Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Argeniss are now selling Oracle rootkits!"] [Next entry: "How to hack SYS password without logging into the database"]

Oracle 0-day exploit to be released - Blackhat Washington DC database security presentations



I have just seen that the washington DC Blackhat conference 2007 has been released. I have spotted a number of database security presentations. The first is Amichai Shulman who will talk about Danger From Below: The Untold Tale of Database Communication Protocol Vulnerabilities. He will talk about database communication protocols and he mentions in his brief that manufacturers build in backwards compatibility and how it fuels the fire for security vulnerabilities. So I can guess that he will concentrate on how to make the client and server of a later database talk in an earlier protocol version that is easier to exploit or where even earlier version bugs are available. I have been aware of this issue in Oracle for a couple of years and I know that other researchers have working code for this.

David Litchfield will talk about Advanced Oracle Attack Techinques but as is usual with David he never releases details of his talks before hand. I would guess that this talk will explore some of the advanced exploit techniques covered in the recently published Oracle Hackers Handbook. Indirect attacks via triggers, timing based attacks or multi-stage / multi-component attacks.

Cesar Cerrudo will reveal at least one Oracle 0-day vulnerability and exploit code at Black Hat 2007 Washington DC. His presentation is called Practical 10 Minute Security Audit: The Oracle Case. He will demonstrate how to audit software to see if it can be trusted using free tools and point and clikc techniques. He will show how to locate a dozen or so local 0-day vulnerabilities and will demonstrate how vulnerabilities can be easily located in dissassembled code and he will demonstrate and explain a 0-Day exploit.

Me, I would like to be there but we have our second baby due at around the time of this conference so I will have more important things to do than get excited about Oracle security!