lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <49012C157722E1469846B703E66F6778022755E8@Petunia.il.imperva.com>
Date: Sun, 19 Oct 2008 08:40:42 +0200
From: "Amichai Shulman" <shulman@...erva.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: CVE-2008-2625: Oracle DBMS - Proxy Authentication
	Vulnerability


Oracle DBMS - Proxy Authentication Vulnerability



Background


Oracle is a widely-deployed Database Management System (DBMS) that
supports a variety of applications. Many multi-tier applications are
designed to use proxy authentication, restricting a middle tier to
establish the database connection on behalf of the users. The standard
authentication mechanism requires the client, the middle tier in this
case, to provide valid credentials in order to authenticate and connect
to the DBMS. User sessions are then created through the proxy
connection. Oracle TNS protocol messages are used for session setup,
authentication and data transfer. 


Scope


Imperva's Application Defense Center (ADC) conducts extensive research
on enterprise applications and databases. During its research, the team
has identified a vulnerability in Oracle's proxy authentication and
access control mechanism. 


Findings


While proxy authentication is enabled for a user account through a proxy
account, it is possible to create a separate connection using the
original user account without authenticating the connection. 


Details


Oracle supports a proxy authentication mode which a user establishes a
session through a proxy and the proxy establishes a session on the
user's behalf to the database. These sessions are created using the
Oracle TNS protocol level messages and do not require additional
authentication. This scenario is recommended by Oracle for multi-tier
environments. 

While the user sessions are open through the proxy connection, an
attacker can create a new connection to the database impersonating the
original user without supplying a password. The attacker executes the
attack by opening a TNS connection to the database server and sending a
manipulated authentication message with the login mode flags set to
proxy login and the session ID and serial number of the original session
opened through the proxy account. 


Vulnerability ID


Proposed CVE Candidate (as of October 14, 2008): CVE-2008-2625 


Tested Versions


Vulnerable
Oracle 8i (8.1.7.x.x)
Oracle 9i (9.2.0.7)
Oracle 10g Release 1 (10.1.0.4.2)
Oracle 10g Release 2 (10.2.0.1.0) 


Vendor's Status


Vendor notified on December 13, 2005. Patch released by vendor on
October 14, 2008. 


Workaround



*	Always require password authentication, even for proxy
connections 
*	Alternatively, disable proxy authentication mode and enforce
this policy by configuring the SecureSphere Database Security Gateway to
alert when users are granted proxy access 
*	The SecureSphere Database Security Gateway can also enforce all
proxy account connections to the database originate from the proxy
server IP address


Discovered by:


Amichai Shulman - Imperva Co-Founder, CTO and Head of Imperva's
Application Defense Center (ADC). 


Disclaimer


The information within this advisory is subject to change without
notice. Use of this information constitutes acceptance for use in an AS
IS condition. Any use of this information is at the user's own risk.
There are no warranties, implied or expressed, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.

Copyright (c) 2007 Imperva, Inc.
Redistribution of this alert electronically is allowed as long as it is
not edited in any way. To reprint this alert, in whole or in part, in
any medium other than electronic medium, adc@...erva.com for permission.

 
Amichai Shulman
CTO
 
125 Menachem Begin St.
Tel Aviv 67010
Israel

(972) 3-6840103 Office
(972) 54-5885083 Mobile
(972) 3-6840200 Fax
shulman@...erva.com

Download Scuba by Imperva
FREE Database Assessment Scanner
www.imperva.com/scuba <blocked::http://www.imperva.com/scubam> 
 

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