Oracle database can be hacked

Oracle database is facing a new and more serious attack, a researcher has warned so while speaking at Black Hat's seminar.

Oracle database is facing a new and more serious attack, a researcher has warned so while speaking at Black Hat's seminar.

In an article that was intended to be discussed on Wednesday at the 2007 Black Hat DC conference, renowned security researcher David Litchfield said there was a new attack method against Oracle databases. This method can be harmful to unpatched systems.

Litchfield, managing director of UK NGSSoftware (Next Generation Security Software), discovered a method to exploit vulnerabilities in Oracle databases without raising system privileges. This new method, he called Cursor Injection: A new method for Exploiting PL / SQL Injection and Potential Defences (download PDF), increasing the risk of Oracle's error.

Litchfield said: ' Once, Oracle in its warnings declared that it is entirely possible to create a required procedure or function for an attacker to exploit a vulnerability. This is not the only case, but all SQL injection vulnerabilities can be fully exploited without any system privileges over CREATE SESSION and therefore the risk will never be reduced . '

Picture 1 of Oracle database can be hacked
This new technology does not depend on a vulnerability and applies to all versions of Oracle. More importantly, Symantec said yesterday, this method takes advantage of the loophole in the analysis Oracle used and underestimated the threat.

Symantec also said in its warning to customers: ' In the past, Oracle also said that a vulnerability would not be exploited if an attacker could not create a procedure or a function. But that has just stopped in the debate, the exploitation is possible even when meeting this privilege restriction . '

Oracle's response does not confirm nor limit how important Litchfield's method is. NGSSoftware 'Cursor Injection' article describes a technique that can assist attackers to exploit SQL injection vulnerabilities. A spokesman said so in an email.

Fixing SQL injection vulnerabilities was discussed in the October 2006 Critical Patch Update (CPU) article, adding: ' To prevent attackers based on the methods described in the article, Oracle must advise the latest patch application customers, though this is not a measure against new attack methods but only known vulnerabilities. '

This vulnerability was short lived because Oracle used Litchfield's 'cursor injection' technique to patch it up. According to Symantec, there are at least four issues that Oracle's key products have updated yesterday to protect against this new security bug.

Update 13 December 2018
« PREV
NEXT »
Category

Technology

Life

Discover science

Medicine - Health

Event

Entertainment