David Litchfield's Weblog

Home
Archives

May 2006
SMTWTFS
 123456
78910111213
14151617181920
21222324252627
28293031   

Valid XHTML 1.0!

Powered By Greymatter

Tuesday, May 16th

Shooting to high?


I found a story today about an intrusion into Ohio University's Oracle database server. Part of the story discusses the problem of default/unchanged passwords and, given the context, might be the vector for the break in. Whether this is the case or not in this particular compromise unchanged/default passwords are a real problem. It makes me wonder whether I and other Oracle security researchers are aiming too high. What I mean by this is that, if most people can't or don't solve their password problems, then what care do they have about (slightly more) complex issues such as plsql injection or buffer overflows? The old adage comes to mind... "You can lead a horse to water..."

david on 05.16.06 @ 08:43 AM CST [link]

Thursday, May 11th

Oracle and the Common Criteria


Recently, I've been looking at the Common Criteria and wondering how Oracle 8.1.7 could've been rated at EAL4 given that there's a pre-authentication buffer overflow when a long username is supplied. Successful exploitation of this overflow defeats every security mechanism tested during the evaluation. It's not just the username overflow, though. What about all the PL/SQL injection flaws that allow a PUBLIC user to get SYS privs? A castle is no castle if the walls are made of sponge.

I know I'm not the first to complain about the CC but this has to be one its most spectacular failures.

Given what we know now there's no way, in my opinion, that it should've been passed. If there's not already, then there should be a path to revocation of accreditation.


david on 05.11.06 @ 05:44 PM CST [link]


Blogging


So this is a blog...
david on 05.11.06 @ 04:18 PM CST [link]