Hackproofing Oracle eBusiness Suite

Offered By: Black Hat via YouTube

Course Description

Overview

This Black Hat conference talk presents a security analysis of Oracle's eBusiness Suite. It covers the vulnerabilities discovered by David Litchfield, including unauthenticated remote code execution flaws, SQL injection vulnerabilities, and cross-site scripting bugs, and examines weaknesses in both the 11.5 and 12.x versions, with demonstrations of exploit techniques. The talk then describes how to secure eBusiness Suite implementations against these attacks, covering topics such as trusted.conf, the PL/SQL Gateway, HR_UTIL_DISP_WEB, and SYSTEM.AD_APPS_PRIVATE. It is aimed at those protecting large corporate systems built on this widely deployed product, and closes with a Q&A session addressing specific security concerns.

Syllabus

Intro
Who Am I?
eBusiness Suite Overview
eBusiness Suite components
eBusiness Suite Vulnerabilities
Some 11.5 Issues
trusted.conf
PL/SQL Gateway
HR_UTIL_DISP_WEB
display_fatal_errors
Attack Sequence
ORACLESSWA
RUNFUNCTION
Arbitrary SQL
Some 12.x Issues
Many ways to skin a cat
JSP forwards
Auxiliary Inject Functions 1/2
Executing SQL as SYS
SQL Injection in SYSTEM.AD_APPS_PRIVATE
Securing 12.x and 11.5
Specific to Securing 11.5
Securing eBusiness Suite
Questions?


Taught by

Black Hat