.

Gates Get Shoutout from Dark Reading

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Feb 27, 2009 10:19 pm

Gates Get Shoutout from Dark Reading

From John Sawyer's article, "Oracle Patches Get Bad Rap":


What I do want to point out for you infosec pros and pentesters is a great resource on hacking Oracle servers. Chris Gates has put together some awesome examples of using the Metasploit Framework's Oracle modules over the last few months on his blog, Carnal0wnage. If you have Oracle servers in your environment or perform pentests for companies who use Oracle, take the time to walk through the examples and test out the modules. You never know when they might come in handy.



For entire story:
http://www.darkreading.com/blog/archive ... tches.html

Keep up the good work, Chris.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sat Feb 28, 2009 2:05 am

Re: Gates Get Shoutout from Dark Reading

Congrats Gates. This one'll definitely up your reputation more. 8)
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

LSOChris

Post Sat Feb 28, 2009 8:08 am

Re: Gates Get Shoutout from Dark Reading

thanks!
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Feb 28, 2009 10:51 am

Re: Gates Get Shoutout from Dark Reading

<Oracle_Rant>

I used to be an Oracle DBA, worse actually, Oracle Applications DBA.  For those of you not familiar with Oracle Apps, it's basically their ERP suite, CRM, Inventory and others, powered by Oracle RDBMS.  It includes Apache, Tomcat, tons of JSP pages, tons of shell scripts, tons compiled java code, etc.  The installation literally used to come on 50 CDs.  Most people run it on at least two servers.  I hate to admit it, but I have skipped patching the behemoth on more then one occasion.  Here is why....

Most Oracle patches have prerequisites.  Those prerequisites have their own prerequisites.  By the time you figure which patch you have to start with, you have forgotten what you are patching.  Once you have applied the patches,  you have to figure what those patches broke, and they will break something.  It's not always evident in the hundreds of GB of code what's broken.  By the time you find the issue, you have more patches  that you have apply.  If you are lucky, you don't have to go back to your backup and restore the entire monster. 

And then you get into custom code that is somewhat unsupported by Oracle.  If you patch something, it will break it.  Why do we have custom code in Oracle?  Because Oracle Apps is great if you you are making widgets.  If you don't, you need to customize.  Oracle will give you a great deal on the software, even 80% off the sticker price.  The customization will cost a few million $$ depending on your size.

Oh, and you can't update Java on your machine to the latest version, because the latest version is never certified by Oracle.  All the Java security issues that are so well documented, guess what, you can't patch those.  Oracle has yet to "certify" that they won't break anything.  I find their "certification" quite hilarious actually.

Test systems don't always behave the same way as the production systems.  Just because you've successfully patches a test system, it doesn't mean you get to sleep shortly after patching the production system.

I can go on, but in short it's a mess.  I don't see how Oracle can consider itself security-conscious, at least with Oracle Apps.  Oracle RDMS by itself is a different story.  Complexity and security are never friends, and calling this beast Complex is quite an understatement.  There is an unwritten rule among very experienced Oracle Apps DBAs.  You don't patch if it ain't broken. 

</Oracle_Rant>

I am interested in what others think about this as well.  As you can see, I have some deep emotional scarring inflicted by Oracle :).  What about you guys?  Have you had experience with Oracle Apps?  I can't imagine that any installation will pass an Audit or a Pen Test.  I've never worked with SAP.  Does anyone know if that's any different?
~~~~~~~~~~~~~~
Ketchup

Return to Gates

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software