Security Researcher: Beware Dangling Cursors in Oracle Code

Database security guru David Litchfield of NGSS raises the alert for a brand-new class of vulnerabilities in Oracle databases.

British security researcher David Litchfield is raising an alert for a brand-new class of vulnerabilities affecting Oracle database products.

Litchfield, a database security expert who has clashed with Oracle in the past, went public with the discovery in a research paper that warns that dangling cursors in database code can be manipulated and used to expose sensitive data.

The attack technique—called "dangling cursor snarfing"—can be launched if developers fail to close cursors created and used by DBMS_SQL, the Oracle package that provides an interface for using dynamic SQL to parse data manipulations or data definition languages.

Litchfield, co-founder and managing director at NGSS (Next Generation Security Software), in Surrey, England, warned that the new vulnerability class "can lead to data being exposed."

"If the cursor in question has been created by higher-privileged code and left hanging, then its possible for a low-privileged user to snarf and use the cursor outside of the application logic that created it," Litchfield said.

Cursors are used in code to offer software developers a way to process database information, but if cursors are not closed, Litchfield said, an exception can lead to a security vulnerability. "Ensuring that cursors are closed after use is, of course, good programming practice, but, as we know, good programming practices do not always prevail," he added.

In the research paper (here as a PDF file), Litchfield provided several examples of the new vulnerability class and ways in which it can be exploited to launch SQL injection attacks.

"An attacker can gain access to data they would not normally be able to access," Litchfield said. However, he noted that an attacker is confined by the query that is parsed by the higher-privileged code. "Whilst it is possible to parse a new query on the cursor this is done … with the privileges of the attacker, so it is not possible to change to query to say, GRANT DBA TO PUBLIC. An attacker is limited to manipulating the variable aspects of the query such as the bind variables," he explained.

Litchfield said the new class of flaw can also affect the integrity of data in cases where the malicious attacker can insert data into the database.


Building an Integrated IT Security Strategy for 2007: eSeminars invites you to join this virtual tradeshow on November 30, and learn how to reduce security costs and mitigate the risks associated with users and their access rights across your entire organization.

Click here

to read more.

He recommended that Oracle developers perform strict input validation to block attackers from generating an exception. "The second form of defense is to always have an others exception block that closes any open cursors," Litchfield said.

"The sky is not falling, but in certain cases the class of attack may expose data to an attacker," he said, urging that security code reviews of PL/SQL should check for and fix instances of open cursors.

"Instances should be easy to spot—look for code that uses DBMS_SQL but contains no exception-handling code or doesnt close the cursor in exception-handling code if present or simply cases where the developer has forgotten to close the cursor," he said.

Cesar Cerrudo, founder and CEO of Argeniss Information Security, in Parana, Argentina, described Litchfields discovery as "very interesting" and warned developers to be wary of the security implications.

Cerrudo, who said he plans to release Oracle zero-day vulnerabilities as part of a new project called WoODB (Week of Oracle Database Bugs), said attackers could modify parameters to launch malicious exploits in specific scenarios.

Litchfields latest warning follows the release of whitepaper (here in PDF) comparing security flaws in Oracle and Microsoft database products. The comparison measured the number of vulnerabilities found and patched by the vendors over the past six years and gave a resounding victory to Microsofts SQL server.

Litchfields research rated Microsofts SQL Server 2000 Service Pack 4 as the most secure database available. "The conclusion is clear—if security robustness and a high degree of assurance are concerns when looking to purchase database server software—given these results one should not be looking at Oracle as a serious contender," he said.

Eric Maurice, manager for security in Oracles Global Technology Business Unit, used his companys blog to address the flurry of publicity around Oracle security.

"Because software engineering is a complex discipline, the absence of security flaws in released software cannot be fully guaranteed. Such flaws may be detected during internal testing, or may be discovered externally by customers and security researchers. Regardless of who discovers these issues, Oracles top priority is to efficiently fix those flaws across all supported platforms in order to allow customers to maintain their security posture," he wrote.

"This means that Oracle prioritizes those security flaws in order of severity, regardless of how they were discovered, in order to produce the appropriate fix," Maurice wrote.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.