David Litchfield's ongoing assault on Oracle databases has unearthed a new method of exploiting PL/SQL injection vulnerabilities.
Litchfield, co-founder and managing director at NGSS (Next Generation Security Software), plans to discuss the new technique at the Black Hat DC 2007 conference later this week.
In a paper (PDF) released ahead of the show, Litchfield warned that the new attack method entirely removes the requirement for an attacker to create functions in order to execute arbitrary SQL. "This should finally put to bed those arguments about whether such and such a PL/SQL injection flaw is exploitable in practice or not by a user with only the CREATE SESSION system privilege," he explained.
The technique, called "cursor injection," is a direct challenge to Oracle's assertion that an attacker needs the ability to create a procedure or function on a vulnerable database. Instead, Litchfield argues, an attacker can inject a pre-compiled cursor into vulnerable PL/SQL objects.
His position is that *all* SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION, and that DBAs should be wary of a vendor attempting to downplay the severity of certain vulnerabilities.
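As an added illustration (not from the article or from Litchfield's paper), the kind of PL/SQL flaw the argument is about and its fix: a definer's-rights procedure that splices caller input into dynamic SQL, beside the same procedure using a bind variable, plus a triage query a DBA can run over their own code. Schema, table and procedure names are hypothetical.

```sql
-- Constructed example. Vulnerable form: p_cust_name is concatenated into the
-- statement text, so any user who can EXECUTE this procedure controls the SQL
-- that runs with app_owner's privileges. Per the article, no CREATE PROCEDURE
-- privilege is needed on the caller's side for such a flaw to be fully exploited.
CREATE OR REPLACE PROCEDURE app_owner.count_orders_unsafe (p_cust_name IN VARCHAR2)
AUTHID DEFINER AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.orders WHERE cust_name = ''' || p_cust_name || ''''
    INTO l_count;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_count);
END;
/

-- Hardened form: the statement text is fixed at compile time and the input
-- travels as data through a bind variable, so it can never alter the statement.
CREATE OR REPLACE PROCEDURE app_owner.count_orders_safe (p_cust_name IN VARCHAR2)
AUTHID DEFINER AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.orders WHERE cust_name = :name'
    INTO l_count USING p_cust_name;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_count);
END;
/

-- Where an identifier (not a value) must vary, it cannot be bound; validate it
-- with DBMS_ASSERT (e.g. DBMS_ASSERT.SQL_OBJECT_NAME) rather than concatenating raw text.

-- Triage query for a DBA: stored code that mixes dynamic SQL with string
-- concatenation. Not every hit is a flaw, but each one deserves a look.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE (UPPER(text) LIKE '%EXECUTE IMMEDIATE%' OR UPPER(text) LIKE '%DBMS_SQL.PARSE%')
   AND text LIKE '%||%'
 ORDER BY owner, name, line;
```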
Litchfield, who found himself embroiled in a flaw disclosure dispute with Oracle at last year's conference, recently issued an alert for a brand-new class of vulnerabilities affecting Oracle databases. In that research report, he warned that dangling cursors in database code can be manipulated and used to expose sensitive data.