq list"] [Next entry: "BlackHat Last week"]

An interesting thread on Alex's DBMS_ASSERT paper

There is an interesting thread on bugtraq about Alex's DBMS_ASSERT bypass paper where David Litchfield has suggested that its not a generic bypass at all. Alex has countered in the thread titled "Re: Bypassing Oracle
" and given details of 36 bugs reported to Oracle using this technique including bug numbers.

For me I dont thing the semantics of whether its a generic bypass off DBMS_ASSERT or not matter. The fact is its possible to bypass DBMS_ASSERT, Alex has found over 36 examples of exploits using this technique in (you need access to a PL/SQL unwrapper to be able to locate these bugs easily in the 10gR2 PL/SQL built in packages reported to Oracle. It is a bypass technique and it works and previously fixed bugs can be exploited still.