Database Security - The Pot and the Kettle. presented at BlackHatAsia 2002

by David Litchfield,

Summary : This talk will examine the database server offerings from both Microsoft and Oracle and show that, regardless of certification, market campaigns and slurs, each would be better spending their time writing a more secure product.
Microsoft
This will cover two new vulnerabilities that allow full compromise of a system running MS SQL Server 2000 with a single UDP packet and without needing to authenticate.
Oracle
This will cover two format strings vulnerabilities and a buffer overrun that can be exploited without authentication.
The talk will end with what steps one can take to help prevent database system compromise.