The code and slides for my talk was first made available at UKOUG’s web site
http://conference.ukoug.org/default.asp?p=842&dlgact=shwprs&prs_prsid=3130&day_dayid=13
I have edited the content into Word .
Below is the CREATE_DIRECTORY package I have written which means that users do not need to be granted CREATE ANY DIRECTORY in future. Updates to the package will be made to this URL.
–CREATES A [...]
Whilst preparing for UKOUG and talking to another well known Oracle Security expert I had some thoughts about the implications of the CREATE ANY DIRECTORY issue .
Firstly the Oracle utilities could be overwritten with a new binary – LSNRCTL, SQL*PLUS, IMP, EXP and the debugger for instance. It is possible to execute OS binaries [...]
David Litchfield has written a new paper on Oracle Forensics which describes the usage of a new tool authored by David called Cadfile as a pun on Cadfael.
The aim of both tools is to analyse the datafile without having to load it up into the Oracle Server software. The idea would be to first make [...]
Hello Oracle folks,
Just read on Alex’s blog about a couple of Database vault faults.
http://blog.red-database-security.com/2008/11/21/oracle-database-vault-privilege-escalation-exploit-published/
However the number of vulnerabilities in Oracle is not the main controlling factor to threat level. Note that the UK govt have suffered from an average of one data breach per week for the last year. The increased drive capacity, network speed [...]
