Bugtraq mailing list archives

Hole in Oracle Server/Developer 2000 - authentication protocol.

From: yarony () yarony il eu org (Yaron Yanay)
Date: Mon, 31 Aug 1998 18:28:26 +0300


  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime () docserver cac washington edu for more info.

--1149512200-660231030-904030551=:2225
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.3.96.980825105102.2225I () vipe technion ac il>

Hello ,
        I have found out a hole in Oracle Server/Developer 2000 Forms 4.5
(SQL-NET) password authentication protocol.

I tried to find the author with no luck. (I checked www.oracle.com , and
altavista) . It would be nice if there would be "about" window in the
runtime binary. Anyway the "hole" won't let remote access to your machine
so it isn't that serious.

Description of the problem:

The Oracle Web Server has a tool (Developer 2000). The program has an
option for password access to database. The passwords pass over the
SQL-NET.

We (at haifa uni.) run the Oracle server on a unix machine ,and the users
connect to the oracle server using their runtime -"developer 2000-forms
4.5" exec file (called: F45RUN32.EXE) to connect to the server.
They are using password to access the database.

Running a sniffer on the SQL-NET port, shows that:

1) when the username is valid the password is sent encrypted

2) When the username is not valid the password sent in _clear_ , i.e. if
you enter a valid password ,but you misspell your username , the password
will appear in the sniffer as clear text.

3) When the user name is valid the password is sent encrypted , _but_ if
the password is wrong , it sent _again_ in _clean_

So the protocol is:

1) sending username
2) if username is invalid:
        a) send password in clear text
   if username is valid:
        b) send encrypted password.
           if password is incorrect:
                send the password again in _clear text_

I hope this will be fixed soon by the company (if anyone knows how to
notify them, please do).

Yours,
        Yaron.
--
Yaron Yanay. email:yarony () yarony il eu org , http://yarony.il.eu.org
Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
Unix Security Supervisor - Computer Center - Haifa University - Israel



--1149512200-660231030-904030551=:2225--

Current thread:

Re: FreeBSD's RST validation, (continued)
- - - Re: FreeBSD's RST validation Tristan Horn (Aug 30)
    - port scanning. (fwd) Darren Reed (Aug 31)
    - Re: FreeBSD's RST validation Andrey Alekseyev (Aug 31)
    - Re: FreeBSD's RST validation Diane Bruce (Aug 30)
    - Re: FreeBSD's RST validation Oliver Friedrichs (Aug 31)
    - SEYON vulnerability in TurboLinux 2.0 Scott Stone (Aug 30)
    - Re: buffer overflow in nslookup? www.devoid.net (Aug 30)
    - Re: buffer overflow in nslookup? Benjamin J Stassart (Aug 30)
    - Re: buffer overflow in nslookup? Theo de Raadt (Aug 31)
    - Re: buffer overflow in nslookup? Uwe Ohse (Aug 31)
    - Hole in Oracle Server/Developer 2000 - authentication protocol. Yaron Yanay (Aug 31)
    - Re: buffer overflow in nslookup? Willy TARREAU (Aug 31)
- PTL Advisory: NetManage ZPOP v1.0 ekiM (Aug 25)
- Administrivia Aleph One (Aug 25)
- SV: Serious Security Hole in Hotmail Jonathan James (Aug 25)