Researcher finds new way to hack Oracle database
'Lateral SQL injection' details released in paper
Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday.
Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details.
In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would work only if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types.
Litchfield's attack targets the Procedural Language/SQL programming language used by Oracle developers.
A noted database hacker, Litchfield is best known as the researcher who published details on the bug used in the 2003 SQL Slammer worm, which targeted Microsoft's SQL Server database.
Litchfield wasn't sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios.
"If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code," he said. "The sky is not falling ... but it's certainly something that people should be made aware of."
Database programmers should review their code to be sure it is checking to make sure that all of the data it is processing is legitimate, and not injected SQL commands, he said.
Oracle did not return a call seeking comment.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- The Value of IBM InfoSphere BigInsights The IBM® InfoSphere® BigInsights™ software platform helps firms discover and analyze business insights hidden in large volumes of a diverse range of data....
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Unified Communications 101 What's the best way to implement a unified communications solution for your organization? Join independent networking expert, Ed Tittel, as he weighs the... All Business Intelligence/Analytics White Papers | Webcasts