New and Improved Oracle Exploits Coming at Black Hat
"Oracle's slated to be the whipping boy in two Oracle-specific Black Hat briefings and will be among the clump of databases faulted in one general database communication protocol weakness briefing. Expect at least one zero-day exploit and an entirely new class of attack technique, all with Oracle in their crosshairs.
Oracle's up for being a whipping-boy at Black Hat 2007 Washington, Feb. 28-March 1, with two briefings dedicated to Oracle security and/or insecurity."
Sorry I got Lisa's request for comment late on BH and also David's paper, but this is because our son has not been well for the last week and a half - he is getting better now. Lisa commented that I thought David's hack was cool but the detail of why was not reflected well in my post. The bit I thought was cool was the fact that you can pre-compile any valid cursor as any user who has only CREATE SESSION and then inject this precompiled cursor into a vulnerable PL/SQL package/function, i.e. taking advantage of cursor snarfing / injection / dangling issues. This makes previously minor SQL injection bugs found much more useful to a hacker.
I have not seen the presentations from Cesar and David, but as far as I know Cesar was talking about using simple free tools such as Sysinternals Process Explorer to find bugs in software such as Oracle, and I believe he was highlighting the NULL DACL issue discussed in David's new book and also on the Oracle-L list previously - I am not sure if this was the intended 0-day or not; if it was, then it's not totally 0-day.