Re: Funny sort of question re sys password

• From: Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>
• To: oracle-l@xxxxxxxxxxxxx
• Date: Wed, 10 Mar 2004 14:46:39 +0000

Hi Nuno,

some comments in line..:-)

<snipped>
>
>I'd class most of those under the umbrella of "social engineering": 
>indirect aquisition of knowledge through exploitation of other weaknesses
>in security.  But yes, it is possible that way.  
>
You are right for those ideas that involve finding passwords through
various means could be social engineering But what i was really thinking
of was running various commands as a non DBA user and changing the SYS
password and then having access as SYS - those methods are not social
engineering but hacking. I am trying to be vague as its not a good idea
to show people in a public forum how to hack.

>> If you look at my site http://www.petefinnigan.com/orasec.htm there are
>
>Ta, I'll definitely look this up.
>
>
>> Your Sun guy is easy though, he is just connecting as root and logging
>> on as "/ as sysdba" - i guess.
>
>This doesn't count: it assumes root password knowledge which would break 
>ALL security in the system, not just Oracle's.   

exactly but that is what i assume he meant as his method - or do you
know he has another way not involving root, oracle or dba group? If so
probably he has exploit code for a vulnerability that is not patched. If
he is the sysadmin and he has an exploit and its not patched then
someone should be considering his loyalty to your company.

>Also, logging in as the 
>install user would achieve the same. Or any user authorised to dba
>group, I suppose.  

taken as read.

>But all that assumes a breakdown in other than Oracle's 
>security to start with.  That is not an Oracle inherent security
problem.
>
>I was more concerned with obvious security breaches such as unencrypted 
>passwords ending up in log files or file headers, or unencrypted comms 
>eaves-dropping.  Guess those are not that easy with 9i, they used to be 
>the order of the day with earlier versions.
>

Unfortunately it is easy still, not for connections but for changing
passwords at least. For instance I did:

SQL> alter user scott identified by tiger;

User altered.

and the SQL*Net trace shows:

[10-MAR-2004 12:52:40:567] nsprecv: 74 65 72 20 75 73 65 72  |ter.user|
[10-MAR-2004 12:52:40:567] nsprecv: 20 73 63 6F 74 74 20 69  |.scott.i|
[10-MAR-2004 12:52:40:567] nsprecv: 64 65 6E 74 69 66 69 65  |dentifie|
[10-MAR-2004 12:52:40:567] nsprecv: 64 20 62 79 20 74 69 67  |d.by.tig|
[10-MAR-2004 12:52:40:567] nsprecv: 65 72 01 00 00 00 01 00  |er......|

but if i use the password function in SQL*Plus

SQL> password dbsnmp
Changing password for dbsnmp
New password: ******
Retype new password: ******
Password changed
SQL> 
in the trace i get

[10-MAR-2004 12:53:33:132] nsprecv: 64 62 73 6E 6D 70 10 00  |dbsnmp..|
[10-MAR-2004 12:53:33:132] nsprecv: 00 00 10 41 55 54 48 5F  |...AUTH_|
[10-MAR-2004 12:53:33:132] nsprecv: 4E 45 57 50 41 53 53 57  |NEWPASSW|
[10-MAR-2004 12:53:33:132] nsprecv: 4F 52 44 20 00 00 00 20  |ORD.....|
[10-MAR-2004 12:53:33:132] nsprecv: 38 39 44 46 45 31 46 36  |89DFE1F6|
[10-MAR-2004 12:53:33:132] nsprecv: 37 34 43 38 34 36 45 30  |74C846E0|
[10-MAR-2004 12:53:33:132] nsprecv: 45 39 34 39 43 36 36 30  |E949C660|
[10-MAR-2004 12:53:33:132] nsprecv: 33 32 33 31 39 32 31 35  |32319215|

The hash shown is not the password.

So SQL*Net still transmits clear text passwords. ASO would fix that.

kind regards

Pete 
-- 
Pete Finnigan
email:pete@xxxxxxxxxxxxxxxx
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------

• Follow-Ups:
  • Re: Funny sort of question re sys password
    • From: Mladen Gogala

• References:
  • Funny sort of question re sys password
    • From: Nuno Souto
  • Re: Funny sort of question re sys password
    • From: Pete Finnigan
  • Re: Funny sort of question re sys password
    • From: Nuno Souto

Other related posts:

• » Funny sort of question re sys password
• » RE: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » RE: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » RE: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » RE: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password
• » Re: Funny sort of question re sys password

1. Home
2. oracle-l
3. Archive
4. 03-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---