
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

How not to create user authentication

I saw a post on the LogicaCMG blog - Blogging about Oracle a few days ago and made a note to talk about it here. This post is titled "How to create a nice big security leak…" and is interesting to me for two reasons. The first is that the guys decided to try and break their own applications to test their own security. This is great, everyone should start to think about doing these sorts of tests (with permission of course). This shows that people are realising that application and database security is as important as the old bastions of security such as firewalls, virus protection...

The second reason I was interested was because of the problem which these guys found. The code was written to be functional, i.e. to perform a function without thinking about how it could be abused. Anyone who writes applications nowadays, especially applications connected to the Intranet or Internet and even more especially if they use databases, needs to think security first. Why if they use databases? Well, because there is now a trend to steal data from databases. Whereas the old security issues seemed to center around the fact that some spotty kid in their bedroom would dial up and hack your servers, the world has moved on; data is big business now.

Oracle's Ellison to take stage at next RSA confab

Oracle's Ellison to take stage at next RSA confab - By Joris Evers

Slightly different version:

"The high-profile RSA Conference has proven to be a worthwhile podium for Microsoft's security message, and now Oracle is following suit.

Oracle Chief Executive Officer Larry Ellison is slated to address the RSA Conference 2007 in February, Sandra Toms LaPedis, general manager of the conference, told CNET The Redwood Shores, Calif.-based business software maker is paying $220,000 to be one of nine "platinum sponsors" of the San Francisco event, she said."

Oracle's Ellison to strut his stuff at RSA 2007

Oracle's Ellison to strut his stuff at RSA 2007 - Banging the security drum, Gates style... - By Joris Evers

"The high-profile RSA Conference has proven to be a worthwhile podium for Microsoft's security message, and now Oracle is following suit.

Oracle chief executive Larry Ellison is slated to address the RSA Conference 2007 in February, according to Sandra Toms LaPedis, general manager of the conference. The business software maker is paying $220,000 to be one of nine "platinum sponsors" of the San Francisco event, she said."

This is a very interesting development. Joris interviewed me by email yesterday about this, should be interesting to see what Larry has to say.

New additional syndication feeds for this blog

I have had an RSS 1.0 feed for this site almost since I started this blog. I have just added a new RSS 2.0 feed and an Atom 0.3 feed in addition to the original feed. I use Greymatter software for this blog but it doesn't support feed generation natively. A mod exists called gm-rss that is open source Perl. I have modified this feed code myself to add the two new feeds. gm-rss is now available from my site. I have talked about the mod in a little more detail in a post titled "Greymatter now supports RSS 1.0, RSS 2.0 and Atom 0.3 feed generation".

If you prefer RSS 2.0 or Atom then please use the new feeds.

Nice post on the Logica blog about LDAP user info

I just saw a nice post on the Logica CMG blog about using the LDAP user information. The post is titled "Using the LDAP for user information".

on Linux is out

Oracle for Linux on x86 is out. Thanks to Laurent for the info.

Spotlight on Oracle security

Spotlight on Oracle security - By Elisa Gabbert,

"Keeping your company's data and systems secure is a must for any Oracle DBA. Beyond patching known security flaws, there is a great deal you can do to protect your Oracle DBMS and applications from security breaches, both from inside and outside your organization. All this month, examined security issues and how they impact Oracle products and users. This special report compiles news, analysis, white papers and expert advice on this topic, including breaking articles and content from our archives, to help you conquer your daily security challenges. We've also updated our popular learning guide on Oracle security -- browse through it for even more tips and advice on passwords, encryption and more."

This is a good compilation of links to recent news and papers on Oracle security.

Mr. Know-IT-All's Oracle Security Challenge

Mr. Know-IT-All's Oracle Security Challenge - Thanks to Mark Brunelli for passing this link to me:

"Mr. Know-IT-All is back. This time he wants to find out how much you really know about Oracle database security. So, if you've got the guts, take his new Oracle Security Quiz and be sure to let us know how well you did. And if you have ideas for future quizzes, we'd like to hear them too."

is out for Windows, MVS and HP/UX

I just came across this post - Oracle is out for Windows, HP/UX, and MVS. Nice news, wonder if there are any silent security bug fixes??

Oracle root kits part 2

Alex talked at BlackHat and Defcon on the subject of Oracle root kits this year. I was there for BlackHat of course as I spoke there myself on the subject of "unwrapping PL/SQL". Alex's presentation was excellent and went down well with the audience. He started with an overview of what root kits, including OS root kits, are and then gave a quick refresher on Oracle root kits part 1. This included how database services / functions and views map to the equivalent OS based features / functions and so on. Then Alex showed how to implement simple root kits and back doors.

Then Alex started on Oracle root kits part 2. This was really interesting and covered such things as modifying the Oracle binaries to hide a hacker user in the database. He went on to discuss native compilation and pinned packages.

Alex's presentation slides are titled "Oracle root kits 2.0"

MatriXay a new way to penetration test web apps and databases

I had the great pleasure to meet Frank Fan in Las Vegas when I was speaking at the BlackHat conference. Frank was there to talk about his new application MatriXay which can be used to pentest web applications and databases. I have seen the application before and was interested to see a newer version. I got a good look at it before Frank's talk and also went along to hear Frank speak. His presentation included a flash movie of the application used in anger. This is a great application and Frank was good enough to let me have a copy to review. I am looking forward to having a proper look at it and running it through its paces. Frank's presentation is called "Improved penetration testing of Web Apps and databases with MatriXay" and is well worth a look. This is the best web app scanner I have seen.

Oracle expert warns of weakness in PL/SQL

Oracle expert warns of weakness in PL/SQL - By Bill Brenner

"The protective wrapping around the programming language used to write procedures and commands in the Oracle Corp. database isn't as ironclad as some might expect. In fact, one expert claims it can be unraveled to access sensitive data.

