Cursor games with Oracle
Database expert David Litchfield has demonstrated a new type of attack on Oracle databases that he has dubbed "Dangling Cursor Snarfing". The exploit is based on an improperly closed cursor. Code that works with Oracle's DBMS_SQL package does so through a cursor handle, which serves as a reference to the context in which the statement, its variables and the access rights it runs with are stored.
If low-privilege users succeed in provoking an exception, for example by feeding invalid input to a procedure that runs with system rights, the cursor is not always closed. The attacker can then pick up the dangling, ownerless cursor and potentially abuse it for his own purposes. By changing parameters, he can manipulate the variable parts of SQL statements that are executed with system rights.
"Dangling Cursor Snarfing" attacks therefore require initial access to the database system and some knowledge of the structure of the procedures available there. After all, not every system procedure involves critical data. Most procedures also contain a close statement; whether the cursor is closed in every possible exception condition is another question, though. As protection against this kind of attack, Litchfield recommends adding what are known as "others" exception handlers (PL/SQL's WHEN OTHERS clause), which catch unforeseen exception conditions and close the cursor.
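To illustrate the defect and the recommended fix, here is an added PL/SQL example that is not from the article or from Litchfield's paper: a definer-rights procedure that runs a dynamic statement through DBMS_SQL, first in a form that leaks its cursor when the caller's input makes a call raise, then with a WHEN OTHERS handler that closes it on every path. The table, column and procedure names are hypothetical.

```sql
-- Vulnerable pattern: the cursor handle is released only on the happy path.
CREATE OR REPLACE PROCEDURE count_hit_unsafe (p_item_id IN VARCHAR2) AUTHID DEFINER AS
  c      INTEGER;
  v_rows INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'UPDATE items SET hits = hits + 1 WHERE id = :id', DBMS_SQL.NATIVE);
  -- Non-numeric input raises here, so CLOSE_CURSOR below is skipped and the
  -- open handle (with this procedure's privileges) survives the failed call.
  DBMS_SQL.BIND_VARIABLE(c, ':id', TO_NUMBER(p_item_id));
  v_rows := DBMS_SQL.EXECUTE(c);
  DBMS_SQL.CLOSE_CURSOR(c);
END;
/

-- Hardened pattern: a WHEN OTHERS handler closes the cursor before re-raising,
-- so no dangling handle is left behind whatever the caller passes in.
CREATE OR REPLACE PROCEDURE count_hit_safe (p_item_id IN VARCHAR2) AUTHID DEFINER AS
  c      INTEGER;
  v_rows INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'UPDATE items SET hits = hits + 1 WHERE id = :id', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':id', TO_NUMBER(p_item_id));
  v_rows := DBMS_SQL.EXECUTE(c);
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    -- c is NULL if OPEN_CURSOR itself failed; IS_OPEN guards a double close.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;  -- propagate the original error after cleaning up
END;
/
```

Auditing existing code for this pattern means checking every DBMS_SQL.OPEN_CURSOR against a CLOSE_CURSOR that is reached on the exception path as well as the normal one.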
- Dangling Cursor Snarfing: A New Class of Attack in Oracle by David Litchfield
(trk)