The Hactivity conference in Hungary took place last weekend and Laszlo Toth emailed me to let me know that he has posted his slides from the conference to his website. Laszlo did a nice talk covering descrypting OEM.Grid control passwords by extracting the keys from the emkey.ora file; this means that the newer method to encrypt passwords in OEM is broken and like the old method of simply calling the decrypt function its now possible to decrypt OEM passwords. The OEM repository should be protected in terms of architecture and security to prevent access to the encrypted data. This is of course an issue as blocking all access is not possible. This is an inherent issue of encryption in the database; that its virtually impossible to secure the keys used.
Laszlo also looked at the TDE wallet and master key and remote job scheduling and decrypting the scheduler credentials. This is an interesting area of weak encryption and shows Oracle allegiance to DES. Also Laszlo showed how to "hook" the encryption functions in the Oracle kernel on Linux and Windows to capture calls to the functions and to log the parameters. Very nice paper Laszlo.
Laszlo's paper is called "Oracle Post Exploitation Techniques" and he has also posted a flash demo for the injection part of the paper and promises more to come.
I also checked out Laszlo's friends site Marcell Major and he has also released the slides from his talk. Marcell's talk is titled "Writing your own password cracker" and is an excellent talk of how to go about reverse engineering password algorithms so that password crackers can be created to test the strength of users passwords. Marcell talks about the Apache Derby algorithm, the Sybase SHA-256 and SYB-PROP algorithms. Marcell has published details of the Sybase SHA-256 algorithm and a sybase password cracker based on Laszlo's woraauthbf. he promises to also release the SYB-PROP cracker soon.
Very nice paper Marcell!