Security Researcher: Beware Dangling Cursors in Oracle Code

Security Researcher: Beware Dangling Cursors in Oracle Code
Security Researcher: Beware Dangling Cursors in Oracle Code,1895,2064828,00.asp 

By Ryan Naraine
November 28, 2006

British security researcher David Litchfield is raising an alert for a 
brand-new class of vulnerabilities affecting Oracle database products.

Litchfield, a database security expert who has clashed with Oracle in 
the past, went public with the discovery in a research paper that warns 
that dangling cursors in database code can be manipulated and used to 
expose sensitive data.

The attack techniquecalled "dangling cursor snarfing"can be launched if 
developers fail to close cursors created and used by DBMS_SQL, the 
Oracle package that provides an interface for using dynamic SQL to parse 
data manipulations or data definition languages.

Litchfield, co-founder and managing director at NGSS (Next Generation 
Security Software), in Surrey, England, warned that the new 
vulnerability class "can lead to data being exposed."

"If the cursor in question has been created by higher-privileged code 
and left hanging, then it's possible for a low-privileged user to snarf 
and use the cursor outside of the application logic that created it," 
Litchfield said.

Cursors are used in code to offer software developers a way to process 
database information, but if cursors are not closed, Litchfield said, an 
exception can lead to a security vulnerability. "Ensuring that cursors 
are closed after use is, of course, good programming practice, but, as 
we know, good programming practices do not always prevail," he added.

In the research paper (here as a PDF file [1]), Litchfield provided 
several examples of the new vulnerability class and ways in which it can 
be exploited to launch SQL injection attacks.

"An attacker can gain access to data they would not normally be able to 
access," Litchfield said. However, he noted that an attacker is confined 
by the query that is parsed by the higher-privileged code. "Whilst it is 
possible to parse a new query on the cursor this is done with the 
privileges of the attacker, so it is not possible to change to query to 
say, 'GRANT DBA TO PUBLIC.' An attacker is limited to manipulating the 
variable aspects of the query such as the bind variables," he explained.

Litchfield said the new class of flaw can also affect the integrity of 
data in cases where the malicious attacker can insert data into the 

He recommended that Oracle developers perform strict input validation to 
block attackers from generating an exception. "The second form of 
defense is to always have an 'others' exception block that closes any 
open cursors," Litchfield said.

"The sky is not falling, but in certain cases the class of attack may 
expose data to an attacker," he said, urging that security code reviews 
of PL/SQL should check for and fix instances of open cursors.

"Instances should be easy to spotlook for code that uses DBMS_SQL but 
contains no exception-handling code or doesn't close the cursor in 
exception-handling code if present or simply cases where the developer 
has forgotten to close the cursor," he said.

Cesar Cerrudo, founder and CEO of Argeniss Information Security, in 
Parana, Argentina, described Litchfield's discovery as "very 
interesting" and warned developers to be wary of the security 

Cerrudo, who said he plans to release Oracle zero-day vulnerabilities as 
part of a new project called WoODB (Week of Oracle Database Bugs), said 
attackers could modify parameters to launch malicious exploits in 
specific scenarios.

Litchfield's latest warning follows the release of whitepaper (here in 
PDF [2]) comparing security flaws in Oracle and Microsoft database 
products. The comparison measured the number of vulnerabilities found 
and patched by the vendors over the past six years and gave a resounding 
victory to Microsoft's SQL server.

Litchfield's research rated Microsoft's SQL Server 2000 Service Pack 4 
as the most secure database available. "The conclusion is clearif 
security robustness and a high degree of assurance are concerns when 
looking to purchase database server softwaregiven these results one 
should not be looking at Oracle as a serious contender," he said.

Eric Maurice, manager for security in Oracle's Global Technology 
Business Unit, used his company's blog [3] to address the flurry of 
publicity around Oracle security.

"Because software engineering is a complex discipline, the absence of 
security flaws in released software cannot be fully guaranteed. Such 
flaws may be detected during internal testing, or may be discovered 
externally by customers and security researchers. Regardless of who 
discovers these issues, Oracle's top priority is to efficiently fix 
those flaws across all supported platforms in order to allow customers 
to maintain their security posture," he wrote.

"This means that Oracle prioritizes those security flaws in order of 
severity, regardless of how they were discovered, in order to produce 
the appropriate fix," Maurice wrote.


Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods