A security expert has given details of a new class of attack on Oracle databases that could expose enterprise data to attackers.
David Litchfield, co-founder and managing director of Next Generation Security Software (NGSS), said the database vulnerability affected cursors - the pointers used by a database to fetch rows of data from the results set of a query.
The bug results from a failure to close cursors created or used by DBMS_SQL, or a failure to clean up open cursors, especially when an exception is raised (a coding error).
In a paper entitled Dangling Cursor Snarfing: A New Class of Attack in Oracle, Litchfield said that cursors that were left open could allow attackers to steal ("snarf") data.
"If the cursor in question has been created by higher privileged code and left hanging, it is possible for a low-privileged user to snarf and use the cursor outside of the application logic that created it. This can lead to data being exposed," said Litchfield.
The flaw affects the confidentiality of data, as an attacker can gain access to data that they would not normally be able to access. It also affects the integrity of data, because an attacker could use higher privileged code with DBMS_SQL to perform an insert, update or delete command, and so change the data within the database directly.
For example, where the data being inserted must not contain single quote marks and the higher-privileged code checks for their presence, the attacker can snarf the cursor and replace the data so that it does contain a single quote mark, thereby causing an exception.
"Ensuring that cursors are closed after use is, of course, good programming practice, but, as we know, good programming practices do not always prevail," Litchfield said.
"In certain cases, the class of attack may expose data to an attacker. When performing security code reviews of PL/SQL, this should be checked for and fixed. Instances should be easy to spot: look for code that uses DBMS_SQL but contains no exception handling code, or that does not close the cursor in exception handling code if present, or cases where the developer has forgotten to close the cursor period."
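As an added illustration of the review pattern Litchfield describes (this is not code from his paper or from the article), the hypothetical definer-rights procedure below is shown first in the leaky form and then with the cursor closed on every path; the schema, table and procedure names are assumptions:

```sql
-- Added example (hypothetical APP_OWNER schema, NOTES table, INSERT_NOTE procedure).
-- VULNERABLE: the DBMS_SQL cursor opened under APP_OWNER's privileges is closed
-- only on the success path; any error raised after OPEN_CURSOR leaves it dangling.
CREATE OR REPLACE PROCEDURE app_owner.insert_note (p_text IN VARCHAR2)
AUTHID DEFINER
AS
  l_cur   INTEGER;
  l_rows  INTEGER;
BEGIN
  l_cur := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(l_cur, 'INSERT INTO app_owner.notes (note_text) VALUES (:txt)',
                 DBMS_SQL.NATIVE);
  -- Validation runs after the privileged cursor already exists.
  IF INSTR(p_text, '''') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'single quotes not allowed');  -- cursor leaks
  END IF;
  DBMS_SQL.BIND_VARIABLE(l_cur, ':txt', p_text);
  l_rows := DBMS_SQL.EXECUTE(l_cur);  -- a constraint violation here also leaks it
  DBMS_SQL.CLOSE_CURSOR(l_cur);
END insert_note;
/
-- HARDENED: validate before opening the cursor, and close it in the exception
-- handler as well, then re-raise so the caller still sees the original error.
CREATE OR REPLACE PROCEDURE app_owner.insert_note (p_text IN VARCHAR2)
AUTHID DEFINER
AS
  l_cur   INTEGER;
  l_rows  INTEGER;
BEGIN
  IF INSTR(p_text, '''') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'single quotes not allowed');
  END IF;
  l_cur := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(l_cur, 'INSERT INTO app_owner.notes (note_text) VALUES (:txt)',
                 DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(l_cur, ':txt', p_text);
  l_rows := DBMS_SQL.EXECUTE(l_cur);
  DBMS_SQL.CLOSE_CURSOR(l_cur);
EXCEPTION
  WHEN OTHERS THEN
    -- l_cur is NULL if OPEN_CURSOR itself failed, so guard before IS_OPEN.
    IF l_cur IS NOT NULL AND DBMS_SQL.IS_OPEN(l_cur) THEN
      DBMS_SQL.CLOSE_CURSOR(l_cur);
    END IF;
    RAISE;
END insert_note;
/
```

During a review, the first form is the signature to look for: DBMS_SQL.OPEN_CURSOR with no EXCEPTION block, or one that does not call CLOSE_CURSOR.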
In the past few months a number of vulnerabilities have been identified in the Oracle database.
Eric Maurice, security manager for Oracle's global technology business unit, said, "One of Oracle's highest priorities is the security of our customers. We believe that a key requirement to meeting this objective is to be transparent about our policies, even if this sometimes means that we will be under additional public scrutiny."
IN A NUTSHELL
● DBMS_SQL (Database Management System Structured Query Language) controls the storage, retrieval and security of data in a database. It accepts requests from the application and instructs the operating system to transfer the appropriate data.
● PL/SQL (Procedural Language/SQL) is Oracle's proprietary server-based procedural extension to the SQL database programming language.