Two researchers from Trustwave will demonstrate how to use man-in-the-middle attacks against Oracle databases to steal user credentials and take over sessions at Black Hat Europe next week.
Two researchers from Trustwave will demonstrate how a
man-in-the-middle attack on Oracle databases can be leveraged to swipe
user credentials and hijack sessions at the upcoming Black Hat Europe security conference.
Armed with a new proof-of-concept tool, Trustwave Director of
Security Research Steve Ocepek and Security Consultant Wendel Henrique
will demonstrate how attackers can steal credentials
by downgrading authentication mechanisms as well as take over existing user sessions.
"We're highlighting the dangers of man-in-the-middle by showing
attacks that go beyond what most people are familiar with," Ocepek told
eWEEK. "Wendel's downgrade attacks can fool a client into giving up
weak hash values and even Windows hashes, just by changing a few bytes
of data. And the thicknet tool completely takes over, and allows arbitrary SQL injection
. These are not common attacks, but they (creatively) exploit a known problem with plaintext data."
As database users perform legitimate queries, information is often
transmitted in clear text, easily readable by attackers with access to
the data, the researchers explained.
"What we're recommending is the use of encryption more frequently,
something that's built into the protocol from the beginning, just
making it that much harder for an attacker to manipulate these
packets," Ocepek said. "We're also again trying to beat the drum of
shutting down some of these methods of doing man-in-the-middle attacks.
It's just far too easy right now."
Using their thicknet tool, Ocepek and Henrique plan to demonstrate
how to gain unauthorized access to Oracle and launch both types of
attacks. The tool will be available after the show, Ocepek said.
"(The attacks can) be done remotely; it depends on where the
client is," he explained. "So let's say that you are at a hotspot,
you're at a coffee shop, and somebody's got the laptop on and they're
connecting to a database remotely. That would be a case where
absolutely you could do that as well."
The duo only focused their research on Oracle due to its large presence
in the market and because it is "very rare to find Oracle encryption turned on," Ocepek said.
"Because man-in-the-middle attacks have been around so long, we've
gotten to the point of acceptance here," he added. "But attacks like
these highlight the fact that we might have underestimated the
potential of these attacks."
The conference will be held April 12-15 in Barcelona, Spain, with briefings April 14 and 15.