How Oracle controls access to security vulnerabilities

November 25th, 2009

Shaomin Wang from Oracle has posted an interesting blog entry „How Oracle controls access to security vulnerabilities„. There are 3 different access types: Default Access, Global Access and Hierarchical Access.

Depending from the role inside of Oracle (e.g. Global Product Security staff, normal employees or their managers) people have the right to view an individual security bug or all security bugs.

This is a big improvement comparing to the time when I was an Oracle employee several years ago. At that time everybody inside of Oracle had access to security bug information.

The only problem nowadays are security bugs which are not marked as security bugs because Oracle support employees are not aware of the security impact of a normal bug. These bugs are often accessible via MyOracleSupport even for Oracle customers.

Posted in Allgemein | No Comments »

Metasploit 3.3 is out

November 17th, 2009

Metasploit 3.3, the leading exploit framework is out. Here an extract from the Metasploit blog:

Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws.

Version 3.3. (release notes) is the largest known ruby application (375,000 lines of code) and comes with some new Oracle features

  • Support for the Oracle InstantClient Ruby driver as an exploit mixin
  • Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

Posted in Allgemein, Exploit, Oracle Security, Tools | No Comments »

Security Workshop „Database Activity Monitoring Systems“ in London

November 17th, 2009

In 3 weeks Paul Wright will give an 1 day workshop for SANS (Sat. 5. Dec. in London) about Database Activity Monitoring Systems (DAMS).  Paul will use the free Hedgehog Standard Edition in the class to demonstrate solutions for common problems like user monitoring, defending against public zero days, …

Here is the table of content:

1. Defend against public and zero day attacks via free custom written IDS rules
2. Gain  Compliance
3. User activity monitoring
4. Application monitoring
5. Sensitive data access monitoring
6. Diagnostics prior to changes such as CPU installation.

A case study about using DAMS from Paul Wright is available in the UKOUG Scene magazine (Issue 39).

You should not miss the chance to join this workshop because it can help your company/organization to secure their databases …

Posted in Allgemein, Trainings | No Comments »

New russian Oracle exploit tool „Oracle Security Tools“ (updated)

November 13th, 2009

During my research on Russian websites I found a new security tool called „Oracle Security Tools„. This tool offers different methods to exploit Oracle databases.

Oracle Security Tools

Here is a list of features

  • The privileges escalation of the Oracle users;
  • The verification of system accounts concerning the existence of a default password;
  • Account compliance test of login=password
  • The execution of the PL/SQL code;
  • The privileges escalation in the OS Windows 2000/XP/2003 (add a local user as root and holder of remote connection powers);
  • The infiltration into the OS and the execution of DOS-commands, holding the administrative rights.
  • Viewing the users‘ connections to the database and their activity;
  • Analyse the external TNS listener.log;

After checking the executable on virustotal I run the program on one of my test VMwares. After switching the russian interface to the english interface I not able to run the tool. I always got the error message:

It seems to be a problem with my vmware system and the mulitple Oracle Homes. After switching to another computer the program was working without problems.

Posted in Exploit, Tools | 1 Comment »

Oracle Database Vault is now certified with SAP

November 8th, 2009

I just read that SAP is now certified with Oracle Database Vault. This is an important step to increase the security of SAP systems. Well done Oracle. Let’s see if SAP customers will use this functionality.

The Oracle whitepaper „Best Practices Installing and Configuring Oracle Database Vault in an SAP Environment“ decribes the step-by-step installation of database vault in SAP.

The following screenshot from the document (July-2009) contains an information disclosure bug for the Oracle SID (reported by me, fixed by Oracle with CPU July 2007). It seems that the installation of the security component was done with unpatched security software 😉

Posted in Allgemein | No Comments »

« Older Entries
Newer Entries »