David Litchfield, well known within the Oracle community as one of the world's top database security researchers, lived up to his reputation at Black Hat USA last week when he shone a light on another Oracle database security blind spot -- this time, how monkeying with code and permissions within Oracle indexes can lead to privilege escalation. He explained that the impetus behind his talk was to highlight the research of colleagues within the community, along with additional work of his own, and to call attention to a relatively under-explored area of research that could pose big risks as a result.
"Oracle has done a great job in terms of things like PL/SQL injection flaws—they've almost been hunted to extinction. But they seem to be led by what the security research part of the industry is doing. That's what they're focused on," says Litchfield, chief security architect for Accuvant Labs. "When the security research side turns to a new area that no one has looked at before, suddenly there's a bunch of low-hanging fruit again. People have been looking at the index side of things, and again there are a whole slew of flaws."
Some of the flaws discussed had already been patched by Oracle within the last few years, including a stack-based buffer overflow vulnerability patched in April 2012 that was of a similar type to the bugs Litchfield cut his teeth on a decade ago when he first made a name for himself. Another patched flaw for which Litchfield showed a proof-of-concept attack was a vulnerability in an RDBMS core component that lets an attacker take advantage of over-generous index permissions on a table to gain full DBA privileges on the database.
"You can see how giving index permissions on a table to public, or anyone for that matter, is dangerous, because basically it gives them the ability to run code as that user. So don't do it," Litchfield says. "It's naughty."
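The risk Litchfield describes (the INDEX privilege on a table letting the grantee get code run as the table owner) can be checked for from the defender's side. The queries below are an added example, not code from the article or from Litchfield's talk; they use the standard Oracle data dictionary views DBA_TAB_PRIVS and DBA_INDEXES, must be run by a user who can read those views, and the schema and table names in the REVOKE are constructed placeholders.

```sql
-- Added example (not from the article or the talk): audit the condition the
-- article warns about, then remove the grant where it should not exist.

-- 1. Tables whose INDEX object privilege is granted to someone other than the
--    table owner. PUBLIC grants are listed first, since they are the case the
--    article calls out as dangerous.
SELECT p.owner,
       p.table_name,
       p.grantee,
       p.grantor,
       p.grantable
  FROM dba_tab_privs p
 WHERE p.privilege = 'INDEX'
   AND p.grantee <> p.owner
 ORDER BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          p.owner,
          p.table_name;

-- 2. Function-based indexes that a schema other than the table owner created.
--    These are the indexes that carry an expression (i.e. code), so an index
--    built on someone else's table by a less-privileged grantee is worth
--    reviewing in light of the article's point.
SELECT i.owner       AS index_owner,
       i.index_name,
       i.table_owner,
       i.table_name,
       i.index_type
  FROM dba_indexes i
 WHERE i.index_type LIKE 'FUNCTION-BASED%'
   AND i.owner <> i.table_owner;

-- 3. Remediation for a grant that turns up in query 1 and has no business
--    reason. APP_OWNER and CUSTOMERS are constructed placeholder names.
REVOKE INDEX ON app_owner.customers FROM PUBLIC;
```

Query 1 is the one to put on a recurring schedule: a PUBLIC grant of INDEX is rarely intentional, and catching it in a routine privilege review is cheaper than finding it after the fact. Query 2 gives a second angle on the same exposure by looking at what has already been created rather than at what is merely permitted.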
The highlight of the talk was what Litchfield called a zero-day vulnerability but which some other security researchers believe may have been discreetly patched by Oracle in its July 2012 quarterly CPU for Oracle 11g revision 2 databases only. In it he described a second-order SQL injection attack against the index to gain full DBA privileges.
According to Josh Shaul, CTO of Application Security Inc., the attack and vulnerability described in the talk closely resemble many Oracle vulnerabilities found today.
"This is not much different than a lot of the other Oracle vulnerabilities that we see. It's a privilege escalation; you can become the DBA of the database, and you need some pretty basic privileges -- the kind of privileges that the lowest-level developer would always have and, in most shops that don't really do good privilege management, the kind of privileges that just about everybody has," Shaul says.
According to Shaul, his researchers at AppSec looked into the vulnerability after the talk. They found that it would have real impact, since it would likely be unpatched on most Oracle databases, but also that Oracle may have quietly patched the vulnerability described in its July 2012 CPU, for Oracle 11g revision 2 databases only.
"Although Oracle won't confirm it, one of our guys went and reverse-engineered the patch, found the code change, but when we went and tested 11g release one, the exploit worked," he says. "They've released the patch but they're not even acknowledging that this issue is in the patch. So it only applies to 11g release two. If you're on release one or 10g or 9i, you're (out of luck) on this one."