10 Oracle Bugs in 10 Minutes

ARLINGTON, Va. -- Black Hat DC -- The researcher who scrapped plans for a week of Oracle bugs late last year found nearly a bug a minute in the database software during an audit demonstration of the database software here today.

Cesar Cerrudo, CEO of Argeniss, demonstrated a simple 10-minute audit that developers and security managers can use with free tools such as Process Explorer, WinObj, Pipeacl, and Interactive Disassembler (IDA) to determine the security of Windows applications. He found the process-permissions bugs in Oracle version 10g R2 running over Windows. Weak permissions parameters can let an attacker manipulate objects in an app.

The bugs were very easy to find, he says. "The new version of Oracle is more secure than previous versions, but that doesn't mean it is secure," Cerrudo says. Oracle still has a lot of work to do, he says.

"In this case, I showed it on Oracle. But any [database] software could be affected." Most of the bugs Cerrudo found would allow an attacker to launch a denial-of-service attack, and some, to execute code remotely.

Security experts agree such a simple hack with free and easily accessible tools is a bit unnerving.

"These kinds of permissions problems are rampant on Windows-based applications. It's probably not just Oracle," says Steve Christey, principal information security engineer for Mitre. "And not many people [researchers] are looking at this issue" at this time.

Cerrudo demonstrated proof-of-concept exploit code he had developed and emphasized how simple the techniques for finding these bugs are. "You don't need any [special] skills" to use these tools and find bugs, he says. "You just follow some basic instructions."

— Kelly Jackson Higgins, Senior Editor, Dark Reading