Penetration Testing mailing list archives

Oracle8i


From: pfinn999 () netscape net
Date: Tue, 17 Jul 2001 06:43:46 -0400

Hi All

I was made aware of your thread on Oracle8i by a colleague, and he suggested, as I have years of Oracle experience, 
seeing if I can add to it. I concur that there is very little about Oracle security out there on the net. I am aware of 
the listener and suid hacks. I have been tasked by my company with writing a series of papers on Oracle security mainly, 
but basic architecture as well and undocumented features.

I have a paper 50% written and some scripts on exploiting the default users and their passwords. Finding out the 
permissions (roles) granted and seeing if anything of superuser use has been granted when it shouldn't have been. 
Finding who is a DBA (this is the goal); if you can easily get a DBA then I have a script that allows you to su to 
any other user, including SYS and SYSTEM. I also show scripts to analyse the database layout, find the version before 
you get in, find what databases are installed, try ps on Unix, search directories for scripts accessing Oracle with 
embedded passwords (it's amazing how many times you see the application owner's password in a script, or a DBA's). I 
have scripts to see who owns what objects and their permissions. From this you can usually understand who is the schema 
owner and what the database does. People forget that the most sensitive information for a business is probably in a 
nondescript table and accessible by many easy-to-get users with no real status! I cover some scripts to check what 
permissions you have and what they mean, and if any SYS or SYSTEM objects have access granted to any other users.

I also mention world readable files and external users.

There is an undocumented package dbms_parse_as_user that allows you to run PL/SQL as another user. I also cover 
auditing to see if you are being watched and scripts to show who is logged in and what they are executing. I also 
mention the trigger hack to steal data from an application's tables even when you don't have select permissions on the 
table.

I have material on how data is stored in Oracle and how to hack redo-log files, export files, data files and trace 
files, and how to use events you are not supposed to. There is also an undocumented tool, oradebug (you need to be 
logged on as oracle), that allows you to see into the shared pool. There is also a hidden PL/SQL debugger interface that 
Oracle have sold to a couple of third-party companies, but it's in the kernel PL/SQL engine.

I have also been investigating the protocol used in the Oracle two-task functionality and find that although the 
communication is through shared pipes, it's clear text. I hope to find a way in through this.

I am keen to exploit my Oracle knowledge and explore security exploits as much as possible. I would also very much like 
to assist in your beta testing, as I have a test server with a number of Oracle versions on it.

Hope I haven't gone on too much.

cheers

Pete Finnigan
Pentest Limited
Manchester 
UK