David Litchfield's Weblog

Wednesday, September 10th

Test


Test
kevindunn on 09.10.08 @ 01:03 PM CST [link]


Thursday, October 26th

Unbreakable Linux


Oracle are now claiming to have Unbreakable Linux. See http://www.oracle.com/index.html and http://www.oracle.com/corporate/press/2006_oct/Oracle-Linux-Program.html

They say Redhat customers will be able to get all their patches and support from Oracle.

Oracle can't get their own patches right and out on time - what on earth are they thinking?

Didn't they learn from their last Unbreakable campaign?

david on 10.26.06 @ 03:06 AM CST [link]


Thursday, October 5th

The Oracle Hacker's Handbook


Today I finished the manuscript for the Oracle Hacker's Handbook. It's a follow-on from the Oracle section in the Database Hacker's Handbook, and I cover a number of new areas including Defeating Virtual Private Databases, PLSQL Race Conditions and Indirect Privilege Escalation to DBA. I cover attacking the Oracle Application Server PL/SQL Gateway and methods of bypassing database enforced access control. I skim over the stuff covered in the Database Hacker's Handbook because I don't want people to feel that they only needed half the book because the rest was covered elsewhere. I enjoyed writing it - I hope you guys enjoy reading it.

david on 10.05.06 @ 07:40 PM CST [link]


Tuesday, May 16th

Shooting too high?


I found a story today about an intrusion into Ohio University's Oracle database server. Part of the story discusses the problem of default/unchanged passwords and, given the context, might be the vector for the break-in. Whether this is the case or not in this particular compromise, unchanged/default passwords are a real problem. It makes me wonder whether I and other Oracle security researchers are aiming too high. What I mean by this is that, if most people can't or don't solve their password problems, then what care do they have about (slightly more) complex issues such as plsql injection or buffer overflows? The old adage comes to mind... "You can lead a horse to water..."

david on 05.16.06 @ 08:43 AM CST [link]


Thursday, May 11th

Oracle and the Common Criteria


Recently, I've been looking at the Common Criteria and wondering how Oracle 8.1.7 could've been rated at EAL4 given that there's a pre-authentication buffer overflow when a long username is supplied. Successful exploitation of this overflow defeats every security mechanism tested during the evaluation. It's not just the username overflow, though. What about all the PL/SQL injection flaws that allow a PUBLIC user to get SYS privs? A castle is no castle if the walls are made of sponge.

I know I'm not the first to complain about the CC, but this has to be one of its most spectacular failures.

Given what we know now there's no way, in my opinion, that it should've been passed. If there's not already, then there should be a path to revocation of accreditation.


david on 05.11.06 @ 05:44 PM CST [link]


Blogging


So this is a blog...
david on 05.11.06 @ 04:18 PM CST [link]