Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Data Breach Survey Results"] [Next entry: "Would You Like A Job in Database Security?"]

Hacking Oracle over the web and exploiting Database Vault

The BlackHat USA event in Caesars Palace Las vegas was on at the end of July and now the papers have been put up on the BlackHat site. I saw that Sumit Siddharth had posted his slides a couple of days ago to his site in a post titled BlackHat 2010 and made a note but i didnt time until this evening to blog about it. Sid has posted the slides and some videos to this blog post. The slides are on slide share but dont play properly in IE you need Firefox!

I went over to the Blackhat site and found the link to his paper and also checked what else is there. The only other Oracle paper I could see is Estebans; more on that in a minute.

Sid's paper is titled "Hacking Oracle from the web: Exploiting SQL Injection from web applications". This is a nice summary paper of SQL Injection against Oracle covering data extraction, privilege escalation and OS Code execution and a little on PL/SQL Injection.

Estebans paper is called "Hacking and protecting Oracle database vault" and is a really nice summary of some of the ways to exploit DV and of course to protect against those issues. Some are well known such as unlinking, os bypass and some less known such as masqurading as MACSYS. As usual from Esteban its a good paper. The slides from his talk are also available as are the scripts he made available.