Oracle Login Weakness
Written by Kay Ewbank   
Monday, 24 September 2012

A flaw in the authentication protocol used by some Oracle databases could leave systems open to remote attack.

The vulnerability was reported by Application Security Inc. A researcher working for the company, Esteban Martinez Fayo, has worked out a way for attackers to obtain a token provided by the Oracle server and use it to determine a user’s password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. Fayo has developed a tool that can crack some simple passwords in a few hours using an ordinary PC and has scheduled a webinar on the flaw for October 16, 2012.



The vulnerability affects Oracle Database 11g Releases 1 and 2, and arises from the way the authentication protocol protects session keys when users attempt to log in. When a client machine contacts the server, the server generates a random session key and sends it back to the client. The server generates and sends this key as the first stage, before authentication is completed, and the flaw means an attacker can match up a particular session key with a particular password. The server also sends a salt, a collection of random bits to be supplied along with the password in the next stage of the authentication process. Having received the session key and salt, the attacker simply closes the connection; because the authentication is never completed, no failed login attempt is recorded in the server log. The attacker can then use the session key and salt in a brute-force attack in which candidate passwords are generated and tried.

Fayo discovered the problem by noticing that log-in attempts with incorrect passwords are handled differently at the client and server ends. He worked out that the session key was in some ways leaking information about the password hash. He says the problem is serious because it’s so simple to exploit.

“The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user.  Then, an attack similar to that of cracking SHA-1 password hash can be performed.”

Oracle has in fact released a new version of the authentication protocol, version 12, that is not vulnerable to the flaw, and the solution is to apply the patch and change the server configuration to use only the new version of the protocol. Oracle has no plans to fix the flaw in version 11.1 of the protocol.
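A defender can check the configuration half of that fix by auditing the server's sqlnet.ora. The script below is an added example, not code from the article or from Oracle; the parameter names SQLNET.ALLOWED_LOGON_VERSION and SQLNET.ALLOWED_LOGON_VERSION_SERVER are not named in the article and are assumed here to be the settings that control the minimum logon protocol version, and the sample files are constructed.

```python
import re

# Assumption (not named in the article): these sqlnet.ora parameters set the
# minimum logon protocol version the server will accept.
PARAMS = ("SQLNET.ALLOWED_LOGON_VERSION", "SQLNET.ALLOWED_LOGON_VERSION_SERVER")
V12_ONLY = {"12", "12A"}  # values that admit only version 12 of the protocol


def parse_sqlnet(text):
    """Return {UPPERCASE_NAME: value} for simple 'name = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.+)$", line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip().strip('"')
    return settings


def audit_logon_version(text):
    """Return (ok, findings). ok is True only if a logon-version setting is
    present and every one that is present restricts logons to version 12."""
    settings = parse_sqlnet(text)
    present = [(name, settings[name]) for name in PARAMS if name in settings]
    if not present:
        return False, ["no allowed-logon-version setting found: "
                       "server is not restricted to protocol version 12"]
    findings, ok = [], True
    for name, value in present:
        if value.upper() in V12_ONLY:
            findings.append(f"{name}={value}: only version 12 accepted")
        else:
            ok = False
            findings.append(f"{name}={value}: older protocol versions accepted")
    return ok, findings


# Constructed sample sqlnet.ora contents, for illustration only.
WEAK = """# constructed sample
SQLNET.AUTHENTICATION_SERVICES = (NONE)
sqlnet.allowed_logon_version = 11   # kept for legacy clients
"""
FIXED = "SQLNET.ALLOWED_LOGON_VERSION=12\n"
MISSING = "NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED), ("missing", MISSING)):
        print(label, audit_logon_version(cfg))
```

A passing result covers only the configuration change; the patch the article mentions still has to be applied.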



Last Updated ( Monday, 24 September 2012 )

I Programmer News