Call: +44 (0)7759 277220 Call
Forum

Welcome, Guest. Please Login.
Dec 10th, 2024, 4:58am
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   Who wrote the P-O-C Worm?
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Who wrote the P-O-C Worm?  (Read 4630 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Who wrote the P-O-C Worm?
« on: Nov 25th, 2005, 11:18am »
Quote | Modify

Hi,
 
Do we know how wrote the proof-of-concept worm?
The chance the author posted code in the past is high (IMHO). And chances are high those code/questions are stored in Google. And beacuse I'm very curious about who is the author of the worm (just curiosity)  I'm looking at the code to see if I find any clue about the author. I started looking for spellingerrors in the comment, eg. adress instead of address, to see if I can find similar errors in Google. People tend to make the same spellingerrors. I did not find any errors (more comments next time pleaseSmiley . Next I looked at the variables to see if I can discover the author's language. People tend to use their own language to name variables. No luck. Then I looked at the variables. People tend to use the same variablenames in their programs. I looked in Google if I could find hits with the same variablenames. Variablenames like ret_val, i1, i2, i4, etc. No luck. It seems that the author took care not to reveal his/her identity. He/she used unique variablenames.  
The most promising search is: ret_val "exit when"
I'll keep searchingSmiley
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Who wrote the P-O-C Worm?
« Reply #1 on: Nov 28th, 2005, 2:53am »
Quote | Modify

The most surprising bit for me was the use of the older style DBMS_SQL rather than EXECUTE IMMEDIATE (avaiable in 8i onwards).  
EXECUTE IMMEDIATE is a lot simpler. DBMS_SQL has two advantages though. Firstly, and the main one for general applications, is that the same cursor can be re-opened which saves on a parse. Secondly, DBMS_SQL can be invoked over a DB link (ie a session on database A can use DBMS_SQL on database B, given a database link with the right grants) to run anonymous PL/SQL on the remote database.
It makes me wonder if the reason EXECUTE IMMEIDATE wasn't used is that this was based on another Oracle hack which required that functionality (eg to act as some DoS CPU hog).
 
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues