Black Hat zero-day Oracle hack
In a demo of Oracle 11g Enterprise Edition, Litchfield showed how to execute commands that let an ordinary user grant himself system privileges and gain "complete control over the database."

Until Oracle remedies the zero-day flaws he exposed, Litchfield advised Oracle 11g administrators to revoke public execute access to certain Java-based functions. He said he expects Oracle to soon release patches for the problems he identified and he intends to publish a white paper on the topic. He added Oracle appears to be relying too much on security tools to catch problems after its product is shipped.
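As an added example (not from the article, and not code from Litchfield or Oracle), this is how an Oracle 11g DBA could act on the advice above: first list which SYS objects PUBLIC can execute that appear to be Java-backed, then revoke a specific one. The article does not name the functions Litchfield meant, so the object name in the REVOKE is a placeholder, and the name/type filters are a heuristic rather than an authoritative list; `DBA_TAB_PRIVS` and `DBA_OBJECTS` are standard Oracle data-dictionary views.

```sql
-- Added example, not from the article. Audit EXECUTE grants to PUBLIC on
-- Java-related objects owned by SYS. The name/type matching is a heuristic
-- (assumption): a PL/SQL wrapper around Java shows up as a PACKAGE, not as a
-- JAVA CLASS, so we also match on object names containing JAVA or JVM.
SELECT DISTINCT p.owner, p.table_name AS object_name, o.object_type
  FROM dba_tab_privs p
  JOIN dba_objects  o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
   AND p.owner     = 'SYS'
   AND o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION',
                         'JAVA CLASS', 'JAVA SOURCE')
   AND (o.object_type LIKE 'JAVA%'
        OR p.table_name LIKE '%JAVA%'
        OR p.table_name LIKE '%JVM%')
 ORDER BY p.table_name;

-- Revoke public execute on one object identified above.
-- <JAVA_PACKAGE_NAME> is a placeholder: the article does not name the
-- affected functions, so substitute the object from your own audit output.
REVOKE EXECUTE ON SYS.<JAVA_PACKAGE_NAME> FROM PUBLIC;

-- Re-run the SELECT afterwards to confirm the grant is gone.
```

Revoking a PUBLIC execute grant affects every schema that relied on it, so run the audit query first, revoke in a test instance before production, and grant EXECUTE back to the specific application users that legitimately need the object rather than to PUBLIC.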

This was a great explanation of the different attack types using numbers, chars, metadata, and pure binary sequences: application fuzzing, protocol fuzzing, and file format fuzzing. Without a doubt, we found this to have been another worthwhile Black Hat Briefing. The information they provided showed our audience how to gather evidence from attacks to use in determining where attacks originate from and the intent behind them.

Maybe it was just the expression on their faces, but there might have been a lot of opposing opinions among onlookers during this briefing.

White hat methodologies versus black hat methodologies were the central theme: attackers versus defenders, offensive versus defensive. We went down the entire trail from information gathering to data collection, with stopovers at vulnerability assessment and exploitation.

This was one of the more exciting briefings at Black Hat DC this year, and we could have gone on way past sundown without running out of Black Hat versus White Hat information security issues to discuss. Black Hat DC was an awesome information security event.

We look forward to seeing you at the next event!

David Litchfield, a researcher at NGS Consulting, demonstrated how a user can subvert security to elevate his privileges and take complete control over Oracle 11g. He also showed how to bypass Oracle Label Security, which is used to set mandatory access controls over information depending on its security level.
