Auditing Oracle with Cesar Cerrudo


Marsmenschen
11-30-2007, 06:16 PM
Cesar Cerrudo of Argeniss (http://www.argeniss.com) published a paper titled “Practical 10 minutes security audit: Oracle Case (http://www.argeniss.com/research/10MinSecAudit.zip)”. You just gotta love his writing style, be sure you can deal with a good deal of sarcasm. The paper is a relatively short but insightful and technically interesting writeup.

From his description: This paper will show an extremely simple technique to quickly audit a software product in order to infer how trustable and secure it is. I will show you step by step how to identify half a dozen local 0day vulnerabilities in a few minutes just by making a couple of clicks on very easy to use free tools; then, for the technical guys' enjoyment, the vulnerabilities will be easily pointed out on disassembled code and detailed; finally, a 0day exploit for one of the vulnerabilities will be demonstrated.

If you are interested in software security and have 10 minutes of time left, it’s definitely worth it.

Tools involved:


* Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx)
* WinObj (http://www.microsoft.com/TechNet/Sysinternals/Utilities/WinObj.mspx)
* PipeACL Tools (http://www.bindview.com/Services/RAZOR/Utilities/Windows/pipeacltools1_0.cfm)



http://www.marsmenschen.com/2007/03/11/auditing-oracle-with-cesar-cerrudo/