Esteban Martinez Fayo of AppSec Inc developed a proof-of-concept tool for the flaw

Sep 21, 2012 12:23 GMT
Oracle Database customers exposed because of authentication protocol vulnerability

A security hole in Oracle Database 11g releases 1 and 2 allows remote attackers to crack user passwords. The attack is possible because of the way the authentication protocol protects session keys during the login process.

According to the researcher who identified the vulnerability, Esteban Martinez Fayo of AppSec Inc, when a client logs on to a database the server sends it a session key, a random value generated by the server, together with a salt.

If a cybercriminal manages to obtain the session key and the salt, he can run an offline brute-force attack against them to recover the password.

“This is very similar to a SHA-1 password hash cracking. Rainbow tables can’t be used because there is a salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient,” the expert said, cited by Kaspersky’s ThreatPost.

“Basically, I discovered that not all failed login attempts were recorded by the database. Looking closer at the issue, I located the problem in the way that one of the components of the logon protocol, the Session Key, was protected. I noticed that, in a certain way, the Session Key was leaking information about the password hash,” he added.

Fayo claims that the flaw is easy to exploit and the attack doesn’t leave any traces in the database server. With the proof-of-concept tool he developed, the researcher managed to crack an 8-character alphabetic password in just 5 hours.

The expert told Dark Reading that the vulnerability had been addressed by Oracle with the release of version 12 of the authentication protocol, but the company doesn’t plan to address this issue in older variants such as 11.1 and 11.2.

In order to protect their databases against such attacks, administrators must “disable the protocol in Version 11.1 and start using older versions like Version 10g.”
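As an added defender-side example (not part of the article, and not a tool from the researcher or from Oracle), the script below audits a sqlnet.ora file for the setting that pins a server to the version 12 logon protocol the article mentions. The parameter names SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION are taken from Oracle Net Services documentation rather than from the article, and the sqlnet.ora contents are constructed; confirm the parameter and the values your release accepts against its own documentation.

```python
import re

# Constructed sample sqlnet.ora contents used only to exercise the checker.
SAMPLE_SQLNET_ORA = """\
# sqlnet.ora (constructed example)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
sqlnet.allowed_logon_version_server = 11
"""

# Parameter names are an assumption taken from Oracle Net Services
# documentation (11.2.0.3 and later use the _SERVER form; earlier 11.2
# releases used the single SQLNET.ALLOWED_LOGON_VERSION parameter).
SERVER_PARAMS = ("SQLNET.ALLOWED_LOGON_VERSION_SERVER", "SQLNET.ALLOWED_LOGON_VERSION")
MIN_VERSION = 12  # protocol generation the article says fixed the flaw


def parse_sqlnet_ora(text):
    """Return {PARAM: value} for simple NAME = value lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def logon_version_number(value):
    """'12a' -> 12, '(11)' -> 11; None when the value is not a version."""
    m = re.match(r"^\(?\s*(\d+)[a-zA-Z]?\s*\)?$", value)
    return int(m.group(1)) if m else None


def check_logon_version(text):
    """Return (ok, message): ok is True only when a logon-version parameter
    is present and set to 12 or higher; an absent parameter is reported as
    not ok because the release default then decides what is accepted."""
    params = parse_sqlnet_ora(text)
    for name in SERVER_PARAMS:
        if name in params:
            ver = logon_version_number(params[name])
            if ver is None:
                return False, f"{name} has unrecognised value {params[name]!r}"
            if ver >= MIN_VERSION:
                return True, f"{name}={params[name]}: version 12 protocol enforced"
            return False, f"{name}={params[name]}: older logon protocol still accepted"
    return False, "no allowed-logon-version parameter set; release default applies"
```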