Since several new Oracle exploits were published this week, I thought it would be a good time to provide some background on exploits.
A topic of conversation whenever discussing Oracle security vulnerabilities is the complexity of exploiting such vulnerabilities. Most Oracle professionals have only a cursory understanding of buffer overflows, SQL injection, cross-site scripting (XSS), privilege escalation, etc., and thus believe it is difficult to exploit many of the security bugs fixed in Oracle Critical Patch Updates. Most Oracle vulnerabilities are indeed very difficult to exploit based solely on the information delivered by Oracle. Significant research, deep knowledge of the Oracle product, dissection of patches, and time are required to develop a new exploit. However, after developing a few exploits, the process becomes much easier, and an experienced professional may be able to develop a fully functional exploit in a matter of hours.
However, all is not lost for the newbie, novice attacker. Fortunately for those looking to reap ill-gotten fortunes from security-lax corporations, security researchers routinely publish detailed exploit code for at least a handful of the security bugs fixed each quarter. Any Oracle developer could easily execute almost all of these published exploits. With even limited knowledge of SQL and Oracle, an accounts payable clerk who did a little homework could possibly exploit some of these vulnerabilities. (Those of you who think the accounts payable clerk example is far-fetched should read the Secret Service's Banking and Financial Sector "Insider Threat Study".)
The published exploit code is not on some obscure web site; rather, it is frequently published on a number of reputable web sites and popular mailing lists. Simple Google searches on phrases like 'oracle exploits' return numerous hits. A recent trend has been to incorporate evasion techniques into the exploit code, just in case an organization has deployed a database intrusion prevention system.
Two well-organized sites with many published exploits are:
- Red Database Security
Both these sites are worth a visit to understand how simple it is to use many of these published exploits and how important it is to properly protect databases, application servers, and applications.