Vuln Dev
Oracle 11g password algorithm revealed Sep 22 2007 07:45PM
pete petefinnigan com
Hi All,

I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g.

The password algorithm is simple and very easy to guess once you realise that the sha1 verifier stored in the database is 80 bits too long. Its also obvious from other testing I documented on my blog that a salt is indeed used. Once these facts are known the algoritm can be guessed. The algorithm is simply SHA1(pwd||salt) = 160 bit verifier||salt (stored in sys.user$spare4.

To create a simple function to test a verifier you simply need to do:

SYS.USER$.SPARE4 = SHA1("pwd guess" || substr(sys.user$.spare4,43,10)) || substr(sys.user$.spare4,43,10)

I have created a simple PL/SQL test program that can be used to verify passwords hashed with the new SHA1 verifier. The code is:

SQL> get c:\11g_notes\sha1.sql

1 set feed on

2 set head on

3 set arraysize 1

4 set space 1

5 set verify off

6 set pages 25

7 set lines 80

8 set termout on

9 set serveroutput on size 1000000

10 undefine user_to_find

11 undefine pwd_guess

12 accept user_to_find char prompt 'NAME OF USER TO CHECK [system]: ' default system

13 accept pwd_guess char prompt 'PWD to test [manager]: ' default manager


15 lv_pwd_raw RAW(128);

16 lv_enc_raw RAW(2048);

17 lv_hash_found varchar2(300);

18 cursor c_main(cp_user in varchar2) is

19 select substr(spare4,3,40) hash,

20 substr(spare4,43,20) salt,

21 spare4

22 from sys.user$

23 where name=cp_user;

24 lv_user c_main%rowtype;


26 open c_main(upper('&&user_to_find'));

27 fetch c_main into lv_user;

28 close c_main;

29 lv_pwd_raw:= utl_raw.cast_to_raw('&&pwd_guess')||hextoraw(lv_user.salt);

30 lv_enc_raw := sys.dbms_crypto.hash(lv_pwd_raw, 3);

31 lv_hash_found:=utl_raw.cast_to_varchar2(lv_enc_raw);

32 if lv_enc_raw = lv_user.hash then

33 dbms_output.put_line('PWD found');

34 else

35 dbms_output.put_line('PWD not found');

36 end if;

37* END;


More details can be found on my blog



[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus