Oracle suffered with serious vulnerability in the authentication protocol used by some Oracle databases. This Flaw enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user's password.





A researcher - Esteban Martinez Fayo, a researcher with AppSec tomorrow will demonstrate a proof-of-concept attack.





Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the 11.2.0.3 patch set, issuing a new version of the protocol. "But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable," Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.

The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash.





There are no overt signs when an outsider has targeted the weakness, and attackers aren't required to have "man-in-the-middle" control of a network to exploit it. "Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can' t be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient."





"I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs."





Because the vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous.