Oracle Login Weakness
Written by Kay Ewbank   
Monday, 24 September 2012

A flaw in the authentication protocol used by some Oracle databases could leave systems open to remote attack.

The vulnerability was reported by Application Security Inc. A researcher working for the company, Esteban Martinez Fayo, has worked out how an attacker can obtain a token provided by the Oracle server and use it to determine a user’s password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. Fayo has developed a tool that can crack some simple passwords in a few hours using an ordinary PC and has scheduled a webinar on the flaw for October 16, 2012.

 

 

The vulnerability affects Oracle Database 11g Releases 1 and 2, and arises from the way the authentication protocol protects session keys when users attempt to log in. When a client machine contacts the server, the server generates a random session key and sends it back to the client. The server also sends a salt, a collection of random bits to be supplied along with the password in the next stage of the authentication process. The problem is that the server generates and sends the key as the first stage, before authentication is completed, and an attacker can match up a particular session key with a particular password. Having received the session key and salt, the attacker simply closes the connection, so no failed login attempt is recorded in the server log because the authentication is never completed. The attacker can then use the session key and salt in a brute force attack in which candidate passwords are generated and tried.

Fayo discovered the problem by noticing that log-in attempts with incorrect passwords are handled differently at the client and server ends. He worked out that the session key was in some ways leaking information about the password hash. He says the problem is serious because it’s so simple to exploit.

“The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user. Then, an attack similar to that of cracking a SHA-1 password hash can be performed.”

Oracle has in fact released a new version of the authentication protocol, version 12, that is not vulnerable to the flaw, and the solution is to apply the patch and change the server configuration to use only the new version of the protocol. Oracle has no plans to fix the flaw in version 11.1 of the protocol.
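As an added example (not from the article or from Oracle), the following script checks whether a server's sqlnet.ora restricts logons to protocol version 12. It assumes the configuration change described above is made through the sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION, which the article does not name; the sample file contents and the function name are constructed for illustration.

```python
import re

REQUIRED_VERSION = 12  # protocol version the article describes as not vulnerable
# Assumption: the restriction is set with this sqlnet.ora parameter
# (a real Oracle Net parameter, but not named in the article).
PARAM = "SQLNET.ALLOWED_LOGON_VERSION"
_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Constructed sample sqlnet.ora contents, not taken from a real system.
WEAK_SAMPLE = """\
# sqlnet.ora (constructed sample)
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
sqlnet.allowed_logon_version = 11
"""
HARDENED_SAMPLE = """\
NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)
SQLNET.ALLOWED_LOGON_VERSION = 12
"""
COMMENTED_SAMPLE = """\
# SQLNET.ALLOWED_LOGON_VERSION = 12   (disabled during a client rollout)
NAMES.DIRECTORY_PATH = (TNSNAMES)
"""

def audit_sqlnet(text):
    """Return (status, detail) for the logon-version setting in sqlnet.ora text."""
    values = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments, including commented-out settings
        m = _LINE.match(line)
        if m and m.group(1).upper() == PARAM:  # parameter names are case-insensitive
            values.append((lineno, m.group(2).strip("()\"' ")))
    if not values:
        return ("MISSING", f"{PARAM} is not set, so older protocol versions are not refused")
    findings = []
    for lineno, value in values:
        if not value.isdigit():
            findings.append(f"line {lineno}: unparseable value {value!r}")
        elif int(value) < REQUIRED_VERSION:
            findings.append(f"line {lineno}: allows protocol version {value}")
    if findings:
        return ("WEAK", "; ".join(findings))
    if len(values) > 1:
        return ("REVIEW", "parameter set more than once; keep a single entry")
    return ("OK", f"only protocol version {REQUIRED_VERSION} or later is accepted")

if __name__ == "__main__":
    for name, sample in [("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE),
                         ("commented", COMMENTED_SAMPLE)]:
        print(name, audit_sqlnet(sample))
```

Older clients that cannot speak the newer protocol version will be refused once the restriction is in place, so the same check is worth running against client-side sqlnet.ora files before the change.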

 

 

Last Updated ( Monday, 24 September 2012 )
 
 

   