Researcher issues Oracle DB 'cursor injection' warning

David Litchfield's ongoing assault on Oracle databases has unearthed a new method of exploiting PL/SQL injection vulnerabilities.

Litchfield, co-founder and managing director at NGSS (Next Generation Security Software), plans to discuss the new technique at the Black Hat DC 2007 conference later this week.

In a paper (PDF) released ahead of the show, Litchfield warned that the new attack method entirely removes the requirement for an attacker to create functions to be able to execute arbitrary SQL. "This should finally put to bed those arguments about whether such and such a PL/SQL injection flaw is exploitable in practice or not by a user with only the CREATE SESSION system privilege," he explained.

The technique, called "cursor injection," is a direct challenge to Oracle's assertion that an attacker needs the ability to create a procedure or function on a vulnerable database. Instead, Litchfield argues, an attacker can inject a pre-compiled cursor into vulnerable PL/SQL objects.

His position is that *all* SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION, and that DBAs should be wary of a vendor attempting to downplay the severity of certain vulnerabilities.

Litchfield, who found himself embroiled in a flaw disclosure dispute with Oracle at last year's conference, recently issued an alert for a brand-new class of vulnerabilities affecting Oracle databases. In that research report, he warned that dangling cursors in database code can be manipulated and used to expose sensitive data.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
