Litchfield, the managing director of U.K.-based NGSSoftware (Next Generation Security Software), has found a way to exploit Oracle vulnerabilities without requiring system privileges. The new tactic, which he spelled out in "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences (), increases the threat risk of many Oracle-disclosed bugs.
"On occasion, Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw," Litchfield said in the paper. "This is not the case. All SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION and, accordingly, the risk should never be 'marked down' [in an alert]," he said.
The new technique doesn't rely on a vulnerability and applies to all versions of Oracle. More importantly, said Symantec in an alert today, the method puts to rest one of the rationalizations that Oracle has used to downgrade some bug threats.
"In the past, Oracle advisories have contended that a vulnerability was not exploitable if the attacker couldn't create a procedure or function," said Symantec in its warning to customers of its DeepSight threat system. "But this settles the debate, showing that exploration is possible even when this privilege limitation is encountered."
Oracle's response neither confirmed nor denied that Litchfield's tactic worked as promised. "NGSSoftware's 'Cursor Injection' paper describes a technique that may assist an attacker in exploitation of SQL injection vulnerabilities," an Oracle spokesperson said in an e-mail.