Dangling Cursor Snarfing: A New Class of Attack in Oracle
In Oracle, a failure to close cursors created and used by DBMS_SQL or a failure to clean up open cursors in the event of an exception can lead to a security hole. If the cursor in question has been created by higher privileged code and left hanging then it’s possible for a low privileged user to snarf and use the cursor outside of the application logic that created it. This can lead to data being exposed. Ensuring that cursors are closed after use is, of course, good programming practice but, as we know, good programming practices do not always prevail. What is detailed in this document should provide a security reason as to why developers should ensure that cursors are closed properly, especially in the event of an exception. This type of vulnerability will also affect other kinds of handles, such as those returned from UTL_FILE and may affect other RDBMSes.
Author: David Litchfield