January 25, 2007

Sniffing RDBMS authentications: Oracle case

Back when I was trying to learn the basic concepts of Oracle, I was always curious about the authentication process and the way Oracle handles it. My background in the authentication mechanisms of MS-SQL, MySQL and DB2 was not much use, since Oracle uses its own proprietary remote authentication mechanism. The other RDBMS systems have their specific mechanisms too, but none of them is as complex as Oracle's implementation. As you may already know, MS-SQL simply puts a hash of the password into the TDS protocol and sends it over the network. Since TDS is a clear-text protocol, all you have to do is grab the hash values out of the authentication packets, decode them and feed the hex value to your password cracker. In the MySQL case, all you have to do is extract the SHA/MD5 hash values out of the packets exchanged during authentication between MySQL and the client. Again, the hard part is cracking the hash, which is not what I am going to talk about. CAIN is one of tens of tools out there for playing with MS-SQL or MySQL. Finally, in the DB2 case we are dealing only with a simple trick. DB2 does not actually transfer any hash value; instead it encodes the packets transmitted during the authentication process with the EBCDIC standard rather than ASCII encoding. This simple trick wasted many hours of my time while I tried to figure out what these values were that DB2 sends in the middle of authentication. After I finally discovered that it is simply just another encoding, used in the middle of ASCII-encoded data, I felt dumb looking at the hex values of the clear-text username and password in the packet! I am not sure how many people have been tricked this way, but Litchfield demystified it very well in chapter 6 of "The Database Hacker's Handbook". Of course I could not wait more than two years in the middle of my tests for somebody to publish a book about the topic!
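To see why an ASCII-only look at such a capture is misleading, here is an added example (not code from the original post) that extracts printable runs from a buffer under two interpretations, ASCII and EBCDIC. It assumes the EBCDIC code page 037 (Python's `cp037`), and the sample buffer is constructed for illustration, not a real DRDA packet layout.

```python
# Added example: an EBCDIC-aware "strings" for reviewing DB2 traffic.
# Assumes EBCDIC code page 037 (cp037); the sample buffer is constructed.
import string

# Printable ASCII characters as the target alphabet for both interpretations.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def printable_runs(data: bytes, encoding: str, min_len: int = 4) -> list[str]:
    """Return runs of at least `min_len` printable characters when `data`
    is interpreted byte-by-byte in `encoding` (like `strings`, but the
    single-byte codec is selectable, so EBCDIC text is not missed)."""
    runs, current = [], []
    for b in data:
        ch = bytes([b]).decode(encoding, errors="replace")
        if ch in PRINTABLE:
            current.append(ch)
        else:
            if len(current) >= min_len:
                runs.append("".join(current))
            current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def build_sample() -> bytes:
    """Constructed stand-in for a DB2-style exchange: an ASCII field followed
    by EBCDIC-encoded user name and password fields, separated by a few
    binary bytes. Hypothetical credentials, not a real DRDA layout."""
    return (b"\x00\x10" + b"DRDA-ascii-part"
            + b"\x00\x06" + "dbuser".encode("cp037")      # hypothetical user
            + b"\x00\x08" + "secretpw".encode("cp037")    # hypothetical password
            + b"\x00")


def compare_views(data: bytes) -> dict[str, list[str]]:
    """Show what an ASCII tool sees versus what an EBCDIC-aware one sees."""
    return {"ascii": printable_runs(data, "ascii"),
            "cp037": printable_runs(data, "cp037")}


if __name__ == "__main__":
    for enc, runs in compare_views(build_sample()).items():
        print(f"{enc:>5}: {runs}")
```

The ASCII view reports only the ASCII field, while the cp037 view reveals the two credential fields; running the same check against your own captures is a quick way to confirm that a DB2 connection really is encrypted rather than merely EBCDIC-encoded.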
Back to our subject: we see that sniffing RDBMS authentications and dumping users and passwords from network traffic is, in most cases, just a matter of identifying the clear-text or hash value of the passwords. In Oracle, however, this process is a bit more complex due to the mechanism used. While playing with Oracle and trying to figure out how it transmits passwords over the network, I noticed that Oracle strangely switches the connection to a high port and continues the process there. Again, nothing was in clear text, nor in a usual manner. Checking public resources and Oracle documentation could not help, since Oracle seems to have decided not to release any information about it. After multiple attempts to query public lists for an answer, nothing leaked out, until the DBSec mailing list was founded by NGSSoftware researchers led by D. Litchfield. I shot my old question to this new list again, and wow, after a while I finally had the answer. David's answer is clear enough, so I am not going to rewrite it here, but any questions are welcome. What he replied to me is actually part of his upcoming book, which will be available at the end of this month. This post to the mailing list was later mentioned in NGSSoftware's new paper about Oracle passwords, and now it seems to be the only FAQ about the topic on the net, so I decided to mention it here again.
Of course this is not the ultimate answer (although it solves the mystery), but the information and PoC provided are enough for developing the first Oracle password sniffer, which is my plan for the future. Referring to my past blog post, Oracle servers are considered the heart of most of the targets we may face in an assessment or penetration test. While playing with a server running any version of Oracle, you can be sure that even a strictly limited user will lead to full compromise of the server and its information, and that is why we have called Oracle the "Enterprise-Bug" before this ;)
Btw, Litchfield's new book on Oracle security will be out in a few days. Have you pre-ordered it? :)

[updated 01 February 2007]

I noticed that this topic has been covered somewhere else, before D. Litchfield discussed it in detail. Pete Finnigan has updated his blog, and there you can find more about the first real discussion of this topic. However, in the old paper mentioned by Finnigan there are no details focused on password stealing. It seems this has been an old known flaw in the Oracle protocol, which was researched more in depth by Litchfield.
