[NEWS] Oracle Native Authentication Version 9i and 10g



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Oracle Native Authentication Version 9i and 10g
------------------------------------------------------------------------


SUMMARY

Oracle's Native Authentication algorithm was changed in versions 9i and
10g of the product. The following article illustrates an issue with the
new algorithm that makes it possible to brute force the password off-line
and recover the plaintext.

DETAILS

Introduction:
In recent years several papers have been published about Oracle's native
authentication protocol and its weaknesses (e.g. [1.] or [2.]). Those
papers covered the 8i version of the protocol, which is used by the thin
driver in 9i and 10g. Programs have been released to exploit some of these
weaknesses (e.g. [2.] or [3.]). The most detailed description can be found
in [3.]; that excellent book explains the details of version 8.1.7.4 and
says "the general process is the same on other oracle versions".

The authentication protocol in the OCI driver was changed in 9i and
changed again in 10g. Little information is available about these new
protocols. This article shows that at least two problems exist in the new
protocols:
* If you have the password hash, you can decrypt the password from the
captured authentication data;
* therefore off-line brute forcing is possible.

Laszlo Toth did not analyze the cryptography used in the new versions, but
used Oracle's own DLLs to demonstrate the existing problems.

9i version
In the 9i version the AUTH_SESSKEY and AUTH_PASSWORD are twice as long as
in 8i: they are 128 bits long, as you can see below:

0000050A 00 87 00 00 06 00 00 00 00 00 08 01 00 0c 00 00 ........ .......
0000051A 00 0c 41 55 54 48 5f 53 45 53 53 4b 45 59 20 00 ..AUTH_S ESSKEY
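As an added example (not code from the advisory, nor from Laszlo Toth's tool), the following Python scanner locates the AUTH_SESSKEY and AUTH_PASSWORD pairs in a captured authentication message and reports whether their values have the 64-bit size of 8i or the 128-bit size of 9i/10g, which lets a defender confirm from a trace which native-authentication generation a client is using. It assumes a one-byte length prefix before each key name and a one-byte value length after it (as the 0x0c and 0x20 in the dump suggest) and that values are ASCII hex strings; the sample capture is built from the dump line above plus constructed framing bytes and values.

```python
import re

# Assumed framing (not stated in the advisory): a one-byte length prefix
# precedes each key name and a one-byte value length follows it, and the
# value is an ASCII hex string, so its width in bits is 4 * its characters.
# The 0x0c before "AUTH_SESSKEY" and the 0x20 after it in the dump fit this.
AUTH_KEYS = (b"AUTH_SESSKEY", b"AUTH_PASSWORD")

def find_auth_values(buf: bytes) -> dict:
    """Return {key: (bits, hex_value)}; bits is None when the value is cut off."""
    found = {}
    for key in AUTH_KEYS:
        pos = buf.find(key)
        if pos <= 0 or buf[pos - 1] != len(key):
            continue  # key absent, or its length prefix does not match
        vlen_pos = pos + len(key)
        if vlen_pos >= len(buf):
            found[key.decode()] = (None, "")
            continue
        vlen = buf[vlen_pos]
        # Skip any framing bytes between the length and the value by taking
        # the first run of exactly vlen hex characters after it.
        m = re.compile(rb"[0-9A-Fa-f]{%d}" % vlen).search(buf, vlen_pos + 1)
        if vlen == 0 or m is None:
            found[key.decode()] = (None, "")
        else:
            found[key.decode()] = (vlen * 4, m.group().decode())
    return found

def classify(bits) -> str:
    """Map the AUTH_SESSKEY width to the protocol generation it implies."""
    return {64: "8i-style (64-bit)", 128: "9i/10g-style (128-bit)"}.get(bits, "unknown")

def report(buf: bytes) -> str:
    """One-line verdict for a captured authentication message."""
    vals = find_auth_values(buf)
    bits = vals.get("AUTH_SESSKEY", (None, ""))[0]
    return "%s; keys seen: %s" % (classify(bits), ", ".join(sorted(vals)))

# Constructed capture: the first 16 bytes are the advisory's dump line at
# offset 0x51A; the remaining framing bytes and both hex values are made up.
SAMPLE_9I = (
    bytes.fromhex("000c415554485f534553534b45592000")
    + bytes.fromhex("000020") + b"0123456789ABCDEF0123456789ABCDEF"
    + bytes.fromhex("0d0000000d") + b"AUTH_PASSWORD"
    + bytes.fromhex("2000000020") + b"FEDCBA9876543210FEDCBA9876543210"
)

if __name__ == "__main__":
    print(report(SAMPLE_9I))  # 9i/10g-style (128-bit); keys seen: AUTH_PASSWORD, AUTH_SESSKEY
```

A truncated capture (or one whose value is not hex) is reported with a width of None rather than misclassified.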


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


