Oracles up for being a whipping-boy at Black Hat 2007 Washington, Feb. 28-March 1, with two briefings dedicated to Oracle security and/or insecurity.
Cesar Cerrudo, founder of information security service firm Argeniss, is expected to release at least one zero-day vulnerability and exploit code for an Oracle product during his presentation, called “Practical 10-Minute Security Audit: The Oracle Case.”
On a related subject, although not focusing on Oracle, Amichai Shulman, co-founder and chief technology officer of data security and compliance vendor Imperva, will deliver a briefing entitled “Danger from Below: The Untold Tale of Database Communication Protocol Vulnerabilities.”
But the worst news for Oracle will likely be David Litchfields presentation, “Advanced Oracle Attack Techniques.”
Litchfield, an expert on database security, has discovered a new exploit technique using cursor injection that lets just about any Oracle user adopt the privileges of a database administrator, from which point he or she can then execute arbitrary SQL. The method doesnt rely on any vulnerability, Litchfield said in an e-mail exchange, and it works on all versions of Oracle.
Litchfield, who is co-founder and managing director at NGSS (Next Generation Security Software), in Surrey, England, said he had planned to talk about a method of exploiting PL/SQL injection flaws with low-level privileges, but had backed off due to the ethics of responsible disclosure-namely, that the exploit relied on two unpatched holes.
Litchfield and Oracle have bumped heads over security often over the years. At Black Hat 2006, Litchfield went public with a technical description of a flaw, including a blow-by-blow demonstration of the ease in which an attack could occur. Oracle lashed back, accusing him of endangering its customers for selfish, irresponsible reasons.
about the controversy surrounding Litchfields announcement of an Oracle flaw at Black Hat 2006.
Litchfield went public in November 2006 with a research paper that warns that dangling cursors in database code can be manipulated and used to expose sensitive data.
The attack technique-called “dangling cursor snarfing”-can be launched if developers fail to close cursors created and used by DBMS_SQL, the Oracle package that provides an interface for using dynamic SQL to parse data manipulations or data definition languages.
Over the weekend, Litchfield found a way to work that exploit so it didnt rely on unpatched flaws. On Feb. 24, he published a new paper on the technique, titled “Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences.” (PDF) This new exploit technique breaks from all currently known means of exploiting Oracle databases. Pete Lindstrom, senior security analyst at Burton Group, contrasted Litchfields find with the endless stream of buffer overflow flaws reported on any given day.
“Any new buffer overflow vulnerability does nothing to further the knowledge base of the security community, and it only serves to increase risk [to users],” Lindstrom said. “In cases where there are entire new classes of attack, where youre learning a whole new technique, rather than throwing a whole lot of data at a process and waiting for it to break-which everyone and their grandmother could do- … youre learning about new ways in which applications can be exploited.”
In effect, this discovery should rip off the security blanket that some Oracle users have counted on until now. In the case of many Oracle advisories, users refrain from patching certain holes since they feel the risk is mitigated by an attackers need for escalated privileges in order to exploit it, Litchfield said in the e-mail exchange.
“… By proving that for *ALL* SQL injection flaws you dont need [the] ability to create functions [a high-level privilege] to fully exploit them, then we remove a barrier to patching,” he said.
That puts Oracle in a similar position when it comes to downplaying the risk of SQL injection holes, Litchfield continued. “Oracle will no longer be able to say this or that SQL injection hole cant be exploited without the attacker being able to create functions.”
In his paper, Litchfield points to one example of Oracle downplaying a risk, in this case for a vulnerability in the SDO_DROP_USER_BEFORE trigger, sent out in Oracles October 2006 Critical Patch Update. “In the Risk Matrix section of the alert it states that an attacker must have the CREATE PROCEDURE privilege to exploit the flaw,” Litchfield writes. “As we will see, this is not the case.”
The paper details exactly how the exploit works in terms of code. As to how to mitigate the risk of this technique being used to attack an Oracle database, Litchfield on Page 10 suggests limiting who can do what in terms of DDL (Data Definition Language) by using a trigger to prevent unauthorized attempts, and he provides code for a sample trigger to do this.
Litchfield said that during his presentation he plans to show how the new attack technique works. He will then examine a few holes that Oracle has said are exploitable only if an attacker can create a function, and he will show that Oracle is wrong in that assertion, he said.
Litchfields discovery is getting nods of approval in security experts blogs. “This is quite a cool attack technique,” Pete Finnigan, a renowned expert on Oracle security, said in a recent blog.
Oracle had not provided a response by the time this story was posted.
Editors Note: This story was updated to include more comments by analysts.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.