[Full-disclosure] Two papers on Oracle 11g Security

2010-02-11 Thread David Litchfield
-DC2010.pdf Cheers, David Litchfield

[Full-disclosure] Oracle 11g (11.1.0.6) Password Policy and Compliance

2009-08-25 Thread David Litchfield
e in their April 2009 Critical Patch Update and maps to the currently unspecified vulnerability at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0988 Cheers, David Litchfield NGSSoftware Ltd http://www.ngssoftware.com/

[Full-disclosure] Oracle PL/SQL Injection Flaw in REPCAT_RPC.VALIDATE_REMOTE_RC

2009-08-25 Thread David Litchfield
(http://www.databasesecurity.com/dbsec/cursor-injection.pdf) which was written 3 days after. Cheers, David Litchfield NGSSoftware Ltd http://www.ngssoftware.com/

[Full-disclosure] Bypassing DBMS_ASSERT in certain situations

2009-08-25 Thread David Litchfield
DBMS_ASSERT can be used to prevent PL/SQL injection. In certain cases it can be bypassed. This is documented in a paper I wrote in July 2008 but am only publishing now: http://www.databasesecurity.com/oracle/Bypassing-DBMS_ASSERT.pdf Cheers, David Litchfield NGSSoftware Ltd http

[Full-disclosure] Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2

2009-01-13 Thread David Litchfield
NGSSoftware Insight Security Research Advisory Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2) Severity: High Vendor URL: http://www.oracle.com/ Author: David Litchfield [ dav...@ngssoftware.com ] Reported: 23rd July 2008 Date of

[Full-disclosure] New tool and paper for Oracle forensics...

2008-11-25 Thread David Litchfield
e subject of the paper "Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Examinations". Both the tool (which compiles on Linux, Mac OS X and Windows) and the paper are available from http://www.databasesecurity.com/. Cheers, David Litchfield NGSSoftware Ltd http://ww

Re: [Full-disclosure] Deep Blind SQL Injection Whitepaper

2008-08-19 Thread David Litchfield
Hi Ferruh, > This is a short whitepaper about a new way to exploit Blind SQL > Injections. I just had a read of your paper. You open with: "If the injection point is completely blind then the only way to extract data is using time based attacks like WAITFOR DELAY, BENCHMARK etc." This is not t

Re: [Full-disclosure] Pwnie Awards 2008

2008-07-21 Thread David Litchfield
Hey Alexandr, I see I'm invited to award Brett his pwnie for his SQL flaw if he wins. I'd be more than happy to - after all one bug over 3 years means someone did a really good job ;) Cheers, David

[Full-disclosure] Lateral SQL Injection Revisited - No Special Privs Required

2008-07-18 Thread David Litchfield
At the end of April 2008 I published a paper about a new class of flaw in Oracle entitled "Lateral SQL Injection". The paper can be found here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf Essentially the paper details a way in which the attacker can manipulate the environment

[Full-disclosure] Oracle Application Server PLSQL injection flaw

2008-07-15 Thread David Litchfield
NGSSoftware Insight Security Research Advisory Name: PLSQL Injection in Oracle Application Server Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1 Severity: Critical Vendor URL: http://www.oracle.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Reported: 9th October 2007

[Full-disclosure] A New Class of Vulnerability in Oracle: Lateral SQL Injection

2008-04-24 Thread David Litchfield
Hey all, I've just released some research that demonstrates a new class of vulnerability in Oracle and how it can be exploited by an attacker. You can grab the paper from here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf Cheers, David Litchfield NGSSoftware Ltd

[Full-disclosure] Oracle 11g/10g Installation Vulnerability

2007-11-13 Thread David Litchfield
s/0030.htm - since I reported this to Oracle on the 3rd of November they've updated their security checklist document: http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database_20071108.pdf Cheers, David Litchfield

[Full-disclosure] SQL Injection Flaw in Oracle Workspace Manager

2007-10-17 Thread David Litchfield
(resend with title...) NGSSoftware Insight Security Research Advisory Name: SQL Injection Flaw in Oracle Workspace Manager Systems Affected: Oracle 10g release 1 and 2, Oracle 9i Severity: High Vendor URL: http://www.oracle.com/ Author: David Litchfield [ [EMAIL PROTECTED] ] Reported: 22nd

[Full-disclosure] Another Oracle Forensics Paper...

