A security researcher will use the at the Black Hat DC 2007 conference in Washington to outline a new attack method against Oracle databases.
David Litchfield , the managing director of NGSSoftware (Next Generation Security Software), has found a way to exploit Oracle vulnerabilities without requiring system privileges.
The new tactic, which he spelled out in "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences, increases the threat risk to unpatched systems of many Oracle-disclosed bugs.
"On occasion, Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw," Litchfield said in the paper. "This is not the case. All SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION and, accordingly, the risk should never be 'marked down' [in an alert]," he said.
The new technique doesn't rely on a vulnerability and applies to all versions of Oracle. More importantly, said security company Symantec in an alert today, the method puts to rest one of the rationalisations that Oracle has used to downgrade some bug threats.
"In the past, Oracle advisories have contended that a vulnerability was not exploitable if the attacker couldn't create a procedure or function," said Symantec in its warning to customers of its DeepSight threat system. "But this settles the debate, showing that exploration is possible even when this privilege limitation is encountered."
Oracle's response neither confirmed nor denied that Litchfield's tactic worked as he claimed. "NGSSoftware's 'Cursor Injection' paper describes a technique that may assist an attacker in exploitation of SQL injection vulnerabilities," Oracle said.
"Fixes for the SQL injection vulnerabilities discussed in the paper were included in Oracle's October 2006 Critical Patch Update (CPU)," the company added. "To help prevent an attack based on the methods described in the paper, Oracle strongly encourages customers to apply the latest CPU."
Deploying the patches in the most recent Oracle CPU, however, does not block the new attack scheme, only specific, known vulnerabilities.
It has not taken long for existing Oracle exploits to be reworked to include Litchfield's cursor injection technique. According to Symantec, at least four exploits that target Oracle products were updated yesterday to use the new exploitation method.