Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "It seems Dizwell has gone, come back (maybe) and gone again"] [Next entry: "A good blog to watch for Oracle internals and hard to find info"]

Stealing Oracle passwords from the wire

I see that David Litchfield has posted a note on freelists titled "Re: Sniffing Oracle authentications" that describes the Oracle authentication mechanism and the fact that if you know the Oracle password hash then its possible to sniff the session key and wait for the encrypted password to be sent to the server. This means that even 30 character passwords using the complete keyspace are vulnerable to attack. David includes a C program to demonstrate this.

This is a detailed discussion by David of the issue that was first covered by Ian Redfern in a paper titled "Oracle Protocol" that was up on the Logica site for a while before being pulled but the web archive has a copy. The example Perl program linked in this paper was there on the web archive for quite some time but this has now gone as well. The Perl program gave an example of how this protocol worked and hinted at this issue. I found the link via Peter K's blog where he also mentions that Paul Wright now has an Oracle security blog. I have added a link to his blog in my Oracle blogs aggregator.