
Re: Exciting Oracle News :: Oracle DB Worm Code Published :: Oracle Passwords Crack in Mere Minutes

From: <bdbafh_at_gmail.com>
Date: 4 Nov 2005 15:28:19 -0800
Message-ID: <1131146899.499933.242410@g43g2000cwa.googlegroups.com>


Joel,

The point of that little script was for handling accounts where a password complexity function was not in place in the default profile years ago. If a piece of code manages to connect to a database instance with an unprivileged account, the next logical step is for the code (or its author, or script-kiddie executing it) to attempt to escalate privileges. The easiest way to do that (aside from CDC or dbms_scheduler security holes) is to retrieve the list of usernames selected from all_users and attempt to connect as those users. Yes, if the malicious user has access to the password hashes and recent cracking tools, it's pretty much game over.

Refer to Pete Finnigan's text: Oracle Security Step-by-Step, 2nd Edition, page 57 - "Action 2.3.1".

Paul

That routine found 12 accounts in an internal database where a password complexity function was not allowed, due to the "amount of inconvenience to the developers".

I wasn't trying to say that it's anything other than what it was - it certainly is not sufficient. It did identify accounts that were not covered by Pete's tools.

Received on Fri Nov 04 2005 - 17:28:19 CST
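A defender-side check for the gap the post describes, added here as an example and not code from the original post or its author: it lists the open accounts whose profile enforces no password complexity function, then attaches one. It assumes a DBA-privileged session and Oracle's stock VERIFY_FUNCTION created by utlpwdmg.sql; the profile and user names come from whatever database it is run against.

```sql
-- Added example (not from the original post): find accounts that sit in a
-- profile with no PASSWORD_VERIFY_FUNCTION, then close the gap.
-- Assumes a DBA session and the stock VERIFY_FUNCTION from utlpwdmg.sql.

-- 1. How each profile sets the verify function. In dba_profiles an unset
--    function shows as the string 'NULL'; 'DEFAULT' means "inherit from
--    the DEFAULT profile", which ships with 'NULL' unless a DBA changed it.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
 ORDER BY profile;

-- 2. Open accounts whose effective profile enforces no complexity function.
--    These are the accounts a username-equals-password guess would hit.
SELECT u.username, u.profile, u.account_status
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
 WHERE u.account_status = 'OPEN'
   AND (p.limit = 'NULL'
        OR (p.limit = 'DEFAULT'
            AND (SELECT d.limit
                   FROM dba_profiles d
                  WHERE d.profile = 'DEFAULT'
                    AND d.resource_name = 'PASSWORD_VERIFY_FUNCTION') = 'NULL'))
 ORDER BY u.profile, u.username;

-- 3. Remediation: create the complexity function first
--    (run $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS), then attach it to
--    the DEFAULT profile so every profile that inherits DEFAULT picks it up.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_function;

-- 4. Force each account reported by step 2 to choose a compliant password
--    at its next logon (placeholder name; substitute each reported user).
-- ALTER USER <username_from_step_2> PASSWORD EXPIRE;
```

Profiles that set their own function explicitly are untouched by step 3, so re-run step 2 afterwards to confirm the list is empty.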
