Whitepaper: Oracle Forensics Part 5 - Finding Evidence of Data Theft in the Absence of Auditing.
05f964f5538507637f62883278dca0fbb358534be66e7a889e548211d48bc52c
Dissection of an Oracle Attack in the Absence of Auditing. Presentation slides from Black Hat 2007 as presented by David Litchfield.
ea0db6b1c967296d75373f0bddcdec3b52590bea40c28dd773a626143ccc0a39
Whitepaper: Oracle Forensics Part 4 - What an incident responder should do during a Live Response on a compromised Oracle server.
83f0aeb9dd27cf69a8be8e6c4848a9202b04c6d3075694610204fed13acc7d0b
Database Security Brief: The Oracle Critical Patch Update for April 2007.
a465cc3fe3cd6f9d61436789abaa6d3353a89cf58084fac1c54a1b580479ea9a
Whitepaper: Oracle Forensics Part 3 - Isolating Evidence of Attacks Against the Authentication Mechanism.
81e72d8d4ad573a25cd1dc2081223589365436cda2fb6120efd95ace839bbc35
Whitepaper: Oracle Forensics Part 2 - Locating Dropped Objects.
4ae3a18f31870f0d43997f9547068790fed32a9e928f6fd5fdfada63b49fbb91
Whitepaper: Oracle Forensics Part 1 - Dissecting the Redo Logs.
b03a861dde27c162bf5629855f2f67c101139bb2deae2410b0349885f1615935
Whitepaper entitled "Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences".
5e052565e3661c687c0142cb2a857a3b5d8400a27ec65832792185de33fbad3d
Defeating Virtual Private Databases, a chapter from the Oracle Hacker's Handbook.
7cf148e1ab70f4357ff232e00ce6a5f24bef89a12e5de8bc87246be02511702f
Indirect Privilege Escalation, a chapter from the Oracle Hacker's Handbook.
7f8124fe32864ca4771a493debdf86f128eba3b844b6479d4bfc1da1fee9ff8a
Whitepaper detailing a potential PL/SQL programming error related to cursors that leads to a new class of vulnerability in Oracle.
8c5057fe16f9b2f304f5725b4b6a9f9f6342e138793b7fb488b2611b317c234a
Whitepaper entitled "Which is more secure? Oracle vs. Microsoft". This article looks at the number of security flaws in Oracle and Microsoft database offerings.
76b1dff89265c886e4fb95a2da210b637f0ae4d28b78e4ee37976c44012de162
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix, multiple file creation/write/read issues were discovered. The LOTOFILE and rlt_tracefile_set functions can be used to create and write to files. The SET DEBUG FILE statement can also be used to create and write to files. All versions are affected.
2affd37ddf15299e22b23ffbd647cb2a6e868929770043427f279f0f699124e2
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix it was discovered that any user can create a database and thus gain DBA privileges. On Informix public has the connect privilege; thus anyone with a login may connect. Public can also issue the create database command. When the database is created, the user that created the database is made a DBA of that database. A DBA can execute code as the informix user and trivially gain root privileges. Versions affected include 9.40.xC6 and earlier and 10.00.xC2, C1.
2e55245ad26b576afca508a68372cfda7bb86b7546b1285a8099dff4c166de4f
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix it was discovered that an overflow could be triggered in a shared library with the SQLIDEBUG environment variable. This can be triggered to gain root privileges by accessing one of the setuid root binaries such as onmode. Versions affected include 9.40.xC6 and earlier and 10.00.xC2, C1.
8955388d97ae74ef45c6d22c01de4a4e9547b265d516e7f9401fb036eba2275d
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix multiple arbitrary command execution flaws were found. It is possible to inject arbitrary operating system commands into the SET DEBUG FILE SQL statement and the start_onpload and dbexp procedures. Any commands injected into SET DEBUG FILE will execute with the privileges of the informix user; any command injected into dbexp or start_onpload will execute with the privileges of the logged on user. All versions are affected.
b5d5e8096254163518ebf4ac4de8efc16ebf88b9ec376fb817120eeb7e23c608
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix, multiple password exposure flaws were discovered. When a user logs on to an Informix server, their cleartext password can be found in a shared memory section. On Windows, "everyone" can open the section and read the contents and thus gain access to the passwords for every logged on user. On both Linux and Windows, in the event of a crash the shared memory is dumped in a log file which is world readable. All versions are affected.
23a0c353bdfb30b80077409ec6689836532d2a232cb2f65d11d7db404804d932
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. During a security assessment of Informix multiple buffer overflow vulnerabilities were discovered that could be exploited via SQL or the protocol. All versions are affected.
0a99d3578e49c0e3c76bcb6cfb33a822c4e9a7ee029cbfec611087fff35ff68d
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. An attacker can force the database server to load an arbitrary library and thus execute arbitrary code. The ifx_load_internal SQL function can be used to load an arbitrary library into the address space of the database server process. By placing code in the DllMain() function on Windows or _init() on Linux, an attacker can have this code execute automatically when the library is loaded. In conjunction with exploiting other flaws, it is possible to remotely create a library over SQL, dump this to the server disk and then load it. All versions are affected.
cc47bb6ff9a3cd8a1becdf64a6684bcdcfeba23e757986e96fe1cef4419ee8f4
NGSSoftware Insight Security Research Advisory - Informix Dynamic Server is a database developed by IBM. When IBM released a patch for the overly long username buffer overflow (CVE-2006-3853) it was discovered that the patch introduced a new buffer overflow vulnerability. Versions affected include 9.40.xC7 and xC8, 10.00.xC3 and xC4.
a524b566bd4e626035409bb6612c2602c95367a1df9a5480ca3957f611ef5203
NGSSoftware Insight Security Research Advisory - When an Informix server logs on a user it copies the username to a 260 byte stack based buffer without first verifying its length. An attacker can exploit this by overflowing this buffer to overwrite the saved return address on the stack and thus redirect the process' path of execution to a location of their choosing. Versions 9.40.xC6 and below are affected. Versions 10.00.xC2 and below are affected.
2a9e85aa496c5f0ce698a7b9dce1377ad7751df65f00e4921b3dea642392da04
Informix: Discovery, Attack, and Defense.
30d3c198f1a5407dc57ce22ec3acc687151a9106b822a114825a198deff50d61
There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS and the Oracle HTTP Server, that allows attackers to bypass the PLSQLExclusion list and gain access to "excluded" packages and procedures. This can be exploited by an attacker to gain full DBA control of the backend database server through the web server.
1065f3171e688a6943367c17316c3c189200259c4f1a0d62c3094f4eff89ca02
Whitepaper entitled 'An Introduction To Heap Overflows On AIX 5.3L'.
7fe6d39248e544c8e5b6ebe39fa4a017668634c3582f64b4ab78f3a53fbf39b8
"Snagging Security Tokens to Elevate Privileges" is a brief that details how a database server running as a low privileged user on Windows can still provide an attacker with the ability to gain elevated privileges on the network and suggests a change in security policy to mitigate the risk. As a side note, this affects all network servers that offer OS based authentication - not just database servers.
ddf0367b0ae123b501921160d18f52c089a3c85c8d21251937bf98c7eee6c567