Metasploit tool attacks Oracle's vulnerabilities
Chris Gates of the Metasploit hacker group will present a free tool for attacking Oracle databases at the Black Hat conference that begins in Las Vegas this Saturday. A video in which Gates demonstrates such attacks appeared in February.
In it, he walks through the attack in three stages: first the protected SID (Oracle System ID) is determined, then a user name and password are obtained with a brute-force attack, and finally that user's privileges are escalated to administrator level. The target is an Oracle 10.1.0.2.0 database.
According to Oracle, the vulnerabilities that were present at the time and exploited by the tool have now been fixed. Not all database administrators update the product regularly, however, even though patches are issued every three months.