Hacking Oracle Database Indexes

Published: 22/11/2024   Category: security




Database indexes the new low-hanging fruit for database vulnerabilities



Organizations seeking to better secure their Oracle database deployments would do well to look more closely at their Oracle index infrastructure, which is open to a number of attacks on both patched and unpatched vulnerabilities with what one researcher called trivial exploits that could lead to unauthorized access to DBA privileges.
David Litchfield, well known within the Oracle community as one of the world's top database security researchers, lived up to his reputation at Black Hat USA last week when he shined the light on another Oracle database security blind spot -- this time how monkeying with code and permissions within Oracle indexes can lead to privilege escalation. He explained that the impetus behind his talk was to highlight the research of colleagues within the community, along with additional work of his own, and so call attention to a relatively under-explored area of research that could pose big risks.
"Oracle has done a great job in terms of things like PL/SQL injection flaws—they've almost been hunted to extinction. But they seem to be led by what the security research part of the industry is doing. That's what they're focused on," says Litchfield, chief security architect for Accuvant Labs. "When the security research side turns to a new area that no one has looked at before, suddenly there's a bunch of low-hanging fruit again. People have been looking at the index side of things and again there are a whole slew of flaws."
Some of the flaws discussed had already been patched by Oracle within the last few years, including a stack-based buffer overflow vulnerability patched in April 2012 that was of a similar type to those Litchfield cut his teeth on a decade ago when he first made a name for himself. Another patched flaw on which Litchfield showed a proof-of-concept attack was a vulnerability in an RDBMS core component that allows an attacker to take advantage of over-generous index permissions to gain full DBA privileges on the database.
"You can see how giving index permissions to table to public or anyone for that matter is dangerous because basically it gives them the ability to run code as that user. So don't do it," Litchfield says. "It's naughty."
The highlight of the talk was what Litchfield called a zero-day vulnerability, but which some other security researchers believe may have been discreetly patched by Oracle in its July 2012 quarterly CPU for Oracle 11g revision 2 databases only. In it, he described a second-order SQL injection attack against the index to gain full DBA privileges.
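An audit query for the grants Litchfield warns about, added here as an example and not taken from the article or the talk: it lists every INDEX object privilege granted on a table, PUBLIC grants first, and flags tables whose owner is highly privileged. It assumes an account that can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_SYS_PRIVS dictionary views; the second query goes slightly beyond the quote by also listing holders of the CREATE ANY INDEX system privilege.

```sql
-- Added audit example (not from the article).
-- 1) INDEX object privilege granted on tables, riskiest rows first.
SELECT p.grantee,
       p.owner,
       p.table_name,
       p.grantor,
       p.grantable,
       CASE
         WHEN p.owner IN ('SYS', 'SYSTEM')
           OR EXISTS (SELECT 1
                        FROM dba_role_privs r
                       WHERE r.grantee = p.owner
                         AND r.granted_role = 'DBA')  -- direct grants only
         THEN 'YES'
         ELSE 'NO'
       END AS owner_is_privileged
  FROM dba_tab_privs p
 WHERE p.privilege = 'INDEX'
 ORDER BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          owner_is_privileged DESC,
          p.owner,
          p.table_name;

-- 2) Accounts and roles that can create an index on any table.
SELECT s.grantee, s.privilege, s.admin_option
  FROM dba_sys_privs s
 WHERE s.privilege = 'CREATE ANY INDEX'
 ORDER BY s.grantee;

-- Remediation for a row from query 1 (schema and table names are placeholders):
-- REVOKE INDEX ON app_owner.some_table FROM PUBLIC;
```

A GRANT ALL on a table shows up in DBA_TAB_PRIVS as individual privileges, so INDEX handed out that way is caught by the first query as well.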
According to Josh Shaul, CTO of Application Security Inc., the attack and vulnerability described in the talk closely resembles many Oracle vulnerabilities found today.
"This is not much different than a lot of the other Oracle vulnerabilities that we see. It's a privilege escalation, you can become the DBA of the database and you need some pretty basic privileges -- the kind of privileges that the lowest level developer would always have and in most shops that don't really do good privilege management, the kind of privileges that just about everybody has," Shaul says.
According to Shaul, after the talk his researchers at AppSec looked into the vulnerability and found that while it would have impact, as it would likely be unpatched on most Oracle databases, Oracle may have quietly patched the vulnerability described in its July 2012 CPU for Oracle 11g revision 2 databases only.
"Although Oracle won't confirm it, one of our guys went and reverse-engineered the patch, found the code change, but when we went and tested 11g release one, the exploit worked," he says. "They've released the patch but they're not even acknowledging that this issue is in the patch. So it only applies to 11g release two. If you're on release one or 10g or 9i, you're (out of luck) on this one."