Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "2 new exploits for Oracle"] [Next entry: "Argeniss have released a simple Oracle root kit"]

Bunker has released a 0-day Oracle exploit



I saw today via Alex, Milw0rm and Bugtraq that Andrea "bunker" Purificato has released a new exploit in DBMS_AQ.ENQUEUE for 10gR1, version 10.1.0.3.0. The [0-day] Remote Oracle DBMS_AQ.ENQUEUE exploit (10g) is written in Perl and the example uses a payload of granting ALL PRIVILEGES and DBA to the supplied Oracle user account. I am a bit confused at the 0-day title as the post also includes a reference to the patch for the Jan CPU 2007 - CVE-2007-0268.

There has been 2 Comments posted on this article


April 2nd, 2007 at 09:48 pm

bunker says:

crazy Sorry for mistake. I meant "first public exploit" with word "0day"... hehe



April 3rd, 2007 at 06:02 pm

Pete says:

I guessed that was what you meant, thanks for the update.