This paper focuses on new threats on one of the most popular database
plat-forms: Oracle.
On 18 October 2005, the SANS institute published An Assess-ment of the
Oracle Password Hashing Algorithm[1]. An implementation ofthe
algorithm as described in this document enables attackers to crack
pass-words. With a cracked password, an attacker can gain unauthorized
access tocorporate data, or perform unauthorized transactions. But how
does it work?And what is the impact of newly discovered weaknesses?
The first sectionof this document describes how Oracle database
products generate passwordhashes[2] which are stored in the database
to authenticate users. The secondsection of this paper demonstrates
that a design flaw in the implementationof a key exchange enables an
attack on Oracle network authentication andrecovery of passwords used
in logins over the network.1
Attacking the Oracle password hashing algorithmOn 18 October 18 2005,
the SANS institute published An Assessment of the OraclePassword
Hashing Algorithm. This SANS paper describes how Oracle
databaseproducts generate password hashes which are stored in the
database to authenticateusers. An implementation of the algorithm
enables attackers to crack passwords.With a cracked password, an
attacker can gain unauthorized access to corporatedata. This chapter
focuses on the process and implementation of cracking Oraclepassword
hashes.1.1 Getting the hashesIn order to crack the hashes, a list
containing the username and encrypted pass-words must be retrieved
from the database. To do so, an attacker can follow differ-ent paths,
such as:• Retrieve hashes using authorized access. A personal account
of a user orfunctional application account might allow accessing the
table containing therequired data if authorizations are not strict
enough. This path is typicallyfollowed by curious employees or inside
attackers.• Retrieve hashes using unauthorized access. Oracle and
products using Ora-cle databases feature a number of default and wellknown
username/passwordcombinations[3]. By trying to login using this
information or guessing avalid username/password combination, access
might be obtained. In an sub-optimally secured environment, such
access frequently has the necessaryprivileges to access the account
names and password hashes. Also, accessto account names and password
hashes might be gained by abusing secu-rity flaws in Oracle itself.
This category of attack is typically performed byhackers.• Retrieve
hashes from the application layer. By utilising attacks such as SQLinjection,
database access can be obtained in some cases. This
category ofattack is often used by internet hackers.Extraction
techniques fall outside the scope of this paper.1.2 Cracking
hashesWhen the account names and password hashes are successfully
retrieved, a pass-word cracking attack can be started. The process of
cracking is visualized in figure1, and is a standard dictionary or
brute-force attack.1.3 Oracles password hashingOracle hashes are
generated using a known, fixed magic number with the valueof
0x0123456789ABCDEF, the username, the password, a PREPARE-function3
Page 4
Figure 1: cracking passwordsand the Data Encryption Standard (DES)[4]
algorithm in Cypher Block Chaining(CBC)[5] mode.// prepare datain =
PREPARE(username, password)// first DES CBCkey = DES_CBC_ENCRYPT(in,
magic_number)// second DES CBChash = DES_CBC_ENCRYPT(in, key)Assume
that retrieval of the hash of the account SYS is successful:SYS
C648972D2BE43FA4And the value H4X0R is used as the assumed candidate
password, the follow-ing input data is used:magic_number =
0x0123456789ABCDEFusername = SYSpassword = H4X0RFirst, the PREPAREfunction
converts all characters to uppercase and concate-nates the
username and the candidate password. The value of the output string
ofPREPARE is SYSH4X0R, which is 0x5359534834583052 in ASCII[6]. Then
thefunction stores all characters using 2 bytes per character, zeroing
the high bytes;0x53 becomes 0x0053, 0x59 becomes 0x0059 et cetera.
