The vulnerability ended up patched, but that is not the end of the problem as more details are available on vulnerabilities in the authentication protocol of Oracle’s database originally discovered in 2010.
Esteban Martinez Fayó a researcher from security specialist AppSec, said while Oracle closed the original hole with the 184.108.40.206 patch set, which introduced the new version 12 of the protocol in mid-2011, there has been no fix for versions 11.1 and 11.2 of the database because the update never went into any of Oracle’s regular “critical patch updates.”
The researcher said during the ekoparty Security Conference in Buenos Aires unless administrators activate the new protocol manually, the database will continue to use the vulnerable version 11.2 protocol.
When a log-in attempt occurs, the database server initially sends a session key and the salt value of the password hash, Fayó said. Attackers only require the name of a user and that of a database file; they can then abort communication with the server and launch a brute-force attack on the password offline. This method does not cause any failed log-in attempts to record in the log files.
According to the researcher, the undisclosed security hole allows attackers to make a connection between the user’s session key and password hash. Fayó said the random salt value should make brute-force attacks on this hash very difficult because it doesn’t allow attackers to use rainbow tables.
He said although an attacker can’t use these tables in this attack, the hacker could crack the passwords using special hardware, such as GPUs, and hybrid dictionaries.
The researcher noted it is also possible to use cloud services. To crack a password, attackers will try out random character combinations until they find one that matches the hash of a given value. Once they have a match, it is highly likely they have found the right password.