A security expert has given details of a new class of attack on Oracle databases that could expose enterprise data to attackers.
David Litchfield, co-founder and managing director of Next Generation Security Software (NGSS), said the database vulnerability affected cursors: the pointers a database uses to fetch rows of data from the result set of a query.
The bug results from a failure to close cursors created or used by DBMS_SQL, or a failure to clean up open cursors, especially when an exception (an error raised while the code is running) occurs.
In a paper entitled Dangling Cursor Snarfing: A New Class of Attack in Oracle, Litchfield said that cursors that were left open could allow attackers to steal ("snarf") data.
"If the cursor in question has been created by higher privileged code and left hanging, it is possible for a low-privileged user to snarf and use the cursor outside of the application logic that created it. This can lead to data being exposed," said Litchfield.
The flaw affects the confidentiality of data, because an attacker can gain access to data they would not normally be able to read. It also affects the integrity of data, because an attacker could use higher-privileged code with DBMS_SQL to perform an insert, update or delete command, and so change the data within the database directly.
For example, where the data being inserted must not contain single quote marks and the higher-privileged code checks for their presence, the attacker can snarf the cursor and replace the data with a value that does contain a single quote mark, thereby causing an exception.
"Ensuring that cursors are closed after use is, of course, good programming practice, but, as we know, good programming practices do not always prevail," Litchfield said.
"In certain cases, the class of attack may expose data to an attacker. When performing security code reviews of PL/SQL, this should be checked for and fixed. Instances should be easy to spot: look for code that uses DBMS_SQL but contains no exception handling code, or that does not close the cursor in exception handling code if present, or cases where the developer has forgotten to close the cursor, period."
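The cleanup Litchfield is describing, as an added PL/SQL example that is not from his paper or from this article: a definer-rights procedure that uses DBMS_SQL with no exception handler, so any error raised after OPEN_CURSOR leaves the handle dangling, beside the same procedure with the handler the review guidance calls for. The notes table, the procedure names and the single-quote check are constructed for the example.

```sql
-- Constructed table for the example.
CREATE TABLE notes (note_text VARCHAR2(200));

-- Vulnerable pattern: the cursor is opened and only closed on the success
-- path. If PARSE, BIND_VARIABLE or EXECUTE raises (for instance a constraint
-- violation), control leaves the procedure with l_cur still open, and the
-- handle outlives the privileged code that created it.
CREATE OR REPLACE PROCEDURE insert_note_unsafe (p_text IN VARCHAR2)
AUTHID DEFINER
AS
    l_cur  INTEGER;
    l_rows INTEGER;
BEGIN
    -- Input check that the privileged code relies on.
    IF INSTR(p_text, '''') > 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'single quotes are not allowed');
    END IF;

    l_cur := DBMS_SQL.OPEN_CURSOR;
    DBMS_SQL.PARSE(l_cur,
                   'INSERT INTO notes (note_text) VALUES (:t)',
                   DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(l_cur, ':t', p_text);
    l_rows := DBMS_SQL.EXECUTE(l_cur);   -- an exception here skips the close
    DBMS_SQL.CLOSE_CURSOR(l_cur);
END;
/

-- Hardened pattern: identical logic, but the cursor is closed on every exit
-- path. The WHEN OTHERS handler releases the handle and then re-raises, so
-- the caller still sees the original error and no cursor is left dangling.
CREATE OR REPLACE PROCEDURE insert_note_safe (p_text IN VARCHAR2)
AUTHID DEFINER
AS
    l_cur  INTEGER;
    l_rows INTEGER;
BEGIN
    IF INSTR(p_text, '''') > 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'single quotes are not allowed');
    END IF;

    l_cur := DBMS_SQL.OPEN_CURSOR;
    DBMS_SQL.PARSE(l_cur,
                   'INSERT INTO notes (note_text) VALUES (:t)',
                   DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(l_cur, ':t', p_text);
    l_rows := DBMS_SQL.EXECUTE(l_cur);
    DBMS_SQL.CLOSE_CURSOR(l_cur);
EXCEPTION
    WHEN OTHERS THEN
        -- l_cur is NULL if OPEN_CURSOR itself failed; otherwise make sure the
        -- handle is released before the error propagates.
        IF l_cur IS NOT NULL AND DBMS_SQL.IS_OPEN(l_cur) THEN
            DBMS_SQL.CLOSE_CURSOR(l_cur);
        END IF;
        RAISE;
END;
/
```

In a code review the difference is exactly the pattern the article describes: the first procedure uses DBMS_SQL with no exception block, so any failure between OPEN_CURSOR and CLOSE_CURSOR leaves the handle open; the second closes the cursor both after EXECUTE and in the handler, and re-raises so the failure is not silently swallowed.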
In the past few months a number of vulnerabilities have been identified in the Oracle database.
Eric Maurice, security manager for Oracle's global technology business unit, said, "One of Oracle's highest priorities is the security of our customers. We believe that a key requirement to meeting this objective is to be transparent about our policies, even if this sometimes means that we will be under additional public scrutiny."
Read Litchfield's paper: www.nextgenss.com
IN A NUTSHELL
● DBMS_SQL (Database Management System Structured Query Language) controls the storage, retrieval and security of data in a database. It accepts requests from the application and instructs the operating system to transfer the appropriate data.
● PL/SQL (Procedural Language/SQL) is Oracle's proprietary server-based procedural extension to the SQL database programming language.