Furthermore, the input isextended to a multiple of 8 bytes, padded
with zeros if needed. In this case theinput string size is 16 bytes so
nothing will happen. The complete operation:4
Page 5
// prepare datain[] = PREPARE(username, password)=
{0x0053005900530048, 0x003400580300052}DES in CBC mode actually
XORs[7] the input of block N with the output of blockN − 1. The
example calculation shows this explicit form:// first DES CBCtemp =
DES_ENCODE(in[0], magic_number)= DES_ENCODE(0x0053005900530048,
0x0123456789ABCDEF)= 0x170453E89F8CDA7in[1] = temp XOR in[1]=
0x170453E89F8CDA7 XOR 0x0034005800300052= 0x48BB68C2B4C18FD0key =
DES_ENCODE(in[1], magic_number)= DES_ENCODE(0x48BB68C2B4C18FD0,
0x0123456789ABCDEF)= 0x6B539939C572D9AC// second DES CBCtemp =
DES_ENCODE(in[0], key)= DES_ENCODE(0x0053005900530048,
0x6B539939C572D9AC)=0x6517F03B233E4991in[1] = temp XOR in[1]=
0x6517F03B233E4991 XOR 0x0034005800300052= 0x6523F063230E49C3hash =
DES_ENCODE(in[1], key)= DES_ENCODE(0x6523F063230E49C3,
0x6B539939C572D9AC)= 0xC648972D2BE43FA4To see if the password is
cracked successfully, the retrieved hash is compared tothe hash
calculated. Both have the value of 0xC648972D2BE43FA4 indicating
asuccessful guess: the password of SYS is H4X0R.1.4 LimitationsWhat
happens if this attack is launched in a perfect world? In the perfect
worldall systems - database and host operating system - are fully
patched. No knownexploits[8] work. All users have only got the
privileges they really need. Unautho-rized hash retrieval is not
possible. Default username/password combinations donot exist anymore
since passwords are changed or accounts are disabled.
Thereforeunauthorized access is not possible. In a prefect world, if a
database administratorselects a view or table containing the hashes1,
it will be recorded in the audit trailand disciplinary action can be
taken. In such an environment, the conclusion isthat an attacker will
not be able to obtain the encrypted passwords. No referencematerial
means no cracking therefore no risk. End of story? No, not at all.2
Introducing a passive attackAs seen in the previous chapter, an
attacker can actively retrieve Oracle passwordhashes to crack them. In
a perfect world access to this information is restrictedto prevent an
attacker launching an attack. This section focuses on the process1DBA
USERS, SYS.USER$5
Page 6
and implementation of network logins of Oracle database clients. What
data istransmitted during a network logon? Can this data - which can
be retrieved in apassive way - be abused to crack passwords?2.1
Documentation studyIf retrieving hashes from the database directly is
not an option, what can be doneto obtain passwords? Where are the
hashes used besides in the server side loginprocess? In the Advanced
Security Administrator’s Guide[9], Oracle states (fairuse quote):The
purpose of Authentication Key Fold-in is to defeat a possiblethird
party attack (historically called the man-in-the-middle attack) onthe
Diffie-Hellman key negotiation. It strengthens the session key significantly
by combining a shared secret, known only to the client
andthe server, with the original session key negotiated by Diffie-
The client and the server begin communicating using the
session keygenerated by Diffie-Hellman. When the client authenticates
to theserver, they establish a shared secret that is only known to
both parties.Oracle Advanced Security combines the shared secret and
the Diffie-Hellman session key to generate a stronger session key
designed todefeat a man-in-the-middle attack.So there’s got to be a
key exchange process in place, using a shared secret toencrypt a
session key. To identify the key exchange, sample data is required.2.2
Capturing network trafficUsing a network sniffer - a piece of software
designed for capturing and analysis ofthe packets going through the
network - , a login session of user SYS with passwordH4X0R is
captured. The client uses the standard Oracle client driver and
connectsto a default installation of Oracle 8i running on the
Microsoft Windows platform2:PC CLIENT>>0000034800 bb 00 00 06 04 00
0000 00 03 76 02 30 74 3e ........ ...v.0t>0000035804 03 00 00 00 01
00 0000 00 da 13 00 04 00 00 ........ ........0000036800 d0 d7 13 00
c0 db 1300 03 73 79 73 0d 00 00 ........ ..sys...0000037800 0d 41 55
54 48 5f 5445 52 4d 49 4e 41 4c 07 ..AUTH_T ERMINAL.0000038800 00 00
07 56 4f 4e 4a45 45 4b 00 00 00 00 0f ....VONJ EEK.....0000039800 00
00 0f 41 55 54 485f 50 52 4f 47 52 41 4d ....AUTH _PROGRAM000003A85f
4e 4d 08 00 00 00 0854 4f 41 44 2e 65 78 65 _NM.....
TOAD.exe000003B800 00 00 00 0c 00 00 000c 41 55 54 48 5f 4d
41 ........ .AUTH_MA000003C843 48 49 4e 45 0e 00 0000 0e 4c 4f 43 41
4c 5c CHINE... ..LOCAL\000003D856 4f 4e 4a 45 45 4b 0000 00 00 00 08
00 00 00 VONJEEK. ........000003E808 41 55 54 48 5f 50 4944 09 00 00
00 09 31 34 .AUTH_PI D.....14000003F834 30 3a 31 39 36 34 0000 00
0040:1964. ...ORACLE SERVER<<2login session to other Oracle database
server version, client software and/or platforms mightshow other data6
Page 7
0000024500 91 00 00 06 00 00 0000 00 08 01 00 0c 00
00 ........ ........0000025500 0c 41 55 54 48 5f 5345 53 53 4b 45 59
10 00 ..AUTH_S ESSKEY..0000026500 00 10 34 33 39 32 3134 33 42 30 38
30 37 39 ...43921 43B080790000027533 35 44 00 00 00 00 0401 00 00 00
00 00 00 00 35D..... ........0000028500 00 00 00 00 00 00 0000 40 00
00 00 00 00 00 ........ .@......0000029500 00 00 00 00 00 00 0000 00
00 00 00 00 00 00 ........ ........000002A500 00 02 00 00 00 00 0000
36 01 00 00 90 d1 1c ........ .6......000002B500 e8 15 1d 00 00 00
0000 00 00 00 00 00 00 00 ........ ........000002C500 00 00 00 00 00
00 0000 00 00 00 00 00 00 00 ........ ........000002D500.PC
CLIENT>>0000040302 1e 00 00 06 04 00 0000 00 03 73 03 30 74
3e ........ ...s.0t>0000041304 03 00 00 00 01 01 0000 1c e9 13 00 07
00 00 ........ ........0000042300 d4 e5 13 00 60 eb 1300 03 73 79 73
0d 00 00 .....‘.. ..sys...0000043300 0d 41 55 54 48 5f 5041 53 53 57
4f 52 44 11 ..AUTH_P ASSWORD.0000044300 00 00 11 43 41 44 4346 46 38
42 35 31 41 45 ....CADC FF8B51AE0000045335 41 31 37 33 00 00 0000 0d
00 00 00 0d 41 55 5A173... ......AU0000046354 48 5f 54 45 52 4d 494e
41 4c 07 00 00 00 07 TH_TERMI NAL.....0000047356 4f 4e 4a 45 45 4b
0000 00 00 0f 00 00 00 0f VONJEEK. ........0000048341 55 54 48 5f 50
52 4f47 52 41 4d 5f 4e 4d 08 AUTH_PRO GRAM_NM.0000049300 00 00 08 54
4f 41 442e 65 78 65 00 00 00 00 ....TOAD .exe....000004A30c 00 00 00
0c 41 55 5448 5f 4d 41 43 48 49 4e .....AUT H_MACHIN000004B345 0e 00
00 00 0e 4c 4f43 41 4c 5c 56 4f 4e 4a E.....LO CAL\VONJ000004C345 45
4b 00 00 00 00 0008 00 00 00 08 41 55 54 EEK..... .....AUT000004D348
5f 50 49 44 09 00 0000 09 31 34 34 30 3a 31 H_PID... ..
1440:1000004E339 36 34 00 00 00 00 0800 00 00 08 41 55 54 48
964..... ....AUTH000004F35f 41 43 4c 04 00 00 0004 34 34 30 30 00 00
00 _ACL.... .4400...0000050300 12 00 00 00 12 41 5554 48 5f 41 4c 54
45 52 ......AU TH_ALTER000005135f 53 45 53 53 49 4f 4ef8 00 00 00 fe
40 41 4c _SESSION ....._at_AL0000052354 45 52 20 53 45 53 5349 4f 4e 20
53 45 54 20 TER SESS ION SET000005334e 4c 53 5f 4c 41 4e 4755 41 47 45
3d 20 27 41 NLS_LANG UAGE= ’A000005434d 45 52 49 43 41 4e 2720 4e 4c
53 5f 54 45 52 MERICAN’NLS_TER0000055352 49 54 4f 52 59 3d 2027 41 4d
45 52 49 40 43 RITORY=’AMERI_at_C0000056341 27 20 4e 4c 53 5f 4355 52 52
45 4e 43 59 3d A’ NLS_C URRENCY=0000057320 27 24 27 20 4e 4c 535f 49
53 4f 5f 43 55 52’$’ NLS _ISO_CUR0000058352 45 4e 43 59 3d 20 2741 4d
45 52 49 43 41 27 RENCY= ’ AMERICA’0000059320 4e 4c 53 5f 4e 55 4d45
52 49 43 5f 43 48 40NLS_NUM ERIC_CH_at_000005A341 52 41 43 54 45 52 533d
20 27 2e 2c 27 20 4e ARACTERS = ’.,’ N000005B34c 53 5f 43 41 4c 45
4e44 41 52 3d 20 27 47 52 LS_CALEN DAR= ’GR000005C345 47 4f 52 49 41
4e 2720 4e 4c 53 5f 44 41 54 EGORIAN’NLS_DAT000005D345 5f 46 4f 52 4d
41 543d 20 27 44 44 2d 4d 4f E_FORMAT = ’DD-MO000005E338 4e 2d 52 52
27 20 4e4c 53 5f 44 41 54 45 5f 8N-RR’ N LS_DATE_000005F34c 41 4e 47
55 41 47 453d 20 27 41 4d 45 52 49 LANGUAGE = ’AMERI0000060343 41 4e
27 20 20 4e 4c53 5f 53 4f 52 54 3d 20 CAN’NL S_SORT=0000061327 42 49
4e 41 52 59 2700 00 00 00 00 00’BINARY’ ......2.3 Key exchange: the
information flowThe complete identification and authentication process
from client to server takesplaces in the following steps:PC client:•
Sends username as client’s public value. The username can be seen at
offset00000372-00000374 and has the value SYS.Oracle server:• Looks up
username’s private value.7
Page 8
• Generates a session key.• Sends session key encrypted with
username’s private value. The session keyencrypted with SYS’s private
value is called AUTH SESSKEY and has gotthe value 4392143B0807935D
(offset 00000257-00000277).PC client:• Calculates the session key by
decrypting the value of the encrypted sessionkey using the username’s
private value.Now, both the server and the client know the value of
the session key andcan encrypt communication using (derivations of)
this value. The first thing theclient does is sending the password,
encrypted with the session key. This variableis called AUTH PASSWORD
and has the value CADCFF8B51AE5A17 (offset00000435-00000456).2.4 Key
exchange: assumptions madeSince key values are identified, assumptions
about the algorithm used for exchang-ing the session key and the
password can be made. Also, an assumption can bemade concerning the
keys used.1. Key to exchange the session key: using a username and a
password, theOracle password hash is an obvious candidate; the Oracle
server knows thevalue, the client can calculate the value for any
given username/passwordcombination.2. Algorithm: since 8 byte - 64
bits - values are used, an obvious candidate forthe algorithm is DES.
