New hacker trick may expose Oracle databases

Update: Technique lets intruders exploit flaws previously thought to be insignificant, security researcher says at Black Hat DC.
Written by Joris Evers, Contributor
A correction was made to this story. Read below for details.

ARLINGTON, Va.--A new attack technique increases the risk posed by commonly found bugs in Oracle's database software, a security researcher has warned.

It was previously thought that an attacker needed high-level privileges on the database to exploit so-called PL/SQL injection vulnerabilities. With a new attack technique, that's no longer true, David Litchfield, a database security expert with NGS Software, said on Thursday at the Black Hat DC event here.

"It is a trick that can be used by attackers with minimal privileges to gain complete control of the database server," Litchfield said in an interview. "You can use the trick through a large number of vulnerabilities that were previously thought not to be that significant."

Litchfield, who has had Oracle in his crosshairs for some time, detailed his technique, dubbed "cursor injection," in a paper (PDF) that was originally published last weekend and discussed at the event. Examples of attack code that take advantage of the trick have already appeared, Litchfield said.

Oracle is aware of the new attack technique, it said in a statement.

"NGS Software's 'Cursor Injection' paper describes a technique that may assist an attacker in exploitation of SQL injection vulnerabilities," the database software maker said. Oracle urges its customers to apply patches it has provided to fix known flaws.

In the past, exploiting PL/SQL injection flaws often required the "create procedure" privilege on the database, which most users don't have. Using the cursor injection technique, anyone who can connect to a database can exploit such flaws, Litchfield said.

"This is achieved by injecting a pre-compiled cursor into vulnerable PL/SQL objects," Litchfield wrote in his paper. "The driving force behind this research is to show that all SQL injection flaws can be fully exploited without any system privilege other than 'create session.'"

In the future, Oracle should no longer list the privilege requirements as a mitigating factor for PL/SQL flaws, Litchfield said. Such mitigating factors may lead Oracle customers to postpone patching, which puts them at risk, he said. "Excuses to not patch this particular flaw are now gone," Litchfield said.
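The flaw class the article describes is a PL/SQL object, usually running with its owner's (definer's) privileges, that splices caller-supplied text into dynamic SQL. The following is an added, constructed illustration for database owners and reviewers; it is not code from Litchfield's paper or from Oracle, and the `app` schema, the `employees` table and the procedure names are assumptions. It shows the weak pattern beside a hardened form (bind variables, `AUTHID CURRENT_USER`, and `DBMS_ASSERT` for the one identifier that genuinely has to be interpolated), followed by a catalog query a DBA can run to inventory publicly executable definer's-rights code.

```sql
-- Constructed example (not from the cited paper or from Oracle).
-- Assumed schema: app.employees(last_name VARCHAR2, ...).

-- VULNERABLE PATTERN: definer's rights by default, and p_name is concatenated
-- straight into the statement text. Whoever can execute this procedure with
-- nothing more than CREATE SESSION decides what SQL the owner runs.
CREATE OR REPLACE PROCEDURE app.find_employee_vuln (p_name IN VARCHAR2) AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app.employees WHERE last_name = ''' || p_name || ''''
    INTO l_count;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/

-- HARDENED PATTERN:
--   * the value is passed as a bind variable (:name), so it can never change
--     the shape of the statement;
--   * AUTHID CURRENT_USER runs the code with the caller's privileges, not the
--     owner's, so an injection would gain nothing the caller did not already have;
--   * an identifier that must be interpolated (the schema name) is validated
--     with DBMS_ASSERT, which raises an error instead of accepting arbitrary text.
CREATE OR REPLACE PROCEDURE app.find_employee (
    p_name   IN VARCHAR2,
    p_schema IN VARCHAR2 DEFAULT 'APP')
  AUTHID CURRENT_USER AS
  l_count  NUMBER;
  l_schema VARCHAR2(128);
BEGIN
  -- SCHEMA_NAME raises ORA-44001 (invalid schema) if p_schema is not an existing schema
  l_schema := DBMS_ASSERT.SCHEMA_NAME(p_schema);
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.ENQUOTE_NAME(l_schema) || '.employees'
    || ' WHERE last_name = :name'
    INTO l_count USING p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/

-- REVIEW QUERY for DBAs: definer's-rights PL/SQL owned by sensitive schemas that
-- PUBLIC may execute. Every row is a place where a concatenated input would run
-- with the owner's privileges; adjust the owner list for your own site.
SELECT DISTINCT pr.owner, pr.object_name, pr.object_type
FROM   dba_procedures pr
JOIN   dba_tab_privs  tp
  ON   tp.owner = pr.owner
 AND   tp.table_name = pr.object_name
WHERE  pr.authid    = 'DEFINER'
AND    tp.grantee   = 'PUBLIC'
AND    tp.privilege = 'EXECUTE'
AND    pr.owner IN ('SYS', 'SYSTEM', 'APP')
ORDER BY pr.owner, pr.object_name;
```

The review query is an inventory, not a verdict: a definer's-rights procedure is only a problem if it builds SQL from its inputs, so each hit still needs a look at the source in `DBA_SOURCE`. The point the article makes is that the privilege a caller holds is no longer a reliable mitigating factor, so the fix is in the code (binds, `AUTHID`, input validation) and in applying the vendor patches, not in assuming low-privilege users cannot reach the flaw.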

Another noted database expert said Litchfield's new technique poses a serious threat.

"The latest approach from David to exploit vulnerabilities via cursor is really cool and useful. This makes exploitation for attackers much...easier," said Alexander Kornbrust, who runs Germany's Red Database Security.

Oracle has been at loggerheads with security researchers for a couple of years. However, the company is changing and has been more candid about its product security processes. In January, Oracle started offering advance notification for its quarterly patch releases. In October, it included severity ratings for the first time.


Correction: An earlier version of this story included comments by Alexander Kornbrust that concerned a different paper by David Litchfield.