Researcher finds new way to hack Oracle database
'Lateral SQL injection' details released in paper
Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday.
Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details.
In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can also work through other data types, namely dates and numbers.
Litchfield's attack targets the Procedural Language/SQL (PL/SQL) programming language used by Oracle developers.
A noted database hacker, Litchfield is best known as the researcher who published details on the bug used in the 2003 SQL Slammer worm, which targeted Microsoft's SQL Server database.
Litchfield wasn't sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios.
"If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code," he said. "The sky is not falling ... but it's certainly something that people should be made aware of."
Database programmers should review their code to be sure it checks that all of the data it processes is legitimate and not injected SQL commands, he said.
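As an added illustration (not code from Litchfield's paper or from this article), the PL/SQL pattern at issue and its fix: dynamic SQL built by concatenating a DATE or NUMBER parameter into a string relies on an implicit type-to-text conversion whose format is controlled by session settings, so the resulting characters are not fixed by the developer and the value cannot be treated as "safe" just because of its type; binding the parameter removes the concatenation entirely. The table and procedure names are hypothetical.

```sql
-- Hypothetical schema for the illustration (not from the article).
CREATE TABLE orders (
  order_id   NUMBER PRIMARY KEY,
  placed_on  DATE,
  customer   VARCHAR2(100)
);

-- VULNERABLE PATTERN: the DATE is implicitly converted to text and glued
-- into the statement. The conversion's output format comes from the
-- session's NLS date settings, not from this code, so "it's only a DATE"
-- is not a guarantee about what text ends up inside the SQL string.
CREATE OR REPLACE PROCEDURE count_orders_since_vuln (p_since IN DATE)
AS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE placed_on >= '''
           || p_since || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_count);
END;
/

-- HARDENED: bind the parameter. No text derived from the value becomes
-- part of the statement, so its session-dependent string form is
-- irrelevant. (Where the statement is fully known at compile time,
-- plain static SQL -- SELECT ... INTO l_count FROM orders WHERE
-- placed_on >= p_since -- is simpler still and equally safe.)
CREATE OR REPLACE PROCEDURE count_orders_since (p_since IN DATE)
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE placed_on >= :since'
    INTO l_count USING p_since;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_count);
END;
/

-- If a value truly must be spliced into SQL text, make the conversion
-- explicit and fixed, e.g. TO_CHAR(p_since, 'YYYY-MM-DD'), and run
-- identifiers through DBMS_ASSERT (e.g. DBMS_ASSERT.SIMPLE_SQL_NAME)
-- rather than relying on the implicit conversion.
```

A code review for this class of issue looks for every EXECUTE IMMEDIATE, DBMS_SQL, or OPEN-FOR whose statement string is built with `||` from any parameter, regardless of the parameter's declared type.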
Oracle did not return a call seeking comment.