Re: Oracle 11g/10g Installation Vulnerability

  • From: "Don Seiler" <don@xxxxxxxxx>
  • To: david@xxxxxxxxxxxxxxxxxxxx
  • Date: Tue, 13 Nov 2007 14:26:05 -0600

Is the listener running by default during this window?


On Nov 13, 2007 1:52 PM, David Litchfield <david@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hey all,
> After investigating 11g the other day I came across an interesting issue.
> During the installation of Oracle 11g and 10g all accounts, including the
> SYS and SYSTEM accounts, have their default passwords and only at the end of
> the install are the passwords changed. This means that there is a window of
> opportunity for an attacker to log into the database server during the
> install process. "Which" install options you choose
> determines the size of the window. Full details for those that are
> interested can be found here:
> - since I reported
> this to Oracle on the 3rd of November they've updated their security
> checklist document:
> db_database_20071108.pdf

Don Seiler
