
password hash and db link is a risk (was OEM permissions)

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Wed, 24 Dec 2003 06:24:38 -0800
Message-ID: <F001.005DB010.20031224062438@fatcity.com>


Hi

There are risks with knowing the password hash for any user, not just system. Unfortunately, reading it from dba_users is not the only way to get it. There are a number of other options as well that I won't go into here.

As Arup pointed out, the password hash is calculated from the username and password, and hence it is possible to get the same hash from different username / password combos. I have written about this fact previously and also this is how most of the PL/SQL alter user password crackers work, see http://home.earthlink.net/~adamshalon/oracle_password_cracker - there is also a more sophisticated one written by some Russian guys, I cannot remember the link offhand at the moment - but if anyone wants it I can find it. PL/SQL crackers using alter user commands are not much use for cracking passwords though, as the performance is dire. BUT if done offline and with a reasonable size dictionary, even this method can be used to find weak passwords. Brute forcing would not be an option with these tools though, unless the password was weak or short.

It is not possible to reverse the clear text password from the hash, as the algorithm is not reversible. Oracle uses a password algorithm and it has not been made public, as they wish it to remain secret. Some of the commercial Oracle security audit tools, such as AppDetective from www.appsecinc.com, include a real password cracker that does perform, as they are probably written in C, and use this algorithm, so these could be used for dictionary attacks on known hashes or brute force attacks.

The hack shown by Yong and Jared doesn't work; as Jared pointed out, the password is cached and you need to log back in, and for that you need the password. BUT I have been able to exploit this issue of a current user database link, a known hash and not known password using a different approach. In the interests of not revealing how to hack Oracle on a public forum, I won't go into details. I am also working on a second method to exploit a known hash and a current user link. I will report what I have found to Oracle secalert after I have written it up.

The bottom line is: protect the password hashes, as although it is not easy to exploit a known hash, it is easier to crack a known hash given time.

kind regards

Pete
--

Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Wed Dec 24 2003 - 08:24:38 CST