2007-08-16 Thread David Litchfield
Hey all, For anyone that's interested I've just posted another paper entitled "Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin". You can get this and other papers on Oracle forensics from http://www.databasesecurity.com/oracle-forensi

[Full-disclosure] New Oracle Forensics Paper

2007-08-10 Thread David Litchfield
of the ideas I discussed at Blackhat. Cheers, David Litchfield

[Full-disclosure] Oracle Forensics Part 4: Live Response

2007-05-17 Thread David Litchfield
Hey all, For anyone that wants a copy, I've just posted the fourth paper in the Oracle Forensics series I'm writing to http://www.databasesecurity.com/. This paper covers what an incident responder should do during a Live Response on a compromised Oracle server. Cheers, David Litchf

[Full-disclosure] Analysis of the Oracle April 2007 Critical Patch Update

2007-04-18 Thread David Litchfield
Hey all, I've just posted an analysis of the Oracle April 2007 Critical Patch Update to http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf (URL may line wrap) Cheers, David Litchfield

[Full-disclosure] Three New Papers on Oracle Forensics

2007-04-04 Thread David Litchfield
gainst the Authentication Mechanism You can grab them here: http://www.databasesecurity.com/ Cheers, David Litchfield NGSSoftware Ltd http://www.ngssoftware.com/

[Full-disclosure] Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences

2007-02-25 Thread David Litchfield
the paper from http://www.databasesecurity.com/ - it's called "Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences". Cheers, David Litchfield NGSSoftware Ltd http://www.ngssoftware.com/ +44(0)208 401 0070

[Full-disclosure] Oracle - Indirect Privilege Escalation and Defeating Virtual Private Databases

2007-01-29 Thread David Litchfield
Hey all, For anyone that's interested I've just put out two papers (chapters really); one on Indirect Privilege Escalation in Oracle and the other on Defeating Virtual Private Databases in Oracle. You can grab them here. http://www.databasesecurity.com/dbsec/ohh-indirect-privilege-escalation.pdf

[Full-disclosure] Cursor snarfing - a new class of vulnerability and attack in Oracle

2006-11-27 Thread David Litchfield
Hey all, I've just written a paper detailing a fairly common PL/SQL programming error related to cursors that leads to a new class of vulnerability in Oracle. You can get a copy of the paper from http://www.databasesecurity.com/ . Cheers, David Litchfield NGSSoftware Ltd +44(0) 208 401 0070

[Full-disclosure] Analysis of the Oracle October 2006 Critical Patch Update

2006-10-18 Thread David Litchfield
rity.com/oracle/OracleOct2006-CPU-Analysis.pdf, Cheers, David Litchfield NGSSoftware Ltd http://www.ngssoftware.com/ +44(0) 208 401 0070

[Full-disclosure] ASLR now built into Vista

2006-05-25 Thread David Litchfield
has just got a lot harder. I've not done a thorough analysis yet but, all going well, this is a fantastic way for Microsoft to go and builds on the work done with NX/DEP and stack cookies/canaries. Cheers, David Litchfield [1] http://msdn.microsoft.com/windowsvista/downloads/products/getth

[Full-disclosure] Re: How secure is software X?

2006-05-13 Thread David Litchfield
ontent/Wiki.jsp?page=Welcome) Also there's a project of US DHS/NIST and probably others called SAMATE Software Assurance Metrics and Tool Evaluation http://samate.nist.gov/index.php/Main_Page which might be of interest. Adam On Fri, May 12, 2006 at 02:59:17AM +0100, David Litchfield wrote: |

Re: [Full-disclosure] How secure is software X?

2006-05-11 Thread David Litchfield
s that it is a standard. As such efforts should be entirely reproducible. Have 3 or more people follow that standard and compare results at the end. If there's a discrepancy someone's not following the standard. The other aspect of course is that it's trivial to write and verify to

[Full-disclosure] How secure is software X?

2006-05-11 Thread David Litchfield
that are attempting to achieve the same thing. If anyone is currently working on this stuff or would like to get involved in thrashing out some ideas then please mail me - I'd love to hear from you. Cheers, David Litchfield http://www.databasesecurity.com/ http://www.ngssoftware.com/

Re: [Full-disclosure] MS06-019 - How long before this develops into aself propagating email worm

2006-05-11 Thread David Litchfield
experience is anything to go by the only missing ingredient is proof of concept code released by a well meaning security researcher! Cheers, David Litchfield

[Full-disclosure] Oracle - the last word

2006-05-09 Thread David Litchfield
Oracle to fix them but, from now on, I'll leave the proselytizing to others. Oracle have moved sufficiently forward enough, and with enough momentum (now), that I believe they've passed the point of no return and can do nothing but eventually end up where we all want them to be. Cheers,

[Full-disclosure] Oracle, where are the patches???

