Feeds

New attack technique threatens databases

Lateral thinking about SQL injection

Providing a secure and efficient Helpdesk

Database security expert David Litchfield has published details of a new type of database attack technique. Lateral SQL injection creates a means for hackers to access database data or inject hostile code onto vulnerable systems.

Exploitation is difficult and only possible in limited circumstances, Litchfield notes. Nonetheless, the discovery of the approach - a variant on earlier attack methods - means that database admins can no longer consider DATE or NUMBER data types safe from attack. Lateral SQL injection is a variant of SQL injection attacks, one of the most common methods for attacking database systems.

Litchfield first outlined the new approach during a presentation at the Black Hat security conference in Washington in late February. He published details of the approach in a paper (pdf) last week.

SQL injection attacks involve attempts by hackers to trick database servers into running SQL commands, typically after crackers use vulnerabilities to inject character strings onto databases. Lateral SQL injections are a variant of the theme that use other forms of data - DATE and NUMBER data types - to much the same effect. The new attack relates to the Procedural Language/SQL programming language used by Oracle developers, and involves the possible development of exploits that involve hostile DATE or even NUMBER data types instead of user input, the fodder for conventional SQL injection attacks.

"In the past this has not been possible but as this paper will demonstrate, with a little bit of trickery, you can in the Oracle RDBMS [Relational database management system]," Litchfield explains, adding that the attack approach would probably only work in limited cases. "Whether this becomes 'exploitable' in the 'normal' sense, I doubt. But in very specific and limited scenarios there may be scope for abuse, for example in cursor snarfing attacks [pdf]," he adds.

A noted database security expert, Litchfield is perhaps best known for uncovering a bug in Microsoft SQL Server database server that was subsequently used by the SQL Slammer worm. Litchfield has long criticised Oracle for the time it takes to fix vulnerabilities in its database software.

The latest attack vector ought to spur developers into a more careful review of code, particularly where external developers have been used. "Even those functions and procedures that don’t take user input can be exploited if SYSDATE is used," Litchfield concludes. "The lesson here is always, always validate and don’t let this type of vulnerability get into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.