Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle 'Worm' Exploit Modified

Posted by CowboyNeal on from the flirting-with-disaster dept.

answers writes "Two months after an anonymous researcher released the first public example of an Oracle database worm, the exploit code has been advanced and republished, adding new techniques to attack databases. From the article: "It's still very theoretical right now, but I don't think any DBA should be underestimating the risk," said Alexander Kornbrust, CEO of Red-Database-Security GmbH. "If you're running a large company with hundreds of valuable databases, a worm can be very destructive. It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

9 of 87 comments (clear)

  1. yeah. by User+956 · · Score: 3, Funny

    It is very possible to use this code to release a worm. I can do this right now if I wanted to.""

    That seems like an odd quote. Did the author of the article like Double-Dog dare him, or something?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:yeah. by hey! · · Score: 4, Funny
      Odd? Nah, it must sounds awkward because it was edited for brevity. The full quote was:

        It is very possible to use this code to release a worm. I can do this right now if I wanted to. Mwahahaha!
      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. firewalls? by mtenhagen · · Score: 5, Insightful

    How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

    Of course this is an exploit but the impact shouldn't be overrated.

    --
    200GB/2TB $7.95 Coupon: SAVE90DOLLAR
  3. Backup Data? by Artie+Dent · · Score: 5, Insightful

    It seems that any "valuable database" would be sufficiently backed up in non-attackable media. So while it probably could create a lot of hassle, I'd have a hard time seeing this worm bringing down companies.

    1. Re:Backup Data? by KiloByte · · Score: 4, Insightful

      You're assuming that they are run by competent people -- and this is a thoroughly false assumption.

      If I combine everyone from my company and all companies we cooperate with, I can name only two people who consider backups to be anything but an annoying waste of time some pessimists are blabbing about in order to suck in some of their money.
      Redundant hardware runs against the principle of cutting costs; no bean counter would even consider investing in data integrity.

      When I tell people that I installed a script that will back up the most valuable part of the data and dump them to a remote location, the reaction is like: uh, cool, but what if it breaks things?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. doesn't exploit a vulnerability by kpharmer · · Score: 4, Informative

    This attack relies on default userids & passwords, not on any vulnerability. Oracle used to use default scott/tiger userid/passwd. I think it still does in 10g, but I'm not positive.

    Given enough databases, someone will forget to change these. For that reason any shop with more than a half-dozen databases should be using some kind of application policy-checker that will automatically test for this kind of a policy violation.

  5. The Realm of the Professional Cracker by mosel-saar-ruwer · · Score: 4, Insightful

    How many oracle db's are connected directly to the internet? Even within most company's their isnt a direct connection option to the db but only thru an application.

    Here you begin to enter the realm of the professional cracker [apologies to chef], my little padawan novitiate.

    The professional employs something like the WMF vulnerability to crack the client OS, and then uses the client application to crack the DB.

    And when he's seen what he needs to see, the professional tidies up and removes any evidence of his intrusion.

    In all seriousness, the PRC Red Army's "TITAN RAIN" operation is more than a little troubling in this regard:

    The Invasion of the Chinese Cyberspies
    (And the Man Who Tried to Stop Them)

    ...The hackers he was stalking, part of a cyberespionage ring that federal investigators code-named Titan Rain, first caught Carpenter's eye a year earlier when he helped investigate a network break-in at Lockheed Martin in September 2003. A strikingly similar attack hit Sandia several months later, but it wasn't until Carpenter compared notes with a counterpart in Army cyberintelligence that he suspected the scope of the threat...

    http://www.securityteam.us/article.php/20050829200 849601/print

    http://it.slashdot.org/article.pl?sid=05/08/28/174 5245

  6. Blackmailing Oracle by Xemu · · Score: 3, Interesting
    Alexander Kornbrust, CEO of Red-Database-Security GmbH. "...It is very possible to use this code to release a worm. I can do this right now if I wanted to." (emphasis mine)

    Doesn't this sound very much like something a blackmailer would say?

    Alexander is an ex-Oracle employee. I wonder if he was let go because of his poor judgement.

    --
    Tell your friends about xenu.net
  7. This sounds so familiar. by DeltaHat · · Score: 3, Funny

    It is very possible to use this code to release a worm. I can do this right now if I wanted to.

    MICHAEL
    I'm gonna find out the hard way that I'm not a pussy if they don't start treating us software people better.

    SAMIR
    That's right.

    MICHAEL
    They don't understand. I could come up with a program that could rip that place off big time...big time.

    PETER
    Yeah.