Archive for Juni, 2007

Oracle CPUs and problems on some platforms

Donnerstag, Juni 14th, 2007

During our security training we found an interesting forum entry (CPU Oct 2006 Problem) in Oracle Metalink. It seems that a portscan with nmap on AIX 5.2, OAS CPUOCT06 causes a denial of service problem on port 443 (HTTPS). It’s not clear if this problem affects all platforms because nobody answered the forum entry.
Normally it is a good idea to apply CPUs as soon but sometimes new bugs are introduced. Often these problems are specific to a special platform. Another example of a bug which was introduced by the CPUOct2006, CPUJan2007 and CPUApr2007 was a rman problem on Windows 32 bit (Rman fails to restore in with CPU patch installed on Windows platform).

Before applying a patch on a production system you should always perform tests.

Oracle Password Sniffer THC Orakel

Montag, Juni 4th, 2007
Last week VonJeek from the hacker group THC posted a nice tool and whitepaper
about Oracle Password Security. VonJeek describes how to attack the Oracle password
from sniffed network traffic (USERNAME, SESSION_ENCRYPTED and PASSWORD_ENCRYPTED).
At the moment the THC website is not available.
THC presents a crypto paper analyzing the database authentication mechansim
used by oracle. THC further releases practical tools to sniff and crack the
password of an oracle database within seconds.
It is a nice paper and THC-Orakel is a nice tool, even if some of the statements
in the paper are not correct (e.g. page 10: "a password must start with a character"
no it can also start with a number or page 13: "The cracking of Oracle passwords
entered a new era after publication of the Oracle password hashing algorithm on
18 October 2005 by the SANS institute" -  JoshWright from SANS only collected
public available information like the Oracle Password algorithm and created a summary
paper. The Oracle password algorithm and oracle password tools like checkpwd were
available since years, e.g. here).
THC Orakel