http://www.eweek.com/article2/0,1895,2064828,00.asp

By Ryan Naraine
November 28, 2006

British security researcher David Litchfield is raising an alert for a brand-new class of vulnerabilities affecting Oracle database products.

Litchfield, a database security expert who has clashed with Oracle in the past, went public with the discovery in a research paper that warns that dangling cursors in database code can be manipulated and used to expose sensitive data.

The attack technique, called "dangling cursor snarfing," can be launched if developers fail to close cursors created and used by DBMS_SQL, the Oracle package that provides an interface for executing dynamic SQL, including data manipulation (DML) and data definition (DDL) statements.

Litchfield, co-founder and managing director at NGSS (Next Generation Security Software), in Surrey, England, warned that the new vulnerability class "can lead to data being exposed."

"If the cursor in question has been created by higher-privileged code and left hanging, then it's possible for a low-privileged user to snarf and use the cursor outside of the application logic that created it," Litchfield said.

Cursors give developers a handle for processing database information in code, but if a cursor is not closed, Litchfield said, an exception raised before the close leaves it open, and that dangling cursor can become a security vulnerability.

"Ensuring that cursors are closed after use is, of course, good programming practice, but, as we know, good programming practices do not always prevail," he added.

In the research paper (here as a PDF file [1]), Litchfield provided several examples of the new vulnerability class and ways in which it can be exploited to launch SQL injection attacks. "An attacker can gain access to data they would not normally be able to access," Litchfield said. However, he noted that an attacker is confined by the query that is parsed by the higher-privileged code.
"Whilst it is possible to parse a new query on the cursor this is done with the privileges of the attacker, so it is not possible to change the query to say, 'GRANT DBA TO PUBLIC.' An attacker is limited to manipulating the variable aspects of the query such as the bind variables," he explained.

Litchfield said the new class of flaw can also affect the integrity of data in cases where the malicious attacker can insert data into the database.

He recommended that Oracle developers perform strict input validation to block attackers from generating an exception. "The second form of defense is to always have an 'others' exception block that closes any open cursors," Litchfield said.

"The sky is not falling, but in certain cases the class of attack may expose data to an attacker," he said, urging that security code reviews of PL/SQL should check for and fix instances of open cursors.

"Instances should be easy to spot: look for code that uses DBMS_SQL but contains no exception-handling code, or doesn't close the cursor in exception-handling code if present, or simply cases where the developer has forgotten to close the cursor," he said.

Cesar Cerrudo, founder and CEO of Argeniss Information Security, in Paraná, Argentina, described Litchfield's discovery as "very interesting" and warned developers to be wary of the security implications. Cerrudo, who said he plans to release Oracle zero-day vulnerabilities as part of a new project called WoODB (Week of Oracle Database Bugs), said attackers could modify parameters to launch malicious exploits in specific scenarios.

Litchfield's latest warning follows the release of a whitepaper (here in PDF [2]) comparing security flaws in Oracle and Microsoft database products. The comparison measured the number of vulnerabilities found and patched by the vendors over the past six years and gave a resounding victory to Microsoft's SQL Server.
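The two recommendations above (always close DBMS_SQL cursors in a WHEN OTHERS handler, and audit PL/SQL for units that open a cursor without doing so) can be turned into a simple code-review check. The script below is an added example written for this page; it is not from Litchfield's paper or from Oracle. It embeds a constructed PL/SQL sample with the risky pattern described in the article (cursor opened, then closed only on the normal path, with no exception handler) beside the hardened version of the same procedure, and then runs a heuristic scanner over both. The procedure names, table name and the scanner itself are assumptions for illustration, not identifiers from the original article.

```python
"""Heuristic code-review check for dangling DBMS_SQL cursors in PL/SQL source.

Flags program units that open a DBMS_SQL cursor but do not guarantee it is
closed on the exception path: no EXCEPTION section, no WHEN OTHERS handler,
or a WHEN OTHERS handler that never calls DBMS_SQL.CLOSE_CURSOR.
"""
import re

# Constructed sample input (not real application code): one definer-rights
# procedure written the risky way and the same procedure with the fix applied.
SAMPLE_PLSQL = """
CREATE OR REPLACE PROCEDURE audit_log_bad (p_msg IN VARCHAR2) AUTHID DEFINER IS
  c INTEGER;
  n INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'INSERT INTO app_owner.audit_log (msg) VALUES (:m)', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':m', p_msg);
  n := DBMS_SQL.EXECUTE(c);   -- an oversized p_msg makes EXECUTE raise here ...
  DBMS_SQL.CLOSE_CURSOR(c);   -- ... so this line is never reached and c dangles
END;
/

CREATE OR REPLACE PROCEDURE audit_log_good (p_msg IN VARCHAR2) AUTHID DEFINER IS
  c INTEGER;
  n INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'INSERT INTO app_owner.audit_log (msg) VALUES (:m)', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':m', p_msg);
  n := DBMS_SQL.EXECUTE(c);
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    IF DBMS_SQL.IS_OPEN(c) THEN   -- close on every failure path, then re-raise
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/
"""

# One program unit runs from CREATE ... up to the SQL*Plus terminator line "/".
UNIT_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:PROCEDURE|FUNCTION|PACKAGE\s+BODY)\s+"
    r"(\w+)(.*?)^\s*/\s*$",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)
COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
EXCEPTION_RE = re.compile(r"\bEXCEPTION\b")
OTHERS_RE = re.compile(r"\bWHEN\s+OTHERS\s+THEN\b")


def review_unit(source):
    """Return a list of findings for one PL/SQL unit (empty list = looks safe)."""
    text = COMMENT_RE.sub("", source).upper()
    if "DBMS_SQL.OPEN_CURSOR" not in text:
        return []  # no DBMS_SQL cursor is opened here, so nothing can be snarfed
    # Heuristic: the handler section is whatever follows the last EXCEPTION keyword.
    hits = list(EXCEPTION_RE.finditer(text))
    if hits:
        body, handler = text[: hits[-1].start()], text[hits[-1].end():]
    else:
        body, handler = text, ""
    findings = []
    if "DBMS_SQL.CLOSE_CURSOR" not in text:
        findings.append("cursor is opened but never closed")
    if not hits:
        findings.append("no EXCEPTION section: any raise leaves the cursor open")
    elif not OTHERS_RE.search(handler):
        findings.append("EXCEPTION section has no WHEN OTHERS handler")
    elif "DBMS_SQL.CLOSE_CURSOR" not in handler:
        findings.append("WHEN OTHERS handler does not call DBMS_SQL.CLOSE_CURSOR")
    elif "DBMS_SQL.CLOSE_CURSOR" not in body:
        findings.append("normal path never closes the cursor (relies on handler)")
    return findings


def scan_plsql(script):
    """Map each unit name (upper-cased) to its findings."""
    return {m.group(1).upper(): review_unit(m.group(0)) for m in UNIT_RE.finditer(script)}


if __name__ == "__main__":
    for name, findings in scan_plsql(SAMPLE_PLSQL).items():
        print(("OK    " if not findings else "REVIEW") + " " + name)
        for finding in findings:
            print("       - " + finding)
```

Run against the embedded sample, the scanner reports audit_log_bad for review (no EXCEPTION section) and passes audit_log_good, whose WHEN OTHERS handler closes the cursor before re-raising. The check is deliberately textual: it treats the last EXCEPTION keyword as the unit's handler section, so nested blocks with their own handlers need a manual look, and a clean result only means the closing pattern is present, not that the input validation Litchfield also recommends is in place.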
Litchfield's research rated Microsoft's SQL Server 2000 Service Pack 4 as the most secure database available. "The conclusion is clear: if security robustness and a high degree of assurance are concerns when looking to purchase database server software, given these results one should not be looking at Oracle as a serious contender," he said.

Eric Maurice, manager for security in Oracle's Global Technology Business Unit, used his company's blog [3] to address the flurry of publicity around Oracle security.

"Because software engineering is a complex discipline, the absence of security flaws in released software cannot be fully guaranteed. Such flaws may be detected during internal testing, or may be discovered externally by customers and security researchers. Regardless of who discovers these issues, Oracle's top priority is to efficiently fix those flaws across all supported platforms in order to allow customers to maintain their security posture," he wrote.

"This means that Oracle prioritizes those security flaws in order of severity, regardless of how they were discovered, in order to produce the appropriate fix," Maurice wrote.

[1] http://securitywatch.eweek.com/cursor-snarfing.pdf
[2] http://www.databasesecurity.com/dbsec/comparison.pdf
[3] http://blogs.oracle.com/security/2006/11/27#a39

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Nov 28 2006 - 22:33:51 PST