Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Google hacking and Oracle database security audits"] [Next entry: "New version of Fuzzor available"]

Details of a 10g PL/SQL Unwrapper available



I just saw via my Oracle blogs aggregator that Anton Scheffer has released a nice blog post showing how he has cracked the 10g PL/SQL wrap mechanism or rather how he has found out the one missing bit of information (the substitution table). The 9i and lower wrap mechanism was shown by myself at BlackHat in 2006, i also hinted briefly at the 10g mechanism. My paper can be found on my Oracle security white papers page. David then detailed much more of the 10g wrap mechanism in his book the Oracle hackers hand book. He showed the mechanism/algorithm used but stopped at revealing the substitution table in his book.

Anton has done some research into finding the substitution table but not via reversing the binary but via a simpler method of comparing the clear text (from known PL/SQL) to the compressed text. This is then used to create a complete table that allows unwrapping of PL/SQL for 10g. He has also included some Java code to allow unwrapping of PLB files. This is some nice research. His post is called "Unwrapping 10G wrapped PL/SQL". Also of note is a paper mentioned in his post by three Israeli's http://webcourse.cs.technion.ac.il/236349/Spring2009/ho/WCFiles/final_report.pdf - (broken link) Automatic detection of vulnerabilities in wrapped packages in Oracle