Oracle Login Weakness
Written by Kay Ewbank   
Monday, 24 September 2012

A flaw in the authentication protocol used by some Oracle databases could leave systems open to remote attack.

The vulnerability was reported by Application Security Inc. A researcher working for the company, Esteban Martinez Fayo, has worked out how attackers can obtain a token provided by the Oracle server and use it to determine a user’s password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. Fayo has developed a tool that can crack some simple passwords in a few hours using an ordinary PC and has scheduled a webinar on the flaw for October 16, 2012.



The vulnerability affects Oracle Database 11g Releases 1 and 2, and arises because of the way the authentication protocol protects session keys when users attempt to log in. When a client machine contacts the server, the server generates a random key as a session key and sends it back to the client. The vulnerability means an attacker can match up a particular session key with a particular password. The problem arises because the server generates and sends the key as the first stage, before authentication is completed. The server also sends a salt, a collection of random bits to be supplied along with the password in the next stage of the authentication process.

Having received the session key and salt, the attacker simply closes the connection, so no failed login attempt is recorded in the server log because the authentication is never completed. The attacker can then use the session key and salt as part of a brute force attack where passwords are generated and tried.

Fayo discovered the problem by noticing that log-in attempts with incorrect passwords are handled differently at the client and server ends. He worked out that the session key was in some ways leaking information about the password hash. He says the problem is serious because it’s so simple to exploit.

“The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user.  Then, an attack similar to that of cracking SHA-1 password hash can be performed.”

Oracle has in fact released a new version of the authentication protocol, version 12, that is not vulnerable to the flaw, and the solution is to apply the patch and change the server configuration to use only the new version of the protocol. Oracle has no plans to fix the flaw in version 11.1 of the protocol.
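One way to check the configuration half of that remedy, as an added example that is not part of the original article or of Oracle's tooling: a small audit of a server's sqlnet.ora contents. The parameter names SQLNET.ALLOWED_LOGON_VERSION and SQLNET.ALLOWED_LOGON_VERSION_SERVER are Oracle Net settings that the article does not name, and the two sample files are constructed.

```python
import re

# Assumption (not from the article): the minimum accepted authentication
# protocol version is set by this sqlnet.ora parameter; 12c and later use
# the _SERVER-suffixed name on the server side.
PARAMS = ("SQLNET.ALLOWED_LOGON_VERSION", "SQLNET.ALLOWED_LOGON_VERSION_SERVER")
REQUIRED = 12  # the protocol version the article says is not vulnerable

# Constructed sample files, not taken from any real system.
WEAK = """\
# sqlnet.ora (constructed sample)
SQLNET.AUTHENTICATION_SERVICES = (NONE)
sqlnet.allowed_logon_version = 11
"""
HARDENED = """\
SQLNET.AUTHENTICATION_SERVICES = (NONE)
SQLNET.ALLOWED_LOGON_VERSION = 12   # set after applying the patch
"""

def read_params(text):
    """Return {UPPERCASE_NAME: [values]}, keeping every assignment seen."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip().strip("()").strip()
        params.setdefault(name.strip().upper(), []).append(value)
    return params

def audit(text):
    """Return (ok, message); any assignment below REQUIRED fails the file."""
    params = read_params(text)
    found = [(p, v) for p in PARAMS for v in params.get(p, [])]
    if not found:
        return False, "no allowed-logon-version setting: older protocol versions may be accepted"
    for name, value in found:
        m = re.match(r"\d+", value)  # leading digits, so "12a" counts as 12
        if not m or int(m.group()) < REQUIRED:
            return False, f"{name}={value!r} is below {REQUIRED}"
    return True, "only protocol version 12 or later is accepted"

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(text))
```

The check covers only the configuration change; whether the patch itself is installed has to be confirmed separately.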



More Information

Application Security Inc

Last Updated ( Monday, 24 September 2012 )

RSS feed of news items only
I Programmer News