[Previous entry: "Esteban Martínez Fayó releases his security advisories for CPU 12 April"] [Next entry: "Frank has a good review of a secure coding book"]
More insights to CPU 12 April and public exploit code
April 19th, 2005 by Pete
Post to del.icio.us
Post to Furl
Alex has just emailed me to say that he has updated his paper "Comments on Oracle Critical Patch Update April 2005" to include clarifications of the patch pre-requisites. He has also added links to Application Security Inc's advisories and also more importantly he has included three examples of exploits from Esteban Mart�nez Fay� site.
These include an exploit to grant DBA to SCOTT by PL/SQL Injecting DBMS_METADATA. This can be found at http://www.argeniss.com/research/OraDBMS_METADATAExploit.txt. Also another exploit to grant DBA to SCOTT via the DBMS_CDC_SUBSCRIBE also by PL/SQL Injecting the package. This can be found at http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt and finally sample Denial of Service attacks via Intermedia which can be found at http://www.argeniss.com/research/OraIntermediaExploit.txt.
If you had not planned to apply this patch set quickly, you had better do so now!
