"Speaking at the BlackHat DC Conference, Litchfield unveiled a flaw in Oracle 11g that would allow a hacker to take over the database server. In an article in Forbes , Litchfield said that his latest bug find was one that would be obvious to any competent software developer."
"It allows an attacker without a user ID and password to take complete control.
All firewalls become irrelevant."
- David Litchfield, as reported by Reuters
Oracle Hacker Gets The Last Word
ForbesDavid Litchfield exposes one last Oracle security bug before walking away from his database battles.
Litchfield's Last Hurrah
Kelly Jackson Higgins, The Dark Dominion"[I've] been bashing heads since Larry Ellison said [Oracle's database] was 'unbreakable.' It was like waving a red flag to a bull," Litchfield quipped during his presentation at Black Hat DC yesterday on his latest research.
Vulnerability in Oracle 11gR2 allows system privileges for all
The HA second bug, however, allows users to adapt these privileges as required. The guilty procedure is DBMS_JAVA.SET_OUTPUT_TO_JAVA. This launches a new Java VM with the privileges of the SYS user and starts by executing any SQL code passed to it with said privileges.