February 4th, 2009
Fuzzing for Oracle database vulnerabilities
Database security vendor Sentrigo has released an open-source fuzz testing tool to help pinpoint security-related coding deficiencies in Oracle databases.
The tool, called FuzzOr, runs on Oracle 8i and is aimed at PL/SQL programmers and DBAs looking to find and eliminate vulnerabilities that may be exploited via SQL injection and buffer overflow attacks — the most common techniques used to launch hacker attacks on databases.
From Sentrigo’s announcement:
- A dynamic scanning tool, FuzzOr enables DBAs and security pros to test PL/SQL code inside Oracle-stored program units. Once vulnerabilities are detected by FuzzOr, a programmer can then repair the PL/SQL code.
Pete Finnigan, who had a look at FuzzOr prior to today’s release, explains the nitty-gritty of how it works:
- It’s written in PL/SQL, tests PL/SQL packages, functions and procedures and is driven by a set of database tables to hold the configuration and the results. The idea is that you can target a particular package or a complete schema.
- The nature of a fuzzer is that it sends random input to a particular function or procedure, so it's running that code hoping to crash it. Therefore, do not run this tool on a production database or any database that you do not want to damage.
The tool is available as a free download (registration required).
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.