Date: Mon, 31 Aug 1998 18:28:26 +0300
From: Yaron Yanay <yarony@yarony.il.eu.org>
To: BUGTRAQ@netspace.org
Subject: Hole in Oracle Server/Developer 2000 - authentication protocol.
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--1149512200-660231030-904030551=:2225
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.3.96.980825105102.2225I@vipe.technion.ac.il>
Hello ,
I have found out a hole in Oracle Server/Developer 2000 Forms 4.5
(SQL-NET) password authentication protocol.
I tried to find the author with no luck. (I checked www.oracle.com , and
altavista) . It would be nice if there would be "about" window in the
runtime binary. Anyway the "hole" won't let remote access to your machine
so it isn't that serious.
Description of the problem:
The Oracle Web Server has a tool (Developer 2000). The program has an
option for password access to database. The passwords pass over the
SQL-NET.
We (at haifa uni.) run the Oracle server on a unix machine ,and the users
connect to the oracle server using their runtime -"developer 2000-forms
4.5" exec file (called: F45RUN32.EXE) to connect to the server.
They are using password to access the database.
Running a sniffer on the SQL-NET port, shows that:
1) when the username is valid the password is sent encrypted
2) When the username is not valid the password sent in _clear_ , i.e. if
you enter a valid password ,but you misspell your username , the password
will appear in the sniffer as clear text.
3) When the user name is valid the password is sent encrypted , _but_ if
the password is wrong , it sent _again_ in _clean_
So the protocol is:
1) sending username
2) if username is invalid:
a) send password in clear text
if username is valid:
b) send encrypted password.
if password is incorrect:
send the password again in _clear text_
I hope this will be fixed soon by the company (if anyone knows how to
notify them, please do).
Yours,
Yaron.
--
Yaron Yanay. email:yarony@yarony.il.eu.org , http://yarony.il.eu.org
Chief Teaching Assistant - Computer Security (236350) - Technion CS Department
Unix Security Supervisor - Computer Center - Haifa University - Israel
--1149512200-660231030-904030551=:2225--
