By Lisa Vaas
February 26, 2007
Updated: Oracle's slated to be the whipping boy in two Oracle-specific
Black Hat briefings and will be among the clump of databases faulted in
one general database communication protocol weakness briefing. Expect at
least one zero-day exploit and an entirely new class of attack
technique, all with Oracle in their crosshairs.
Oracle's up for being a whipping boy at Black Hat 2007 Washington, Feb.
28-March 1, with two briefings dedicated to Oracle security and/or
Cesar Cerrudo, founder of information security service firm Argeniss, is
expected to release at least one zero-day vulnerability and exploit code
for an Oracle product during his presentation, called "Practical
10-Minute Security Audit: The Oracle Case."
On a related subject, although not focusing on Oracle, Amichai Shulman,
co-founder and chief technology officer of data security and compliance
vendor Imperva, will deliver a briefing entitled "Danger from Below: The
Untold Tale of Database Communication Protocol Vulnerabilities."
But the worst news for Oracle will likely be David Litchfield's
presentation, "Advanced Oracle Attack Techniques."
Litchfield, an expert on database security, has discovered a new exploit
technique using cursor injection that lets just about any Oracle user
adopt the privileges of a database administrator, from which point he or
she can then execute arbitrary SQL. The method doesn't rely on any
vulnerability, Litchfield said in an e-mail exchange, and it works on
all versions of Oracle.
Litchfield, who is co-founder and managing director at NGSS (Next
Generation Security Software), in Surrey, England, said he had planned
to talk about a method of exploiting PL/SQL injection flaws with
low-level privileges, but had backed off due to the ethics of
responsible disclosure, namely, that the exploit relied on two unpatched
Litchfield and Oracle have bumped heads over security often over the
years. At Black Hat 2006, Litchfield went public with a technical
description of a flaw, including a blow-by-blow demonstration of the
ease in which an attack could occur. Oracle lashed back, accusing him of
endangering its customers for selfish, irresponsible reasons.
Litchfield went public in November 2006 with a research paper that warns
that dangling cursors in database code can be manipulated and used to
expose sensitive data.
The attack technique, called "dangling cursor snarfing," can be launched if
developers fail to close cursors created and used by DBMS_SQL, the
Oracle package that provides an interface for using dynamic SQL to parse
and run data manipulation or data definition language statements.
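The snarfing condition above is a cursor left open on an error path. The following PL/SQL is an added example, not code from Litchfield's paper or from Oracle: a DBMS_SQL routine that releases its cursor on every exit path, so no open cursor outlives the call for another caller to pick up. The procedure name, its parameters and the `APP_DEPLOY`-style identifiers are hypothetical; it assumes a release with `DBMS_ASSERT` (10gR2 or later).

```sql
-- Added example (hypothetical procedure; not from the paper or from Oracle).
-- Counts rows in a caller-named table using DBMS_SQL, closing the cursor
-- whether the call succeeds or fails.
CREATE OR REPLACE PROCEDURE count_rows_safely (
    p_table_name IN  VARCHAR2,      -- caller-supplied identifier (untrusted)
    p_count      OUT NUMBER)
AUTHID CURRENT_USER                 -- invoker's rights: the dynamic SQL runs with
                                    -- the caller's own privileges, not the owner's
IS
    l_cursor INTEGER;               -- DBMS_SQL cursor handle
    l_rows   INTEGER;
    l_sql    VARCHAR2(4000);
BEGIN
    -- Reject anything that is not a plain SQL identifier before it reaches
    -- dynamic SQL; DBMS_ASSERT raises ORA-44003 on an invalid name.
    l_sql := 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table_name);

    l_cursor := DBMS_SQL.OPEN_CURSOR;
    DBMS_SQL.PARSE(l_cursor, l_sql, DBMS_SQL.NATIVE);
    DBMS_SQL.DEFINE_COLUMN(l_cursor, 1, p_count);
    l_rows := DBMS_SQL.EXECUTE(l_cursor);
    IF DBMS_SQL.FETCH_ROWS(l_cursor) > 0 THEN
        DBMS_SQL.COLUMN_VALUE(l_cursor, 1, p_count);
    END IF;

    -- Normal path: release the cursor explicitly.
    DBMS_SQL.CLOSE_CURSOR(l_cursor);
EXCEPTION
    WHEN OTHERS THEN
        -- Error path: an exception raised after OPEN_CURSOR would otherwise
        -- leave the cursor open (dangling) in the session. l_cursor is NULL
        -- if the failure happened before OPEN_CURSOR, so guard the check.
        IF l_cursor IS NOT NULL AND DBMS_SQL.IS_OPEN(l_cursor) THEN
            DBMS_SQL.CLOSE_CURSOR(l_cursor);
        END IF;
        RAISE;                      -- re-raise after cleanup; do not swallow
END count_rows_safely;
/
```

The two things to take from this pattern are the `EXCEPTION` block, which is where the cursor leak in snarfable code lives, and `AUTHID CURRENT_USER`, which removes the reason a leaked cursor would be valuable in the first place: a cursor opened under invoker's rights carries only the caller's privileges.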
Over the weekend, Litchfield found a way to work that exploit so it
didn't rely on unpatched flaws. On Feb. 24, he published a new paper on
the technique, titled "Cursor Injection: A New Method for Exploiting
PL/SQL Injection and Potential Defences." (PDF) This new exploit
technique breaks from all currently known means of exploiting Oracle
databases. Pete Lindstrom, senior security analyst at Burton Group,
contrasted Litchfield's find with the endless stream of buffer overflow
flaws reported on any given day.
"Any new buffer overflow vulnerability does nothing to further the
knowledge base of the security community, and it only serves to increase
risk [to users]," Lindstrom said. "In cases where there are entire new
classes of attack, where you're learning a whole new technique, rather
than throwing a whole lot of data at a process and waiting for it to
break, which everyone and their grandmother could do, you're learning about
new ways in which applications can be exploited."
In effect, this discovery should rip off the security blanket that some
Oracle users have counted on until now. In the case of many Oracle
advisories, users refrain from patching certain holes since they feel
the risk is mitigated by an attacker's need for escalated privileges in
order to exploit it, Litchfield said in the e-mail exchange.
"By proving that for *ALL* SQL injection flaws you don't need [the]
ability to create functions [a high-level privilege] to fully exploit
them, then we remove a barrier to patching," he said.
That puts Oracle in a similar position when it comes to downplaying the
risk of SQL injection holes, Litchfield continued. "Oracle will no
longer be able to say this or that SQL injection hole can't be exploited
without the attacker being able to create functions."
In his paper, Litchfield points to one example of Oracle downplaying a
risk, in this case for a vulnerability in the SDO_DROP_USER_BEFORE
trigger, sent out in Oracle's October 2006 Critical Patch Update. "In
the Risk Matrix section of the alert it states that an attacker must
have the CREATE PROCEDURE privilege to exploit the flaw," Litchfield
writes. "As we will see, this is not the case."
The paper details exactly how the exploit works in terms of code. As to
how to mitigate the risk of this technique being used to attack an
Oracle database, Litchfield on Page 10 suggests limiting who can do what
in terms of DDL (Data Definition Language) by using a trigger to prevent
unauthorized attempts, and he provides code for a sample trigger to do
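As an added example of the kind of control Litchfield describes, and not the trigger from his paper, the PL/SQL below installs a database-level DDL trigger that rejects DDL unless the session user is on an allow-list, and records every attempt (blocked or not) in a log table so that an injection that reaches DDL is visible in audit data. The table, procedure and trigger names and the allow-list entries (`APP_DEPLOY`) are hypothetical. The trigger is keyed on `SESSION_USER` rather than `CURRENT_USER` on purpose: SQL that reaches a definer-rights PL/SQL unit runs as that unit's owner (so `CURRENT_USER` may read `SYS`), while `SESSION_USER` still names the account that logged in.

```sql
-- Added example (hypothetical objects; not the trigger from Litchfield's paper).
-- Requires the ADMINISTER DATABASE TRIGGER privilege to create the trigger.

-- Audit table for DDL attempts.
CREATE TABLE ddl_attempt_log (
    attempted_at TIMESTAMP DEFAULT SYSTIMESTAMP,
    sess_user    VARCHAR2(128),    -- account that logged in
    cur_user     VARCHAR2(128),    -- effective privilege domain (definer on injection)
    event        VARCHAR2(30),     -- CREATE / ALTER / DROP / ...
    obj_type     VARCHAR2(30),
    obj_owner    VARCHAR2(128),
    obj_name     VARCHAR2(128),
    blocked      CHAR(1)           -- 'Y' if the trigger rejected the statement
);

-- Autonomous logger so the log row survives the error that aborts the DDL.
CREATE OR REPLACE PROCEDURE log_ddl_attempt (
    p_sess_user IN VARCHAR2, p_cur_user  IN VARCHAR2,
    p_event     IN VARCHAR2, p_obj_type  IN VARCHAR2,
    p_obj_owner IN VARCHAR2, p_obj_name  IN VARCHAR2,
    p_blocked   IN CHAR)
IS
    PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
    INSERT INTO ddl_attempt_log
        (sess_user, cur_user, event, obj_type, obj_owner, obj_name, blocked)
    VALUES
        (p_sess_user, p_cur_user, p_event, p_obj_type, p_obj_owner, p_obj_name, p_blocked);
    COMMIT;
END log_ddl_attempt;
/

-- The guard itself: fires before any DDL in the database.
CREATE OR REPLACE TRIGGER block_unauthorised_ddl
    BEFORE DDL ON DATABASE
DECLARE
    l_sess_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    l_cur_user  VARCHAR2(128) := SYS_CONTEXT('USERENV', 'CURRENT_USER');
    l_allowed   BOOLEAN;
BEGIN
    -- Accounts permitted to run DDL (constructed list; set by site policy).
    -- Keyed on the session user: a low-privileged login whose injected SQL
    -- executes inside a SYS-owned package still shows up here as itself.
    l_allowed := l_sess_user IN ('SYS', 'SYSTEM', 'APP_DEPLOY');

    log_ddl_attempt(l_sess_user, l_cur_user, ORA_SYSEVENT, ORA_DICT_OBJ_TYPE,
                    ORA_DICT_OBJ_OWNER, ORA_DICT_OBJ_NAME,
                    CASE WHEN l_allowed THEN 'N' ELSE 'Y' END);

    IF NOT l_allowed THEN
        RAISE_APPLICATION_ERROR(-20001,
            'DDL blocked: ' || ORA_SYSEVENT || ' ' || ORA_DICT_OBJ_TYPE || ' ' ||
            ORA_DICT_OBJ_OWNER || '.' || ORA_DICT_OBJ_NAME ||
            ' attempted by session user ' || l_sess_user);
    END IF;
END block_unauthorised_ddl;
/
```

Two caveats a practitioner would check before relying on this: the trigger can be disabled or dropped by anyone holding `ALTER ANY TRIGGER` or `DROP ANY TRIGGER`, so those privileges belong on the same short list as the allow-list entries; and a blanket DDL block will also stop legitimate deployments, which is why the log table records allowed events too, so the allow-list can be tuned from real activity rather than guessed.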
Litchfield said that during his presentation he plans to show how the
new attack technique works. He will then examine a few holes that Oracle
has said are exploitable only if an attacker can create a function, and
he will show that Oracle is wrong in that assertion, he said.
Litchfield's discovery is getting nods of approval in security experts'
blogs. "This is quite a cool attack technique," Pete Finnigan, a
renowned expert on Oracle security, said in a recent blog.
Oracle had not provided a response by the time this story was posted.
Editor's Note: This story was updated to include more comments by