2006-05-02 Thread David Litchfield
y 2006 critical patch update was re-issued seven times, the October 2005 CPU three times and the July 2005 CPU was re-issued nine times. The story is the same for earlier CPUs. Mary, Mary, quite contrary to what you'd have us believe about Oracle's security track record, it's

[Full-disclosure] Recent Oracle exploit is _actually_ an 0day with no patch

2006-04-26 Thread David Litchfield
this package will help mitigate the risk. Cheers, David Litchfield NGSSoftware Ltd http://www.ngssoftware.com/ +44(0)208 401 0070 ** Oracle's response to 13/04/2004 report ** Thanks David. This will also be investigated. This will be reference number 2004S141E. Andrew Oracle Securit

[Full-disclosure] Multiple critical and high risk issues in Oracle's database server

2006-04-18 Thread David Litchfield
NGSSoftware has discovered multiple critical and high risk vulnerabilities in Oracle's Database Server. Versions affected include Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2 Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5 Oracle9i Database Release 2, versions 9.2.0.6, 9

[Full-disclosure] Advisory - -Thu Mar 16 14:27:08 EST 2006- - Buffer Overflow in Microsoft Excel

2006-03-16 Thread David Litchfield
Advisory - -Thu Mar 16 14:27:08 EST 2006- - Buffer Overflow in Microsoft Excel 1. BACKGROUND There has had been no background. 2. WORKAROUND This vulnerability has no workarounds. 3. CVE INFORM

[Full-disclosure] More on the workaround for the unpatched Oracle PLSQL Gateway flaw

2006-02-02 Thread David Litchfield
denied.htm?attempted-attack # Thanks, Mike Pomraning! For those that haven't been able to adopt the workaround because it would break their specific application, the modified workaround should work in your situation. Cheers, David Litchfield

[Full-disclosure] The History of the Oracle PLSQL Gateway Flaw

2006-02-02 Thread David Litchfield
ly if the web users request starts with "banking" and reject everything else. This is an entirely much more secure and robust solution than the "black list" approach. Will we ever be given this as a solution? Who knows. As it seems providing a decent security solution is beyond

[Full-disclosure] Workaround for unpatched Oracle PLSQL Gateway flaw

2006-01-25 Thread David Litchfield
attack I don't think leaving their customers vulnerable for another 3 months (or perhaps even longer) until the next CPU is reasonable especially when this bug is so easy to fix and easy to workaround. Again, I urge all Oracle customers to get on the 'phone to Oracle and demand the re

[Full-disclosure] AIX Heap Overflow paper

2005-12-15 Thread David Litchfield
p.pdf Cheers, David Litchfield

[Full-disclosure] Snagging Security Tokens to Elevate Privileges

2005-11-18 Thread David Litchfield
I've just put up a Database Security Brief; the first of many to come. http://www.databasesecurity.com/dbsec-briefs.htm It's called a brief because there's enough meat to make it interesting but not enough to make it a paper ;) This brief, Snagging Security Tokens to Elevate Privileges, details

Re: [Full-disclosure] Framework for the aid of exploiting SQL injection

2005-11-17 Thread David Litchfield
Hi Roman, Is there any recommended tool which helps to get databases tables, entries, structure, etc, given a particular SQL injection bug in one application? I mean, it should *automatically* try different sentences to figure out the names of the columns and in general, other useful info from th

Re: [Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread David Litchfield
Hi Eliah, David Litchfield wrote: Hey all, I've just put up a paper on a curious flaw that appears when running a My intent is not to MS-bash here, but perhaps Microsoft is to blame for not educating people about this issue. (If they had, your paper would be superfluous.) Usual

[Full-disclosure] Database servers on XP and the curious flaw

2005-11-16 Thread David Litchfield
the Unintended Consequences of Simple File Sharing". It doubles-up as my entry for the "Longest Title" award. Cheers, David Litchfield http://www.databasesecurity.com/ http://www.ngssoftware.com/

Re: [Full-disclosure] Not the real n3td3v

2005-11-15 Thread David Litchfield
Will the real n3td3v please stand up, please stand up? ... couldn't resist... sorry David

[Full-disclosure] Three years and ten months without a patch

2005-11-15 Thread David Litchfield
already done so. Cheers, David Litchfield http://www.databasesecurity.com/ http://www.ngssoftware.com/ More commentary on this available here http://www.databasesecurity.com/oracle-commentary.htm

[Full-disclosure] Re: [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined Functions

2005-08-08 Thread David Litchfield
Buffer Overflow in MySQL User Defined Functions Risk level: LOW Credits: This vulnerability was discovered and researched by Reid Borsuk of Application Security Inc. How can this even be marked as low risk? If you're loading a library into mysql's address space then you're already executing "ar