Monday, June 25, 2007

Reflection on Cesar Cerrudo

This week on reflection we have someone who has done a lot of database research and published several advisories and presented at Blackhat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company “Argeniss” and has contributed a lot to some of the databases to be more secure today. He has also identified a lot of vulnerabilities in Microsoft Windows, Microsoft Commerce Server, etc. He is passionate about application security and a big believer in open source community both for software and books. Cesar shares his journey with application security in his own words

"I think I always have had "hacker mind" for calling it in some way, I remember being a child and breaking things to look inside. When I was 10 or so I got my first computer a CZ Spectrum (I don't remember the exact model) but it ran BASIC. when I wanted to learn how to use it and to code in BASIC, I went to a place for kids but got bored after many days of being taught PRINT "HOLA MUNDO" only, so I used that computer for games (games were stored on a audio cassette tape and loading them required playing it in a cassette player). I learnt few tricks looking at the guy from a store that recorded games so I started to modify screens when the games were loading, I also hacked multilevel games by loading parts of one level and the rest from a different level, which for my age was a big deal. After a couple of years I stopped using that computer and I didn’t do anything computer related for several years apart from taking few boring classes of MS DOS, QPRO, Lotus, etc. When I was 19 I started to study Computer Science but I didn't have a PC (they were a bit expensive on this side of the planet earth) so I only read old books available at the university and played with a friend's computer, on those days the challenge was to try running cool games on old computers, I became an expert in MS DOS :)

I remember one day being very excited because I found the assembly code from a MS DOS virus in one of the PC at the university, I spent several hours with an old assembly book (thanks Norton-Socha!) until I learnt how the virus worked (in the process I learnt some x86 assembler without coding it in a PC). After some time I started to work on a client/server software for a couple of different local companies and one of the companies had internet access so I started using Internet and since I always liked hacking, Internet was a really good source of information so I started to learn something about hacking for the first time, I was lucky since I had a good academic background on programming, computers, etc. so I didn't end up reading and learning stupid things, but because I had an old PC and no Internet access at home I couldn't test much of the stuff I learnt. Then I took up a new job where I started using Internet frequently and started trying things in free time, this was like 7 years ago and that was when I started with webappsec. I had worked a lot with MS SQL Server so when I first read about SQL Injection I was really amazed with it and I started to create my own techniques, tools, etc.

That’s when I started to play with MS SQL Server and after some time I found my first vulnerability, then the next one and so on when I realized I had found dozen of vulnerabilities on MS SQL Server, I also learnt how to code exploits and new techniques for finding vulnerabilities, since then I have found several vulnerabilities on MS Windows, Oracle Database Server, etc. I have also created new exploitation and attack techniques. Few years ago I designed and wrote a complete web application scanner for a security company, the scanner at that time was better than other available web app scanners but because of some patent issues the product was stop being sold (hurray for Watchfire!!!). Currently I do research on application security mostly focused on database security and in my spare time I like to hack MS Windows :)

I always try to keep big vendors improving on security, I don't care if I have to publish 0day vulnerabilities or controversial papers in order to accomplish that. I have been offered to write books but the only way I can write or contribute in a book is if it will be available for free in some way (electronic, etc.), I know what is not having resources for learning, all people should have easy access to knowledge, books only makes money for the editors and people without money can't get them."

Based out of Parana, Entre Rios, Argentina, Cesar is 31 years old. Below is a list of his contribution to the community


Hacking databases for owning your data

Practical security audit: Oracle case

WLSI-Windows Local Shellcode Injection

Story of a dumb patch

Demystifying MS SQL Server & Oracle Database Server security

Hacking Windows Internals

Auditing ActiveX Controls

Hunting Flaws in SQL Server

Manipulating Microsoft SQL Server Using SQL Injection

Tools written by him:-


Shared section tools


WASC - Web Security Threat Classification


Microsoft Windows Kernel GDI local privilege escalation procedure

Oracle Database Server Directory traversal

COM+ Vulnerability

COM Structured Storage Vulnerability

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

Vulnerability in Windows LSASS Could Allow Elevation of Privilege

Multiple vulnerabilities in Oracle Database Server

Vulnerability in Utility Manager Could Allow Code Execution

Utility Manager Vulnerability

Biztalk Server Vulnerabilities

Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution

Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
Yahoo! Chat and Messenger Hostname Buffer Overflow Vulnerability

Multiple buffer overflows in DBCC and SQL Injections

BULK INSERT buffer overflow

Encoded password written by service pack

Microsoft SQL Server: Buffer Overflows in numerous extended stored procedures

xp_dirtree Buffer Overflow

Heterogenous Queries Buffer Overflow


Hacking databases for owning your data - Black Hat Europe 2007

Practical security audit: Oracle case - Black Hat DC 2007

DataTheft - How databases are hacked and how to protect them - No cON Name 2006

WLSI - Windows Local Shellcode Injection - Black Hat Europe 2006

WLSI - Windows Local Shellcode Injection - EUSecWest/core06 conference

Database Hacking and Security - Web Application Security and Hacking

Demystifying Microsoft SQL Server & Oracle Database Server security - Black Hat USA 2005

Hacking Windows Internals - cansecwest/core05 conference

Hacking Windows Internals - Bellua Cyber Security Asia 2005

Hacking Windows Internals - Black Hat Europe 2005

Auditing ActiveX Controls - Black Hat Windows 2004

Hunting Flaws in MS SQL Server - Black Hat Windows 2003

Company working for:-


Companies worked for:-

Application Security Inc.





Analyst programmer

Cesar is very driven and passionate about application security. One of the best in database security. Though he doesn't have a blog right now but you can get all the information on his website along with the whitepapers and latest on database security.

Last Week – Alex Stamos

Next Week – Dinis Cruz

No comments: