Researcher issues Oracle DB 'cursor injection' warning

TOPICS: Security, Oracle
David Litchfield's ongoing assault on Oracle databases has unearthed a new method of exploiting PL/SQL injection vulnerabilities.

Litchfield, co-founder and managing director at NGSS (Next Generation Security Software), plans to discuss the new technique at the Black Hat DC 2007 conference later this week.

In a paper (PDF) released ahead of the show, Litchfield warned that the new attack method entirely removes the requirement for an attacker to create functions to be able to execute arbitrary SQL. "This should finally put to bed those arguments about whether such and such a PL/SQL injection flaw is exploitable in practice or not by a user with only the CREATE SESSION system privilege," he explained.

The technique, called "cursor injection," is a direct challenge to Oracle's assertion that an attacker needs the ability to create a procedure or function on a vulnerable database. Instead, Litchfield argues, an attacker can inject a pre-compiled cursor into vulnerable PL/SQL objects.

His position is that *all* SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION, and that DBAs should be wary of a vendor attempting to downplay the severity of certain vulnerabilities.

Litchfield, who found himself embroiled in a flaw disclosure dispute with Oracle at last year's conference, recently issued an alert for a brand-new class of vulnerabilities affecting Oracle databases. In that research report, he warned that dangling cursors in database code can be manipulated and used to expose sensitive data.


Talkback

2 comments
  • Unbreakable.... ??

    Good thing they dropped 'Unbreakable' from their advertisements of Oracle db's. Where are all of the people that bang on Microsoft for security holes at? Oracle db's have had a lot of vulnerabilities over the last 2 years and Microsoft's SQL Server has had zero!
    redtrain65
    • Hear hear

      And... the SQL Server drivers are far more robust than the Oracle ones.

      Oracle keep on breaking their OLE/DB drivers and then fixing them again.
      Jeremy.Lloyd