HOME
Technology
Life
Discover science
Medicine - Health
Event
EntertainmentOracle database can be hacked
Oracle database is facing a new and more serious attack, a researcher has warned so while speaking at Black Hat's seminar.
In an article that was intended to be discussed on Wednesday at the 2007 Black Hat DC conference, renowned security researcher David Litchfield said there was a new attack method against Oracle databases. This method can be harmful to unpatched systems.
Litchfield, managing director of UK NGSSoftware (Next Generation Security Software), discovered a method to exploit vulnerabilities in Oracle databases without raising system privileges. This new method, he called Cursor Injection: A new method for Exploiting PL / SQL Injection and Potential Defences (download PDF), increasing the risk of Oracle's error.
Litchfield said: ' Once, Oracle in its warnings declared that it is entirely possible to create a required procedure or function for an attacker to exploit a vulnerability. This is not the only case, but all SQL injection vulnerabilities can be fully exploited without any system privileges over CREATE SESSION and therefore the risk will never be reduced . '
This new technology does not depend on a vulnerability and applies to all versions of Oracle. More importantly, Symantec said yesterday, this method takes advantage of the loophole in the analysis Oracle used and underestimated the threat.
Symantec also said in its warning to customers: ' In the past, Oracle also said that a vulnerability would not be exploited if an attacker could not create a procedure or a function. But that has just stopped in the debate, the exploitation is possible even when meeting this privilege restriction . '
Oracle's response does not confirm nor limit how important Litchfield's method is. NGSSoftware 'Cursor Injection' article describes a technique that can assist attackers to exploit SQL injection vulnerabilities. A spokesman said so in an email.
Fixing SQL injection vulnerabilities was discussed in the October 2006 Critical Patch Update (CPU) article, adding: ' To prevent attackers based on the methods described in the article, Oracle must advise the latest patch application customers, though this is not a measure against new attack methods but only known vulnerabilities. '
This vulnerability was short lived because Oracle used Litchfield's 'cursor injection' technique to patch it up. According to Symantec, there are at least four issues that Oracle's key products have updated yesterday to protect against this new security bug.
- Vietnam is free to use Oracle Database XE
- First training Oracle Database 10G in Vietnam
- Oracle suddenly revealed a security error
- Oracle released the free version
- Oracle has 23 security holes in applications
- Error appears in the embedded database
- Errors in Oracle password protection system
- New deep variant exploits Oracle errors
- Oracle again swallowed MySQL
- An Oracle error exploit code appears
- Oracle announced the beta version of Database 11g
- Oracle Database has more errors than SQL Server
What is the Snapdragon SiP chip?
How to create a yellow circle around the mouse cursor on Windows
Edit the Boot.ini file in Windows XP
3 ways to restart the remote computer via the Internet