http://www.eweek.com/article2/0,1895,2098506,00.asp 

By Lisa Vaas
February 26, 2007 

Updated: Oracle's slated to be the whipping boy in two Oracle-specific 
Black Hat briefings and will be among the clump of databases faulted in 
one general database communication protocol weakness briefing. Expect at 
least one zero-day exploit and an entirely new class of attack 
technique, all with Oracle in their crosshairs.

Oracle's up for being a whipping-boy at Black Hat 2007 Washington, Feb. 
28-March 1, with two briefings dedicated to Oracle security and/or 
insecurity.

Cesar Cerrudo, founder of information security service firm Argeniss, is 
expected to release at least one zero-day vulnerability and exploit code 
for an Oracle product during his presentation, called "Practical 
10-Minute Security Audit: The Oracle Case."

On a related subject, although not focusing on Oracle, Amichai Shulman, 
co-founder and chief technology officer of data security and compliance 
vendor Imperva, will deliver a briefing entitled "Danger from Below: The 
Untold Tale of Database Communication Protocol Vulnerabilities."

But the worst news for Oracle will likely be David Litchfield's 
presentation, "Advanced Oracle Attack Techniques."

Litchfield, an expert on database security, has discovered a new exploit 
technique using cursor injection that lets just about any Oracle user 
adopt the privileges of a database administrator, from which point he or 
she can then execute arbitrary SQL. The method doesn't rely on any 
vulnerability, Litchfield said in an e-mail exchange, and it works on 
all versions of Oracle.

Litchfield, who is co-founder and managing director at NGSS (Next 
Generation Security Software), in Surrey, England, said he had planned 
to talk about a method of exploiting PL/SQL injection flaws with 
low-level privileges, but had backed off due to the ethics of 
responsible disclosurenamely, that the exploit relied on two unpatched 
holes.

Litchfield and Oracle have bumped heads over security often over the 
years. At Black Hat 2006, Litchfield went public with a technical 
description of a flaw, including a blow-by-blow demonstration of the 
ease in which an attack could occur. Oracle lashed back, accusing him of 
endangering its customers for selfish, irresponsible reasons.

Litchfield went public in November 2006 with a research paper that warns 
that dangling cursors in database code can be manipulated and used to 
expose sensitive data.

The attack techniquecalled "dangling cursor snarfing"can be launched if 
developers fail to close cursors created and used by DBMS_SQL, the 
Oracle package that provides an interface for using dynamic SQL to parse 
data manipulations or data definition languages.

Over the weekend, Litchfield found a way to work that exploit so it 
didn't rely on unpatched flaws. On Feb. 24, he published a new paper on 
the technique, titled "Cursor Injection: A New Method for Exploiting 
PL/SQL Injection and Potential Defences." (PDF) This new exploit 
technique breaks from all currently known means of exploiting Oracle 
databases. Pete Lindstrom, senior security analyst at Burton Group, 
contrasted Litchfield's find with the endless stream of buffer overflow 
flaws reported on any given day.

"Any new buffer overflow vulnerability does nothing to further the 
knowledge base of the security community, and it only serves to increase 
risk [to users]," Lindstrom said. "In cases where there are entire new 
classes of attack, where you're learning a whole new technique, rather 
than throwing a whole lot of data at a process and waiting for it to 
breakwhich everyone and their grandmother could do you're learning about 
new ways in which applications can be exploited."

In effect, this discovery should rip off the security blanket that some 
Oracle users have counted on until now. In the case of many Oracle 
advisories, users refrain from patching certain holes since they feel 
the risk is mitigated by an attacker's need for escalated privileges in 
order to exploit it, Litchfield said in the e-mail exchange.

" By proving that for *ALL* SQL injection flaws you don't need [the] 
ability to create functions [a high-level privilege] to fully exploit 
them, then we remove a barrier to patching," he said.

That puts Oracle in a similar position when it comes to downplaying the 
risk of SQL injection holes, Litchfield continued. "Oracle will no 
longer be able to say this or that SQL injection hole can't be exploited 
without the attacker being able to create functions."

In his paper, Litchfield points to one example of Oracle downplaying a 
risk, in this case for a vulnerability in the SDO_DROP_USER_BEFORE 
trigger, sent out in Oracle's October 2006 Critical Patch Update. "In 
the Risk Matrix section of the alert it states that an attacker must 
have the CREATE PROCEDURE privilege to exploit the flaw," Litchfield 
writes. "As we will see, this is not the case."

The paper details exactly how the exploit works in terms of code. As to 
how to mitigate the risk of this technique being used to attack an 
Oracle database, Litchfield on Page 10 suggests limiting who can do what 
in terms of DDL (Data Definition Language) by using a trigger to prevent 
unauthorized attempts, and he provides code for a sample trigger to do 
this.

Litchfield said that during his presentation he plans to show how the 
new attack technique works. He will then examine a few holes that Oracle 
has said are exploitable only if an attacker can create a function, and 
he will show that Oracle is wrong in that assertion, he said.

Litchfield's discovery is getting nods of approval in security experts' 
blogs. "This is quite a cool attack technique," Pete Finnigan, a 
renowned expert on Oracle security, said in a recent blog.

Oracle had not provided a response by the time this story was posted.

Editor's Note: This story was updated to include more comments by 
analysts.


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss