4.4. Account Enumeration and Brute Force

As you saw earlier, when a user attempts to authenticate to the database server, it issues a challenge — a session key with which to encrypt the password. This only happens if the account actually exists and so it is possible to enumerate accounts in a database server. For example, let's say we wanted to determine whether an account called "HELPDESK" exists. For this we can simply attempt to log on to the server — if the server issues you a challenge, then the account exists. If no challenge is issued, then the account does not exist. While this is only an informational issue it leaks enough information to make brute-force login attempts on accounts other than SYS and SYSTEM more feasible by way of letting the attacker know whether the account exists or not. Brute-force login attempts can be defeated with account lockout and by ensuring that strong passwords are used — see the chapter on "Securing Oracle" in the Database Hacker's Handbook for more information on how to enable this. In lab tests with an optimized brute-force tool, it's possible to perform c. 10 login attempts per second.
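Because the challenge-or-no-challenge behaviour makes enumeration cheap and the book's own figure for an optimised tool is about 10 attempts per second, the defensive counterpart is to watch failed-logon audit records for exactly that shape: many failures from one client in a short window, spread across many usernames. The detector below is an added example and is not code from the book or from Oracle; it assumes session auditing is on (`AUDIT SESSION WHENEVER NOT SUCCESSFUL`) and consumes rows shaped like `DBA_AUDIT_SESSION` (timestamp, username, OS host, return code). The sample rows are constructed, not real audit data, and the thresholds are illustrative assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Oracle error codes as they appear in DBA_AUDIT_SESSION.RETURNCODE
# once AUDIT SESSION WHENEVER NOT SUCCESSFUL is enabled.
ORA_INVALID_LOGON = 1017    # ORA-01017: invalid username/password
ORA_ACCOUNT_LOCKED = 28000  # ORA-28000: the account is locked
FAILURE_CODES = {ORA_INVALID_LOGON, ORA_ACCOUNT_LOCKED}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample rows: (timestamp, username, os_host, returncode).
SAMPLE_EVENTS = [
    # A user mistypes a password once and then succeeds: benign.
    (_t("2024-01-10 09:00:00"), "SCOTT", "wks-17", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:00:04"), "SCOTT", "wks-17", 0),
    # An application retrying one account a few times: benign.
    (_t("2024-01-10 09:10:00"), "APPUSER", "app-srv-2", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:10:03"), "APPUSER", "app-srv-2", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:10:06"), "APPUSER", "app-srv-2", ORA_INVALID_LOGON),
    # A burst from one host: ten failures in two seconds across six accounts,
    # one of which is already locked (ORA-28000 is only returned for real accounts).
    (_t("2024-01-10 09:05:00"), "HELPDESK", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:00"), "APPUSER", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:00"), "BACKUP", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:00"), "REPORTS", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:01"), "DBSNMP", "lab-scanner", ORA_ACCOUNT_LOCKED),
    (_t("2024-01-10 09:05:01"), "OUTLN", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:01"), "HELPDESK", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:01"), "APPUSER", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:02"), "BACKUP", "lab-scanner", ORA_INVALID_LOGON),
    (_t("2024-01-10 09:05:02"), "REPORTS", "lab-scanner", ORA_INVALID_LOGON),
]


def detect_login_bursts(events, window_seconds=10, max_failures=8, max_distinct_users=4):
    """Return one alert per OS host whose failed logons, within any sliding
    window of `window_seconds`, reach `max_failures` attempts or touch
    `max_distinct_users` different usernames (the enumeration signature).
    Thresholds are assumed defaults, not Oracle or book recommendations."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ts, user, host, rc in events:
        if rc in FAILURE_CODES:          # successful logons are ignored
            by_host[host].append((ts, user, rc))

    alerts = []
    for host, rows in by_host.items():
        rows.sort()                      # audit rows may arrive out of order
        recent = deque()
        peak_failures, peak_users = 0, set()
        for row in rows:
            recent.append(row)
            # Drop rows that have fallen out of the window ending at this row.
            while recent and row[0] - recent[0][0] > window:
                recent.popleft()
            peak_failures = max(peak_failures, len(recent))
            users = {u for _, u, _ in recent}
            if len(users) > len(peak_users):
                peak_users = users
        if peak_failures >= max_failures or len(peak_users) >= max_distinct_users:
            alerts.append({
                "host": host,
                "failures": peak_failures,
                "distinct_users": sorted(peak_users),
                "locked_hits": sum(1 for _, _, rc in rows if rc == ORA_ACCOUNT_LOCKED),
                "first": rows[0][0],
                "last": rows[-1][0],
            })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_EVENTS):
        print(alert)
```

Two points in the output matter to an analyst: the distinct-username count separates enumeration from an application retrying one credential, and the `locked_hits` field is worth surfacing because ORA-28000 only comes back for accounts that exist, so lockouts inside a burst confirm the enumeration worked even though the logon failed. With account lockout configured, the same burst also shows up as a wave of locked accounts, which is the trade-off the book's "Securing Oracle" chapter asks you to weigh against the brute-force risk.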

4.4.1. Long Username Buffer Overflows

In February 2003, Mark Litchfield discovered that all versions of Oracle (9iR2 and earlier) on all OSes were vulnerable to a buffer overflow flaw in the authentication process. By passing an overly long username when logging on, the username is copied to a stack-based buffer that overflows, overwriting critical program ...
