Hey all,
I've just posted a new tool and paper for Oracle forensics. The tool,
orablock, allows a forensic investigator to dump data from a "cold" Oracle
data file - i.e. there's no need to load up the data file in the database
which would cause the data file to be modified, so using orablock preserves
the evidence. Orablock can also be used to locate "stale" data - i.e. data
that has been deleted or updated. It can also be used to dump SCNs for data
blocks which can be useful during the examination of a compromised Oracle
box. Indeed, this is the subject of the paper "Oracle Forensics Part 7:
Using the Oracle System Change Number in Forensic Examinations". Both the
a popular Black Hat speaker. This month's presenter is David Litchfield of
NGS software, speaking on Oracle database forensics, and he will be
releasing a new tool called orablock which he describes this way:
"Orablock allows a forensic investigator to dump data from a "cold" Oracle
data file - i.e. there's no need to load up the data file in the database
which would cause the data file to be modified, so using orablock preserves
the evidence. Orablock can also be used to locate "stale" data - i.e. data
that has been deleted or updated. It can also be used to dump SCNs for data
blocks which can be useful during the examination of a compromised Oracle
box."
Virus Scan for Linux v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 EVALUATION COPY - May 26 2006
Scan engine v5.1.00 for Linux.
Virus data file v4777 created Jun 05 2006
Scanning for 194376 viruses, trojans and variants.
# gdb /usr/local/uvscan/uvscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
2) Bug
======
RPM is affected by a Unicode buffer overflow during the handling of
the "data file" name used for the creation of the temporary file to
print.
#######################################################################
Debian-specific: no
CVE ID : CVE-2007-4650
Nicklous Roberts discovered that the Reupload module of Gallery 2, a web
based photo management application, allowed unauthorized users to edit
Gallery's data file.
The oldstable distribution (sarge) does not contain a gallery2 package.
The previous gallery package is not affected by this vulnerability.
For the stable distribution (etch) this problem has been fixed in
download it. By default, Word 2000 will open Word Documents in the
browser without prompting.
The vulnerability is triggered by conversion code not properly
validating a counter against the allocated length of a structure before
processing it. Depending on the contents of the data file, control
structures on the stack may be modified as a result, potentially
allowing the execution of arbitrary code.
One factor mitigating the severity of this vulnerability is that, by
default, the converter is not installed until the first time you go to
arbitrary files readable by the webserver via a crafted
HTTP POST request.
CVE-2008-1567
The PHP session data file stored the username and password of
a logged in user, which in some setups can be read by a local
user.
CVE-2008-1149
                payload_length) + payload)
else:
    # If the data is bigger than one chunk, then send multiple
    # chunks and their headers.
    curr_pos = 0         # keeps our current position into the data file content
    resync_chunk = True  # flag to indicate if a new set of chunks should be set
    pos_in_chunk = 0     # keeps our position into the current chunk set
    do_recv = False      # flag to indicate if recv is needed
the vulnerable parameter that is supplied to the application. A
moderately skilled attacker can reverse the obfuscation without any
access to the affected server or source code.
IDENTIFYING VULNERABLE INSTALLATIONS
Vulnerable installations can be identified by the XML data file
generated by SlideShowPro Director and used by the SlideShowPro
component and will have base64-encoded “a” parameters to the “p.php”
function:
<?xml version="1.0" encoding="utf-8"?>