COMMAND

    Oracle (authentication protocol)

SYSTEMS AFFECTED

    Oracle Server/Developer 2000

PROBLEM

    Yaron Yanay found out a hole in Oracle Server/Developer 2000 Forms
    4.5 (SQL-NET)  password authentication  protocol.   The Oracle Web
    Server has a tool (Developer 2000). The program has an option  for
    password access to database. The passwords pass over the SQL-NET.

    In tested enviroment Oracle server was on a unix machine, and  the
    users connect to the oracle server using their runtime -"developer
    2000-forms 4.5" exec file (called: F45RUN32.EXE) to connect to the
    server.  They are using password to access the database.   Running
    a sniffer on the SQL-NET port, shows that:

        1) when the username is valid the password is sent encrypted
        2) When the username is not valid the password sent in _clear_
           i.e. if you enter a  valid password ,but you misspell  your
           username , the password will appear in the sniffer as clear
           text.
        3) When the user name is valid the password is sent encrypted,
           _but_ if the password is wrong , it sent _again_ in _clean_

    So the protocol is:

        1) sending username
        2) if username is invalid:
                a) send password in clear text
           if username is valid:
                b) send encrypted password.
                   if password is incorrect:
                        send the password again in _clear text_

SOLUTION

    This behaviour  is exactly  as defined  in "Understanding SQL*Net"
    Oracle documentation part number  A42484-1.  The reason  given, is
    when talking with older SQL*Net servers the password was passed in
    the clear.  Newer SQL*Net servers understand encrypted  passwords.
    Properly configured SQL*Net  networks done by  a trained DBA  will
    never  leave  unencrypted  password  transmission  enabled  in the
    Oracle Network Manager software.   The reason why the password  is
    sent in clear text  is to support "operating  system authenticated
    logins".   Usually the  password is  "/" in  this case.  Configure
    their Oracle installations to not support plaintext passwords.