Is your Oracle database really secure?

By Deon du Plessis, Journalist
Johannesburg, 08 May 2008

While Oracle databases are nowhere near as vulnerable as they were five years ago, there is still a great deal of attention being paid to them by professionals and hackers alike.

David Litchfield, a renowned Oracle database hacker and author of The Oracle Hacker's Handbook, revealed at ITWeb Security Summit 2008 yesterday just a handful of the various ways in which even the modern Oracle database is vulnerable to attack.

Lateral SQL injection

A relatively recent discovery by Litchfield is the "lateral SQL injection" attack, in which a hacker exploits the SYSDATE function to inject any piece of arbitrary code he chooses into an Oracle database. This opens the door to the kind of abuses that lead to loss and corruption, such as the granting of database administrator privileges to PUBLIC.

Until this discovery, DATE and NUMBER data types were widely considered not to be useful as an injection vector.

Cursor snarfing

An older attack, "cursor snarfing", is similarly useful to hackers, particularly when the cursor in question was created by an account with high privileges.

An open cursor that is left unclosed, whether through a lack of adherence to programming best practices or as the result of an exception, can be "snarfed" by an attacker and used in ways not intended by the original coder.

"Snarfing" in this case is the act of retrieving command line resources, and a cursor in database terms is a "control structure for the successive traversal (and potential processing) of records in a result set". This means that an open cursor, once found, can be recycled by an attacker using a login with very few privileges to retrieve data such as the password of a SYS user.
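
The unclosed-cursor condition described above, as an added PL/SQL example that is not from the article or from Litchfield's talk: the first procedure leaves a DBMS_SQL cursor open when an exception fires, the second closes it on every exit path. The table APP_USERS and both procedure names are hypothetical.

```sql
-- Added illustration. APP_USERS and the procedure names are hypothetical.
-- Weak form: an exception raised after OPEN_CURSOR skips CLOSE_CURSOR,
-- so the cursor stays open in the caller's session.
CREATE OR REPLACE PROCEDURE count_user_weak (p_name IN VARCHAR2, p_found OUT NUMBER) AS
  c      INTEGER;
  n      INTEGER;
  v_name VARCHAR2(30);
  v_cnt  NUMBER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT COUNT(*) FROM app_users WHERE username = :u', DBMS_SQL.NATIVE);
  v_name := p_name;  -- VALUE_ERROR if p_name exceeds 30 characters; c is never closed
  DBMS_SQL.BIND_VARIABLE(c, ':u', v_name);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_cnt);
  n := DBMS_SQL.EXECUTE_AND_FETCH(c);
  DBMS_SQL.COLUMN_VALUE(c, 1, v_cnt);
  DBMS_SQL.CLOSE_CURSOR(c);
  p_found := v_cnt;
END;
/

-- Hardened form: input is checked before any cursor exists, and the
-- exception handler closes the cursor before re-raising the error.
CREATE OR REPLACE PROCEDURE count_user_hardened (p_name IN VARCHAR2, p_found OUT NUMBER) AS
  c      INTEGER;
  n      INTEGER;
  v_name VARCHAR2(30);
  v_cnt  NUMBER;
BEGIN
  v_name := p_name;  -- a length failure here happens before OPEN_CURSOR
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT COUNT(*) FROM app_users WHERE username = :u', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', v_name);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_cnt);
  n := DBMS_SQL.EXECUTE_AND_FETCH(c);
  DBMS_SQL.COLUMN_VALUE(c, 1, v_cnt);
  DBMS_SQL.CLOSE_CURSOR(c);
  p_found := v_cnt;
EXCEPTION
  WHEN OTHERS THEN
    -- Close on every failure path so no cursor outlives the call.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/
```

In a code review, every DBMS_SQL.OPEN_CURSOR call should have a matching CLOSE_CURSOR reachable from the exception section of the same block.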

Code review the way to go

Vulnerabilities that lead to unwanted persons gaining access to databases include custom applications and vulnerable underlying . This is something that not even customised Web applications and database security detection and prevention software can thwart.

Litchfield went so far as to say that installing these security applications only widens the potential attack area thanks to vulnerabilities that are widely known within the database hacking community.

He said the expense of such software packages would actually be better spent on code review, and with much better results.