Bugtraq mailing list archives
Hole in Oracle Server/Developer 2000 - authentication protocol.
From: yarony () yarony il eu org (Yaron Yanay)
Date: Mon, 31 Aug 1998 18:28:26 +0300
Hello,

I have found out a hole in Oracle Server/Developer 2000 Forms 4.5 (SQL-NET) password authentication protocol. I tried to find the author with no luck. (I checked www.oracle.com, and altavista.) It would be nice if there would be an "about" window in the runtime binary.

Anyway, the "hole" won't let remote access to your machine, so it isn't that serious.

Description of the problem:

The Oracle Web Server has a tool (Developer 2000). The program has an option for password access to the database. The passwords pass over the SQL-NET.

We (at Haifa Uni.) run the Oracle server on a Unix machine, and the users connect to the Oracle server using their runtime "developer 2000-forms 4.5" exec file (called: F45RUN32.EXE). They are using a password to access the database.

Running a sniffer on the SQL-NET port shows that:

1) When the username is valid, the password is sent encrypted.
2) When the username is not valid, the password is sent in _clear_, i.e. if you enter a valid password but you misspell your username, the password will appear in the sniffer as clear text.
3) When the username is valid, the password is sent encrypted, _but_ if the password is wrong, it is sent _again_ in _clean_.

So the protocol is:

1) sending username
2) if username is invalid:
   a) send password in clear text
   if username is valid:
   b) send encrypted password.
      if password is incorrect: send the password again in _clear text_

I hope this will be fixed soon by the company (if anyone knows how to notify them, please do).

Yours,
Yaron.

--
Yaron Yanay.
email:yarony () yarony il eu org , http://yarony.il.eu.org
Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
Unix Security Supervisor - Computer Center - Haifa University - Israel
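
One way to check a client for the behaviour reported above, as an added example that is not part of the original post: log in with a throwaway canary password in each of the three scenarios and scan the captured client-to-server payloads for it. The capture, its framing bytes, the `scott` account name and the set of encodings tried are constructed assumptions, not the real SQL*Net wire format.

```python
"""Canary check for cleartext password retransmission (added example)."""

CANARY = "Canary-7f3a"  # throwaway password typed by the tester in every scenario

# Constructed capture: (scenario, direction, payload). Framing and keywords are
# invented for illustration and are NOT the real SQL*Net wire format.
CAPTURE = [
    ("invalid username", "c2s", b"\x00\x10USER nosuch"),
    ("invalid username", "c2s", b"\x00\x14PASS Canary-7f3a"),
    ("valid username, wrong password", "c2s", b"\x00\x10USER scott"),
    ("valid username, wrong password", "c2s", b"\x00\x18AUTH \x9c\x11\xe4\x02\x7b\xaa\x05\xd3"),
    ("valid username, wrong password", "s2c", b"\x00\x08DENIED"),
    ("valid username, wrong password", "c2s", b"\x00\x14PASS CANARY-7F3A"),
    ("valid login", "c2s", b"\x00\x10USER scott"),
    ("valid login", "c2s", b"\x00\x18AUTH \x41\xd0\x8e\x33\x19\xf6\x70\x2c"),
    ("valid login", "s2c", b"\x00\x04OK"),
]


def needles(secret):
    """Byte forms a cleartext password might take on the wire (assumed set:
    original, upper and lower case, each as ASCII and as UTF-16LE)."""
    forms = set()
    for text in (secret, secret.upper(), secret.lower()):
        forms.add(text.encode("ascii"))
        forms.add(text.encode("utf-16-le"))
    return forms


def find_leaks(capture, secret):
    """Map scenario -> indexes of client packets that carry the secret in clear."""
    patterns = needles(secret)
    leaks = {}
    for idx, (scenario, direction, payload) in enumerate(capture):
        if direction == "c2s" and any(p in payload for p in patterns):
            leaks.setdefault(scenario, []).append(idx)
    return leaks


def report(capture, secret):
    """Verdict per scenario, in capture order, including scenarios with no leak."""
    leaks = find_leaks(capture, secret)
    scenarios = dict.fromkeys(s for s, _, _ in capture)
    return {s: leaks.get(s, []) for s in scenarios}


if __name__ == "__main__":
    for scenario, packets in report(CAPTURE, CANARY).items():
        verdict = f"CLEARTEXT in packets {packets}" if packets else "not seen in clear"
        print(f"{scenario:32} {verdict}")
```

A scenario with an empty packet list only means the canary was not seen in the encodings tried; it says nothing about the strength of whatever encryption the client applies.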