That warning comes from Pete Finnigan, an author and keeper of a blog on the subject of Oracle security."

Databases at war

Databases at war - Millions of databases are just sitting out there, waiting for the next strike - By John E. Dunn

"Databases shouldn’t by rights have security holes in them at all, but years after they were first discovered to be an issue, they are still very much with us.

These holes open up in a number of ways, principally related to gaining privileges to execute or spoof (inject) scripts in the dominant query form SQL, or attempting to compromise or damage the operating system or other applications running on, or in conjunction with, the database."

Oracle Announces General Availability of Oracle(R) Identity Management 10g Release 3

Oracle Announces General Availability of Oracle(R) Identity Management 10g Release 3

"New Capabilities, Integrated Offering and Support for Heterogeneous Environments Drive More Value for Enterprise IT Infrastructure and Streamline Compliance Requirements

REDWOOD SHORES, Calif., Aug. 16 /PRNewswire-FirstCall/ -- Oracle (Nasdaq: ORCL - News) today announced the immediate availability of Oracle® Identity Management 10g Release 3. Complete with a robust, comprehensive set of access control, identity administration, provisioning and directory services capabilities, this latest release enables organizations to manage the end-to-end lifecycle of user identities across heterogeneous enterprise resources within and beyond their organizational boundaries, while helping to streamline sustainable compliance policies and controls."

Stephen Kost has a new Oracle security blog

I made a note a couple of weeks ago that Steve Kost has started an Oracle security blog. It's got a few posts already. Steve specialises in Oracle Applications (also known as E-Business Suite) security. He has a few good posts already:

11i: How to Check for Correct APPLSYSPUB Privileges in 11i


Google Source Code Bug Finder

Un-patched Oracle Database Bugs - E-Business Suite Impact

and the most recent two posts that mention Black Hat and my PL/SQL unwrapping paper:

Bad Oracle Security Press Coming Soon

Unwrapping PL/SQL

Keep an eye on Steve's blog; it should be worth reading. I have also added it to my Oracle blogs aggregator.

Blinded By The Glare Of Facial Piercings At Black Hat (Or, The One That Got Away)

Blinded By The Glare Of Facial Piercings At Black Hat (Or, The One That Got Away) - By Larry Greenemeier

"In case you're wondering where I was when Scholz was at the podium during Black Hat, I was attending Pete Finnegan's "How to Unwrap Oracle PL/SQL" session because I'd been told by an attendee at the show that several Oracle lawyers would be in attendance to make sure Finnegan didn't step out of line. I thought their blue pinstriped suits would stand out amongst the rainbow of hair colors, the glare of the facial piercings, and the black ink of the tattoos. No such luck."

Defcon 2006: Oracle not so "unbreakable"

Defcon 2006: Oracle not so "unbreakable"

"Las Vegas (NV) - Your company's cleaning staff could be illegally moonlighting as your Oracle database administrator. Alexander Kornbrust, founder and CEO of Red Database Security, says hackers could easily exploit vulnerabilities in Oracle database and gain administrator access. Speaking at the Defcon security convention in Las Vegas, he also explained that administrator passwords are often stored and easily retrieved on company computers.

Kornbrust talked to a packed audience for his Oracle 2.0 rootkits session, but despite the ominous sounding title, he told TG Daily that his purpose was not to show a complete rootkit. "I just want to show how easy it is to gain administrator privileges," said Kornbrust. He believes there are 40 to 50 vulnerabilities, ranging from minor to critical, in Oracle 10G."

High bidders with low motives

High bidders with low motives - Patrick Gray

"THE 21st-century hacker has three options upon discovery of a vulnerability in popular software: sell it to a security company; give details of the bug to the company that makes the software; or sell it to the criminal underground.

Legitimate security companies are bidding against criminal syndicates to buy the hackers' handiwork, experts say. Security specialist iDefense actively markets its links to independent bug hunters, offering top-dollar to hackers for information it can pass to its vulnerable customers."

How to Unwrap PL/SQL BlackHat Las Vegas 2006 presentation slides are available

The slides from my presentation at the BlackHat 2006 briefings in Las Vegas last week are now available. The slides describe how the Oracle PL/SQL wrap mechanism works and how a PL/SQL unwrapper can be created to retrieve wrapped PL/SQL source code. The presentation is titled "How to Unwrap Oracle PL/SQL". I have also added a link in the presentations section of my Oracle security white papers page.

Tom has an interesting post on Security via obscurity

I spotted a nice post on Tom's blog today that was posted a couple of days ago. Tom's post is titled "Security via obscurity..." and it talks about an email sent to Tom about his AskTom site displaying schema details when it errors. Tom points out that his site is not vulnerable to SQL Injection as he uses binds for all dynamic SQL and does not concatenate. This is an interesting post around SQL injection issues and security in general, particularly the issues around defence in depth and security through obscurity.

BlackHat Last week

I have just returned from the BlackHat briefings in Las Vegas that happened August 2nd and August 3rd. I spoke there about Unwrapping PL/SQL on Wednesday morning. This was a great conference, some great presentations and some great people there. I had a great time speaking and listening. The trip was very tiring for me though, roughly 5100 miles in each direction and an 8 hour time zone switch all over 4 days. This is why I have not posted here for more than a week. I was not really enamoured with the thought of connecting to the Internet via wireless in a town full of security experts and hackers! The DefCon conference was also on last week.

I have just found a nice preview article by Bill Brenner (who I had the great pleasure to meet in person in Las Vegas - we have spoken only via email previously) that gives a good intro to the presentations. I will write here tomorrow about mine, Alex's and some of the others I went to listen to. Bill's article is "Black Hat preview: Spotlight on Vista, new exploits".