3. Key to exchange password: Oracle stated that secret information is
exchangedby combining a shared secret, known only to the client and
the server. There-fore, the assumption is made that the session key -
the decrypted value ofAUTH SESSKEY - is used for encrypting passwords.
2.5 Key exchange: verificationWe will verify these assumptions by
calculating the session key followed by calcu-lating the password://
1, CLIENT SIDE CALCULATIONHASH = ORACLEHASH(USERNAME, PASSWORD)// 2,
CLIENT SIDE CALCULATIONSESSION = DES_DECRYPT(SESSION_ENCRYPTED,
HASH)// 3, CLIENT SIDE CALCULATIONGUESSED_PASSWORD =
DES_DECRYPT(PASSWORD_ENCRYPTED, SESSION)If the value of GUESSED
PASSWORD equals PASSWORD the guess is success-ful. To verify the
assumption, the following input data is used:8
Page 9
USERNAME = SYSPASSWORD = H4X0RSESSION_ENCRYPTED = 0x4392143B0807935D
(= AUTH_SESSKEY)PASSWORD_ENCRYPTED = 0xCADCFF8B51AE5A17 (=
AUTH_PASSWORD)The calculation:HASH = ORACLEHASH(SYS, H4X0R)=
0xC648972D2BE43FA4SESSION = DES_DECRYPT(0x4392143B0807935D,
0xC648972D2BE43FA4)= 0xF06BBCAE024A2B2BGUESSED_PASSWORD =
DES_DECRYPT(CADCFF8B51AE5A17, 0xF06BBCAE024A2B2B)=
0x4834583052000000The result, GUESSED PASSWORD, is padded with zeros.
To get the actual pass-word, all trailing zeros can be dropped
resulting in 0x48, 0x34, 0x58, 0x30, 0x52.Converted to ASCII, the
value of the result is H4X0R: the guess is successful.Given the 64-bit
limit of the session key, we investigate what will happen ifan
encrypted password with length N > 8 is sent over the network. This
dataobviously does not fit in an 8 character (64-bit) array.
Observations show that theprocess stays in place: the only difference
is the length of the encrypted passworddata which is transmitted over
the network. This length will be a multiple of eightcharacters. A
logon using user SYS and password H4X0RH4X0R shows the fol-lowing
values:USERNAME = SYSPASSWORD = H4X0RH4X0RSESSION_ENCRYPTED =
0x64BAFAB43AD56EE5 (= AUTH_SESSKEY)PASSWORD_ENCRYPTED[] =
{0x0D41AD693A7B92D5, 0x6B0CCA9485935942} (= AUTH_PASSWORD)Analysis
shows that PASSWORD[N] is XORed with PASSWORD ENCRY PTED[N−1] where N
> 0. Another calculation:HASH = ORACLEHASH(SYS, H4X0RH4X0R)=
0x11FBDF0625C06252SESSION = DES_DECRYPT(0x64BAFAB43AD56EE5,
0x11FBDF0625C06252)= 0xDA688F9F780AF080GUESSED_PASSWORD[0] =
DES_DECRYPT(PASSWORD_ENCRYPTED[0], SESSION)=
DES_DECRYPT(0x0D41AD693A7B92D5, 0xDA688F9F780AF080)=
0x4834583052483458 (in ASCII: "H4X0RH4X")// an attacker can verify the
guess here already!GUESSED_PASSWORD[1] =
DES_DECRYPT(PASSWORD_ENCRYPTED[1], SESSION)=
DES_DECRYPT(0x6B0CCA9485935942, 0xDA688F9F780AF080)=
0x3D33AD693A7B92D5// the XORGUESSED_PASSWORD[1] = GUESSED_PASSWORD[1]
XOR PASSWORD_ENCRYPTED[0]= 0x3D33AD693A7B92D5 XOR 0x0D41AD693A7B92D5=
0x3052000000000000 (in ASCII: "0R")GUESSED_PASSWORD =
GUESSED_PASSWORD[0] + GUESSED_PASSWORD[1]= 0x4834583052483458 +
0x3052000000000000ASCII(GUESSED_PASSWORD) = H4X0RH4X0R2.6 Attacking:
theoryThe assumption made earlier appears to be correct. Before
verification, the keyspaceof the session key SESSION had the fixed
size of 264. Using the knowledge of the9
Page 10
mechanism used, complexity can be reduced in a number of cases. Let’s
