[dbsec] Re: prevent remote user enumeration?

  • From: Richard Miles <richard.k.miles@xxxxxxxxxxxxxx>
  • To: dbsec@xxxxxxxxxxxxx
  • Date: Thu, 8 Apr 2010 09:22:32 -0500


It's bad news. I'm looking at oracle.com to see if there is a patch
available, but no lucky until the moment.

If anyone knows of a patch please let me know.

Thank you.

On Thu, Apr 8, 2010 at 5:11 AM, Zed Qyves <zqyves.spamtrap@xxxxxxxxx> wrote:

> Hello,
> From what I saw about the ora-userenum.exe:
> 1) it is part of the Oracle Assessment Kit collection of tools for auditing
> oracle databases
> 2) it does not need credentials to connect to the db, hence the removal of
> select from all_users regarding public didn't do you any good
> 3) it is run as   ora-userenum <host> <port> <sid> <userlistfile>. the last
> param is a file containing a list of users to check for their existence.
> Going through the source it is apparent that it initiates a login sequence
> to the db with each of those users and depending on some tns packet
> properties it receives back from the database server it deduces whether it
> is a valid username or not.
> You can have a copy of OAK (including source code) from
> http://www.databasesecurity.com/dbsec/OAK.zip.
> Basically there is nothing you can do about it at the db level other than
> to make sure that you don't give your users usernames that exist in this
> file :) .
> Best regards,
> ./ZQ

Other related posts: