I found it strange that Oracle went to the trouble of removing passwords from the dba_users table, but gives the troublesome accounts like dbsnmp access to the sys.user$ table. It's good to know they have fixed this is 12. It has been longp assed time since passwords have needed to be longer than eight characters. Length and complexity are both important, however when passwords become very long and complicated they become extremely difficult to enter correctly or to remember. This may in users keeping their password's written on a cheat sheet. The long complicated password may have guarded against cracking, but provided no protection against surreptitious entry using the cheat sheet. That is why pass phrases may be better than over complex passwords. Phrases such as "Hear6Parrotsskwawk." are better than "X%2+<935()pw0ncD*?V" Seth, you used the term complex. That term needs to defined. Both the above passwords use lower case letters, upper case letters, digits, and special characters. Both may use any of those at a particular position in the password, however , one need not spell out or even purposely misspell out a phrase. The second style of password has this freedom. It therefore allows for more permutations than the first. However the first password is enterable by a human. Let's say a site has 100 databases to look after, and I want to use Enterprise manager. Let's also say that passwords need to be changed every six months. Changing the dbsnmp password for 100 databases and entering those passwords into Grid Control is time consuming. However long passwords of the first style can be used. The dbsnnp password is usuallynot entered each time, so it is possible to have a 30 byte password composed of any permutation lower case letters, upper case letters, digits, and special characters allowed by Oracle. Now it isn't as safe as having 100 different passwords, but is it safe enough to be reused at all? As you add databases the prospect of different passwords everywhere becomes difficult in practice. If not at 100 databases than perhaps at 1000 or 10000. In these cases databases may be assigned to a group, and members of a group would share the password. However not every database would have a different password. Ian MacGregor -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Seth Miller Sent: Wednesday, July 16, 2014 3:15 PM To: De DBA Cc: Oracle-L Freelists Subject: Re: Interesting Hack Tony, We can safely give Oracle credit on this. They've done a very good job in making sure the passwords are well encrypted while stored in the database. The table that stores this data is only visible to users that need access to it. In fact, 12c has revoked access to user$ (among other sensitive tables) from the "SELECT ANY DICTIONARY" role to which DBSNMP is still granted. "For better security, the SELECT ANY DICTIONARY system privilege no longer permits you to query the SYS schema system tables DEFAULT_PWD$, ENC$, LINK$,USER$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$, and XS$VERIFIERS." <http://docs.oracle.com/cd/E16655_01/network.121/e17607/release_changes.htm#DBSEG672> One way hashed passwords will always be brute force crackable given a system that has already been compromised and a weak password. This is precisely why passwords should NEVER be reused anywhere, ever, under any circumstances, no matter what, given any situation, under any scenario...ever. And, they should be something <http://arstechnica.com/security/2012/08/passwords-under-assault/> that will never be in a "Rainbow Table". I could post the user$.spare4 of all of my databases and the shadow file of all of my servers on the internet and sleep well knowing they will never be cracked. If any DBA or sysadmin can't do the same, <insert offensive sarcastic statement here>. Seth Miller On Fri, Jul 11, 2014 at 12:21 AM, De DBA <dedba@xxxxxxxxxx> wrote: Ah, I see.. and am flabbergasted. Your original post had me think that the entire value in the SPARE4 column was the result of the sha1 hash, but it actually is the hash, plus the unencrypted salt concatenated to it! So your pseudo-code becomes: if sha1(sha1(password) || bin(substr(spare4, 43, 20)))||substr(spare4, 43, 20) == spare4 then cracked! Amazing. What bright light could have imagined that this constitutes security? Even I, simple DBA, can imagine that if you give a cracker the actual key, they may get in... Thanks, Tony On 11/07/14 14:29, Seth Miller wrote: Actually, your second one is really close but you have to change the salt to binary before adding it to the hash. perl -mDigest::SHA -e 'use Digest::SHA qw/sha1 sha1_hex/; $a=Digest::SHA->new(1); $a->add( $ARGV[0]); $a->add( pack "H*", "3A2BACEE5639367A6F9A" ); print uc( $a->hexdigest ), "\n";' 1TestTestTest 7E41F29D8CF37C3753C1BC0FFD4474805C473E8D You're quite right about