Researchers to Demonstrate Database Man-in-the-Middle Attacks at Black Hat

Two researchers from Trustwave will demonstrate how to use man-in-the-middle attacks against Oracle databases to steal user credentials and take over sessions at Black Hat Europe next week.

Two researchers from Trustwave will demonstrate how a man-in-the-middle attack on Oracle databases can be leveraged to swipe user credentials and hijack sessions at the upcoming Black Hat Europe security conference.

Armed with a new proof-of-concept tool, Trustwave Director of Security Research Steve Ocepek and Security Consultant Wendel Henrique will demonstrate how attackers can steal credentials by downgrading authentication mechanisms as well as take over existing user sessions.

"We're highlighting the dangers of man-in-the-middle by showing attacks that go beyond what most people are familiar with," Ocepek told eWEEK. "Wendel's downgrade attacks can fool a client into giving up weak hash values and even Windows hashes, just by changing a few bytes of data. And the thicknet tool completely takes over, and allows arbitrary SQL injection. These are not common attacks, but they (creatively) exploit a known problem with plaintext data."

As database users perform legitimate queries, information is often transmitted in clear text, easily readable by attackers with access to the data, the researchers explained.

"What we're recommending is the use of encryption more frequently, something that's built into the protocol from the beginning, just making it that much harder for an attacker to manipulate these packets," Ocepek said. "We're also again trying to beat the drum of shutting down some of these methods of doing man-in-the-middle attacks. It's just far too easy right now."

Using their thicknet tool, Ocepek and Henrique plan to demonstrate how to gain unauthorized access to Oracle and launch both types of attacks. The tool will be available after the show, Ocepek said.

"(The attacks can) be done remotely; it depends on where the client is," he explained. "So let's say that you are at a hotspot, you're at a coffee shop, and somebody's got the laptop on and they're connecting to a database remotely. That would be a case where absolutely you could do that as well."

The duo only focused their research on Oracle due to its large presence in the market and because it is "very rare to find Oracle encryption turned on," Ocepek said.

"Because man-in-the-middle attacks have been around so long, we've gotten to the point of acceptance here," he added. "But attacks like these highlight the fact that we might have underestimated the potential of these attacks."

The conference will be held April 12-15 in Barcelona, Spain, with briefings April 14 and 15.