Attacking the Backups
Backups tend to be plaintext and are less well secured than the production system. Even if the backups are encrypted,
there are issues with key placement, known-plaintext attacks, or physical DoS attempts. Please see this resource for
details regarding backup security:
http://www.kano.org.uk/projects/sb/secure_backups.pdf
If an attacker can get to your backups, they can restore the database from those backups and mount a brute-force
password attack against their own copy of your database. If an attacker can't get to the backups, then an alternative is
to carry out the brute-force attack over the network.
Brute Force Remotely Over the Network
So the standby and backups are secured, but can an attacker still brute force their way in?
New research by Esteban Fayo has shown that attackers can brute force a password without having to fully
attempt to log on, thus avoiding an audit entry. This attack leverages a flaw in the way O5LOGON authentication is
implemented.
O5LOGON is the method used by an 11g Oracle database to authenticate a client username to the database
before access is granted to the items for which that user is authorized. Unfortunately the design of the protocol is such
that an attacker can brute force the value of a user's password remotely without logging on.
Following is the O5LOGON brute force time sequence. It describes the process that is shown graphically
in Figure 2-1.
1. The attacking client sends a username to the 11g server.
2. The server returns session_key with known fixed padding, which is encrypted by the user's hash.
3. The attacking client stops the negotiation.
4. The attacker brute forces the session key using salt and hash dictionary until they see the known fixed padding.
Annotation in the figure: No failed logon attempt, i.e., nothing logged.
Figure 2-1. Stealth brute-force attack
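Because the aborted exchange in steps 1 to 3 leaves no failed-logon audit entry, one place a defender can look is the network. The following is an added example, not part of the original text: it flags connections that were closed after the server returned the session key but before any password response was sent. The event format, phase labels, usernames and addresses are constructed assumptions for a hypothetical network sensor, not an Oracle log format.

```python
# Added example: flag logon handshakes abandoned right after the server's
# session key. Event format and phase labels are assumptions (hypothetical
# network sensor), not an Oracle log format.
from collections import defaultdict

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = """\
10:00:01 conn=c1 src=192.0.2.10 user=APPUSER phase=USERNAME_SENT
10:00:01 conn=c1 src=192.0.2.10 user=APPUSER phase=SESSKEY_RETURNED
10:00:02 conn=c1 src=192.0.2.10 user=APPUSER phase=PASSWORD_SENT
10:00:02 conn=c1 src=192.0.2.10 user=APPUSER phase=CLOSED
10:03:10 conn=c2 src=198.51.100.7 user=SYSTEM phase=USERNAME_SENT
10:03:10 conn=c2 src=198.51.100.7 user=SYSTEM phase=SESSKEY_RETURNED
10:03:10 conn=c2 src=198.51.100.7 user=SYSTEM phase=CLOSED
10:03:11 conn=c3 src=198.51.100.7 user=SYS phase=USERNAME_SENT
10:03:11 conn=c3 src=198.51.100.7 user=SYS phase=SESSKEY_RETURNED
10:03:11 conn=c3 src=198.51.100.7 user=SYS phase=CLOSED
10:04:00 conn=c4 src=192.0.2.11 user=REPORTS phase=USERNAME_SENT
10:04:00 conn=c4 src=192.0.2.11 user=REPORTS phase=SESSKEY_RETURNED
"""

def find_abandoned_handshakes(text):
    """Return (conn, src, user) for closed connections that received the
    session key but never sent a password response (steps 1 to 3)."""
    phases, meta = defaultdict(set), {}
    for line in text.splitlines():
        fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
        if "conn" not in fields:
            continue  # blank or unparseable line
        phases[fields["conn"]].add(fields.get("phase"))
        meta.setdefault(fields["conn"], (fields.get("src"), fields.get("user")))
    # Connections still in flight (no CLOSED yet) are not flagged.
    return [(c, *meta[c]) for c, seen in phases.items()
            if {"SESSKEY_RETURNED", "CLOSED"} <= seen
            and "PASSWORD_SENT" not in seen]

def usernames_by_source(hits):
    """Group the usernames whose session keys each source collected."""
    grouped = defaultdict(set)
    for _conn, src, user in hits:
        grouped[src].add(user)
    return {src: sorted(users) for src, users in grouped.items()}

if __name__ == "__main__":
    hits = find_abandoned_handshakes(SAMPLE_EVENTS)
    for src, users in usernames_by_source(hits).items():
        print(f"{src}: session key returned, no password response: {users}")
```

A single abandoned handshake per username is enough for step 4 to proceed offline, so the check reports every occurrence rather than waiting for a count threshold.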
 