this being somewhat moot. If someone has access to DBSNMP, your database is probably already compromised. But, if bad guy is not looking for data in that database but is looking for passwords because bad guy is assuming other servers have tastier treats and dummy DBA used the same DBSNMP password on all the databases... Seth On Thu, Jul 10, 2014 at 9:40 PM, De DBA <dedba@xxxxxxxxxx> wrote: Not contesting that brute-force cracking tools are plenty available, I think there may be a thought error here.. if the SPARE4 column is the SHA1 hash of two concatenated values, then how could the 2nd value be equal to the last 20 characters of that hash? In my 11.2.0.1. instance it doesn't work like that: SQL> create user test identified by "1TestTestTest"; User created. SQL> select user#, name, password, spare4, substr(spare4, 43, 20) salt from user$ where name = 'TEST'; USER#|NAME |PASSWORD |SPARE4 |SALT ==========|=========================|===================================|======================================================================|===================== 113|TEST |A02061EDD343E9BE |S:7E41F29D8CF37C3753C1BC0FFD4474805C473E8D3A2BACEE5639367A6F9A |3A2BACEE5639367A6F9A 1 row selected. # calculate hash using concatenated sha1 hex strings: $ perl -mDigest::SHA -e 'use Digest::SHA qw/ sha1_hex /; print sha1_hex( sha1_hex($ARGV[0]) . "3A2BACEE5639367A6F9A" ), "\n";' 1TestTestTest 981887b207411feee08b8e152330daabc8439c67 # calculate hash using pure sha1 values: $ perl -mDigest::SHA -e 'use Digest::SHA qw/sha1/; $a=Digest::SHA->new(1); $a->add( sha1( $ARGV[0]) ); $a->add( "3A2BACEE5639367A6F9A" ); print $a->hexdigest, "\n";' 1TestTestTest ef443979df05151e034feef43da02fb7b256997d Also, in order to user the spare4 column for cracking passwords, the cracker must first have access to the system tablespace, no? In a normal production system this would constitute a security breach in itself... Also TDE may prevent this kind of cracking, unless the cracker has already access to a DBA account, in which case knowledge of passwords is irrelevant anyway.. Cheers, Tony On 11/07/14 08:17, Seth Miller wrote: Yes, they are salted making a reverse lookup ostensibly impossible. However, the spare4 column is simply the sha1 hash of the 40 character sha1 hash of the password concatenated with a 20 character salt. How the salt was created doesn't matter. There are dozens of scripts on the internet for brute force cracking Oracle database passwords. if sha1(sha1(password) || substr(spare4, 43, 20)) == spare4 then cracked! Seth On Thu, Jul 10, 2014 at 3:33 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx> wrote: How are they already cracked? I thought all hashed passwords were salted to avoid a simple lookup against pre-built tables. Or are you saying they’ve cracked every 8 character password for every possible salt value? From: Seth Miller [mailto:sethmiller.sm@xxxxxxxxx] Sent: Thursday, July 10, 2014 3:24 PM To: McPeak, Matt Cc: curtisbl@xxxxxxxxx; oracle@xxxxxxxxxxx; Oracle-L Subject: Re: Interesting Hack It depends on the length and complexity of the password used. Any combination of eight characters or less is sitting in a rainbow table you can download right now and is already cracked. Longer passwords without sufficient complexity will be cracked as well. If you think you have outwitted a hacker by using l33t to come up with "70rchw00d", you deserve to be hacked. #BrokenRecord Seth On Thu, Jul 10, 2014 at 2:03 PM, McPeak, Matt <vxsmimmcp@xxxxxxxxxx> wrote: The article casually mentions cracking the password hash to get the system password. I didn’t know it was that easy! From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Bobby Curtis Sent: Thursday, July 10, 2014 1:17 PM To: sethmiller.sm@xxxxxxxxx Cc: oracle@xxxxxxxxxxx; Oracle-L Subject: Re: Interesting Hack Seth, Not harsh at all. I thought it was an interesting hack as well. I think the point of this hack example was to highlight what not to do; but we are all human and don’t listen half the time. Bobby On Jul 10, 2014, at 12:36, Seth Miller <sethmiller.sm@xxxxxxxxx> wrote: That is interesting except DBSNMP does not have a default password. If your application is not using bind variables (which would prevent this simple sql injection) and you are dumb enough to set your privileged DBSNMP account password to DBSNMP, you deserve to be hacked. Am I being too harsh? Seth On Wed, Jul 9, 2014 at 7:32 PM, Dave Morgan <oracle@xxxxxxxxxxx> wrote: Granted the database security was crap to begin with but I did not know the escape to shell trick. http://www.notsosecure.com/blog/2014/07/08/abusing-oracles-create-database-link-privilege-for-fun-and-profit/ Dave -- Dave Morgan Senior Consultant, 1001111 Alberta Limited dave.morgan@xxxxxxxxxxx 403 399 2442 -- //www.freelists.org/webpage/oracle-l ��i��0���zX���+��n��{�+i�^