COMMAND
Oracle (authentication protocol)
SYSTEMS AFFECTED
Oracle Server/Developer 2000
PROBLEM
Yaron Yanay found a hole in the Oracle Server/Developer 2000 Forms
4.5 (SQL*Net) password authentication protocol. The Oracle Web
Server ships with a tool (Developer 2000) that has an option for
password access to the database; the passwords pass over SQL*Net.
In the tested environment the Oracle server ran on a Unix machine,
and users connected to it with their runtime "Developer 2000 Forms
4.5" executable (F45RUN32.EXE), using a password to access the
database. Running a sniffer on the SQL*Net port shows that:
1) When the username is valid, the password is sent encrypted.
2) When the username is not valid, the password is sent in _clear_
   text, i.e. if you enter a valid password but misspell your
   username, the password appears in the sniffer as clear text.
3) When the username is valid the password is sent encrypted,
   _but_ if the password is wrong it is sent _again_, in _clear_ text.
So the protocol is:
1) Send the username.
2) If the username is invalid:
   a) send the password in clear text.
   If the username is valid:
   b) send the encrypted password;
      if the password is incorrect, send the password again in
      _clear text_.
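The following is an added model of the exchange just described, not code from the advisory or from Oracle. It abstracts the SQL*Net messages as small dictionaries (the real wire encoding is not reproduced), uses a constructed credential store and a placeholder `protect()` transform for the "encrypted" password form, and adds a `cleartext_exposures()` check of the kind a sniffer-based monitor would apply. It also models the hardened configuration from the SOLUTION section (no plaintext fallback) beside the weak, legacy-compatible one.

```python
"""Model of the Developer 2000 / SQL*Net password fallback behaviour.

Constructed example: message dicts stand in for SQL*Net packets, the
credential store and salt are made up, and protect() is a placeholder
for the encrypted password form. Only the fallback logic from the
advisory is reproduced.
"""
import hashlib
from typing import Dict, List, Tuple

USERS: Dict[str, str] = {"scott": "tiger"}   # constructed credential store
SALT = "constructed-salt"                     # constructed, not Oracle's scheme

Message = Dict[str, str]
Transcript = List[Tuple[str, Message]]


def protect(password: str) -> str:
    """Placeholder for the 'encrypted' password form seen on the wire."""
    return hashlib.sha256((SALT + password).encode()).hexdigest()


def server_step(msg: Message, accept_clear: bool) -> Message:
    """Server side of one round trip. accept_clear=True models the
    legacy-compatible setting a trained DBA is expected to turn off."""
    if msg["type"] == "username":
        return {"type": "user_ok" if msg["value"] in USERS else "user_unknown"}
    if msg["type"] == "password":
        if msg["encoding"] == "clear" and not accept_clear:
            return {"type": "auth_fail", "reason": "plaintext disabled"}
        expected = USERS.get(msg["user"])
        if expected is None:
            return {"type": "auth_fail", "reason": "unknown user"}
        if msg["encoding"] == "clear":
            ok = msg["value"] == expected
        else:
            ok = msg["value"] == protect(expected)
        return {"type": "auth_ok" if ok else "auth_fail",
                "reason": "" if ok else "bad password"}
    return {"type": "error", "reason": "unexpected message"}


def run_login(user: str, password: str, client_fallback: bool,
              server_accepts_clear: bool) -> Tuple[bool, Transcript]:
    """Client side, following the advisory's steps 1) and 2):
    username first; clear-text fallback on unknown user or on a
    rejected encrypted password when client_fallback is enabled."""
    transcript: Transcript = []

    def send(msg: Message) -> Message:
        transcript.append(("C->S", msg))
        reply = server_step(msg, server_accepts_clear)
        transcript.append(("S->C", reply))
        return reply

    reply = send({"type": "username", "value": user})
    if reply["type"] == "user_unknown":
        if client_fallback:   # step 2a: password goes out in the clear
            send({"type": "password", "user": user,
                  "encoding": "clear", "value": password})
        return False, transcript

    reply = send({"type": "password", "user": user,      # step 2b
                  "encoding": "encrypted", "value": protect(password)})
    if reply["type"] == "auth_ok":
        return True, transcript
    if client_fallback:       # wrong password: resent in clear text
        reply = send({"type": "password", "user": user,
                      "encoding": "clear", "value": password})
        return reply["type"] == "auth_ok", transcript
    return False, transcript


def cleartext_exposures(transcript: Transcript) -> List[str]:
    """What a sniffer on the SQL*Net port would recover: every password
    value the client put on the wire unprotected."""
    return [m["value"] for direction, m in transcript
            if direction == "C->S" and m["type"] == "password"
            and m["encoding"] == "clear"]


if __name__ == "__main__":
    for label, args in [("valid login", ("scott", "tiger", True, True)),
                        ("misspelled user", ("scot", "tiger", True, True)),
                        ("wrong password", ("scott", "wrongpw", True, True)),
                        ("hardened, misspelled", ("scot", "tiger", False, False))]:
        ok, t = run_login(*args)
        print(f"{label:22} auth={ok!s:5} exposed={cleartext_exposures(t)}")
```

In the weak configuration the model reproduces both observations: a typo in the username or a wrong password puts the real password on the wire even though the login fails. Note that in the model the exposure comes from the client's fallback, so disabling plaintext acceptance only on the server still leaves the password visible to a sniffer; the fix has to remove the fallback on the client side as well, which is what "not support plaintext passwords" has to mean in practice.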
SOLUTION
This behaviour is exactly as defined in "Understanding SQL*Net",
Oracle documentation part number A42484-1. The reason given is that
when talking with older SQL*Net servers the password was passed in
the clear; newer SQL*Net servers understand encrypted passwords.
Properly configured SQL*Net networks set up by a trained DBA will
never leave unencrypted password transmission enabled in the
Oracle Network Manager software. The reason the password is also
sent in clear text is to support "operating system authenticated
logins", where the password is usually "/". Sites should configure
their Oracle installations not to support plaintext passwords.