August 11, 2014

Oracle Database 12c’s Data Redaction Security Smashed Live on Stage


Oracle’s newly launched Data Redaction security feature in Oracle Database 12c can be easily disrupted by an attacker without any need to use exploit code, a security researcher long known as a thorn in Oracle’s side said at Defcon.

Data Redaction is one of the new Advanced Security features introduced in Oracle Database 12c. The service is designed to allow administrators to automatically protect sensitive data, such as credit card numbers or health information, during certain operations by either totally obscuring column data or partially masking it.

But according to David Litchfield, a self-taught security researcher who has found dozens and dozens of critical vulnerabilities in Oracle’s products, a close look at the Data Redaction feature helped him find a slew of trivially exploitable vulnerabilities, none of which require an attacker to execute native exploit code to defeat the feature.

David Litchfield is a security specialist at Datacomm TSS and the author of The Oracle Hacker’s Handbook. For many years, he was one of the top bug hunters in the game and specialized in digging into Oracle’s database products and breaking them.

The data redaction feature is actually a “great idea”, Litchfield said during a talk at the Black Hat USA 2014 conference on Wednesday. Unfortunately, the feature is so thoroughly riddled with basic security vulnerabilities that it is trivial for attackers to bypass it. The database security expert found many methods to bypass the data redaction feature and trick Oracle Database 12c into returning data that should have been masked. Litchfield then gave a live demonstration of some of the many flaws he had discovered in Oracle’s data redaction feature, some of which were previously documented in his paper.

The first method is to use the “RETURNING INTO” clause after a DML operation. This clause allows the affected data to be returned into a variable, and that path sidesteps the redaction. Litchfield called this a big failure on Oracle’s part, one that would have been discovered by conducting even a basic penetration test.

A second method he found is essentially a brute force attack on the data in a redacted column. Litchfield said that the methods he found were so simple and so easily carried out that he doesn’t feel right calling them exploits.
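Both methods above depend on what the querying account is allowed to do: the RETURNING INTO path needs DML privilege on the redacted table, and the brute-force path needs the freedom to run many queries against it unnoticed. The following is an added defender-side script, not from the article or from Litchfield’s paper or Oracle’s documentation. It defines a redaction policy, then audits who can perform DML on redacted tables and turns on auditing of reads. The schema HR, table EMPLOYEES, column CARD_NO, the role APP_READER and the policy names are assumed names; the DBMS_REDACT package, the REDACTION_COLUMNS view and 12c unified auditing are real Oracle features.

```sql
-- Added example (not from the article): defensive checks around a 12c
-- Data Redaction policy. HR.EMPLOYEES, CARD_NO and APP_READER are assumed.

-- 1. Fully redact the card-number column for every session except the
--    assumed owner account HR.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    column_name   => 'CARD_NO',
    policy_name   => 'redact_card_no',
    function_type => DBMS_REDACT.FULL,
    expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR''');
END;
/

-- 2. Bypasses that go through a DML statement require INSERT/UPDATE/DELETE
--    on the table, so list every grantee holding those privileges on any
--    table that carries a redacted column. Accounts meant to see only
--    masked values should not appear in this result.
SELECT DISTINCT p.grantee, p.owner, p.table_name, p.privilege
FROM   dba_tab_privs p
JOIN   redaction_columns c
       ON c.object_owner = p.owner
      AND c.object_name  = p.table_name
WHERE  p.privilege IN ('INSERT', 'UPDATE', 'DELETE')
ORDER  BY p.grantee, p.table_name;

-- 3. Remediation for an unexpected hit: read-only consumers keep SELECT only.
REVOKE INSERT, UPDATE, DELETE ON hr.employees FROM app_reader;

-- 4. Repeated querying of the redacted column is only detectable if reads
--    are recorded. With unified auditing, audit SELECT on the table.
CREATE AUDIT POLICY redacted_table_reads
  ACTIONS SELECT ON hr.employees;
AUDIT POLICY redacted_table_reads;

-- 5. Review read volume per database user; one account issuing an unusual
--    number of queries against the redacted table is the signal to chase.
SELECT dbusername,
       COUNT(*)             AS reads,
       MIN(event_timestamp) AS first_read,
       MAX(event_timestamp) AS last_read
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%REDACTED_TABLE_READS%'
AND    object_schema = 'HR'
AND    object_name   = 'EMPLOYEES'
GROUP  BY dbusername
ORDER  BY reads DESC;
```

The privilege query in step 2 is the check worth scheduling: Data Redaction masks query results, it does not replace access control, so an account that should only ever see masked values must not hold DML on the underlying table. Step 5 assumes unified auditing is enabled for the database, which is an installation-time choice in 12c.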

The data redaction bypass flaws have been patched, but Litchfield said he recently sent Oracle a critical flaw that enables a user to gain control of the database, which isn’t patched yet but is in the pipeline. This shows that its Java security problems still persist.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.
