[ISN] Oracle Hacker Gets The Last Word

[InfoSec News]

http://www.forbes.com/2010/02/02/hacker-litchfield-ellison-technology-security-oracle.html

By Andy Greenberg
Forbes.com
02.02.10

ARLINGTON, Va. -- In 2001, Larry Ellison brashly proclaimed in a keynote 
speech at the computing conference Comdex that his database software was 
"unbreakable." David Litchfield has devoted the last nine years to 
making the Oracle chief executive regret that marketing stunt.

At the Black Hat security conference Tuesday afternoon, Litchfield 
unveiled a new bug in Oracle's 11G database software, a critical, 
unpatched vulnerability that would allow a hacker to take control of an 
Oracle database and access or modify information at any security level. 
"Anything that God can do on that database, you can do," Litchfield told 
Forbes in an interview following his talk.

The attack that Litchfield laid out for Black Hat's audience of hackers 
and cybersecurity researchers exploits a combination of flaws in 
Oracle's software. Two sections of code within the company's database 
application--one that allows data to be moved between servers and 
another that allows management of Oracle's implementation of java--are 
left open to any user, rather than only to privileged administrators. 
Those vulnerable subroutines each have their own simple flaws that allow 
the user to gain complete access to the database's contents.

Litchfield says he warned Oracle about the flaws in November, but they 
haven't been patched. Oracle didn't immediately respond to a request for 
comment.

The bug is far from the first that 34-year-old Litchfield has outed on 
Oracle's behalf. As a cybersecurity researcher and penetration tester, 
Litchfield has exposed more than a thousand database software security 
flaws, mostly in Oracle's code.

[...]