| Target Oracle |
| Written by Editor |
| Tuesday, 27 February 2007 10:02 |
The last few days have seen Oracle database products become a fresh target for new attacks. The first bit of ammo for the attacks was a paper by David Litchfield detailing a new method of exploiting PL/SQL Injection flaws. Then yesterday came a series of exploits targeting Oracle products.

Firstly, the paper. David Litchfield is well known for his targeting of Oracle products. In the paper, entitled ‘Cursor Injection - A New Method for Exploiting PL/SQL Injection and Possible Defenses’, he describes a new method that shows how all SQL Injection flaws can be exploited with just CREATE SESSION privileges. In the past Oracle have contended that a vulnerability was not exploitable if the attacker couldn’t create a procedure or function. It seems, however, that David has settled the debate with this new method, showing that exploitation is possible even when this privilege limitation is in place. You can read more on this new attack here, in the original paper.

Next came a series of exploits for vulnerabilities within Oracle products on Monday. The first of the exploits is for the Oracle Database SYS.KUPV$FT Multiple SQL Injection vulnerability, which was originally discovered in January 2006 by Alexander Kornbrust of Red-Database-Security. Then we got exploit code for the Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection vulnerability; this is an oldie from 2005. Then we have exploit code for the DB05 vulnerability from Oracle’s January 2006 security update. Finally, we had exploit code released for the DB03 vulnerability from the July 2006 Oracle Security Update.

The exploits for these vulnerabilities shouldn't really be an issue, as they are for long-since-patched security problems. However, on the off chance that you've not patched any of the affected products, now you have a very good reason to do so.
| Last Updated ( Tuesday, 27 February 2007 10:02 ) |













