[dbsec] Re: prevent remote user enumeration?
- From: Richard Miles <richard.k.miles@xxxxxxxxxxxxxx>
- To: dbsec@xxxxxxxxxxxxx
- Date: Thu, 8 Apr 2010 09:22:32 -0500
Hello,
It's bad news. I'm looking at oracle.com to see if there is a patch
available, but no lucky until the moment.
If anyone knows of a patch please let me know.
Thank you.
On Thu, Apr 8, 2010 at 5:11 AM, Zed Qyves <zqyves.spamtrap@xxxxxxxxx> wrote:
> Hello,
>
> From what I saw about the ora-userenum.exe:
> 1) it is part of the Oracle Assessment Kit collection of tools for auditing
> oracle databases
> 2) it does not need credentials to connect to the db, hence the removal of
> select from all_users regarding public didn't do you any good
> 3) it is run as ora-userenum <host> <port> <sid> <userlistfile>. the last
> param is a file containing a list of users to check for their existence.
> Going through the source it is apparent that it initiates a login sequence
> to the db with each of those users and depending on some tns packet
> properties it receives back from the database server it deduces whether it
> is a valid username or not.
>
> You can have a copy of OAK (including source code) from
> http://www.databasesecurity.com/dbsec/OAK.zip.
>
> Basically there is nothing you can do about it at the db level other than
> to make sure that you don't give your users usernames that exist in this
> file :) .
>
> Best regards,
>
> ./ZQ
>
>
Other related posts:
