RE: Interesting Exploit in PL/SQL

  • From: "Richard J. Goulet" <rgoulet@xxxxxxxxxx>
  • To: "Oracle-L Freelists" <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 28 Nov 2006 11:37:37 -0500


        I'm not a security bug finder fan, because I think a lot of the
"holes" should be kept quiet between the finder & the code owner.
Otherwise the finder becomes just another source for the hackers to
exploit.  But in this case what you've found is a hole that anyone of us
could intentionally or unintentionally create within an application.
For that I seriously thank you for publishing it. 

Dick Goulet, Senior Oracle DBA
45 Bartlett St  Marlborough, Ma 01752, USA
Tel.: 508.573.1978 |Fax:  508.229.2019 | Cell:508.742.5795 

-----Original Message-----
From: David Litchfield [mailto:davidl@xxxxxxxxxxxxxxx] 
Sent: Tuesday, November 28, 2006 11:14 AM
To: rjamya@xxxxxxxxx; Richard J. Goulet
Cc: Oracle-L Freelists
Subject: Re: Interesting Exploit in PL/SQL

Hi again Raj,
> And to use the exploit the script relies on re-using the cursor. In my

> normal code I never put out a cursor number, because in most cases it 
> is useless for me once i am done with it. I close my cursors like a 
> good boy.

As I say in the paper, you don't need to "see" the number of the cursor
- you can just loop until you hit it trying 1 to n...

From your other mail...

>The point of my email was, if someone is careless enough to not handle 
>exceptions at all, they can make one more mistake and the sky would 
>still keep falling.

Not handling exception happens in numerous default packages as shipped
with the database.

>also if someone is stupid enough to bind variables without checking the

>input value, 'when others ...' would seem logical to them as well.

This also happens in numerous default packages as shipped with the

If Oracle developers can't get it right I'm sure there are 3rd party
developers who can't get it right. Hence the warning :)



Other related posts: