Oracle database authentication protocol vulnerability opens door for brute-force attack

oracleA serious vulnerability in the authentication protocol used by some Oracle databases is detected by a Researcher with Appsec tomorrow. The backdoor enables hackers to perform the brute force attack similar to the SHA1 password hack.

The authentication process currently used by Oracle databases - contacts the database server to get the session key back to the client, along with a salt. The vulnerability enables a hacker to link a specific session key with a  specific password hash.

The Researcher Esteban Martinez Fayo will demonstrate a proff-of-concept attack. Martinez first reported the bug in the Oracle database back in May 2010. Oracle did a great job fixing it in their next version, but left the current/previous version without the patch or other updates to get it fixed.

But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable. Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1

Once the attacjer has a Session Key and a salt, the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct on is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can't be used becayse there is a salt ussed for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient

If the vulnerability is widely deployed it is sure a one heck of the problem for IT firms and other services relying on oracle database. The oracle developers team should consider it as a dangerous backdoor which can put millions on passwords ready for the hackers to sneak upon.


Leave your comments

Post comment as a guest

0 Character restriction
Your text should be more than 5 characters
  • No comments found