Database security expert David Litchfield has devised a new method of exploiting various PL/SQL procedures that do not take any input. The technique, which he describes as lateral SQL injection, can be used to compromise Oracle databases remotely.
The attack exploits some common data types, including DATE and NUMBER, which do not take any input from the user and so are not normally considered to be exploitable. But, as Litchfield writes in his new paper on the lateral injection attack, using a bit of creative coding and some knowledge of the way the Oracle database management system works, an attacker can manipulate some common functions.
Litchfield, one of the founders of NGS Software Inc., of Surrey, England, says that the problem may not turn out to be easily exploitable in the wild, but that in specific cases it can be used to pass arbitrary SQL commands to the database.
PL/SQL is Oracle Corp.'s proprietary extension to SQL (structured query language).
"In conclusion, even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and prevent this type of vulnerability getting into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper has proved, they are," he writes.
The attack works like this: Using the SYSDATE function, an attacker can use the ALTER SESSION privilege to fool the SQL compiler into accepting arbitrary SQL data as the input for the DATE data type. Typically, the DATE_PROC procedure uses the variable V_DATE to set the date after it calls the SYSDATE function. However, by altering the session and inserting a SQL command, the attacker can force the database to execute his command.
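The pattern the article describes, shown here as an added example rather than code from Litchfield's paper: a parameterless procedure that concatenates a DATE into dynamic SQL, beside a hardened version that binds the value, plus two queries a DBA can use to check exposure. The names DATE_PROC and V_DATE come from the article; the table name, column name and the fixed procedure's name are assumed.

```sql
-- Vulnerable pattern (assumed shape of the article's DATE_PROC). The DATE is
-- turned into text by an implicit TO_CHAR during concatenation, and that
-- conversion follows the session's NLS_DATE_FORMAT. Whoever can alter the
-- session therefore controls the text that ends up inside the statement,
-- even though the procedure accepts no parameters at all.
CREATE OR REPLACE PROCEDURE date_proc AS
  v_date  DATE := SYSDATE;
  v_sql   VARCHAR2(400);
  v_count NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM audit_log WHERE logged_on < ''' || v_date || '''';
  EXECUTE IMMEDIATE v_sql INTO v_count;  -- date text is parsed as part of the SQL
END;
/

-- Hardened form: the DATE travels as a bind variable, so it is never part of
-- the statement text and no date-format setting can change what gets parsed.
CREATE OR REPLACE PROCEDURE date_proc_fixed AS
  v_date  DATE := SYSDATE;
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM audit_log WHERE logged_on < :d'
    INTO v_count USING v_date;
END;
/

-- Exposure checks for a DBA. First: which accounts hold ALTER SESSION, the
-- privilege the article ties to this technique. Second: the date format the
-- current session will apply to any implicit DATE-to-text conversion.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'ALTER SESSION';
SELECT value FROM nls_session_parameters WHERE parameter = 'NLS_DATE_FORMAT';
```

Where a textual date is genuinely required, format it explicitly with TO_CHAR(v_date, 'YYYY-MM-DD HH24:MI:SS') and still bind the result rather than concatenating it.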
And an attacker need not have local access to the database to execute this attack.
"This can be done remotely, for example through a SQL injection flaw via a Web application, but not directly," Litchfield said in an email interview. "First off we exploit the inject point to execute a facilitator function, which allows us to run arbitrary SQL, where we can then use this technique."
One of the interesting points in Litchfield's paper is the fact that data types such as DATE and NUMBER are typically considered to be "safe," meaning that they are not thought to be exploitable. More and more attacks of this kind have popped up in recent months, as researchers have begun looking more deeply into popular applications, in some cases finding serious new attack vectors.
Last summer, researchers at Watchfire Inc., now part of IBM, discovered a way of exploiting dangling pointers, a common programming error that had been thought to be useless for attacks. And just this month, Mark Dowd, a researcher in IBM's ISS unit, published a paper that details a method for exploiting NULL pointer dereferences.
For his part, Litchfield produced his new method not through countless hours of mind-numbing work, but after watching TV.
"Whilst watching an episode of 'Bones,' something happened in it that made me think of not accepting something believed to be true, i.e., in this case that it's not possible to SQL inject via DATE or NUMBER data types. So after sitting down for a bit and giving it some thought I came up with the techniques presented in the paper," he said.