Musings on Database Security

Oracle Jul2009 CPU

Slavik — Tue, 14 Jul 2009 22:49:35 +0000

Wow, that’s a big one! Not so much as in the number of security bugs fixed but from the severity point of view. Oracle fixed 30 vulnerabilities which is a bit less than the previous CPUs. Most of the problems are in the core database product and centered around the network components. The advanced queueing usual [...]

Accessing Oracle from Python

Slavik — Sat, 04 Jul 2009 01:01:04 +0000

It’s been a while since I’ve updated my blog. I feel guilty Lately, I’ve been using a lot of Python to do my Oracle research and I needed a way to do simple selects across multiple versions and platforms from the same IDLE shell. On top of that, I need to connect as SYSDBA. [...]

Getting OS access using Oracle Database unprivileged user

Slavik — Wed, 22 Apr 2009 17:57:00 +0000

Recently, I read a very interesting paper by Alexandr Polyakov talking about how an unprivileged user can get OS access to the database machine by stealing NTLM challenge-response authentication strings. I really liked the way it was written and the fact that it uses automated metasploit plug-ins that will try to evade detection by using obfuscation [...]

Sentrigo integrates with Repscan to provide vulnerability assessment

Slavik — Thu, 16 Apr 2009 21:23:09 +0000

Anybody using Oracle databases, and anyone who is concerned about vulnerability assessment should be familiar with Repscan - the best scanner for Oracle databases, developed by Alexander Kornbrust’s Red-Database-Security. The scanner, built upon Alex’s extensive experience in doing thousands of pen tests and database reviews, has some very unique features and tests. At Sentrigo, I always [...]

Displaying internal errors to the customer

Slavik — Thu, 09 Apr 2009 18:52:01 +0000

I recently had a discussion with our development team about displaying stack traces to the customer. Looking at this from a support point of view, no doubt that if a customer can tell support exactly what the problem is, it will shorten the investigation and will allow support to pinpoint the issue faster. On the other [...]

Updated FuzzOr

Slavik — Wed, 04 Feb 2009 14:23:47 +0000

I’ve recently updated FuzzOr to include the following: Better functionality when working with types (objects, tables, PL/SQL records, etc.) A feature to generate automatic Hedgehog security rules from the scanning results. For example, if you find a vulnerability, but you are unable to fix it (ie, you don’t own the code, the code is wrapped or you [...]