Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

From: Jared Still <jkstill_at_cybcon.com>
Date: Mon, 22 Dec 2003 15:09:24 -0800
Message-ID: <F001.005DAA92.20031222150924@fatcity.com>


Environment:

DB1: RH 8.0 with Oracle EE 9.2.0.4

DB2: Win2k SP3 with Oracle EE 9.2.0.1

SYSTEM user on each database initially have different passwords.

It goes something like this:

DB1:

select password from dba_users where username = 'SYSTEM';

Let's say the result is 'AC424SDK4398'

DB2:

Logon to DB2 as SYSTEM.

alter user SYSTEM identified by values 'AC424SDK4398'; create database link systemlink using 'DB1';

Logout, and log back on to DB2 as SYSTEM.

select count(*) from v$session_at_systemlink;

Works for me in this environment. DB2 is compromised.

HTH Jared

On Mon, 2003-12-22 at 08:29, Yong Huang wrote:

> Hi, Gregory,
>
> I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL and
> AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I logon
> AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL. Create
> link L to ORCL without password. Selecting from a table in ORCL @L (i.e. select
> * from yongtest_at_l) throws ORA-1017 invalid username/password.
>
> Alternatively, I logon as SYS and create a procedure owned by SYSTEM, with one
> line execute imediate('select count(*) from yongtest_at_l'). When I execute
> system.<this procedure> as SYS, I get ORA-1005 null password given. (I could
> use DBMS_SYS_SQL but using the execute immediate trick obviates the need to
> remember the syntax in that undocumented package).
>
> If I use connect to current_user to create the link, I always get ORA-28030
> Server encountered problems accessing LDAP directory service.
>
> Could you try on your databases and show how you do it? As I said, this may be
> a security problem. I'm just too ignorant of it and can't reproduce it for now.
>
> Yong Huang
>
> Norris, Gregory T [ITS] wrote:
>
> There's no reason I can see that he couldn't create the dblink first, and then
> reset the password using the encrypted value. Alternately, the dblink could be
>
> created using the DBMS_SYS_SQL package... no knowledge of the current password
> required.
>
> create database link foo
> connect to current_user
> using 'bar';
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Yong Huang
> INET: yong321_at_yahoo.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Mon Dec 22 2003 - 17:09:24 CST

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US