Archive for the ‘Oracle Security’ Category

Man-in-the-Middle attacks at upcoming Black Hat Europe

Monday, April 12th, 2010

Wendel Guglielmetti Henrique and Steve Ocepek will demonstrate at the upcoming Black Hat Europe 2010 in Barcelona (14-15 April) how to steal credentials by downgrading authentication mechanisms and by taking over existing user sessions. They will also show their thicknet tool, which will be available after the conference.

This sounds similar to Laszlo's work on downgrading JDBC, but I already had a chance to review their presentation, so I know it is different.

More information after their presentation.

Oracle CPU April 2010 – Prerelease

Friday, April 9th, 2010

Yesterday Oracle released the CPU April 2010 pre-release announcement. These patches will fix 47 security vulnerabilities. The database patch itself will contain 7 new security vulnerability fixes. None of these vulnerabilities is remotely exploitable without authentication.

The highest CVSS base score for the Oracle database is 7.5.

The following components are affected:

• Change Data Capture
• Core RDBMS
• JavaVM
• Oracle XDB
• RDBMS Security
• XML DB

Oracle will fix one of my findings in the April 2010 CPU.

At the DOAG Expertenseminar „Oracle Hardening & Patching / Auditing & Co.“ in Berlin (26.04.2010 – 27.04.2010) I will talk about this CPU as well. If you are interested, you can attend this two-day seminar.

Joxean Koret released his presentation „Hackproofing Oracle Financials 11i / R12“

Tuesday, April 6th, 2010

Joxean Koret has released his presentation „Hackproofing Oracle Financials 11i / R12“ from RootedCON 2010. Joxean shows some nice ways to own old and new Oracle Financials installations.

Thanks to Sid for the link via twitter.

Oracle Java Forensics

Wednesday, March 31st, 2010

Paul released a new article about Oracle Java Forensics. He describes how to find traces of Java attacks (e.g. via dbms_jvm_exp_perms) in the Oracle database.
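As an added illustration of the kind of trace hunting Paul's article is about (this is my own example, not code from his article), two queries a DBA can run on a 10g/11g database. The first assumes that permissions pushed in through DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS end up in the Java policy table and are therefore visible in DBA_JAVA_POLICY; the second assumes standard auditing with audit_trail=DB and that EXECUTE on the package was being audited before the attack. The list of "dangerous" permission classes and the grantee exclusion are assumptions that need tuning against a clean baseline of the same release.

```sql
-- Added example, not from Paul's article.
-- 1. Java permissions that no ordinary grantee should hold.
--    A FilePermission <<ALL FILES>> execute granted to PUBLIC (or to a
--    low-privileged user) is the classic leftover of a Java privilege attack.
--    Assumption: the exclusion list below must be extended with the
--    schemas that legitimately hold Java permissions on your baseline
--    (e.g. MDSYS, ORDSYS, XDB), otherwise the query is noisy.
SELECT kind, grantee, type_schema, type_name, name, action, enabled, seq
  FROM dba_java_policy
 WHERE kind    = 'GRANT'
   AND enabled = 'ENABLED'
   AND grantee NOT IN ('SYS')
   AND (
         (type_name = 'java.io.FilePermission'
          AND (name = '<<ALL FILES>>' OR LOWER(action) LIKE '%execute%'))
      OR type_name IN ('java.lang.RuntimePermission',
                       'java.security.AllPermission',
                       'oracle.aurora.security.JServerPermission')
       )
 ORDER BY seq;

-- 2. Who called DBMS_JVM_EXP_PERMS, if auditing was already in place.
--    Requires (beforehand): AUDIT EXECUTE ON SYS.DBMS_JVM_EXP_PERMS BY ACCESS;
--    and audit_trail = DB (or DB,EXTENDED to also get the SQL text).
SELECT timestamp, username, os_username, userhost, obj_name, action_name, returncode
  FROM dba_audit_trail
 WHERE owner    = 'SYS'
   AND obj_name = 'DBMS_JVM_EXP_PERMS'
 ORDER BY timestamp;
```

The first query only finds grants an attacker forgot (or was unable) to clean up, so a negative result proves nothing; the second query is the one that records the call itself, but only if auditing of the package was switched on before the incident. Comparing DBA_JAVA_POLICY against a copy taken from a known-good installation of the same patch level is more reliable than any hand-written exclusion list.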

I’ve got some nice ideas from Paul’s article.

Well done.

László Tóth published his Hacktivity presentation & a tool called pytnsproxy

Wednesday, March 24th, 2010

Today Laszlo sent me an email saying that he has published the English version of his Hacktivity 2009 talk „Oracle authentication“ on his web page. Laszlo was kind enough to give me a private session in English last year at Hacktivity in Budapest.

His presentation contains the following topics:

I like the part where Laszlo shows how to hijack an Oracle session.

This presentation is a must for everyone interested in the Oracle authentication process.

Well done Laszlo.