At the DerbyCon 2.0 conference, security experts Laszlo Toth and Ferenc Spala presented a range of attacks, some of them previously unknown, on Oracle databases and SQL servers, and released suitable tools for exploiting them at the same time.

In "Hacking the Oracle Client", Laszlo Toth demonstrated that, although Oracle stores the user name and password for a database connection in encrypted form in the client's main memory, this data remains in memory after the session has ended and can easily be decrypted. A trojan, for example, could exploit this to harvest plain-text passwords from the client, as the ocioralog meterpreter extension impressively demonstrated.

"Think differently about database hacking", a presentation by Laszlo Toth & Ferenc Spala.

The experts also demonstrated how Oracle connections can be hijacked and exploited. Due to the unpatched TNS poisoning security vulnerability, their approach works with any standard Oracle database, unless special security measures for the TNS listener are in place. The presented pytnsproxy TNS proxy, combined with a suitable Metasploit module called tnspoison, allows unauthenticated attackers to sniff out or modify the connections to the database; arbitrary SQL commands can even be sent using the TNS proxy.
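The "special security measures for the TNS listener" mentioned above boil down to one thing: the listener must refuse instance registrations that arrive from the network, because that remote registration is what TNS poisoning abuses to insert a proxy between client and database. The script below is an added example, not one of the tools released at the talk; it checks a listener.ora for the documented Oracle listener parameters that restrict registration (`DYNAMIC_REGISTRATION_<listener>`, `VALID_NODE_CHECKING_REGISTRATION_<listener>` and the older `SECURE_REGISTER_<listener>`). The two sample listener.ora files are constructed for the demonstration, and which of the three parameters a given Oracle release actually honours is an assumption the administrator must confirm against the patch level in use.

```shell
#!/bin/sh
# Added example (not from the DerbyCon talk or its tools): audit a listener.ora
# for settings that stop remote instance registration, the prerequisite for
# TNS poisoning. Assumed parameter names are the ones Oracle documents for
# listener hardening; availability depends on the database version.

# listener_hardened FILE [LISTENER_NAME]
# Returns 0 when FILE restricts registration for the named listener through
# at least one of:
#   DYNAMIC_REGISTRATION_<NAME> = OFF
#   VALID_NODE_CHECKING_REGISTRATION_<NAME> = ON | 1 | LOCAL | SUBNET | 2
#   SECURE_REGISTER_<NAME> = (IPC) and/or (TCPS)
# Returns 1 when none of them is present, i.e. any host that can reach the
# listener port may register a bogus instance.
listener_hardened() {
    file=$1
    name=${2:-LISTENER}
    # Normalise: drop comments, remove blanks, upper-case for comparison.
    cfg=$(sed 's/#.*//' "$file" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    echo "$cfg" | grep -q "^DYNAMIC_REGISTRATION_${name}=OFF" && return 0
    echo "$cfg" | grep -Eq "^VALID_NODE_CHECKING_REGISTRATION_${name}=(ON|1|LOCAL|SUBNET|2)$" && return 0
    echo "$cfg" | grep -Eq "^SECURE_REGISTER_${name}=\((IPC|TCPS)(,(IPC|TCPS))*\)$" && return 0
    return 1
}

demo_dir=$(mktemp -d)

# Constructed sample 1: a typical out-of-the-box listener.ora. Nothing limits
# who may register an instance, so the listener is exposed to TNS poisoning.
cat > "$demo_dir/weak.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )
EOF

# Constructed sample 2: the same listener with registration restricted to
# local instances. SECURE_REGISTER_LISTENER is the alternative for releases
# that lack VALID_NODE_CHECKING_REGISTRATION.
cat > "$demo_dir/hardened.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )
# Only instances on this node may register; remote registrations are refused.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
# Registration accepted over the local IPC transport only.
SECURE_REGISTER_LISTENER = (IPC)
EOF

for f in weak hardened; do
    if listener_hardened "$demo_dir/$f.ora" LISTENER; then
        echo "$f.ora: instance registration restricted"
    else
        echo "$f.ora: remote registration allowed, TNS poisoning mitigation missing"
    fi
done
```

Run it against the real `$ORACLE_HOME/network/admin/listener.ora` with the listener's actual name as the second argument; a listener that reports "remote registration allowed" should be reconfigured and reloaded before the database is reachable from untrusted networks.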

Finally, the researchers presented a meterpreter extension called oralog; this extension is a kind of password sniffer that writes the database passwords of all users who sign in to the database server to a file in clear text. Another Metasploit module, which allows attackers to execute operating system commands, is available for the oradebug vulnerability.

The researchers have made the extension for the Metasploit penetration testing platform available to other security testers and administrators.

(Alexander Kornbrust / djwm)