SYS Throttler Update
Hi Oracle Security folks,
Been a busy couple of years but have survived to tell the tale.
So, summarising the last two years in terms of memorable research, the following springs to mind:
David's CREATE INDEX privilege escalation vulnerability.
Joxean's impressive TNS Poison research, demonstrating how an attacker can proxy DBA commands by inserting their own instance in the signal path.
Laszlo's oradebug research here, and
Esteban's very interesting crypto issue: http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol. The latter is still live, with the Oracle PSU out on October 16th and nmap already updated to enable a user's password hash to be derived from the packet of a failed logon.
Talking of nmap, I was surprised to see that Hakin9 magazine had been the victim of a spoof nmap paper, as reported at the Register here. The reason I was surprised was that the spoof really was incredibly high on the BS scale, and anyone reading it should have realised it was a mickey-take (SCIGEN has been around for at least 7 years now). The other reason I was surprised is that I had also been approached by Hakin9, and my newest article is now on the front cover of the brand new issue – lol! Hmm, how best to react to this one? Well, there are some very prestigious names on the spoof, but I can only speak for myself, and I have to say that I received remuneration for my new article and the content was beta tested by Hakin9, so the new article is good. I think my reasonable experience with Hakin9 may be due to an improvement necessitated by the recent foul-up. Definitely a good idea for folks to exercise the humour muscles on this one, methinks, and it seems that the spoof has resulted in an improvement to publication standards, so I guess we should say thanks.
In a nutshell, my new article is about the continued lack of throttling for failed connections as SYS, which combines with the lack of profiles for SYS (so no FAILED_LOGIN_ATTEMPTS lockout applies) to cause a large risk. The paper shows how to mitigate this problem by adding a throttling trigger (thanks Joe), and by centralising the DB audit trail to enable Distributed Database Forensics to be done efficiently by one analyst.
I have also fed back to Hakin9 that the code snippets are sometimes formatted a bit awkwardly in the magazine, but the fact that Hakin9 kindly allow authors to self-publish their work as well means that I can provide the original here with easier-to-read formatting.
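To make the throttling idea concrete, here is an added illustration of the mitigation shape described above; it is not the trigger from the Hakin9 article nor Joe's code, and the table name, trigger name, delay value and attempt threshold are my own assumptions. It relies on the documented behaviour that an AFTER SERVERERROR trigger fires for ORA-01017 (invalid username/password), records each failed attempt with client details for later forensics, and holds the failing session for a few seconds once a source has produced several failures in a short window. Whether the attempted username is visible via ora_login_user inside the trigger varies by version, so the username column is recorded on a best-effort basis; test on your own release before relying on it.

```sql
-- Added example, not the article's own code. Assumes an Oracle 11g database,
-- run as SYS, with DBMS_LOCK available to the trigger owner.

-- Forensic record of failed logons: one row per ORA-01017, kept in the DB so
-- it can be shipped to the central audit repository along with AUD$.
CREATE TABLE sys_failed_logon_log (
  attempt_time TIMESTAMP      DEFAULT SYSTIMESTAMP,
  username     VARCHAR2(128),          -- best effort, see note in trigger
  client_ip    VARCHAR2(64),
  client_host  VARCHAR2(256),
  client_prog  VARCHAR2(256)
);

CREATE OR REPLACE TRIGGER sys_logon_throttle
AFTER SERVERERROR ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;        -- log row must survive the failed logon
  v_ip      VARCHAR2(64);
  v_recent  PLS_INTEGER;
  c_window  CONSTANT INTERVAL DAY TO SECOND := INTERVAL '60' SECOND; -- assumed
  c_limit   CONSTANT PLS_INTEGER := 3;  -- failures per window before delaying (assumed)
  c_delay   CONSTANT NUMBER      := 5;  -- seconds; keep small to limit self-DoS risk
BEGIN
  -- 1017 = ORA-01017 invalid username/password; ignore every other error
  IF ora_server_error(1) = 1017 THEN
    v_ip := SYS_CONTEXT('USERENV', 'IP_ADDRESS');

    -- Record the attempt for Distributed Database Forensics.
    -- ora_login_user may be NULL or SYS for a rejected logon depending on
    -- release; this is an assumption, so the column is nullable.
    INSERT INTO sys_failed_logon_log (username, client_ip, client_host, client_prog)
    VALUES (ora_login_user,
            v_ip,
            SYS_CONTEXT('USERENV', 'HOST'),
            SYS_CONTEXT('USERENV', 'MODULE'));
    COMMIT;

    -- Count failures from the same source inside the window and, past the
    -- limit, hold this server process before the error is returned. This is
    -- the throttling SYS otherwise never gets, since no profile applies to it.
    SELECT COUNT(*)
      INTO v_recent
      FROM sys_failed_logon_log
     WHERE client_ip = v_ip
       AND attempt_time > SYSTIMESTAMP - c_window;

    IF v_recent > c_limit THEN
      DBMS_LOCK.SLEEP(c_delay);
    END IF;
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    -- Never let the defensive trigger itself block the instance: roll back
    -- the autonomous transaction and fall through to the original error.
    ROLLBACK;
END;
/
```

A check worth doing after deployment: attempt a deliberately wrong SYS password from a test client several times and confirm both that rows appear in sys_failed_logon_log with the expected IP_ADDRESS and that the fourth and later attempts take about c_delay seconds longer to be rejected. Keep the delay short and the window per source address, because a trigger that sleeps on every failed logon gives an attacker a cheap way to tie up server processes for legitimate users.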
So, next steps: check out Pete Finnigan's UKOUG SIG presentation at http://www.ukoug.org/events/ukoug-database-server-sig-meeting6/ and also my own presentation at UKOUG's Annual Conference in December, which I am excited about as I get a chance to publish my two years' worth of work in one go.
As this is "Three Tier Oracle Security", I will be blogging about Java security issues in future as well, especially with reference to Adam Gowdiak's work at http://www.security-explorations.com/en/research.html.
Keep safe and secure,