Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Esteban Martínez Fayó releases his security advisories for CPU 12 April"] [Next entry: "Frank has a good review of a secure coding book"]

More insights to CPU 12 April and public exploit code



Alex has just emailed me to say that he has updated his paper "Comments on Oracle Critical Patch Update April 2005" to include clarifications of the patch pre-requisites. He has also added links to Application Security Inc's advisories and also more importantly he has included three examples of exploits from Esteban Mart�nez Fay� site.

These include an exploit to grant DBA to SCOTT by PL/SQL Injecting DBMS_METADATA. This can be found at http://www.argeniss.com/research/OraDBMS_METADATAExploit.txt. Also another exploit to grant DBA to SCOTT via the DBMS_CDC_SUBSCRIBE also by PL/SQL Injecting the package. This can be found at http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt and finally sample Denial of Service attacks via Intermedia which can be found at http://www.argeniss.com/research/OraIntermediaExploit.txt.

If you had not planned to apply this patch set quickly, you had better do so now!