Oracle database authentication protocol vulnerability opens door for brute-force attack

Oracle database authentication protocol vulnerability opens door for brute-force attack

Computer Security

A serious vulnerability in the authentication protocol used by some Oracle databases is detected by a Researcher with Appsec tomorrow. The backdoor enables hackers to perform the brute force attack similar to the SHA1 password hack.

The authentication process currently used by Oracle databases - contacts the database server to get the session key back to the client, along with a salt. The vulnerability enables a hacker to link a specific session key with a  specific password hash.

The Researcher Esteban Martinez Fayo will demonstrate a proff-of-concept attack. Martinez first reported the bug in the Oracle database back in May 2010. Oracle did a great job fixing it in their next version, but left the current/previous version without the patch or other updates to get it fixed.

But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable. Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1

Once the attacjer has a Session Key and a salt, the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct on is found. This is very similar to a SHA-1 password hash cracking. Rainbow tables can't be used becayse there is a salt ussed for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient

If the vulnerability is widely deployed it is sure a one heck of the problem for IT firms and other services relying on oracle database. The oracle developers team should consider it as a dangerous backdoor which can put millions on passwords ready for the hackers to sneak upon.

Leave your comments

Post comment as a guest

0 Character restriction
Your text should be more than 5 characters
  • No comments found


Live Giveaway

Winner #Xiaomi Mi Headphone Giveaway

winner mi headphone

Sign up via our free email subscription service to receive notifications when new information is available.


Guest - Anonymous
It is made in China.

If you want to buy a power bank, I would suggest you buy Xiaomi Mi 20,000 m...
Guest - Thomas Garner
is it Indian made or Chinese and 1399 is bit high compared to below power bank under latestone
Everyone must have heard of Snapdragon, and also the exynos, but who knew mediatek has a deca-core s...
Now the true battle between power, computation and efficiency will start, as soon as the phones with...

DO Proudly Hosted Badge Blue