Oracle8i

From: pfinn999at_private
Date: Tue Jul 17 2001 - 03:43:46 PDT


    Hi All
    
    I was made aware of your thread on Oracle8i by a colleague, and he suggested that, as I have years of Oracle experience, I see if I can add to it. I concur that there is very little about Oracle security out there on the net. I am aware of the listener and suid hacks. I have been tasked by my company with writing a series of papers, on Oracle security mainly, but basic architecture as well and undocumented features.
    
    I have a paper 50% written and some scripts on exploiting the default users and their passwords. Finding out the permissions (roles) granted and seeing if anything of superuser use has been granted when it shouldn't have been. Finding who is a DBA (this is the goal). If you can easily get a DBA then I have a script that allows you to su to any other user, including SYS and SYSTEM. I also show scripts to analyse the database layout, find the version before you get in, find what databases are installed, try ps on Unix, and search directories for scripts accessing Oracle with embedded passwords (it's amazing how many times you see the application owner's password in a script, or a DBA's). I have scripts to see who owns what objects and their permissions. From this you can usually understand who is the schema owner and what the database does. People forget that the most sensitive information for a business is probably in a nondescript table and accessible by many easy-to-get users with no real status! I cover some scripts to check what permissions you have and what they mean, and whether any SYS or SYSTEM objects have access granted to any other users.
    
    I also mention world readable files and external users.
    
    There is an undocumented package dbms_parse_as_user that allows you to run PL/SQL as another user. I also cover auditing to see if you are being watched, and scripts to show who is logged in and what they are executing. I also mention the trigger hack to steal data from an application's tables even when you don't have select permissions on the table.
    
    I have material on how data is stored in Oracle and how to hack redo-log files, export files, data files and trace files, and how to use events you are not supposed to. There is also an undocumented tool, oradebug (you need to be logged on as oracle), that allows you to see into the shared pool. There is also a hidden PL/SQL debugger interface that Oracle have sold to a couple of third-party companies, but it's in the kernel PL/SQL engine.
    
    I have also been investigating the protocol used in the Oracle two-task functionality and find that although the communication is through shared pipes, it's clear text. I hope to find a way in through this.
    
    I am keen to exploit my Oracle knowledge and explore security exploits as much as possible. I would also very much like to assist in your beta testing, as I have a test server with a number of Oracle versions on it.
    
    Hope I haven't gone on too much.
    
    cheers
    
    Pete Finnigan
    Pentest Limited
    Manchester 
    UK
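
A defender's version of the embedded-password and world-readable-file checks the post mentions, as an added example that is not part of the original message: it walks a directory tree, flags Oracle client command lines (sqlplus, sqlldr, exp, imp, svrmgrl, connect) that carry a password inline, and reports whether each file is world-readable. The regular expression, the function names and the sample scripts are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# user/password[@alias] on a client command line. OS authentication ("/"),
# "/nolog" and shell variables ($USER/$PASS) are deliberately not matched.
CRED = r"([A-Za-z][\w$#]*)/(?!\$)[^\s/@]+(?:@[\w.:/-]+)?"
PATTERN = re.compile(
    r"(?:\b(?:sqlplus|sqlldr|exp|imp|svrmgrl)\b(?:\s+-\w+)*\s+(?:userid=)?"
    r"|^\s*conn(?:ect)?\s+)" + CRED, re.I)

def scan_text(text):
    """Return (line_number, username) per inline credential; never the password."""
    found = ((n, PATTERN.search(line)) for n, line in enumerate(text.splitlines(), 1))
    return [(n, m.group(1)) for n, m in found if m]

def audit_tree(root):
    """Walk root and report each hit together with the file's world-readable bit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for lineno, user in scan_text(text):
                findings.append((name, lineno, user, bool(mode & stat.S_IROTH)))
    return sorted(findings)

def demo():
    """Run the audit over constructed sample scripts (not taken from the post)."""
    samples = {
        "nightly_export.sh": ("exp userid=system/Example1 file=full.dmp\n", 0o644),
        "report.sh": ("#!/bin/sh\nsqlplus -s appowner/Example2@PROD @report.sql\n", 0o600),
        "safe.sh": ('sqlplus /nolog @run.sql\nsqlplus "$DB_USER/$DB_PASS"\n', 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_tree(root)
```

Each finding is (file, line, account, world_readable); a hit in a world-readable file is the one to rotate and fix first, and a password on a command line is also visible in ps output while the client runs.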
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:32:51 PDT