Brute-force attack on Oracle passwords feasible
A security researcher has provided details on vulnerabilities in the authentication protocol of Oracle's database that he originally discovered in 2010. The researcher, Esteban Martinez Fayó from security specialist AppSec, presented his findings and the methods by which they can be exploited at the ekoparty Security Conference; this is currently taking place in Buenos Aires.
Although Oracle closed the hole with the 18.104.22.168 patch set, which introduced the new version 12 of the protocol in mid-2011, Fayó said that there has been no fix for versions 11.1 and 11.2 of the database because the update was never included in any of Oracle's regular "critical patch updates". The researcher explained that unless administrators activate the new protocol manually, the database will continue to use the vulnerable version 11.2 protocol.
Fayó says that when a log-in attempt is made, the database server initially sends a session key and the salt value of the password hash. Apparently, potential attackers only require the name of a user and that of a database file; they can then abort communication with the server and launch a brute-force attack on the password offline. This method does not cause any failed log-in attempts to be recorded in the log files.
According to the researcher, the undisclosed security hole allows attackers to make a connection between the user's session key and password hash. Fayó said that the random salt value is designed to make brute-force attacks on this hash very difficult because it doesn't allow attackers to use, for example, rainbow tables.
He continued to explain that, although these tables can't be used in this attack, the passwords can be cracked quite efficiently using special hardware, such as GPUs, and hybrid dictionaries. The researcher noted that it is also possible to use cloud services. To crack a password, attackers will try out random character combinations until they find one that matches the hash of a given value. Once they have a match, it is highly likely that they have found the right password.