Oracle Login Weakness
Written by Kay Ewbank   
Monday, 24 September 2012

A flaw in the authentication protocol used by some Oracle databases could leave systems open to remote attack.

The vulnerability was reported by Application Security Inc. A researcher working for the company, Esteban Martinez Fayo, has worked out a way for attackers to obtain a token provided by the Oracle server and use it to determine a user’s password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. Fayo has developed a tool that can crack some simple passwords in a few hours using an ordinary PC and has scheduled a webinar on the flaw for October 16, 2012.

The vulnerability affects Oracle Database 11g Releases 1 and 2, and arises from the way the authentication protocol protects session keys when users attempt to log in. When a client machine contacts the server, the server generates a random session key and sends it back to the client. The server also sends a salt, a collection of random bits to be supplied along with the password in the next stage of the authentication process. Because the server generates and sends the key as the first stage, before authentication is completed, an attacker can match up a particular session key with a particular password. The attacker simply closes the connection after receiving the session key and salt, so no failed login attempt is recorded in the server log because the authentication is never completed. Having acquired the session key and salt, the attacker can then use the two in a brute-force attack in which passwords are generated and tried.

Fayo discovered the problem by noticing that log-in attempts with incorrect passwords are handled differently at the client and server ends. He worked out that the session key was in some ways leaking information about the password hash. He says the problem is serious because it’s so simple to exploit.

“The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user.  Then, an attack similar to that of cracking SHA-1 password hash can be performed.”

Oracle has in fact released a new version of the authentication protocol, version 12, that is not vulnerable to the flaw, and the solution is to apply the patch and change the server configuration to use only the new version of the protocol. Oracle has no plans to fix the flaw in version 11.1 of the protocol.
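
As an added example (not code from the article, Application Security Inc or Oracle), this Python script audits a server's sqlnet.ora for the configuration change described above. It assumes the setting involved is Oracle Net's SQLNET.ALLOWED_LOGON_VERSION parameter (SQLNET.ALLOWED_LOGON_VERSION_SERVER in later releases), which the article does not name; the file contents and function names are constructed for illustration.

```python
import re

# Oracle Net parameters that set the minimum logon (authentication protocol)
# version. Assumption: these are the settings the article's fix refers to.
LOGON_PARAMS = ("SQLNET.ALLOWED_LOGON_VERSION",
                "SQLNET.ALLOWED_LOGON_VERSION_SERVER")
REQUIRED = 12  # protocol version the article reports as not vulnerable

# Constructed sqlnet.ora samples, not taken from any real system.
WEAK = """\
SQLNET.AUTHENTICATION_SERVICES = (NONE)
sqlnet.allowed_logon_version = 11
"""
HARDENED = """\
SQLNET.AUTHENTICATION_SERVICES = (NONE)
SQLNET.ALLOWED_LOGON_VERSION = 12   # accept only the new protocol
"""


def parse_sqlnet(text):
    """Return {PARAM: value} for top-level 'name = value' lines."""
    params = {}
    for raw in text.splitlines():
        if raw[:1].isspace():                # indented line continues a value
            continue
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip().strip("()\"' ")
    return params


def audit_logon_version(text):
    """Return (ok, reason): ok only if every logon-version setting is >= 12."""
    params = parse_sqlnet(text)
    found = {n: params[n] for n in LOGON_PARAMS if n in params}
    if not found:
        return False, "no minimum logon version set; older protocols accepted"
    for name, value in found.items():
        digits = re.match(r"\d+", value)     # tolerates values such as '12a'
        if not digits or int(digits.group()) < REQUIRED:
            return False, f"{name} = {value!r} is not set to {REQUIRED} or later"
    return True, "only protocol version 12 or later is accepted"


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_logon_version(sample))
```

A commented-out or missing setting is reported as a failure, since the server then still accepts the older protocol versions.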

 

 


Last Updated ( Monday, 24 September 2012 )
 
 

   
Copyright © 2017 i-programmer.info. All Rights Reserved.