In this Reuters article titled "Hacking Oracle's database will soon get
easier", we see that the Metasploit tool can be used to hack into Oracle
databases. Chris Gates, the developer of Metasploit, notes:
"There is no way to keep these tools out of the hands
of people who want to use them for nefarious purposes," said Alan Paller,
director of research for the SANS Institute. SANS trains security
professionals in areas including use of Metasploit.
Gates seems happy that his new tool can be used by crooks, even though it
appears as if he is aiding and abetting criminals by publishing this tool:
"Security testers and hackers have previously used other
programs to break into Oracle databases, but the new software from
Metasploit is easier to operate and runs more quickly than existing options"
Metasploit has no legitimate purpose as a "penetration testing tool", since
it only seeks databases with inept DBAs who have failed to keep current with
their security patches, and will, de facto, not be used by those who might
benefit from it.
While Oracle has patches to prevent these exploits,
those Oracle shops that have not applied their quarterly Cumulative Patch
Updates (CPUs) will be at risk.
Designed for the typical non-technical criminal (the "stupid" crook), we
also have this video, giving criminals a step-by-step guide into hacking an
Oracle database.
Irresponsible, selfish and possibly criminal
There has long been concern that it's aiding and abetting
criminals to openly publish Oracle vulnerabilities where the bad guys are
likely to use them. See these notes on how white hat hacking guides are
used to aid and abet criminal hacking.
In the past, Oracle Corporation has chided some security experts as being
"selfish", "irresponsible" and "dangerous" for openly publishing
instructions on how to hack into Oracle databases:
A few hours after Litchfield went public with a technical
description of the flaw, including a blow-by-blow demonstration of ease in
which an attack could occur,
Oracle lashed back, accusing the British researcher of
putting its customers at severe risk for selfish, irresponsible reasons...
Even as he downplayed the severity of the flaw, Harris
said Litchfield's decision to go the way of "irresponsible disclosure" was a
"dangerous thing to do."
In sum, while this tool only targets irresponsible DBAs, it's not any
danger to those shops that have followed due diligence and applied their
security patches.

Reader Comments:
"Do you know how many legitimate companies use Metasploit or tools
like it? Do you know how many tools are out there like it? Core Impact,
Canvas, NeXpose, Qualys, Acunetix, Nikto, just to name a few. Any tool
can be used by good guys or bad guys. In fact, using simple redirection
on a Unix command line, an attacker can create a remote shell on the
system.
Every day, thousands of people set about finding
security flaws in software; some are the good guys, and some are the bad
guys. When a good guy finds one, they generally contact the vendor with
the details so that a patch can be produced and distributed. Once a
patch is released, the party which found the flaw may choose to publish
it publicly, for others to study and confirm that nothing has been
missed, or to confirm that the patch truly fixes the problem. Most
often, in the "put up or shut up" world of information security, there
is exploit code released with the flaw so that others can confirm their
vulnerability.
Symantec (yes, as in Symantec anti-virus) runs a mailing list so that
these flaws can be distributed to anyone who wants to subscribe. It's
called "Bugtraq" and it's been around for years. If you think that
Metasploit is giving malicious hackers the keys to the kingdom, you're
wrong. Metasploit is just the keyring.
Of course, there's lots of debate on how flaws should be disclosed, and
I'm sure I know your stance already, but there was a time when security
researchers could not publish their work with their name on it for fear
of being sued. When a vendor didn't sue, they typically just swept the
flaws under the rug, and instead of lots of people being able to use
well-known flaws, a smaller group of people were able to use
little-known flaws for years at a time, penetrating any system they
wished to. How do you think hackers gained an almost magical quality in
the eyes of the public? It's because there was nothing to stop them.
Running around like crazy trying to patch your system is a pain, but
would you rather just be blind to all the threats out there? I
know I don't." - Dan