Ekoparty Conference: Stealth Password Cracking Vulnerability Found in Oracle Database

Ekoparty Conference: Stealth Password Cracking Vulnerability Found in Oracle Database

Researchers unveiled serious vulnerability in the authentication protocol used by some Oracle databases, a flaw that could enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user's password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. The vulnerability exists in Oracle Database 11g Releases 1 and 2 and is caused by a problem with the way the authentication protocol protects session keys when users try to log in. The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash. The researcher who discovered the bug named Esteban Martinez Fayó has also released a tool that can crack some simple passwords in about five hours on a normal PC.  Fayó is a security specialist of AppSec Inc, he demonstrated his findings at the Ekoparty conference which is currently taking place in Buenos Aires. 
According to Esteban Martinez Fayo "This Session Key is a random value that the server generates and sends as the initial step in the authentication process, before the authentication has been completed.  This is the reason why this attack can be done remotely without the need of authentication and also, as the attacker can close the connection once the Session Key has been sent, there is no failed login attempt recorded in the server because the authentication is never completed."  He also staid "Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found.  This is very similar to a SHA-1 password hash cracking.  Rainbow tables can’ t be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient."  
"Basically, I discovered that not all failed login attempts were recorded by the database.  Looking closer at the issue, I located the problem in the way that one of the components of the logon protocol, the Session Key, was protected.  I noticed that, in a certain way, the Session Key was leaking information about the password hash," he added 
Although Oracle closed the hole with the patch set, which introduced the new version 12 of the protocol in mid-2011, Fayó said that there has been no fix for versions 11.1 and 11.2 of the database because the update was never included in any of Oracle's regular "critical patch updates". The researcher explained that unless administrators activate the new protocol manually, the database will continue to use the vulnerable version 11.2 protocol. The vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous. "The Oracle stealth password cracking vulnerability is a critical one.  There are many components to affirm this: It is easy to exploit, it doesn’t leave any trace in the database server and it resides in an essential component of the logon protocol," he said.
"It is very simple to exploit.  The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user.  Then, an attack similar to that of cracking SHA-1 password hash can be performed. I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs."

-Source (Threat Post)


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Related Posts Plugin for WordPress, Blogger...