THC presents a crypto paper analyzing the database authentication mechanism used by Oracle. THC further releases practical tools to sniff and crack the password of an Oracle database within seconds.
One of the network authentication modes used by Oracle databases relies on a weak key exchange mechanism. This mechanism is still used on the newest database versions when Oracle's Java drivers are used. For native Oracle drivers, an attack is known that downgrades the authentication mode to the vulnerable version. The orakelsniffert article documents the mechanism used by the weak authentication mode, the complexity and impact of the attack, and an example of an attack in the field. A Windows-based cracker and a simple Java-based client application are included to verify the results. A supporting crypto utility is also released.
http://www.thc.org/thc-orakel/