Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed

Archive for Uncategorized

SYS Security

Hello Folks, A few people have told me that they thought only SYS could select db link passwords. Truth is any user with SELECT_CATALOG_ROLE can select the passwords from ku$_dblink_view as well. SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) password from ku$_dblink_view; NAME ——————————————————————————– USERID —————————— PASSWORD ——————————————————————————– TEST_LINK.ENTERPRISE.INTERNAL.UK DBLINK_ACCOUNT mongo If missing execute on [...]

Database Link Security

Hello Oracle Security folks, Good news and bad news – which would you like first? Ok.. so the bad news is that these user/role/privileges can select and decrypt DBLink passwords on 11.2, as the key to decrypt the ciphertext is included in the password itself. •SYS •SYSDBA •DBA •SYS WITHOUT SYSDBA •SYSASM •EXP_FULL_DATABASE •DATAPUMP_EXP_FULL_DATABASE •DATAPUMP_IMP_FULL_DATABASE [...]

sys_throttler and Distributed Database Forensics

Attack, Defense and Forensic Response in a Distributed Database Estate. Paul Michael Wright OCP Written August 23rd 2012 -This article demonstrates the main security weakness in Oracle Databases, in that Failed SYS logons are not delayed and SYS is immune to password profiles which together represent significant risk. -It will then demonstrate a solution [...]

SYS Throttler Update

Hi Oracle Security folks, Been a busy couple of years but have survived to tell the tale. So summarising the last two years in terms of memorable research the following springs to mind.. David’s create index privileged escalation vulnerability. Joxean’s impressive TNS Poision research demonstrating how an attacker can proxy DBA commands by inserting their [...]

Special Event

Hi, Due to work commitments I am not keeping this blog up to date as you will have noticed – so the best way for you to keep up to date is to visit both Pete and Alex’s blogs, or attend events such as that organised by the UKOUG.. Keep safe, Cheers, Paul.

Turning off SYS auditing from the DB without that fact being recorded

Hello World, Thanks to the many folks that attended the Sentrigo Webinar a few hours ago. Marketing had a few problems with the GoToWebinar software which were solved by excellent team work, Dunkirk Spirit and a sense of humour ~ but did result in my being unable to show this demo of how CREATE ANY [...]

Sentrigo Webinar on Tuesday 8th June at 6pm London Time

First EU timed webinar on “securely recording the use of privilege in Oracle databases” went well. There will be a second later webinar timed for the US on Tuesday at this URL. June 8, 10:00am PT/01:00pm ET The content will include the following: -Shortcomings of Oracle’s builtin audit trail. -The generic differences between DAMS [...]

Exadata day ~ ISSD prep and Sentrigo Webinar

Just came back from the Oracle Exadata day where there were some well honed presentation skills on offer. The general message seemed to be that Exadata V2 is bigger and better hardware with faster flash memory, but for general purposes can be regarded as being as a bigger 11g/OEL box. It is certainly more secure [...]


The dust has settled after Infosec and so what remains must by definition be memorable. In my case, I remember discussing the etymology of the word Oracle with a charming marketing exec. Yes, even before the Greeks, Alexander consulted Amun’s Oracle at Siwa and it must have been good advice as he went onto to [...]

JAVA$POLICY$ Past Exploitation Check

Hello Oracle Security interested folks, Firstly thanks to Oracle for referencing my Oracle Wallet article on as well as the interesting comments from our readers. This blog has become quite popular so thank you for your support. I have some excellent news as my company has been selected as a Channel Partner for Sentrigo [...]