I attended Black Hat Vegas last week and of course went to see David Litchfield’s presentation. It started rather slowly, with vulnerabilities I was already familiar with, but he saved the best for last. Another Oracle 0day – and I’ve got the pictures to prove it!
As you can see above, creating a table with a specially crafted BLOB column, creating an ODCI (Oracle Data Cartridge Interface) index on it, gathering statistics and then dropping the table triggers a dynamic statement in which the column name is not properly escaped.
Nice one, David – although we had to scramble and quickly protect against it with our McAfee vPatch solution.
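The bug class described above, a column name stored in the catalog and later pasted into a dynamic statement without escaping, shown as an added example that is not code from the talk or from Oracle. It uses SQLite through Python's `sqlite3` as a stand-in; the table, the column names and the helper functions are constructed for illustration.

```python
import sqlite3

def quote_ident(name: str) -> str:
    """Quote an identifier for dynamic SQL: reject empty/NUL, double embedded quotes."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'

def naive_stmt(table: str, col: str) -> str:
    # Vulnerable pattern: the catalog value is placed between quotes unchanged,
    # so a quote inside the name ends the identifier early.
    return f'SELECT "{col}" FROM "{table}"'

def safe_stmt(table: str, col: str) -> str:
    # Hardened pattern: every identifier goes through quote_ident().
    return f"SELECT {quote_ident(col)} FROM {quote_ident(table)}"

def demo():
    db = sqlite3.connect(":memory:")
    odd = 'body", "owner'  # constructed column name that contains a double quote
    db.execute(
        f"CREATE TABLE docs (body TEXT, owner TEXT, {quote_ident(odd)} TEXT)"
    )
    db.execute("INSERT INTO docs VALUES ('b', 'o', 'x')")

    # Maintenance code reads column names back from the catalog. The name was
    # escaped correctly at CREATE time, but it is stored unescaped, so it is
    # untrusted input again when a later statement is built from it.
    stored = [row[1] for row in db.execute("PRAGMA table_info(docs)")][2]

    naive_rows = db.execute(naive_stmt("docs", stored)).fetchall()
    safe_rows = db.execute(safe_stmt("docs", stored)).fetchall()
    return stored, naive_rows, safe_rows

if __name__ == "__main__":
    stored, naive_rows, safe_rows = demo()
    print("stored name :", stored)
    print("naive result:", naive_rows)  # two columns: statement shape changed
    print("safe result :", safe_rows)   # one column: the one actually named
```

The naive statement returns two columns instead of one, which is the signal to look for when reviewing maintenance or trigger code that builds SQL from dictionary values.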