Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "New paper: Cursor injection - attacking Oracle with just CREATE SESSION"] [Next entry: "Oracle exploits available"]

New and Improved Oracle Exploits Coming at Black Hat

"New and Improved Oracle Exploits Coming at Black Hat" - by Lisa Vaas,

"Oracle's slated to be the whipping boy in two Oracle-specific Black Hat briefings and will be among the clump of databases faulted in one general database communication protocol weakness briefing. Expect at least one zero-day exploit and an entirely new class of attack technique, all with Oracle in their crosshairs.

Oracle's up for being a whipping-boy at Black Hat 2007 Washington, Feb. 28-March 1, with two briefings dedicated to Oracle security and/or insecurity."

Sorry I got Lisa's request for comment late on BH and also Davids paper but this is because our son has not been well for the last week and a half - he is getting better now. Lisa commented that I thought David's hack was cool but the detail of why was not reflected well in my post. The bit I thought was cool was the fact that you can pre-compile any valid cursor as any user who has only CREATE SESSION and then inject this precompiled cursor into a vulnerable PL/SQL package/function, i.e. taking advantage of cursor snarfing / injection / dangling issues. This makes previously minor SQL Injection bugs found much more useful to a hacker.

I have not seen the presentations from Cesar and David but as far as I know Cesar was talking about using simple free tools such as sysinternals process explorer to find bugs in software such as Oracle and I beleive he was highlighting the NULL DACL issue discussed in David's new book and also in the Oracle-L list previously - I am not sure if this was the intended 0-day or not, if it was then its not totally 0-day.