By Ryan Naraine
November 28, 2006
British security researcher David Litchfield is raising an alert for a
brand-new class of vulnerabilities affecting Oracle database products.
Litchfield, a database security expert who has clashed with Oracle in
the past, went public with the discovery in a research paper that warns
that dangling cursors in database code can be manipulated and used to
expose sensitive data.
The attack technique, called "dangling cursor snarfing," can be launched if
developers fail to close cursors created and used by DBMS_SQL, the
Oracle package that provides an interface for using dynamic SQL to parse
data manipulation language or data definition language statements.
Litchfield, co-founder and managing director at NGSS (Next Generation
Security Software), in Surrey, England, warned that the new
vulnerability class "can lead to data being exposed."
"If the cursor in question has been created by higher-privileged code
and left hanging, then it's possible for a low-privileged user to snarf
and use the cursor outside of the application logic that created it,"
Cursors are used in code to offer software developers a way to process
database information, but if cursors are not closed, Litchfield said, an
exception can lead to a security vulnerability. "Ensuring that cursors
are closed after use is, of course, good programming practice, but, as
we know, good programming practices do not always prevail," he added.
In the research paper (here as a PDF file), Litchfield provided
several examples of the new vulnerability class and ways in which it can
be exploited to launch SQL injection attacks.
"An attacker can gain access to data they would not normally be able to
access," Litchfield said. However, he noted that an attacker is confined
by the query that is parsed by the higher-privileged code. "Whilst it is
possible to parse a new query on the cursor, this is done with the
privileges of the attacker, so it is not possible to change the query to
say, 'GRANT DBA TO PUBLIC.' An attacker is limited to manipulating the
variable aspects of the query such as the bind variables," he explained.
Litchfield said the new class of flaw can also affect the integrity of
data in cases where the malicious attacker can insert data into the
He recommended that Oracle developers perform strict input validation to
block attackers from generating an exception. "The second form of
defense is to always have an 'others' exception block that closes any
open cursors," Litchfield said.
"The sky is not falling, but in certain cases the class of attack may
expose data to an attacker," he said, urging that security code reviews
of PL/SQL should check for and fix instances of open cursors.
"Instances should be easy to spot: look for code that uses DBMS_SQL but
contains no exception-handling code or doesn't close the cursor in
exception-handling code if present or simply cases where the developer
has forgotten to close the cursor," he said.
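The two defences Litchfield describes (strict input validation, and an "others" handler that closes open cursors) and the code-review pattern he points to, shown as an added PL/SQL example that is not from his paper or from Oracle; the schema app_owner.customers, the procedure names and the :id bind are assumed placeholders:

```sql
-- Added illustration (assumed schema and names): the open-cursor defect the
-- article describes, beside its hardened form.

-- Vulnerable: a definer's-rights procedure parses a privileged query, then
-- converts untrusted input. If TO_NUMBER raises, the block exits with the
-- cursor still open (the "dangling" state), because nothing closes it.
CREATE OR REPLACE PROCEDURE app_owner.lookup_customer_unsafe (p_id IN VARCHAR2)
AUTHID DEFINER AS
  c INTEGER; n_rows INTEGER; v_name VARCHAR2(200);
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT name FROM app_owner.customers WHERE id = :id', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':id', TO_NUMBER(p_id));  -- raises on non-numeric input
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_name, 200);
  n_rows := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN DBMS_SQL.COLUMN_VALUE(c, 1, v_name); END IF;
  DBMS_SQL.CLOSE_CURSOR(c);  -- never reached if an exception fires above
END;
/

-- Hardened, applying both defences quoted in the article.
CREATE OR REPLACE PROCEDURE app_owner.lookup_customer (p_id IN VARCHAR2)
AUTHID DEFINER AS
  c INTEGER; n_rows INTEGER; v_name VARCHAR2(200); n_id NUMBER;
BEGIN
  -- First defence: strict input validation before any cursor exists, so a
  -- malformed value cannot raise while a privileged cursor is open.
  IF p_id IS NULL OR NOT REGEXP_LIKE(p_id, '^[0-9]{1,10}$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid customer id');
  END IF;
  n_id := TO_NUMBER(p_id);
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT name FROM app_owner.customers WHERE id = :id', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':id', n_id);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_name, 200);
  n_rows := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN DBMS_SQL.COLUMN_VALUE(c, 1, v_name); END IF;
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    -- Second defence: an OTHERS handler that closes the cursor on every
    -- failure path, then re-raises so the caller still sees the error.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/
```

In a code review, the first procedure is the pattern to flag: DBMS_SQL usage with no exception block at all.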
Cesar Cerrudo, founder and CEO of Argeniss Information Security, in
Parana, Argentina, described Litchfield's discovery as "very
interesting" and warned developers to be wary of the security
Cerrudo, who said he plans to release Oracle zero-day vulnerabilities as
part of a new project called WoODB (Week of Oracle Database Bugs), said
attackers could modify parameters to launch malicious exploits in
Litchfield's latest warning follows the release of a whitepaper (here in
PDF) comparing security flaws in Oracle and Microsoft database
products. The comparison measured the number of vulnerabilities found
and patched by the vendors over the past six years and gave a resounding
victory to Microsoft's SQL Server.
Litchfield's research rated Microsoft's SQL Server 2000 Service Pack 4
as the most secure database available. "The conclusion is clear: if
security robustness and a high degree of assurance are concerns when
looking to purchase database server software, given these results one
should not be looking at Oracle as a serious contender," he said.
Eric Maurice, manager for security in Oracle's Global Technology
Business Unit, used his company's blog to address the flurry of
publicity around Oracle security.
"Because software engineering is a complex discipline, the absence of
security flaws in released software cannot be fully guaranteed. Such
flaws may be detected during internal testing, or may be discovered
externally by customers and security researchers. Regardless of who
discovers these issues, Oracle's top priority is to efficiently fix
those flaws across all supported platforms in order to allow customers
to maintain their security posture," he wrote.
"This means that Oracle prioritizes those security flaws in order of
severity, regardless of how they were discovered, in order to produce
the appropriate fix," Maurice wrote.