I have been teaching security classes about Oracle Security for many years and they are very popular and I teach many classes per year around the world; mostly in the UK and EEC but I also venture to the Middle....[Read More]
Posted by Pete On 24/05/16 At 12:43 PM
Yesterday I gave my yearly presentation “Best of Oracle Security 2015” at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found/modified released in 2015 in various sources.
One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting 188.8.131.52, 184.108.40.206, 220.127.116.11, 12.1.02, fixed in April 2015 CPU). This bug can be used as helper (more...)
Hi Oracle Security Folks, The July Oracle Security Alert is out. My part is smaller than last quarter as just an In-Depth Credit, but Mr David Litchfield makes a triumphal return with some excellent new research. http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html There is a CVSS 9 and a remote unauthenticated issue in this patch so worth installing this one. [...]
Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).
After a short research on the web (google and twitter, less than 5 minutes) I found an (more...)
Hi Oracle Security Folks, Thanks to Oracle for fixing a batch of research I sent over in August 2013 regarding ADVISOR, DIRECTORIES, GAOP(GRANT ANY OBJECT PRIVILEGE) and also a critical privilege escalation which gains 8.5 in the CPU which I am not going to publish here as I want to give folks time to patch. [...]
Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here. Definitely highly recommended.
Hello Oracle Security Readers, If we combine the following factors together then we can identify an escalation route from Index on SYSTEM to SYSDBA which does not require SELECT privileges on the indexed table: 1. SYSTEM passes it’s DBA role through it’s procedures. 2. Oracle indexes allow execution from read via functions i.e. INDEX can [...]
I just uploaded my DOAG 2013 presentation “Best of Oracle Security 2013“.
This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, Hide information from Oracle Auding using VPD and more…
SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);
At Derbycon 3.0, László Tóth and Ferenc Spala gave a a new presentation “What’s common in Oracle and Samsung? They tried to think differently… ” (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy but there was also a small (more...)
2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem is available since 9 months.
Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA (more...)
This looks like an interesting feature of Oracle 12c. I’m still not sure about the security implications but it does say interesting things about pure network monitoring security tools. Now, more than ever, what you see on the network can be something completely different than what runs on the database. So, you can see a […]