On Tue, 9 Sep 2008, douglen (at) hotmail (dot) com [email concealed] wrote:
[snip]
> Of course, I'm looking forward to hearing about other instances of
> this...
Interesting reasearch.
It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"
attack exploiting homoglyphic translation. As outlined by David Litchfield
in an old full-disclosure post [1]:
"It didn't take long to discover that this patch could be bypassed using
the following techinque: due to internationalization, an Oracle database
server will convert the ? character (value 0xFF) to a capital Y. The PLSQL
Gateway will not. Thus, if we request:
On Tue, 9 Sep 2008, douglen (at) hotmail (dot) com [email concealed] wrote:
[snip]
> Of course, I'm looking forward to hearing about other instances of
> this...
Interesting reasearch.
It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"
attack exploiting homoglyphic translation. As outlined by David Litchfield
in an old full-disclosure post [1]:
"It didn't take long to discover that this patch could be bypassed using
the following techinque: due to internationalization, an Oracle database
server will convert the ? character (value 0xFF) to a capital Y. The PLSQL
Gateway will not. Thus, if we request:
http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE
the gateway will happily pass it over to the database server where the ?
is conveted to a Y and we can gain access again".
Cheers,
[1]. See http://seclists.org/fulldisclosure/2006/Feb/0011.html
--
Marco Ivaldi, OPST
Red Team Coordinator Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/
[ reply ]