Hole in Oracle Server/Developer 2000 - authentication protocol.

From: Yaron Yanay (yaronyat_private)
Date: Mon Aug 31 1998 - 08:28:26 PDT

Next message: Willy TARREAU: "Re: buffer overflow in nslookup?"

Previous message: Koji: "bug in minicom 1.75 ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--1149512200-660231030-904030551=:2225
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.3.96.980825105102.2225Iat_private>

Hello ,
        I have found out a hole in Oracle Server/Developer 2000 Forms 4.5
(SQL-NET) password authentication protocol.

I tried to find the author with no luck. (I checked www.oracle.com , and
altavista) . It would be nice if there would be "about" window in the
runtime binary. Anyway the "hole" won't let remote access to your machine
so it isn't that serious.

Description of the problem:

The Oracle Web Server has a tool (Developer 2000). The program has an
option for password access to database. The passwords pass over the
SQL-NET.

We (at haifa uni.) run the Oracle server on a unix machine ,and the users
connect to the oracle server using their runtime -"developer 2000-forms
4.5" exec file (called: F45RUN32.EXE) to connect to the server.
They are using password to access the database.

Running a sniffer on the SQL-NET port, shows that:

1) when the username is valid the password is sent encrypted

2) When the username is not valid the password sent in _clear_ , i.e. if
you enter a valid password ,but you misspell your username , the password
will appear in the sniffer as clear text.

3) When the user name is valid the password is sent encrypted , _but_ if
the password is wrong , it sent _again_ in _clean_

So the protocol is:

1) sending username
2) if username is invalid:
        a) send password in clear text
   if username is valid:
        b) send encrypted password.
           if password is incorrect:
                send the password again in _clear text_

I hope this will be fixed soon by the company (if anyone knows how to
notify them, please do).

Yours,
        Yaron.
--
Yaron Yanay. email:yaronyat_private , http://yarony.il.eu.org
Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
Unix Security Supervisor - Computer Center - Haifa University - Israel



--1149512200-660231030-904030551=:2225--

Next message: Willy TARREAU: "Re: buffer overflow in nslookup?"
Previous message: Koji: "bug in minicom 1.75 ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:13 PDT