Archive for the ‘Oracle Security’ Category

New fast Oracle DES password cracker OPS_SSE2

Donnerstag, April 15th, 2010

Dennis Yurichev has released a new password cracker (brute-force) called ops_sse2 for Oracle DES passwords.  This password cracker is the fastest brute force cracker for Oracle DES passwords and approx. 3 times faster than woraauthbf from Laszlo Toth.

Here a quick comparision on my Quad2Core (2.4 GHz):


Password length (8 character) (only characters) can be cracked  in approx 3 hours. For numbers and characters it takes approx. 2.5 days for a single password.

Impressive work…

Oracle 11g R2 client trojan warning from Antivir

Mittwoch, April 14th, 2010

I just came across a forum entry on OTN „Possible trojan with 11gR2 Windows 32-bit client on OTN?„. It seems that some virus scanners are reporting a potential trojan in the 32bit client of Oracle 11R2.

According the Eric Maurice from the Oracle security team it is a false positive of the Avira Antivir scanner engine.

It is good to know that also large software vendors are running in this problem of false positives. This can be really bad for the reputation of a software vendor.

Python Source for PLSQL Unwrapper posted

Dienstag, April 13th, 2010

Niels Teusink has posted a Python script to unwrap PL/SQL code (10g+ only). This python script can unwrap code on the command line.

More details are available in the blog entry of Niels.

This is a better solution than the online unwrapper.

Oracle CPU April 2010 is out

Dienstag, April 13th, 2010

Oracle just released the Oracle CPU (and PSU) for April 2010. As mentioned in a previous blog post this CPU contains 7 new security vulnerabilities.  7 new security vulnerability fixes. None of these vulnerabilities are remote exploitable without authentication.

The highest CVSS base score for the Oracle database is 7.5 (Oracle Fusion Middleware). It seems that the Java 0day from David Litchfield is also fixed. But I have to download the Oracle patches to verify that all bugs are fixed.

The following components are affected:

• Change Data Capture
• Core RDBMS
• JavaVM
• Oracle XDB
• RDBMS Security
• Audit

DOAG Expertenseminar

This time all Oracle vulnerabilities are coming from the usual suspects:
Okan Basegmez of DORASEC Consulting; Esteban Martinez Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust of Red Database Security; David Litchfield formerly of NGS Software; Oleg P. of HSC Security Portal; and Alexandr Polyakov of Digital Security.

Oracle has fixed a problem (CVE-2010-0854) I reported in January 2009. It is possible to bypass Oracle Auditing using explain plan. Within the next few days I will release an advisory for this problem.

Improve Oracle TDE with Intel AES-NI

Dienstag, April 13th, 2010

I found an interesting whitepaper „Securing the Enterprise with Intel AES-NI“ from Intel.

This white paper explains how the new AES-NI instructions in Intel Xeon 5600 series can improve the AES encryption/decryption. When I read the first time about this feature I was impressed.

OpenSSL (AES part) is up to 7 times faster with this new instruction set.

Intel did also some tests with Oracle 11g and Transparent Data Encryption (TDE) in AES-256 CBC mode. The usage of the optimized Intel Integrated Performance Primitives (IPP) shows an 89 percent reduction (3.33 GHz Xeon X5680 vs 2.8 Intel Xeon X5560) against a previous processor.

This is a huge advantage and if you use TDE you should think about using such a new processor.