[Previous entry: "A new Oracle exploit revealed on the bugtraq list"] [Next entry: "BlackHat Last week"]
An interesting thread on Alex's DBMS_ASSERT paper
July 28th, 2006 by Pete
Post to del.icio.us
Post to Furl
There is an interesting thread on bugtraq about Alex's DBMS_ASSERT bypass paper where David Litchfield has suggested that its not a generic bypass at all. Alex has countered in the thread titled "Re: Bypassing Oracle
dbms_assert" and given details of 36 bugs reported to Oracle using this technique including bug numbers.
For me I dont thing the semantics of whether its a generic bypass off DBMS_ASSERT or not matter. The fact is its possible to bypass DBMS_ASSERT, Alex has found over 36 examples of exploits using this technique in 10.2.0.1 (you need access to a PL/SQL unwrapper to be able to locate these bugs easily in the 10gR2 PL/SQL built in packages reported to Oracle. It is a bypass technique and it works and previously fixed bugs can be exploited still.
