Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Attack Exploits "Safe" Oracle Inputs

Posted by Soulskill on from the it's-safe-until-it-isn't dept.

Trailrunner7 writes "Database security super-genius David Litchfield has found a way to manipulate common Oracle data types, which were not thought to be exploitable, and inject arbitrary SQL commands. The new method shows that you can no longer assume any data types are safe from attacker input, regardless of their location or function. 'In conclusion, even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and prevent this type of vulnerability getting into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper (PDF) has proved, they are,' Litchfield writes."

11 of 118 comments (clear)

  1. heh by stoolpigeon · · Score: 4, Interesting

    It's an interesting piece but when he points out that there really is little chance of it being used in the real world, that is an understatement. Using this method in the real world wouldn't even make sense.
     
    In order to pull this off you need to have alter session priveleges. And you need to already have injected sql into the database- which means there is absolutely no point to taking the extra steps to modify some other data type to allow you to do what you have already done.
     
    It's an interesting mental exercise but I don't think it really has an practical ramifications. If you've already handed out alter session to anyone using a form you've hosed yourself so many times over, playing with sysdate or number is the least of your worries.
     
    Anything that reminds people to be careful about how they handle input is good, but I think a lot of people are going to think this is a bigger deal than it is.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:heh by arth1 · · Score: 4, Insightful

      Lack of input validation is usually a bigger problem than what you think it is -- the context might make the instance safe, but code tends to be re-used, coding practices repeated, and projects getting additions that might introduce a vector that weren't there before.

      The only time when lack of validation is good practice is at extreme low level where you control the input. Otherwise, it usually signifies a coder that lacks the ability to think outside his own procedures.

      Regards,
      --
      *Art

    2. Re:heh by Joe+U · · Score: 4, Insightful

      Too many poor developers just make the web app run as dbo. They also tend to use 'select * from' all too often.

      Drives me nuts, because I'm the exact opposite, you don't get any (yes including read) access except a few stored procedures you need to read/write data.

    3. Re:heh by moderatorrater · · Score: 4, Insightful

      he points out that there really is little chance of it being used in the real world, that is an understatement I believe it was George Guninski who saw the possible exploit in buffer overflows several decades ago and said something along the lines of "this is possible, but the difficulty in crafting the message makes this seems unlikely". If there's the possibility of an attack vector, then someone will use it. Computers are fast enough to try hundreds of attacks per second; "unlikely" often means "only works 1/1000 times, therefore used every day".
  2. nTier validation by Joe+U · · Score: 5, Insightful

    The 3 minimum levels of validation:

    Validate at the client tier. (To save a return trip)
    Validate at the application server tier. (to save a database trip)
    Validate at the data tier. (to save your data)

    Why is this so hard for developers to understand?

  3. Re:To all you type safe ninnies by AKAImBatman · · Score: 4, Informative

    Type safety and "safe" data types are two different things. One is a language construct intended to prevent errors in code through compile-time checking (though you pay in flexibility), the other is types of data that theoretically can be used in a database without doing validation checks.

    I'll leave it as an exercise for you to figure out which one is which.

    --
    Javascript + Nintendo DSi = DSiCade
  4. From comic to reality by GoNINzo · · Score: 5, Funny

    This makes it clear it's only a matter of time before xkcd predictions become reality.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  5. Re:DB Programming 101? by 0racle · · Score: 5, Insightful

    People learn database programming now? I thought they just threw together whatever SQL and PHP they could find online and called themselves programmers.

    --
    "I use a Mac because I'm just better than you are."
  6. This is not merit a whitepaper by Anonymous Coward · · Score: 4, Interesting

    First off, this isn't a new class of attack. This type of attack is already known as second order SQL injection. Second, as several people have noted, you need to be able to execute the ALTER SESSION command. That means you're already issuing SQL commands directly. So, this attack is really only useful when can already inject, but need SQL to run in the context of a more privileged stored procedure. Finally, this attack relies on a very abnormal statement form. All said, that's a whole lot of dominoes that need to line up for a simple elevated SQL privilege.

    This whole thing just sounds like an odd bug that someone at NGS found somewhere. It's certainly clever, but it's not a common pattern or new class of bug--and definitely not worthy of a white paper. What I find really odd is that Litchfield and the NGS guys used to do really impressive work. This is way below the bar of what they've produced in the past.

  7. Re:DB Programming 101? by Shados · · Score: 4, Insightful

    DB Programming (even the science part, such as the relational model) is virtually never taught in colleges. When it is, its as an elective class most of the time, even in the big name tear-through-your-wallet colleges.

    Still cracks me up how in every interview I pass, I always get asked "Ok, so can you explain to me the difference between an inner and an outer join?" or "What is the main benefit of an index on a database table?". Shows the state of the workforce...

  8. Re:Why validate when you can sanitize? by Shados · · Score: 4, Insightful

    No no no. This has a tons of potential holes, such as an encoding based attack in UTF16 or similar encoding. Use -prepared statements-.

    Escaping/sanitizing is just one step up from validating. Let the -driver- do it for you, not the language or the framework. The database itself is the only one who truly knows how to handle itself, and drivers tap into that in prepared statements. -THAT- will protect you. Parameterized query APIs do -not- simply escape stuff in the back. Things are done at the level of the connection, chatting with the database API to create a cached/compiled version of the query, then plug in parameters -after- the query was parsed (so at that point its impossible to modify it).

    That is -much- safer than just cleaning up a string (because it cannot abuse encoding/string related features), and has the extra advantage in many DBMS to also allow you to reuse query plan cache, thus improving performance and making it easier to benchmark and profile queries.