In a paper he plans to discuss today at the Black Hat 2007 ‘future of security’ conference, noted database security researcher David Litchfield is expected to outline a new attack method against Oracle databases that increases the danger to unpatched systems.
Litchfield, the managing director of UK-based Next Generation Security (NGS) Software, has found a way to exploit Oracle vulnerabilities without requiring system privileges. The new tactic, which he spelled out in his paper, "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences", increases the threat risk of many Oracle-disclosed bugs.
"On occasion, Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw," Litchfield said in the paper. "This is not the case. All SQL injection flaws can be fully exploited without any system privilege other than ‘create session’ and, accordingly, the risk should never be 'marked down' [in an alert]," he said.
The new technique doesn't rely on a vulnerability and applies to all versions of Oracle. More importantly, said Symantec in an alert this week, the method puts to rest one of the rationalisations that Oracle has used to downgrade some bug threats.
"In the past, Oracle advisories have contended that a vulnerability was not exploitable if the attacker couldn't create a procedure or function," said Symantec in its warning to customers of its DeepSight threat system. "But this settles the debate, showing that exploration is possible even when this privilege limitation is encountered."
Oracle's response neither confirmed nor denied that Litchfield's tactic worked as promised. "NGS's 'Cursor Injection' paper describes a technique that may assist an attacker in exploitation of SQL injection vulnerabilities," an Oracle spokesperson said.
"Fixes for the SQL injection vulnerabilities discussed in the paper were included in Oracle's October 2006 Critical Patch Update [CPU]," the spokesperson added. "To help prevent an attack based on the methods described in the paper, Oracle strongly encourages customers to apply the latest CPU." Deploying the patches in the most recent Oracle CPU, however, does not block the new attack scheme, only specific, known vulnerabilities.
It didn't take long for existing Oracle exploits to be revamped with Litchfield's cursor injection technique. According to Symantec, at least four exploits that target Oracle products were updated yesterday to leverage the new exploitation method.