This morning I attended Anatomy of a Database Attack Through Forensics, presented by Josh Shaul of Application Security, Inc.
I've always been interested in the security aspects of Oracle going back to their start at the CIA. I've even gotten myself into trouble proving these types of things to others (I'll never do that again without saying something to someone prior). I've read David Litchfield's The Oracle Hacker's Handbook.
Mr. Shaul went through 2 attack vectors one against 10gR2 and one against 11g. In the 10g attack, the user only had the CREATE SESSION and was able to gain access utilizing a sys package that has a SQL Injection vulnerability. One anonymous block and the DBA role was acquired. I could have sworn that packages in SYS had to be given explicitly? Hmmm...
Attack 2 the user had CREATE SESSION and CREATE PROCEDURE. Creating a procedure within their schema that used Invokers rights. This one was in fact fixed in the most recent (April) CPU. So patch 'em up.
Some other notes from his presentation:
Default accounts and passwords
Easily guessed passwords
Web app attacks (sql injection)
Weak or non-existent audit controls
He also discussed The Heartland data breach which forced us to take a second look at how we did things and ended up tightening up our controls. VPD, Least Privilege, and others were used.
I'm off to Running Oracle in the Amazon EC2 Cloud.