Flaw in Oracle Logon Protocol Leads to Easy Password Cracking

There is a serious vulnerability in the authentication protocol used by some Oracle databases, a flaw that could enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user’s password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. The researcher who discovered the bug has a tool that can crack some simple passwords in about five hours on a normal PC.


The vulnerability exists in Oracle Database 11g Releases 1 and 2 and is caused by a problem with the way the authentication protocol protects session keys when users try to log in. The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash.

“This Session Key is a random value that the server generates and sends as the initial step in the authentication process, before the authentication has been completed.  This is the reason why this attack can be done remotely without the need of authentication and also, as the attacker can close the connection once the Session Key has been sent, there is no failed login attempt recorded in the server because the authentication is never completed,” said Esteban Martinez Fayo, a researcher at AppSec Inc., who discovered the flaw and will discuss it at the Ekoparty conference Thursday.

“Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can’t be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient.”

Fayo found the bug after noticing that there was an inconsistency in the way that clients and database servers handled failed log-in attempts. He found that log-in attempts with incorrect passwords were handled differently by the client than by the server and started looking more closely at why that was.

“Basically, I discovered that not all failed login attempts were recorded by the database.  Looking closer at the issue, I located the problem in the way that one of the components of the logon protocol, the Session Key, was protected.  I noticed that, in a certain way, the Session Key was leaking information about the password hash,” he said.

Fayo said that Oracle has released a new version of the authentication protocol, version 12, which fixes this problem. However, he said that Oracle is not planning to fix the bug in version 11.1 of the protocol, and that even after applying the patch that includes the updated protocol, database servers are still vulnerable by default. Administrators need to change the configuration of the server in order to only allow the new version of the protocol.

Because the vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous.

“The Oracle stealth password cracking vulnerability is a critical one.  There are many components to affirm this: It is easy to exploit, it doesn’t leave any trace in the database server and it resides in an essential component of the logon protocol,” he said.

“It is very simple to exploit. The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user. Then, an attack similar to that of cracking a SHA-1 password hash can be performed. I developed a proof-of-concept tool that shows that it is possible to crack an 8-character-long lowercase alphabetic password in approximately 5 hours using standard CPUs.”

In addition to–or in lieu of–the patch, Fayo said database administrators also could mitigate the effects of the vulnerability by requiring external authentication or disabling the Oracle logon protocol version 11 on the server.
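As an added illustration of the server-side configuration change the article describes (this is not a tool from the article or from AppSec), here is a small Python checker that reads a sqlnet.ora and reports whether the server still accepts the version 11 logon protocol. It assumes that the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter (or its older name SQLNET.ALLOWED_LOGON_VERSION) governs which protocol versions the server accepts, that a value of 12 or 12a rejects version 11, and that an absent setting falls back to a default that still allows version 11; the sqlnet.ora contents below are constructed samples.

```python
# Parameter names assumed to control the accepted logon protocol versions.
PARAM_NEW = "SQLNET.ALLOWED_LOGON_VERSION_SERVER"   # 11.2.0.3 and later
PARAM_OLD = "SQLNET.ALLOWED_LOGON_VERSION"          # older, deprecated name
# Values assumed to reject the flawed version 11 handshake ("12a" is stricter).
SAFE_VALUES = {"12", "12a"}

# Constructed samples: a server that still accepts version 11 and a hardened one.
WEAK_SQLNET_ORA = """# constructed sample: patched server, weak setting
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11
"""
HARDENED_SQLNET_ORA = """# constructed sample: only version 12 logon accepted
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
"""


def parse_sqlnet_ora(text):
    """Parse simple KEY = VALUE lines of a sqlnet.ora file into a dict.

    '#' starts a comment; keys are case-insensitive and are upper-cased.
    Multi-line parenthesised values are not needed for this check and are
    ignored (only the first line of such a value is captured).
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip().strip("'\"")
    return params


def check_logon_version(text):
    """Return ("ok", detail) when only version 12/12a clients are accepted,
    otherwise ("vulnerable", detail)."""
    params = parse_sqlnet_ora(text)
    for name in (PARAM_NEW, PARAM_OLD):
        if name in params:
            value = params[name]
            if value.lower() in SAFE_VALUES:
                return "ok", f"{name}={value} rejects the version 11 protocol"
            return "vulnerable", f"{name}={value} still accepts version 11 clients"
    # Assumption: no explicit setting means the server default, which on 11g
    # still accepts the version 11 protocol (the article's "vulnerable by default").
    return "vulnerable", "no ALLOWED_LOGON_VERSION setting; default still accepts version 11"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        status, detail = check_logon_version(conf)
        print(f"{label}: {status} ({detail})")
```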


Discussion

  • Anonymous on

    I would say "easy password cracking" is a bit of an overstatement. A brute force isn't exactly easy or fast - though I agree that the salt shouldn't be so readily available.
  • Ixisa Nobody on

    This proves that users should not be allowed to use passwords that are numeric sequences or simple words for critical systems.
    Imagine if the password was 12 characters long and included upper case, lower case and numbers. In that case I doubt you will be able to get access in that 5 hours the article says.

  • Bill R on

    Wouldn't setting the security profile to lock the account after 10 failed login attempts (the 11g standard) defeat this? 

  • Anonymous on

    Mm, where's the bug? I don't see it..

  • Niall L on

    Bill

    I think the key phrase is "Basically, I discovered that not all failed login attempts were recorded by the database"

  • Marcel Lambrechts on

    I don't quite understand how being able to get the encrypted session key (a random number generated by the database server and encrypted, using AES - 192 bit, using the SHA-1 password hash for the user) can leak the actual password, at least not "as simple" as mentioned in this article. As I understand from how the O5LOGON protocol works, you would have to do the following steps to be able to brute force the password:

    1. Get the SALT (is available through AUTH_VRF_DATA field)
    2. Get the encrypted server session key (is available through AUTH_SESSKEY field)
    3. Brute force on encrypted (AES 192-bit) AUTH_SESSKEY to determine the SHA-1 password hash - I wonder how long this would take, if reasonably possible, because you don't know the decrypted session key.
    4. If you are able to determine the SHA-1 hash value then you would have to brute force the password using the known value for the SALT.

    Step 4 can be done pretty easily, although if you use a little bit more sophisticated passwords, with more than 8 characters, numbers, capitals and maybe even punctuation marks, it would take a lot longer than the mentioned 5 hours.

    Step 3 is a lot more difficult I think (maybe someone else thinks differently) because first of all you don't know the used SHA-1 hash and secondly you don't know the used session key generated by the database server, so I don't know how you can extract either of these values from that.

    I'm not completely sure about how seriously I should take this bug; the description of the problem doesn't really convince me...

    Marcel

  • Anonymous on

    Does this include global authenticated accounts, those authenticating to LDAP using OID?

  • Anonymous on

    Wouldn't the account get locked if there are the default number of failed login attempts?

  • Anonymous on

    If we are not using sqlnet.ora on server side, does that mean we are not using version 11 and are safe? Can someone mention the steps to disable Oracle logon protocol version 11.

  • Marcel Lambrechts on

    Use the following command on your database to set the SEC_CASE_SENSITIVE_LOGON parameter (this won't require a database restart):

    ALTER SYSTEM SET sec_case_sensitive_logon=FALSE SCOPE=BOTH;

    This will make sure the database will start using O3LOGON protocol again. Don't forget to recreate your oracle database password file with orapwd file=<password file> ignorecase=y and regrant any SYSDBA and/or SYSOPER privileges. (Do a SELECT * FROM v$pwfile_users;)


  • Anonymous on

    Ettercap and JtR plug-ins to sniff and crack O5LOGON protocol have been published.

    Search "[PoC] Cryptographic flaws in Oracle Database authentication protocol".


  • Klas on

    Does this vulnerability exist in older versions of Oracle, e.g. 9 or 10G, or is it only 11G v1&2 that is affected?

  • Anonymous on

    Is there a CVE or bugtraq for this vuln?

  • Anonymous on

    Has the presentation been published yet?

  • Anonymous on

    Does this vulnerability have an exploit for testing?

  • rebeshko on

    The company will hire game testers; part-time work is possible. Salary from 300 USD. Schoolchildren and students may be hired. Required: a desire to play various games and to enjoy doing so, and the ability to find errors in games (logic errors, design flaws, etc.). If you have decided that this job suits you, send your résumé (in free form) to the e-mail: rebesko"at"ukr.net Contact person: Svetlana.
