Slashdot Mirror


Oracle 'Worm' Exploit Modified

answers writes "Two months after an anonymous researcher released the first public example of an Oracle database worm, the exploit code has been advanced and republished, adding new techniques to attack databases. From the article: "It's still very theoretical right now, but I don't think any DBA should be underestimating the risk," said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

2 of 87 comments

  1. doesn't exploit a vulnerability by kpharmer · Score: 4, Informative

    This attack relies on default userids & passwords, not on any vulnerability. Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

    Given enough databases, someone will forget to change these. For that reason any shop with more than a half-dozen databases should be using some kind of application policy-checker that will automatically test for this kind of a policy violation.

    1. Re:doesn't exploit a vulnerability by Zathrus · Score: 2, Informative

      Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

      Nope, scott/tiger is deprecated -- the current sample schemas are separated into multiple users, and they are all disabled by default. These users are installed by default, but it's not hard to tell Oracle to not install them.

      Of course, there's a lot of non-10g databases out there. Heck, there's a lot of pre-8i databases out there still even though you have to pay an arm, leg, and torso for support, if you can get it at all. And scott/tiger (as well as some other default users/passwords) certainly did exist in them.
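As an added example (not from the article or either poster) of the automated policy check kpharmer calls for, and of the locked sample schemas Zathrus mentions: an audit query a DBA can run against the data dictionary. It assumes an Oracle 11g or later database (the DBA_USERS_WITH_DEFPWD view does not exist in 10g or earlier) and a DBA-privileged session; the account names listed are Oracle's own sample schema users.

```sql
-- Audit: which well-known sample/default accounts exist, and are any of them
-- open or still on their vendor-shipped password?  Run as a DBA-privileged user.
-- Assumes Oracle 11g+ (DBA_USERS_WITH_DEFPWD is not present in 10g or earlier).
SELECT u.username,
       u.account_status,
       u.created,
       CASE WHEN d.username IS NOT NULL THEN 'DEFAULT PASSWORD' ELSE '' END AS finding
  FROM dba_users u
  LEFT JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE u.username IN ('SCOTT', 'HR', 'OE', 'PM', 'IX', 'SH', 'BI')  -- Oracle sample schemas
    OR d.username IS NOT NULL                                       -- any other default password
 ORDER BY finding DESC, u.username;

-- Remediation for any hit that is not needed in production: lock the account
-- and force a password change, instead of relying on nobody knowing about it.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Policy rule an automated checker would assert across every database it scans:
-- no sample account may be OPEN, and no account may be on a default password,
-- i.e. this count must be zero.
SELECT COUNT(*) AS violations
  FROM dba_users u
  LEFT JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE (u.username IN ('SCOTT', 'HR', 'OE', 'PM', 'IX', 'SH', 'BI')
        AND u.account_status = 'OPEN')
    OR d.username IS NOT NULL;
```

On a 10g or older instance, drop the DBA_USERS_WITH_DEFPWD join and rely on the account_status check alone; the sample-schema list is still valid there.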