March 1, 2007 12:34 PM PST

New hacker trick may expose Oracle databases

A correction was made to this story. Read below for details.

ARLINGTON, Va.--A new attack technique increases the risk of commonly found bugs in Oracle's database software, a security researcher has warned.

It was previously thought that an attacker needed high-level privileges on the database to exploit so-called PL/SQL injection vulnerabilities. With a new attack technique, that's no longer true, David Litchfield, a database security expert with NGS Software, said on Thursday at the Black Hat DC event here.

"It is a trick that can be used by attackers with minimal privileges to gain complete control of the database server," Litchfield said in an interview. "You can use the trick through a large number of vulnerabilities that were previously thought not to be that significant."

Litchfield, who has had Oracle in his crosshairs for some time, detailed his technique, dubbed "cursor injection," in a paper that was originally published last weekend (PDF) and discussed at the event. Examples of attack code that takes advantage of the tricks have already appeared, Litchfield said.

Oracle is aware of the new attack technique, it said in a statement.

"NGS Software's 'Cursor Injection' paper describes a technique that may assist an attacker in exploitation of SQL injection vulnerabilities," the database software maker said. Oracle urges its customers to apply patches it has provided to fix known flaws.

In the past, PL/SQL injection flaws often required a "create procedure" privilege on the database, which most users don't have. Using the cursor injection technique, anyone who can connect to a database can exploit such flaws, Litchfield said.

"This is achieved by injecting a pre-compiled cursor into vulnerable PL/SQL objects," Litchfield wrote in his paper. "The driving force behind this research is to show that all SQL injection flaws can be fully exploited without any system privilege other than 'create session.'"

In the future, Oracle should no longer list the privilege requirements as a mitigating factor of PL/SQL flaws, Litchfield said. Such mitigating factors may lead Oracle customers to postpone patching, which puts them at risk, he said. "Excuses to not patch this particular flaw are now gone," Litchfield said.

Another noted database expert said Litchfield's new technique poses a serious threat.

"The latest approach from David to exploit vulnerabilities via cursor is really cool and useful. This makes exploitation for attackers much...easier," said Alexander Kornbrust, who runs Germany's Red Database Security.

Oracle has been at loggerheads with security researchers for a couple of years. However, the company is changing and has been more candid about its product security processes. In January, Oracle started offering advance notification for its quarterly patch releases. In October, it included severity ratings for the first time.


Correction: An earlier version of this story included comments by Alexander Kornbrust that concerned a different paper by David Litchfield.



Big deal
Only a total amateur writes SQL code that's open to injection attacks.
Posted by jd1023948 (47 comments )
and no amateurs ever work on Oracle databases. ROTFLMAO
Posted by gggg sssss (2285 comments )
How would you know?
What does such code look like?
Posted by baswwe (299 comments )
