
Hacker says no

While Oracle databases are nowhere near as vulnerable as they were five years ago, there is still a great deal of attention being paid to them by professionals and hackers alike.

David Litchfield, a renowned Oracle database hacker and author of The Oracle Hacker's Handbook, outlined at the ITWeb Security Summit some of the various ways in which even the modern Oracle database is vulnerable to attack.

Litchfield said a relatively recent discovery was the "lateral SQL injection" attack, in which a hacker could, by exploiting the SYSDATE function, inject any piece of arbitrary code he chose into an Oracle database. This opened the door to the kind of abuses that lead to data loss and corruption, such as the granting of DBA (database administrator) privileges to PUBLIC. Until this discovery, DATE and NUMBER data types had been widely considered not to be useful as an injection vector.

An older attack, called "cursor snarfing", was similarly useful to hackers, particularly when the cursor in question was created by an account with high privileges, he said.

A cursor left open, whether through a lack of adherence to programming best practices or as the result of an exception, could be "snarfed" by an attacker and used in ways not intended by the original coder.

"Snarfing" in this case is the act of retrieving command line resources, and a cursor in database terms is a "control structure for the successive traversal (and potential processing) of records in a result set". This means that an open cursor, once found, can be recycled by an attacker using a login with very few privileges, to retrieve data such as the password of a SYS user.
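The coding error described above, shown beside its fix in PL/SQL. This is an added example, not code from Litchfield's talk or from Oracle; the table `app_users` and both procedure names are hypothetical.

```sql
-- Added example. app_users, count_user_leaky and count_user_safe are hypothetical names.

-- Leaky form: if any call after OPEN_CURSOR raises, CLOSE_CURSOR is never
-- reached and the cursor handle stays open in the session.
CREATE OR REPLACE PROCEDURE count_user_leaky(p_name IN VARCHAR2) AS
  c INTEGER;
  n INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT COUNT(*) FROM app_users WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', p_name);
  n := DBMS_SQL.EXECUTE(c);
  DBMS_SQL.CLOSE_CURSOR(c);      -- skipped when an exception is raised above
END;
/

-- Corrected form: the exception handler closes the cursor before the error
-- propagates, so no open handle outlives the call.
CREATE OR REPLACE PROCEDURE count_user_safe(p_name IN VARCHAR2) AS
  c INTEGER;
  n INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT COUNT(*) FROM app_users WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', p_name);
  n := DBMS_SQL.EXECUTE(c);
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    -- c is NULL if OPEN_CURSOR itself failed, so test that first.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;                       -- report the original error to the caller
END;
/
```

A code review of the kind Litchfield recommends would look for every `DBMS_SQL.OPEN_CURSOR` call that lacks a matching close on the exception path.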

Other database vulnerabilities included custom applications and vulnerable underlying software, and this was something that not even customised web applications and database security detection and prevention software could thwart, Litchfield said.

He went so far as to say that installing these security applications only widened the potential attack area thanks to vulnerabilities widely known within the database hacking community.

He said the expense of such software packages would actually be better spent on code review, and with much better results.
