Friday, November 17, 2017

Oracle Database – Stealth password cracking exploit

An exploit has been found in Oracle's login system. It allows attackers to crack users' passwords and gain access to sensitive information without authorization.

The issue has been named the “Oracle stealth password cracking vulnerability” by the researcher who found it. Its root is a session key that Oracle Database 11g Releases 1 and 2 send to users each time they try to log in, according to a study released Thursday by Threatpost. This key leaks data about a cryptographic key used to hash the plain text data. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods.

Proof-of-concept (POC) code exploiting the weakness can crack an eight-character alphabetic password in roughly five hours utilizing standard CPUs.

Oracle’s repair for the fault is essentially a new but incompatible variant of the protocol that leaves the current version still open to attack.

“Oracle has been very quiet about the fault,” says Alex Rothacker, manager of security research for AppSec’s TeamSHATTER. “The only comment from them was a paragraph about a new protocol fixing some security issues. They haven’t said anything that made people aware to update the database and all of the database clients.”
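Because the fix is a new protocol version and the old one stays open until the database and every client are moved over, a defender-side check is to audit each host's `sqlnet.ora`. The following is an added example, not code from the article or from Oracle. It assumes the new protocol is required by setting `SQLNET.ALLOWED_LOGON_VERSION=12`, and that an unset value still accepts the older protocol; host names and file contents are constructed.

```python
import re

# Assumption (not stated in the article): the newer logon protocol is enforced
# with SQLNET.ALLOWED_LOGON_VERSION=12 in sqlnet.ora on the server and clients.
PARAM = re.compile(r"^\s*SQLNET\.ALLOWED_LOGON_VERSION\s*=\s*(\d+)", re.I)
REQUIRED = 12


def allowed_logon_version(sqlnet_text):
    """Return the lowest configured logon version, or None if unset."""
    values = []
    for line in sqlnet_text.splitlines():
        if line.lstrip().startswith("#"):      # commented-out setting
            continue
        m = PARAM.match(line)
        if m:
            values.append(int(m.group(1)))
    # If set more than once, report the lowest value (conservative).
    return min(values) if values else None


def audit(configs):
    """Map each host to 'ok', 'unset' or 'too-low (<n>)'."""
    findings = {}
    for host, text in configs.items():
        v = allowed_logon_version(text)
        if v is None:
            findings[host] = "unset"
        elif v < REQUIRED:
            findings[host] = f"too-low ({v})"
        else:
            findings[host] = "ok"
    return findings


# Constructed sample sqlnet.ora contents, one per hypothetical host.
SAMPLE = {
    "db-server": "SQLNET.AUTHENTICATION_SERVICES = (NONE)\n"
                 "SQLNET.ALLOWED_LOGON_VERSION = 12\n",
    "app-client": "# SQLNET.ALLOWED_LOGON_VERSION = 12\n"
                  "NAMES.DIRECTORY_PATH = (TNSNAMES)\n",
    "batch-client": "SQLNET.ALLOWED_LOGON_VERSION=10\n",
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(f"{host}: {finding}")
```

Any host reported as `unset` or `too-low` is one where the older protocol can still be negotiated, which is the gap the quote above describes.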

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing.
