Oracle Password Hashing Algorithm Weaknesses and Vulnerability

Press Announcement - Contact press@sans.org for further information

Joshua Wright, a researcher at SANS released details tonight of the Oracle password hashing algorithm at the SANS Network Security conference in Los Angeles. As part of his presentation, Wright demonstrated an attack tool he wrote that makes it possible to recover the plaintext password from even very strong, well written passwords within minutes.

Dr. Carlos Cid from the Royal Holloway, University of London and Joshua Wright wrote a paper titled "An Assessment of the Oracle Password Hashing Algorithm", which details how passwords are encrypted before being stored in Oracle databases. Starting tonight, the paper is available from the SANS Reading Room, Special Papers collection: http://www.sans.org/rr/special.php.

Oracle databases are widely recognized as one of the most popular repositories for the world's information. The paper discusses the previously undisclosed technique Oracle uses to store and encrypt user passwords in the database, highlighting the weaknesses in the password handling and encryption algorithm. It also examines how an attacker could exploit weaknesses in the authentication algorithm to reveal confidential password information, and examines techniques administrators can use to protect Oracle databases from attack.

In order for an attacker to abuse the weaknesses described in this paper, they need to have knowledge of the password hash for an Oracle database user. Obtaining this information can be done in a number of different ways, requiring access to the system or another attack vector (such as SQL injection, or access to the host operating system, or backup tapes, etc).

The Oracle product security team was contacted about this vulnerability on July 12, 2005.

About John Wright:Over the past 10 years, Joshua has consulted with Fortune 500 companies, federal agencies and educational institutions on issues relating to information security. He regularly presents at conferences on issues relating to wireless security, and is currently working with several wireless LAN vendors on how attackers exploit weaknesses in wireless networks and associated protocols. Joshua serves as the deputy directory of training for the SANS Institute and is the author of several papers on wireless security and intrusion analysis, and the co-author of "Securing Cisco Routers: Step-by-Step".

About SANS: SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - Internet Storm Center.