take an-other look at the algorithm:HASH = ORACLEHASH(USERNAME,
PASSWORD)SESSION = DES_DECRYPT(SESSION_ENCRYPTED, HASH)PASSWORD =
DES_DECRYPT(PASSWORD_ENCRYPTED, SESSION)The weakness of the mechanism
used is the implementation of the shared se-crets. the value of
private key is predictable since the the mechanism of generatinga hash
is available in the public domain. As a result, the keyspace can be
reducedfrom a fixed value of 264to a value directly related to the
password length:• The keyspace of all passwords generated from
character set C with lengthN is CNwhich is variable;• Using the Oracle
password hashing algorithm, this will result in CNpass-word hashes;•
Using these hashes, all candidate session keys for this keyspace can
be cal-culated. The result will consist of CNcandidate session keys.If
the length of the password used is ≤ N, one of the candidate session
keyswill match the real session key. So, as long as CN< 264the
keyspace is reduced.Specifically, a small value of N reduces the
keyspace significantly.Field observations show that most Oracle
accounts use the basic Oracle char-acter set for composing passwords.
This set consists of [A-Z][0-9]#$ where apassword must start with an
alpha character, resulting in a 26 out of 39 ratio forvalid passwords
(23). Therefore, the keyspace for password length N =23· 39N.This
keyspace is smaller than 264until N = 64 · log 239= 12. So using
theseparameters, the attack is superior as long as N ≤ 12. A
illustration visualizing thisinformation van be found in figure 2.The
curve on other Oracle key foldins is expected to show similar
characteris-tics; only the brute force key space will presumably be
2128keeping the this attacksuperior until N = 128 · log239= 24.10
Page 11
Figure 2: keyspaces2.7 Attacking: in the fieldTo perform a successful
attack, the values of USERNAME, SESSION ENCRYPTEDand PASSWORD
ENCRYPTED must be sniffed first. Acquiring this data is pos-sible
everywhere on the path in between the client and the database
server:Points of attack from left to right. Required information might
be tapped:• In a client’s subnet by sniffing directly in a shared, or
unsecured wirelessenvironment (inside or outside attacker).• In a
client’s subnet by an ARP poisoning attack[11] - using for e.g.
Cain[12]- by any device in the same OSI layer 2 domain[13] (every
device connectedto the network).• At the local router by for example
monitoring the router’s uplink or tunnel-ing traffic to other
places[14] by a person capable of configuring networkequipment (local
IT administrator/hacker).• At an ISP router, for instance by
monitoring the router’s uplink or tunnelingtraffic to other places by
a person capable of configuring network equipment(ISP administrator/
hacker).• At an ASP router, for example by monitoring the router’s
uplink or tunnelingtraffic to other places by a person capable of
configuring network equipment(ASP administrator/hacker).11
Page 12
Figure 3: points of attack for sniffing data• In the server’s subnet
by an ARP poisoning attack any device in the sameOSI layer 2 domain
(every device connected to the network).Using this information, is it
feasible that an attacker can gain unauthoprised accessto the database
and the corporate data?2.8 Proof of conceptTo check the feasibility of
this attack, a proof of concept application was devel-oped. Running on
a Pentium 4 - 3.2 GHz PC, the non-optimized application cantest over
500.000 passwords per second. Table 1 shows the time required for
crack-ing passwords with length N using the basic Oracle character set
and by trying allpossible session keys. For probability P, value 0.5
is set (meaning that fully ran-dom passwords are used):For a password
with length N = 8, the size of the keyspace is 3.57·1012. Thisis more
than 5 million times smaller than the original 264. It is likely that
cracking arandom password will take about 41 days. The use of nonrandom
passwords - likewords from the dictionary or permutations of
dictionary words - might speed upthe process even more; the keyspace
of the entire Oxford English Dictionary[15] is’just’ about 5.9 ·
107which, at 500.000 tries/second, can be fully checked within
2minutes. Using a cluster of 50 PCs, cracking of any password with
length N = 8can be done within a day.12
Page 13
Nkeyspace (23· 39N) P = 0.5hoursdays12.60 · 1011.30 · 1010.000.0021.01
· 1025.07 · 1020.000.0033.95 · 1041.98 · 1040.000.0041.54 · 1057.71 ·
1050.000.0056.01 · 1073.01 · 1070.020.0062.35 · 1091.17 ·
1090.650.0379.15 · 10104.57 · 101025.411.0683.57 · 10121.78 ·
1012991.1141.3091.39 · 10136.96 · 101338653.401610.5610 5.43 ·
10152.71 · 10151507482.6162811.7811 2.12 · 10171.06 ·
101758791821.732449659.2412 8.25 · 10184.13 ·
10182292881047.3395536710.3113 3.22 · 10201.61 ·
102089422360845.833725931701.9114 1.26 · 10226.28 ·
10213487472072987.36 145311336374.47Table 1: time required for
attack2.9 LimitationsAll published information was gathered using an
out-of-the-box Oracle 8i databaseserver. More recent Oracle database
versions show other behavior out-of-the-boxwhen using native Oracle
drivers. However, we have found this attack to be ap-plicable to all
Oracle database versions providing non-Oracle and/or non-nativedrivers
are used to set up a connection. For example, the Oracle JDBC
ThinDriver[16] including version 10g Release 2 forces Oracle 9i and
10g databases tofall back to the mechanism as described in this paper.
Note that this driver is com-monly used in Java based application
servers environments like IBM WebSphere[17],Apache TomCat[18] and BEA
WebLogic[19] for connecting to Oracle databases.It is also known that
it’s possbile to downgrade the Oracle native authenticationtype by
actively injecting packets on the network[20].This attack is therefore
not limited to the investigated Oracle 8i version, but,within
limitations, also applies to other Oracle versions up to and including
10g.3 ConclusionThe cracking of Oracle passwords entered a new era
after publication of the Oraclepassword hashing algorithm on 18
October 2005 by the SANS institute. A newthreat was introduced.
Fortunately, the critical first step of retrieving passwordhashes from
a database can be prevented in simple ways by hardening the
databaseserver and applying strict schemes for access control, which
under normal circum-stances would have been implemented anyway.In this
article a new way of attacking Oracle is introduced using passive techniques.
From a database point of view, it is very difficult if not
impossible to13
Page 14
detect the passive attack: there are many possible points of access to
network traf-fic. Preventing the attack is also quite complex to
accomplish: secure tunneling orport security on switches is required
to prevent an attacker from getting requirednetwork access. To ensure
that it will stay like that, security policies of networkequipment
must be in place to keep eavesdroppers out, total control over the
pathfrom user (endpoint) to data (database) must be enforced. This is
seldom the case.All data used in this paper was gathered using an out-
-the-box Oracle 8idatabase server. More recent Oracle database
versions show other behavior out ofthe box when using native Oracle
drivers. However, this attack is also applicableto other Oracle
database versions when non-Oracle and/or non-native drivers areused to
set up a connection.For both active and passive attacks, the most
important line of defense is thepassword policy. Even if an attacker
obtains password hashes in one way or an-other, an adequate password
policy mitigates the risk of cracked accounts. Usinga non trivial 10
position password attackers might be kept out; it’s too complex tofind
the password in a reasonable amount of time.4 TimelineEnd of 2005 -
PoC codedBeginning of 2006 - Vendor contactedBeginning of 2006 -
Vendor responseSpring of 2007 - *finally* released the article ;)5
Future researchInteresting future research might include questions
such as:• How does the session variable generator of Oracle work? Is
it possible toreduce the keyspace using this knowledge?• What is the
relation between the session key and encryption keys used
forencrypting all client communication?• How can this information be
used to decrypt encrypted (DES, 3DES, AES,RC4) Oracle 8i/9i/10g
network traffic?6 Contributors6.1 AuthorvonJeek is a security
consultant for one of the largest professional services firmsin the
world. He focuses on the technical side of information security,
especiallyon network, Microsoft Windows and database security. vonJeek
has over 5 years14
Page 15
of experience in network security, ethical hacking, host based
security, intrusiondetection and developing security tools.6.2
Technical editorDJ RevMoon is head of consultancy for a global
security firm and has extensiveexperience performing network audits,
penetration tests and other professional se-curity services. He is
author of several tools including THC-amap.■15
Page 16
References[1] “An Assessment of the Oracle Password Hashing
Algorithm”, SANSInstitute,
http://www.sans.org/rr/special/index.php?id=oracle_pass[2]
“Hash function”,Wikipedia, the free encyclopedia,http://
en.wikipedia.org/wiki/Hash_function[3] “Oracle Default Password List”,
Pete Finnigan - Oracle and Oraclesecurity information,
http://www.petefinnigan.com/default/default_password_list.htm[4] “DATA
ENCRYPTION STANDARD (DES)”, FIPS PUB 46-2,
http://www.itl.nist.gov/fipspubs/fip46-2.htm[5]
“DES MODES OF OPERATION”, FIPS PUB 81,
http://www.itl.nist.gov/fipspubs/fip81.htm[6]
“ASCII”, Wikipedia, the free encyclopedia,
http://en.wikipedia.org/wiki/ASCII[7]“Exclusive
or”,Wikipedia, the free encyclopedia,
http://en.wikipedia.org/wiki/
Xor[8]“Oracle Exploits / Exploit”,Red Database Security,
http://www.red-
-security.com/exploits/oracle_exploits.html[9] “Oracle
Advanced Security Administrator’s Guide”, Oracle Corpora-tion,http://
otn.oracle.com/pls/db10g/db10g.to_pdf?pathname=network.
101%2Fb10772.pdf&remark=portal+%28Administration%29[10] “New
Directions in Cryptography”, Martin E. Hellman Home Page,
http://www-ee.stanford.edu/%cb%9chellman/publications/24.pdf[11] “ARP
spoofing”,Wikipedia, the free encyclopedia,
http://en.wikipedia.org/
wiki/ARP_poisoning[12] “Cain & Abel password recovery tool”, oxid.it -
Cain & Abel,
http://www.oxid.it/cain.html[13]“How OSI
Works”,Howstuffworks,
http://computer.howstuffworks.com/osi1.htm[14]
“Exploiting Cisco Routers: Part 1”, SecurityFocus,
http://www.securityfocus.com/infocus/173416
Page 17
[15] “Dictionary facts”, Oxford English Dictionary,
http://www.oed.com/about/facts.html[16]“SQLJ/JDBC Download
Page”,Oracle Technology Network,
http://www.oracle.com/technology/
software/tech/java/sqlj_jdbc/index.html[17] “WepSphere homepage”, IBM
WebSphere Software, http://www.ibm.com/software/websphere/[18] “Apache
Tomcat homepage”,Apache Tomcat,http://tomcat.apache.org/[19]“BEA
WebLogic Product Family”,BEA Systems,http://www.bea.com/framework.jsp?
CNT=index.htm\&FP=/content/products/weblogic/[20]“Downgrading the
Oracle native authentication”,Price WaterhouseCoopers,
http://www.pwc.com/extweb/service.nsf/docid/3AC99308583CCE398025727400391E31/$file/oraauthdg_pub.pdf17
Received on Mon Jul 23 2007 - 14:58:39 CDT