Slavik Markovich

Slavik's Blog

CREATE TABLE to OSDBA

Tue, 2009-10-27 13:23
Paul Wright has written an excellent paper on an interesting way to attack Oracle using external tables. It just goes to show that any permission can be abused in the right circumstances. I’m still amazed that UTL_FILE is still granted to PUBLIC by default. Anyways, great work, Paul!

Oracle October 2009 CPU

Wed, 2009-10-21 10:23
Oracle has released the October CPU with 38 announced security fixes (and more under the covers). There are 16 database vulnerabilities, of which a mind-blowing 6 may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Also, 3 of those will allow you to [...]

Blind SQL Injection in Oracle

Tue, 2009-10-13 12:19
I’m doing a lot of presentations where I mention SQL injection and even show detailed examples of both injecting applications and injecting stored program units within the database. What I’d like to do in this post is describe SQL injection types, give concrete examples for web applications and Oracle and talk a bit about blind [...]

Effective and Efficient Regular Expressions

Thu, 2009-10-08 17:00
Another guest post by Roy Fox, Sentrigo’s Head of Security Research. Here is a list of things worth considering when using regular expressions. Some of the tips are Hedgehog related. Use predefined character sets: You should usually prefer using predefined character sets, such as \d, to explicit ones, such as [0-9]. Some character sets provide locale and Unicode [...]

New FPGA-based Oracle passwords cracker

Mon, 2009-10-05 10:53
Dennis Yurichev just dropped me a note about his new web front end for his FPGA-based password cracker. Looks very interesting as now you can write some interesting PL/SQL code to crack passwords directly from the database using this available web interface. Right now, it appears that most users are the usual suspects testing it [...]

Oracle client – changing the program name in the session

Thu, 2009-10-01 23:57
I always wondered how Oracle Client knows to send my program name to the server process to be stored in x$ksuse (v$session). I had my assumptions but finally I had a chance to verify them as a fellow developer asked me this question. I’ve created a simple ocitest C program to connect to Oracle and select [...]

RBS WorldPay site got hacked

Wed, 2009-09-23 06:40
OK, it looks like this was a test site but nevertheless it makes you wonder. Leaving web applications vulnerable to SQL injection and entire databases out there without protection is a sure way to get yourself hacked. It doesn’t even matter if the site was a test site (I hope it was) but we’ve seen many [...]

Passwords leakage from MS SQL Server

Wed, 2009-09-02 11:55
A member of Sentrigo’s security and research team, Assaf Nativ, found an interesting security issue in all versions of MS SQL Server. It turns out that SQL Server keeps in memory, in clear text, the credentials (passwords) of users logging in using SQL Server native authentication. Users using Windows authentication are not affected. Although Microsoft recommends [...]

Yahoo! Local was hacked

Fri, 2009-08-28 16:27
Looks like Yahoo! Local was vulnerable to SQL injection. It turns out that Yahoo! Local was using MySQL 5 and was not securely configured (allowing load_file). Again, this proves that it’s enough to have a single SQL injection vulnerability to open the gate for a complete takeover. Following the recent news that the Heartland breach initially started [...]

Side-Channel Information Leakage using VPD

Tue, 2009-08-18 17:44
A guest post by Roy Fox, Sentrigo’s Head of Security Research. Thanks Roy! Introduction: Black boxes are rarely entirely black. Many have side effects in addition to their functional effects, and virtually all consume external resources of one kind or another. When these effects or consumption are detectable, and when they reveal information on the internal workings, [...]

Metasploit Oracle Auxiliary Modules

Tue, 2009-07-28 11:30
Well, this was bound to happen at one point or another. Chris Gates is going to present at BlackHat some of the work he and others were doing as part of the Metasploit framework. The Metasploit framework now contains some auxiliary modules for doing nasty things to Oracle. The modules include detection, version finding, SID enumeration, [...]

This time, it’s the machine’s fault!

Fri, 2009-07-17 14:56
I found the following vulnerability very interesting. Not the fact that it bypasses SELinux / AppArmor, etc. which is interesting in itself but the fact that according to the description, the compiler removed an “if” block it thought was redundant and thus introduced the vulnerability. So, the developer actually wrote perfectly secure code but in the [...]

Oracle Jul2009 CPU

Tue, 2009-07-14 16:49
Wow, that’s a big one! Not so much as in the number of security bugs fixed but from the severity point of view. Oracle fixed 30 vulnerabilities which is a bit less than the previous CPUs. Most of the problems are in the core database product and centered around the network components. The advanced queueing usual [...]