Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Archive for March, 2010

Java Forensics In Oracle

Java Forensics In Oracle ~ Part 1 As discussed in last week’s post there is a serious threat in all patched Oracle databases due to vulnerabilities in the Java privilege model as originally published by David. Last week I added the example of recreating the password file with a new SYS password in order to [...]

CREATE SESSION to SYSDBA via Java and orapwd

Hi All, The recent Java Security research from David, formerly of NGSSoftware, could be summarised simply as follows: DBMS_JVM_EXP_PERMS can be used to grant Java privileges in the Oracle DB, which can then be leveraged via the DBMS_JAVA or DBMS_JAVA_TEST packages to gain DBA; therefore one should revoke public execute from those packages and grant to [...]
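The check and the hardening the excerpt describes, as an added SQL example (not code from the original post or from David's research): it lists who holds EXECUTE on the three packages and which Java permissions PUBLIC already has, then revokes the packages from PUBLIC and grants them to a named role. The role name JAVA_ADMIN_ROLE is a hypothetical choice for this example; DBA_TAB_PRIVS and DBA_JAVA_POLICY are the standard data dictionary views.

```sql
-- 1. Which grantees can execute the packages named in the post?
--    PUBLIC appearing here is the exposure the post is about.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
ORDER  BY table_name, grantee;

-- 2. Which Java permissions have already been granted to PUBLIC?
--    Unexpected rows here (e.g. java.io.FilePermission with write actions)
--    are worth investigating before and after the revoke below.
SELECT kind, grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  grantee = 'PUBLIC'
ORDER  BY type_name, name;

-- 3. Hardening: take the packages away from PUBLIC and hand them to a
--    dedicated role. JAVA_ADMIN_ROLE is a hypothetical name for this example.
CREATE ROLE java_admin_role;

REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_java          FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_java_test     FROM PUBLIC;

GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO java_admin_role;
GRANT EXECUTE ON sys.dbms_java          TO java_admin_role;
GRANT EXECUTE ON sys.dbms_java_test     TO java_admin_role;

-- 4. Verify: re-run step 1. PUBLIC should no longer be listed for any of
--    the three packages; only JAVA_ADMIN_ROLE (and whoever you grant it to).
SELECT grantee, table_name
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
AND    grantee = 'PUBLIC';
```

Caveat: DBMS_JAVA is granted to PUBLIC out of the box and application schemas that call Java stored procedures may rely on it, so run step 1 on a test system first and grant the role (or a direct EXECUTE) to those specific schemas rather than leaving the package public. The revokes take effect for new sessions; existing sessions keep what they already resolved.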

Oracle and Google Nexus

Hi All, Nice paper from Pete on Sentrigo Hedgehog usage which also references the Java vulnerability work by David. I noticed that David’s 11g presentation is up at YouTube http://www.youtube.com/watch?v=IZq3D2pvyNE ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the [...]

sec_return_server_release_banner Secure by Default?

Hello World, Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog. http://www.scmagazineus.com/scawards2010-finalists/section/1309/ Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security. http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html Nice post and good luck with the new blog. Oracle config issues like these are interesting [...]

E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks, A vulnerability in E-Business Suite R12 requires the non-default diagnostics mode, so it is low risk. http://www.securityfocus.com/archive/1/509460 Having said that, it is worth keeping an eye on Internet-facing Oracle applications, though there is not a huge amount on this from O’Reilly and Apress. Google Books has a relevant book free of charge named “Security, Audit and [...]