Paul Wright

New Year, New Computer with New Nvidia graphics card which enables me to report that Vista 64-bit and Nvidia GeForce 9800 GT work fine with CUDA and BarsWF More graphics cards on the way.. For AMD/ATI users there is CAL which is a similar paralell processing GPU technology. Elcomsoft are using CUDA technology to speed up it’s password [...]

The Computer Chaos Convention has spawned an example of how MD5 collisions can be used to create a rogue CA cert that has the same MD5 as a valid CA cert. The example is interesting but only affects CA Certs that rely on the MD5 checksumming algorithm for the digital signature. This is the minority [...]

Initially a DLP implementation can be labour intensive especially if it requires the categorisation of data into appropriate sensitivity levels. Most security measures have a corresponding cost. This was borne out in Tom Kyte’s presentation on Encryption at UKOUG this year where the encryption routines were measured to show the performance hit of encrypting data [...]

Recovered from UKOUG now, As Alex mentions on his blog GSAuditor has been updated to include 11g passwords and it is very fast. Pete Finnigan’s PL based password cracker can be conveniently run from PL/SQL on the DB in question and is easily modified to take it’s passwords from SYS.USER_HISTORY$ …but bear in mind that the [...]

That was quick..good to know that folks are reading the blog. Christian wrote an email to me specifying the following. Consider this example, which gives access to the root directory: SQL> exec create_directory.createdirectory('rootdir as''/''--','/u01/thisismypath'); It results in the creation of the root directory “/” but without granting the privileges to the user so not a home run but the [...]

The code and slides for my talk was first made available at UKOUG’s web site http://conference.ukoug.org/default.asp?p=842&dlgact=shwprs&prs_prsid=3130&day_dayid=13 I have edited the content into Word . Below is the CREATE_DIRECTORY package I have written which means that users do not need to be granted CREATE ANY DIRECTORY in future. Updates to the package will be made to this URL. --CREATES A [...]

Whilst preparing for UKOUG and talking to another well known Oracle Security expert I had some thoughts about the implications of the CREATE ANY DIRECTORY issue . Firstly the Oracle utilities could be overwritten with a new binary - LSNRCTL, SQL*PLUS, IMP, EXP and the debugger for instance. It is possible to execute OS binaries [...]

David Litchfield has written a new paper on Oracle Forensics which describes the usage of a new tool authored by David called Cadfile as a pun on Cadfael. The aim of both tools is to analyse the datafile without having to load it up into the Oracle Server software. The idea would be to first make [...]

Hello Oracle folks, Just read on Alex’s blog about a couple of Database vault faults. http://blog.red-database-security.com/2008/11/21/oracle-database-vault-privilege-escalation-exploit-published/ However the number of vulnerabilities in Oracle is not the main controlling factor to threat level. Note that the UK govt have suffered from an average of one data breach per week for the last year. The increased drive capacity, network speed [...]

An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB. This paper [...]

Last week we talked about how it has been possible to escalate from DBA to SYSDBA within Oracle and the implication of this due to the higher privileges that SYSDBAs have such as access to the strongest crypto in the DB. Sven has added that “Fine-Grained Access for Network callouts” in 11g can only be [...]

I mentioned a while ago about this SYSDBA privilege escalation http://www.pythian.com/blogs/388/exploiting-sysdba-invoker-rights-using-trigger-on-database. There have been some subsequent comments made that SYSDBA is effectively the same as DBA and so what is the difference i.e. DBA to SYSDBA privilege escalation is not a concern. That got me thinking about the differences between DBA and SYSDBA as they are [...]