Security experts will be releasing a tool that can be used to break
into Oracle databases during their presentation at the Black Hat and
Defcon hacker conferences next week in Las Vegas.
Chris Gates and Mario Ceballos will present Oracle Pentesting
Methodology and give out "all the tools to break the 'unbreakable'
Oracle as Metasploit auxiliary modules," according to the summary of
their presentation on the Defcon Web site.
Gates is a member of the Metasploit project, an open-source platform
used for developing, testing and using exploit code and sharing
information related to finding vulnerabilities.
"Over the years there have been tons of Oracle exploits, SQL Injection
vulnerabilities, and post exploitation tricks and tools that had no
order, methodology, or standardization, mainly just random .sql files.
Additionally, none of the publicly available Pentest Frameworks have
the ability to leverage built-in package SQL Injection vulnerabilities
for privilege escalation, data extraction, or getting operating system
access," the presentation summary says.
"We've created your version and SID enumeration modules, account
bruteforcing modules, ported all the public (and not so public) Oracle
SQL Injection vulnerabilities into SQLI modules (with IDS evasion
examples for 10g/11g), modules for OS interaction, and modules for
automating some of our post exploitation tasks," the summary says.
An Oracle spokespeople said the company had no comment.