New and Improved Oracle Exploits Coming at Black Hat

By Lisa Vaas  |  Posted 2007-02-26

Updated: Oracle's slated to be the whipping boy in two Oracle-specific Black Hat briefings and will be among the clump of databases faulted in one general database communication protocol weakness briefing. Expec

Oracle's up for being a whipping boy at Black Hat 2007 Washington, Feb. 28-March 1, with two briefings dedicated to Oracle security and/or insecurity. Cesar Cerrudo, founder of information security service firm Argeniss, is expected to release at least one zero-day vulnerability and exploit code for an Oracle product during his presentation, called "Practical 10-Minute Security Audit: The Oracle Case."

On a related subject, although not focusing on Oracle, Amichai Shulman, co-founder and chief technology officer of data security and compliance vendor Imperva, will deliver a briefing entitled "Danger from Below: The Untold Tale of Database Communication Protocol Vulnerabilities."

But the worst news for Oracle will likely be David Litchfield's presentation, "Advanced Oracle Attack Techniques."

Litchfield, an expert on database security, has discovered a new exploit technique using cursor injection that lets just about any Oracle user adopt the privileges of a database administrator, from which point he or she can then execute arbitrary SQL. The method doesn't rely on any vulnerability, Litchfield said in an e-mail exchange, and it works on all versions of Oracle.

Litchfield, who is co-founder and managing director at NGSS (Next Generation Security Software), in Surrey, England, said he had planned to talk about a method of exploiting PL/SQL injection flaws with low-level privileges, but had backed off due to the ethics of responsible disclosure, namely, that the exploit relied on two unpatched holes.


Litchfield and Oracle have bumped heads over security often over the years. At Black Hat 2006, Litchfield went public with a technical description of a flaw, including a blow-by-blow demonstration of the ease with which an attack could occur. Oracle lashed back, accusing him of endangering its customers for selfish, irresponsible reasons.


Litchfield went public in November 2006 with a research paper that warns that