Oracle Password Storage and verification process analysis and defense suggestions

Source: Internet
Author: User


Oracle is currently the largest database product on the market. Compared with other database products it has the largest number of published vulnerabilities among its peers, and that number is still growing. We can therefore expect database security problems to persist for a long time.

When talking about database security, what users worry about most is the security of the database password; stated more precisely, it is the security of the database authentication process. The database password is the key that protects the core data in the database. Once it is stolen, an attacker may intrude into the database and, from there, the entire network.

An attacker has two ways to defeat database identity verification: bypass the authentication process, or break the authentication process itself. This article focuses on the latter, the active attack methods. Anhua Jinhe's Database Attack and Defense Laboratory, drawing on the characteristics of Oracle Database, discusses the methods used to attack the Oracle identity authentication process and puts forward defense suggestions against these attacks.

Oracle Database Authentication Bypass

Use Oracle's default password and Oracle password features to crack the password

Attackers can brute-force Oracle passwords. Apart from the common exhaustive (permutation) and dictionary methods, Oracle ships with default usernames and passwords, such as DBSNMP with the password DBSNMP, the Intelligent Agent account. This is the default username and password most likely to be overlooked in Oracle, because the Intelligent Agent password has to be changed in two different places: first the password of the DBSNMP user in the database, and then the copy of the password in the snmp_rw.ora file.

In addition, the Oracle logon packet leaks information about the length of the database password, which is a consequence of the encryption protocol between the database server and the client. The logon packet contains a field named AUTH_PASSWORD, which the client sends after encrypting the password, and the length of this field is closely related to the length of the original password. Taking Oracle 11g as an example, an AUTH_PASSWORD length of 96 characters indicates that the plaintext password is between 16 and 30 characters long (the maximum length of an Oracle password is 30 characters).

An AUTH_PASSWORD length of 64 characters indicates that the plaintext password is between 1 and 15 characters long.

This behaviour is not exclusive to 11g; all Oracle versions behave similarly. Determining the password length from the length of AUTH_PASSWORD in the packet effectively reduces the cost of brute-force cracking.

Obtain a password from an Oracle local file

Although some optimizations can be made, brute-force cracking still relies on a large number of connection attempts. Besides brute force, there are simpler ways to obtain passwords. If you can access the file system of the host where the database runs, you can obtain database password information from files that Oracle should have deleted. For example, the password of SYSMAN, one of the four database management users, is written to a file as ciphertext, but the key is written to the same file. The SYSMAN password and key are stored in emoms.properties under C:\app\lsc\product\11.2.0\dbhome_1\SYSMAN\config. Open emoms.properties.

The lines marked in red in the figure:

oracle.sysman.eml.mntr.emdRepPwd records the SYSMAN password, and oracle.sysman.eml.mntr.emdRepPwdSeed records the key used to encrypt that password.

Given the ciphertext and the key, the plaintext can be recovered with a DES decryption tool.

If several administrative accounts in the database share a single password, the SYS/SYSTEM password is leaked directly.

Other files in the cfgtoollogs folder of the Oracle home directory also expose password information.

Use Oracle encryption principles to crack passwords

In addition to the two methods above, there is a more direct way: crack the ciphertext in the Oracle communication protocol by understanding how Oracle transmits the key. (The following uses Oracle 9i as an example. The 10g and 11g principles are similar, but more complicated.)

First, the whole process is described using an Oracle logon packet capture. The client first sends SERVICE_NAME to the server.

If the service named is not registered with the Listener, the Listener returns an error and terminates the whole process. If this check succeeds, the client sends a packet containing the username to the server. After the server determines that the username exists, it extracts the password hash of that user from the database and uses this hash to generate a "password".

This password is generated when the server calls the slgdt() function in the orageneric library. slgdt() obtains the current system time and combines minutes, hours, seconds and milliseconds into an 8-byte "text" to be encrypted. The first four bytes of the text are the XOR of the minutes and hours with the last four bytes of the hash corresponding to the username; the last four bytes of the text are the XOR of the seconds and milliseconds with the first four bytes of that hash.

The encryption step uses the kzsrenc() function in the oracommon library to encrypt the text. kzsrenc() essentially completes DES key generation by calling lncgks(), and finally outputs DES ciphertext in ECB mode via incecb(). The ciphertext produced here is the "password". kzsrenc() is then called a second time to encrypt that password using the hash of the user's password as the key. The result of this call is AUTH_SESSKEY, which is sent to the client.


After receiving AUTH_SESSKEY, the client decrypts it to recover the password. It uses the lncupw() function in the oracore library to compute its own copy of the password hash, then calls kzsrdec() to decrypt AUTH_SESSKEY with that hash as the key. When this completes successfully, the client holds the same "password".

The client then uses this password as the key in kzsrenp() to encrypt the plaintext, case-sensitive user password. kzsrenp() generates the DES key and encrypts the user password in CBC mode. The resulting ciphertext is sent back to the server as AUTH_PASSWORD.

The server calls the function kzsrdep() in the oracommon library and decrypts AUTH_PASSWORD using the password as the key. At this point the server holds a copy of the plaintext password; it hashes it and compares the result with the hash stored in the database. If they match, the user completes authentication.

Once these principles are clear, one can capture AUTH_SESSKEY and AUTH_PASSWORD from the network, brute-force the hash value, and finally use the hash to decrypt AUTH_SESSKEY and obtain the password.

Having seen how attackers obtain database passwords, how can these attacks be defended against? Looking at the attack methods, the first depends on default or weak passwords, the second on configuration file leakage, and the third on recovering the hash value through cracking.

Based on years of experience, the experts of the Anhua Jinhe Attack and Defense Laboratory offer the following three points to reinforce Oracle password security and address the threat of attackers bypassing Oracle authentication.

Oracle Authentication reinforcement suggestions

Regularly change the account password

Some default users exist after the database is created, such as the Intelligent Agent account DBSNMP mentioned above. The passwords of these accounts must be changed regularly. Passwords should follow Oracle's recommendations; in principle, the more complex the password, the more secure it is.

Lock unnecessary users and lock down system files

For example, the file system in this article exposed the SYSMAN password. This account is used to manage Enterprise Manager (EM). If you do not need EM in your environment, lock this account, and lock down the configuration files that may leak passwords, so that a compromise of the local file system cannot be extended into the database.

Upgrade the database version to use non-fixed hash values

In databases before 10g the hash value corresponding to a given username is fixed, and only the time function varies it, which makes it possible for attackers to brute-force the database hash. We recommend upgrading the database to 11g. The 11g version introduces the random value AUTH_VFR_DATA and a more complex procedure for generating AUTH_SESSKEY, which helps prevent the password from being recovered from leaked transmitted data.
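The following Oracle SQL is an added example (not from the original article or from Anhua Jinhe) that applies the three recommendations above from the DBA side: it lists accounts still on Oracle default passwords, locks the DBSNMP and SYSMAN accounts named in this article, enforces rotation and complexity through a profile, and reports users whose stored verifier is still only the fixed pre-11g hash. The profile name hardened_users and the user app_admin are placeholders, and verify_function_11g assumes $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has been run on an 11g database.

```sql
-- 1. Accounts still using an Oracle-supplied default password (11g view).
--    Every row returned is a candidate for the DBSNMP/DBSNMP style attack.
SELECT username
  FROM dba_users_with_defpwd
 ORDER BY username;

-- 2. Lock and expire the Intelligent Agent and EM repository accounts
--    where EM is not used (the two accounts discussed in this article).
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER sysman ACCOUNT LOCK PASSWORD EXPIRE;

-- 3. Regular rotation plus complexity checks, enforced by a profile.
--    hardened_users is a placeholder name; verify_function_11g comes from
--    utlpwdmg.sql and rejects short or trivially constructed passwords.
CREATE PROFILE hardened_users LIMIT
  PASSWORD_LIFE_TIME       90      -- force a change every 90 days
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10      -- no recycling of the last 10 passwords
  PASSWORD_REUSE_TIME      365
  FAILED_LOGIN_ATTEMPTS    10      -- raises the cost of online guessing
  PASSWORD_LOCK_TIME       1
  PASSWORD_VERIFY_FUNCTION verify_function_11g;

ALTER USER app_admin PROFILE hardened_users;  -- app_admin is a placeholder

-- 4. After an upgrade, users keep only the old 10G verifier until their
--    password is reset. Open accounts without an 11G verifier still
--    authenticate with the fixed hash this article describes as crackable.
SELECT username, password_versions, account_status
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND password_versions NOT LIKE '%11G%'
 ORDER BY username;

-- 5. Require case-sensitive passwords so the 11g verifier is actually used.
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE = BOTH;
-- Companion setting in sqlnet.ora (not SQL), rejecting older client
-- authentication protocol versions:  SQLNET.ALLOWED_LOGON_VERSION = 11
```

Users listed by step 4 should have their passwords reset (ALTER USER ... IDENTIFIED BY ...) so that the 11g verifier is generated.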

We believe that these three points can effectively prevent attackers from obtaining database passwords.
