During an internal penetration test we discovered an Oracle database, version 11g Release 2, in the client’s network. This outdated database version is vulnerable to an information leak during the authentication procedure. The flaw allows an attacker to steal a hash, signed with the client’s credentials, that is used to authenticate the client. An attacker who attempts to connect with a potential client’s username can steal this hash and perform an offline dictionary attack, also known as a “stealth password brute force” attack.
Like every information leak vulnerability, it is a very interesting attack because it stems from a fundamental flaw in the developer’s logic. Plus, we love cracking passwords.
That made us look deeper into it, to understand how it works beneath the high-level description given by Hacktricks, where we first came across this type of attack.
First we have to understand how the Oracle DB is structured. The architecture of the Oracle DB consists of:
https://www.oracletutorial.com/oracle-administration/oracle-database-architecture/
The TNS listener is the component responsible for communicating with the crucial parts of the database server, i.e. the database instance and the database itself. It uses the TNS protocol to communicate with the client and to receive commands and requests such as authentication, fingerprinting, SID discovery etc. (more about this later!).
The TNS protocol is a proprietary protocol owned by Oracle. It is built on top of TCP/IP and other transports such as SDP, IPX/SPX, IPC etc. In the context of Oracle databases, TNS is used over TCP/IP. A fair bit of the protocol has been reverse engineered, giving us more insight into how it works.
As explained in this article, a TNS packet consists of a header and the payload:
 0      8      16             31
 +--------------+--------------+
 | Packet Length| Packet Chksm |
 +------+-------+--------------+   8 byte header
 | Type | Rsrvd | Header Chksm |
 +------+-------+--------------+
 |        P A Y L O A D        |
 +-----------------------------+
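To make the header layout concrete, here is a small parser for the 8-byte TNS header shown above, written as an added example for this article rather than code from the original post or from Oracle. It assumes big-endian fields in the order of the diagram (16-bit length, 16-bit packet checksum, 8-bit type, 8-bit reserved, 16-bit header checksum) and that the length field counts the whole packet including the header; the type names come from the public Wireshark TNS dissector, the sample packets are constructed, and the checksums are not verified.

```python
import struct
from dataclasses import dataclass

# Packet type codes as decoded by the public Wireshark TNS dissector.
TNS_PACKET_TYPES = {
    1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT",
    6: "DATA", 7: "NULL", 9: "ABORT", 11: "RESEND", 12: "MARKER",
    13: "ATTENTION", 14: "CONTROL",
}

HEADER_LEN = 8           # the 8-byte header from the diagram
HEADER_FMT = ">HHBBH"    # big-endian: length, packet chksm, type, reserved, header chksm


@dataclass
class TnsPacket:
    length: int            # total packet length, header included
    packet_checksum: int   # not verified by this parser
    ptype: int
    reserved: int
    header_checksum: int   # not verified by this parser
    payload: bytes

    @property
    def type_name(self) -> str:
        return TNS_PACKET_TYPES.get(self.ptype, f"UNKNOWN({self.ptype})")


def parse_tns_packet(data: bytes) -> TnsPacket:
    """Parse one TNS packet from the start of `data`, rejecting inconsistent lengths."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated TNS header")
    length, pchk, ptype, rsvd, hchk = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length < HEADER_LEN:
        raise ValueError(f"length field {length} is smaller than the header")
    if length > len(data):
        raise ValueError(f"length field {length} exceeds the {len(data)} captured bytes")
    return TnsPacket(length, pchk, ptype, rsvd, hchk, data[HEADER_LEN:length])


def split_tns_stream(data: bytes) -> list:
    """Walk back-to-back TNS packets in one TCP byte stream using the length field."""
    packets = []
    offset = 0
    while offset < len(data):
        pkt = parse_tns_packet(data[offset:])
        packets.append(pkt)
        offset += pkt.length
    return packets


def build_tns_packet(ptype: int, payload: bytes) -> bytes:
    """Build a packet with both checksum fields left zero (constructed test data)."""
    length = HEADER_LEN + len(payload)
    if length > 0xFFFF:
        raise ValueError("payload too large for the 16-bit length field")
    return struct.pack(HEADER_FMT, length, 0, ptype, 0, 0) + payload


# Constructed sample stream: a DATA packet followed by a REFUSE packet.
SAMPLE_STREAM = (build_tns_packet(6, b"constructed data payload")
                 + build_tns_packet(4, b"constructed refuse payload"))


def summarize(stream: bytes) -> list:
    """Return (type_name, payload_length) per packet, the shape a monitoring log would want."""
    return [(p.type_name, len(p.payload)) for p in split_tns_stream(stream)]


if __name__ == "__main__":
    for name, plen in summarize(SAMPLE_STREAM):
        print(f"{name:<8} payload={plen} bytes")
```

Feeding a reassembled TCP stream into `split_tns_stream` yields the sequence of packet types exchanged during a session, which is enough to spot, for instance, a client that repeatedly opens connections and receives REFUSE packets.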
For the purposes of this article, the important parts of a packet are its type and, of course, the payload.
The packet type declares the purpose of the packet, i.e. whether it carries data, refuses or accepts a connection, demands a resend of the last packet received etc. The packet types are: