New hacking technique puts Oracle databases in greater danger


A new attack technique greatly increases the risk posed by common defects in Oracle database software, security researchers warned.

Until now, it was generally believed that an attacker needed high-level database privileges to exploit so-called PL/SQL injection vulnerabilities. But David Litchfield, an information security expert at NGS Software, said Thursday at the Black Hat DC conference that this is not necessarily so.

"Attackers with minimal privileges can use this tactic to take full control of the database server," Litchfield said in an interview. "You can use it to exploit a bunch of weaknesses that in the past were not important."

Litchfield, who has long focused on Oracle, released a report last week that calls this technique "cursor injection," and attack procedures that use the tactic already exist, Litchfield said.

Oracle also issued a statement saying the company had taken note of the new attack method.

"NGS Software's 'Cursor Injection' report says the new approach may assist an attacker in exploiting SQL injection vulnerabilities," the database software maker said. Oracle has reminded customers to install patches as protection.

(Sohu IT)

In the past, exploiting PL/SQL injection flaws required the "create procedure" privilege on the database, a privilege that only a small number of users have. With the cursor injection technique, anyone who can connect to the database can attack it, Litchfield said.

"It achieves the attack by injecting a pre-compiled cursor into the defective PL/SQL object," Litchfield said in the report. "The purpose of this study is to show that all SQL injection flaws can be exploited as long as the attacker has the create session privilege."

Oracle should no longer let the privileges a flaw requires be a factor in delaying repairs to PL/SQL flaws, Litchfield said. Oracle's customers may delay installing the patches, which puts them in danger, he said. "There is no excuse for avoiding the repair of these defects," Litchfield said.

Oracle often sparred with security researchers for several years, but it has now reformed and shown a willingness to face product security problems honestly. In January, Oracle began issuing advance notice of its quarterly patches. Last October, the company added severity levels to its briefing for the first time.