Black Hat: Oracle database vulnerabilities exposed again

Visitors to the Black Hat security conference in Las Vegas have seen renowned expert David Litchfield score again against Oracle’s database by demonstrating an exploit that would allow him to take control as an administrator.

Litchfield, chief security architect at Accuvant Labs, demoed what he called the PWNORACLE exploit against the Oracle 11g database, earning applause from his audience, some of whom also photographed the exploit code he projected on-screen. In 2010 at a Black Hat event, Litchfield showed how to subvert security in the 11g database by exploiting zero-day vulnerabilities.

This week's Litchfield demo was part of a larger presentation about Oracle database flaws pertaining to indexes.

Litchfield said he has already reported the vulnerability he discovered to Oracle and thought they would have fixed it by now.

Litchfield -- whose arm was bandaged due to a mild bite from a great white shark, sustained while photographing underwater from a protective cage -- emphasized during his talk that Oracle has shown marked improvement in holding down vulnerabilities found in its database versions over the past two years.

Still, the recent push from Anonymous to break into databases means that security managers need to understand how hackers break in, Litchfield said.
