##############################################################################
#
# Oracle 9i/10g DB Password Authentication Downgrade Weakness Vulnerability
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2007/04/04
#
# $Revision: 1.1 $
#
# $Log: os2a_oracle_passwd_weakness_vuln_608133.nasl,v $
# Revision 1.1 2007/04/05 10:08:38 schandan
# To Production. Issue #3932
#
# Revision 1.2 2007/04/04 06:57:41 vnkbabu
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# How this plugin decides:
#   The check is banner-based only. It compares a version string (taken from
#   the TNS listener knowledge-base entry, or failing that from an HTTP
#   Server header) against a fixed list of releases. It never exercises the
#   authentication exchange itself, so a warning means "an affected version
#   was reported", not "a downgrade was observed". Back-ported fixes and
#   edited banners are therefore invisible to it.

if(description)
{
  # Plugin identity and classification.
  script_id(608133);
  script_bugtraq_id(22596);
  script_copyright(english:"Copyright (C) 2007 OS2A");
  script_version("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_name(english:"Oracle 9i/10g DB Password Authentication Downgrade Weakness Vulnerability");
  script_summary(english:"Check for vulnerable versions of Oracle Database");

  # Report text shown to the operator. It is runtime data and is kept
  # exactly as written, including its line breaks.
  desc["english"] = " Overview: This host is having Oracle 9i/10g Database Servers installed, which is prone to brute-force attacks. This vulnerability exists due to an error in Oracle native authentication protocols. Impact: A remote attacker could exploit this vulnerability to downgrade the protocol used during the challenge-response authentication process. Scope of impact is restricted to application level. Affected Software : Oracle9i Standard Edition (9.2.1, 9.2.2, 9.2.3, 9.2.6, 9.2.7. 
9.2.8, 9.2.0.5, 9.2.0.3, 9.2.0.2, 9.2.0.1, 9.2, 9.0.4, 9.0.2, 9.0.1.5, 9.0.1.4, 9.0.1.3, 9.0.1.2, 9.0.1, 9.0.2.4, 9.0, 8.1.7) Oracle9i Personal Edition (8.1.7, 9.0.1, 9.0.1.4, 9.1.0.5, 9.2.0.5, 9.2.0.3, 9.2.6, 9.2.7, 9.2.8, 9.2.0.2, 9.2.0.1, 9.2, 9.0.4, 9.0.1.5, 9.0.1.4, 9.0.1, 9.0.2.4) Oracle9i Lite (5.0.2.9.0, 5.0.2.0.0, 5.0.1.0.0, 5.0.0.0.0) Oracle9i Enterprise Edition (9.2.0.5, 9.2.0.3, 9.2.0.2, 9.2.0.1, 9.2.0, 9.0.4, 9.0.1.5, 9.2.6, 9.2.7, 9.2.8, 9.0.1.4, 9.0.1, 9.0.2.4, 8.1.7) Oracle Oracle9i Developer Edition 9.0.4 Oracle10g Standard Edition (10.1.4.2, 10.1.0.5, 10.1.0.4, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.0, 10.2.1, 10.2.2, 10.2.3) Oracle10g Personal Edition (10.1.0.4, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.0, 10.2.1, 10.2.2, 10.2.3) Oracle10g Enterprise Edition (10.1.0.4, 10.1.0.3.1, 10.1.0.3, 10.1.0.2, 9.0.4.0, 10.2.1, 10.2.2, 10.2.3) Affected Platform : Any platform running this software. Solution : No solution is available for this issue as on 5th April, 2007. Information regarding this issue will be updated once the solution details are available. For updates check, http://www.oracle.com/technology/software/index.html Recommendation : - Use encryption in the communication channel. - Use strong passwords so a brute force attack is not feasible. 
References : http://www.securityfocus.com/archive/1/460326 CVSS Score : CVSS Base Score : 3.5 (AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:C) CVSS Temporal Score : 3.0 Risk factor : Medium";
  script_description(english:desc["english"]);

  # Scheduling: run after the plugins that fill in the HTTP and TNS listener
  # knowledge-base entries, and only when a TNS listener service is known.
  script_dependencies("http_version.nasl", "oracle_tnslsnr_version.nasl");
  script_require_ports("Services/oracle_tnslsnr");
  exit(0);
}

include("http_func.inc");

# Version alternation shared by both checks (5.0.x Lite, 8.1.7, 9.0.x, 9.2.x,
# 10.1.x and 10.2.x). The closing class [^.0-9] demands one further character
# that is neither a dot nor a digit, so a listed release does not match when
# it is only the prefix of a longer dotted number, nor when it is the very
# last thing in the string.
# NOTE(review): the report text above also names 9.1.0.5 and 9.2.0, and
# neither has a branch in this expression - confirm whether that is intended.
affected_release = "(5\.0\.([01]\.0\.0|2\.(9|0)\.0)|8\.1\.7|9" +
                   "\.(0|(0\.(1(\.[2-5])?)|0\.2(\.4)?|0\.4(\.0)?)|2(\.0" +
                   "\.[1-5])?|2\.([1-3]|[6-8]))|10\.(1\.(0\.[2-5]|0\.3" +
                   "\.1|4\.2)|2\.[1-3]))[^.0-9]";

# First source: the TNS listener recorded in the knowledge base. When
# get_port_state() is false for that port the script ends here, so the HTTP
# fallback further down is only reached while the listener port passes.
listener_port = get_kb_item("Services/oracle_tnslsnr");
if(!get_port_state(listener_port))
  exit(0);

listener_banner = get_kb_item(string("oracle_tnslsnr/", listener_port, "/version"));
if(listener_banner && ereg(pattern:".*Version " + affected_release, string:listener_banner))
{
  security_warning(listener_port);
  exit(0);
}

# Second source, used when the listener entry gave no match: the Server
# header of an Oracle-branded web server on a few fixed ports. The script
# stops at the first port whose banner mentions Oracle, whether or not the
# version matched; the remaining ports are not examined.
foreach http_port (make_list("80", "7780", "7778"))
{
  if(get_port_state(http_port))
  {
    server_banner = get_http_banner(port:http_port);
    if("Oracle" >< server_banner)
    {
      if(egrep(pattern:"Server:.*Oracle.*/" + affected_release, string:server_banner))
        security_warning(http_port);
      exit(0);
    }
  }
}