Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "David Litchfield announces Open Software Database forensics toolkit"] [Next entry: "Valid node checking as a simple free firewall for the database"]

Another new paper on Oracle password cracking



Alex has posted today about a new tool from THC in a post titled "Oracle password sniffer THC Orakel". As Alex points out there are a few mistakes in the paper. The most glaring is that the SANS paper by Josh Wright and Carlos Cid did not reveal the Oracle password algorithm first. The first release was in 1993 in a paper by Bob Baldwin the original author. The proper algorithm was released on August 11th by a poster to comp.databases.oracle.server and then a whole swath of C based tools appeared. In terms of sniffing AUTH_SESSION and AUTH_PASSWORD and attacking the password this has also been shown a number of times by Laszlo Toth, David Litchfield and more. The papers by Laszlo are the most interesting as he doesnt stop at release 8i and Java drivers. Also Laszlo and David show how to downgrade a session in their papers. The first person (probably) was Ian Redfern to document the authentication protocol in a long since disapeared paper. There is a copy on Paul Wrights site though.

There are also some great tools with the paper - OrakleCrypt and OrakleSniffert and a Java Oracle client. Download the zip and you get the paper as well. Have a look!