
Security Strategy

'Hack your own Oracle database' tool unveiled next week

All in the name of security

Tags: oracle, defcon, hack, database

By Elinor Mills

Published: 24 July 2009 14:23 GMT

During their presentation at the Black Hat and Defcon hacker conferences next week in Las Vegas, security experts will release a tool that can be used to break into Oracle databases.

Chris Gates and Mario Ceballos will present Oracle pen-testing methodology and give out "all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules", according to a summary of their presentation on the Defcon website.

The tools are designed to help companies determine whether their systems are vulnerable, Gates told silicon.com sister site CNET News.com. "There wasn't a good set of [free] tools for auditing Oracle databases," he said.

Gates said he did not contact Oracle about his presentation because none of the exploits or exploitation methods are new and information about ways to mitigate the attacks has been public for some time.

"If administrators haven't applied the patches, then the databases were/are vulnerable," he said when asked if the release of his tool will expose companies running Oracle databases to attack. "Plenty of other tools exist to do exactly what we are releasing. These tools just help streamline the penetration testing process."

Gates is a member of the Metasploit project, an open source platform used for developing, testing, and using exploit code and sharing information related to finding vulnerabilities.

"Over the years there have been tons of Oracle exploits, SQL injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardisation, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access," the presentation summary says.

"We've created your version and SID enumeration modules, account brute-forcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks," the summary says.
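The summary above lists version and SID enumeration and account brute-forcing among the modules. From the defender's side, SID guessing against the Oracle listener leaves a recognisable trace: one client address producing many connection attempts with different SIDs, most of them rejected with TNS-12505 ("listener does not currently know of SID"). The following Python script is an added example, not code from the article or from Metasploit; it assumes the common `listener.log` line layout (timestamp, CONNECT_DATA, client ADDRESS, action, service, return code, separated by ` * `) and runs over a handful of constructed log lines to flag hosts that look like they are enumerating SIDs.

```python
"""Flag SID enumeration against an Oracle listener from listener.log lines.

Added example for detection, not part of the original article. The log
layout below is an assumption about the typical listener.log format:
  timestamp * (CONNECT_DATA=...) * (ADDRESS=...) * establish * service * return_code
"""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): one ordinary client, one client
# with a typo in its SID, and one client walking through several SIDs.
LISTENER_LOG_SAMPLE = """\
24-JUL-2009 14:20:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=40011)) * establish * ORCL * 0
24-JUL-2009 14:20:30 * (CONNECT_DATA=(SID=ORC)(CID=(PROGRAM=sqlplus)(HOST=app02)(USER=batch))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.21)(PORT=40012)) * establish * ORC * 12505
24-JUL-2009 14:21:10 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.55)(PORT=51201)) * establish * ORCL * 0
24-JUL-2009 14:21:11 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.55)(PORT=51202)) * establish * XE * 12505
24-JUL-2009 14:21:11 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.55)(PORT=51203)) * establish * PROD * 12505
24-JUL-2009 14:21:12 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.55)(PORT=51204)) * establish * TEST * 12505
24-JUL-2009 14:21:12 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.55)(PORT=51205)) * establish * DEV * 12505
24-JUL-2009 14:22:00 * service_update * ORCL * 0
"""

TNS_UNKNOWN_SID = 12505  # TNS-12505: listener does not know the requested SID

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
SID_RE = re.compile(r"\((?:SID|SERVICE_NAME)=([^)]*)\)")


def parse_line(line):
    """Return a dict for an 'establish' record, or None for anything else."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) != 6 or parts[3] != "establish":
        return None
    timestamp, connect_data, address, _action, _service, rc = parts
    host = HOST_RE.search(address)      # client address, not the CID HOST
    sid = SID_RE.search(connect_data)   # SID or SERVICE_NAME the client asked for
    if not host or not sid:
        return None
    try:
        rc_int = int(rc)
    except ValueError:
        return None
    return {"time": timestamp, "host": host.group(1), "sid": sid.group(1), "rc": rc_int}


def summarize_by_host(log_text):
    """Per client host: distinct SIDs requested, TNS-12505 count, total attempts."""
    stats = defaultdict(lambda: {"sids": set(), "unknown_sid": 0, "total": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["host"]]
        entry["sids"].add(rec["sid"])
        entry["total"] += 1
        if rec["rc"] == TNS_UNKNOWN_SID:
            entry["unknown_sid"] += 1
    return stats


def flag_sid_enumeration(log_text, min_distinct_sids=3, min_unknown=2):
    """Hosts that requested many different SIDs and were rejected repeatedly.

    Thresholds are illustrative; a single mistyped SID (one rejection, one
    SID) stays below them, a sweep across several SIDs does not.
    """
    flagged = []
    for host, entry in summarize_by_host(log_text).items():
        if len(entry["sids"]) >= min_distinct_sids and entry["unknown_sid"] >= min_unknown:
            flagged.append((host, len(entry["sids"]), entry["unknown_sid"]))
    return sorted(flagged)


if __name__ == "__main__":
    for host, n_sids, n_unknown in flag_sid_enumeration(LISTENER_LOG_SAMPLE):
        print(f"{host}: {n_sids} distinct SIDs requested, {n_unknown} TNS-12505 rejections")
```

Running it on the sample reports only `10.0.0.55`; the host with one mistyped SID stays under the thresholds. Account brute-forcing against a known SID does not show up in the listener log in this way, since the listener hands the connection off successfully; that activity is visible in the database audit trail instead.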

An Oracle spokesperson said the company had no comment.

Original article: Researchers to offer tool for breaking into Oracle databases from CNET News.com
