Spoofing users and programs and presenting at OWASP
This is not a new subject (spoofing client details, that is); it is accepted that all values except the database username can be spoofed. Some, such as the client IP address, are much harder to spoof than others, but most are easy. There are at least three easy routes to do the spoofing.
The first is to do as Pawel has done: create a Java interface and use the Java-provided calls to set these values.
Some values are also settable via the thick client by doing the spoofing in an OCI program. Slavik had a good post 12 days ago titled "Oracle client - changing the program name in the session" that discussed how to change the client program name reported in V$SESSION (X$KSUSE) in an OCI program. Slavik included the C source code for two programs to demonstrate this by manipulating LD_PRELOAD.
It is also possible to manipulate the client session values using a proxy that allows values to be edited as they pass on their way to the server. This is simple to write in Perl; I wrote three years ago about René Nyffenegger's code in a blog post here titled "exploit code released for the DB18 AUTH_ALTER_SESSION bug - how to make any user a DBA", which of course was showing how to exploit the DB18 bug (http://www.adp-gmbh.ch/blog/2006/01/24.php - broken link). René showed a simple Perl proxy that could just as easily be used for spoofing client values. My own solution to the DB18 bug exploit, which was much simpler to do, was to edit the Oracle client lib directly in a hex editor and modify the embedded code to do the same; of course this route is also possible for spoofing.
Finally, on the subject of spoofing, Steve Kost also wrote a nice paper some three or so years ago titled "Spoofing Oracle Database Session Information", which discusses this problem in detail and is still worth a read.
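
For anyone reviewing session data with the above in mind, here is an added example (not code from this post or from any of the authors cited) that treats the program, machine and OS user as unverified claims and cross-checks them against the two values that are hard or impossible to spoof: the database username and the client IP. The rows, field names and the idea that a client IP is recorded alongside each session are assumptions made for illustration.

```python
from collections import defaultdict

# Attributes the client reports about itself; per the post, all spoofable.
CLIENT_REPORTED = ("program", "machine", "osuser")

# Constructed rows (not real data; field names are assumptions). username is
# authenticated by the database and client_ip is the hard-to-spoof value.
SESSIONS = [
    {"username": "APP", "client_ip": "10.0.5.20", "program": "appserver",
     "machine": "app01", "osuser": "svc_app"},
    {"username": "APP", "client_ip": "10.0.9.77", "program": "appserver",
     "machine": "app01", "osuser": "svc_app"},
    {"username": "HR", "client_ip": "10.0.7.31", "program": "hrclient",
     "machine": "ws114", "osuser": "jsmith"},
    {"username": "HR", "client_ip": "10.0.7.31", "program": "payroll",
     "machine": "ws200", "osuser": "akhan"},
]

def program_allowlist(sessions, allowed):
    """Weak control: trusts the program name the client chose to report."""
    return [s for s in sessions if s["program"] in allowed]

def review_leads(sessions):
    """Cross-check client claims against (username, client_ip); leads only."""
    claims = defaultdict(lambda: {a: set() for a in CLIENT_REPORTED})
    origins = defaultdict(set)
    for s in sessions:
        origins[(s["username"], s["machine"])].add(s["client_ip"])
        for attr in CLIENT_REPORTED:
            claims[(s["username"], s["client_ip"])][attr].add(s[attr])
    leads = []
    # One account at one address describing itself several ways: the claims
    # cannot all be true of a single client (shared hosts and NAT also do this).
    for (user, ip), seen in sorted(claims.items()):
        for attr in CLIENT_REPORTED:
            if len(seen[attr]) > 1:
                leads.append(("conflicting-" + attr, user, ip))
    # One claimed machine name arriving from several addresses: the
    # self-description matches and only the hard-to-spoof value differs.
    for (user, machine), ips in sorted(origins.items()):
        if len(ips) > 1:
            leads.append(("machine-from-many-ips", user, machine))
    return leads
```

On the constructed rows, the program-name allowlist accepts the APP session from 10.0.9.77 because it reports the expected name, while the cross-check surfaces it as a lead.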
I have added the ORAganism blog feed to my Oracle blogs aggregator.
Finally, I am also speaking tomorrow evening in Leeds (North of England) at the first OWASP Leeds chapter meeting. The agenda is here, although Jason asked me to swap time slots with Justin, so the agenda is slightly wrong only in terms of timing. Justin Clarke (SQLBrute) and I are both speaking. If you are in the area, please come along.