An Assessment of the Oracle Password Hashing Algorithm
Handler Joshua Wright and Dr. Carlos Cid from the Information Security Group at the Royal Holloway, University of London have published a paper describing the inner workings and vulnerabilities in the Oracle password hashing algorithm. A copy of the paper is available through the SANS Reading Room at http://www.sans.org/rr/special/index.php?id=oracle_pass.

The authors' findings indicate that the password hashing algorithm is weak and subject to a number of attacks. If an attacker is able to obtain Oracle password hash information from a compromised system, through traffic sniffing, SQL injection or other attack vectors, they will likely be able to recover plaintext passwords with few resources, even when strong passwords are selected. The paper also recommends several actions Oracle DBAs can take to help mitigate this threat.

The SANS Institute contacted the Oracle product security team about these findings on 7/12/2005. Subsequent requests for clarification on what Oracle plans to do to address these vulnerabilities have gone unanswered. Oracle customers are encouraged to communicate their desire to resolve these vulnerabilities through the appropriate channels.

Johannes, ISC Handler
