[Previous entry: "SQL Injection video"] [Next entry: "An interesting thread on Alex's DBMS_ASSERT paper"]
A new Oracle exploit revealed on the bugtraq list
July 28th, 2006 by Pete
Post to del.icio.us
Post to Furl
I saw a post on the bugtraq mailing list that details an exploit to cause an ORA-600 using an ALTER SESSION SET EVENTS command. The hack is detailed in a post titled "Oracle 10g R2 and, probably, all previous versions". The poster shows an ALTER SESSION SET EVENTS command with a very long event string that causes an ORA-600. He says that this is not a crash and indeed its not really an exploit but he hints that its possible to create an integer overflow with other "combinations". I guess he means that a different length string will cause an overflow? - There is a reply to the post where a poster found that he could not replicate the bug but that is because the original poster replies on having the ALTER SESSION privilege.
