
Risk of knowing password hash value (Was: OEM permissions)

From: Yong Huang <yong321_at_yahoo.com>
Date: Mon, 22 Dec 2003 08:29:34 -0800
Message-ID: <F001.005DAA63.20031222082934@fatcity.com>


Hi, Gregory,

I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL and AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I log on to AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL. Create link L to ORCL without password. Selecting from a table in ORCL @L (i.e. select * from yongtest@l) throws ORA-1017 invalid username/password.

Alternatively, I log on as SYS and create a procedure owned by SYSTEM, with one line execute immediate('select count(*) from yongtest@l'). When I execute system.<this procedure> as SYS, I get ORA-1005 null password given. (I could use DBMS_SYS_SQL, but using the execute immediate trick obviates the need to remember the syntax in that undocumented package.)

If I use connect to current_user to create the link, I always get ORA-28030 Server encountered problems accessing LDAP directory service.

Could you try on your databases and show how you do it? As I said, this may be a security problem. I'm just too ignorant of it and can't reproduce it for now.

Yong Huang

Norris, Gregory T [ITS] wrote:

There's no reason I can see that he couldn't create the dblink first, and then reset the password using the encrypted value. Alternately, the dblink could be created using the DBMS_SYS_SQL package... no knowledge of the current password required.

	create database link foo
	   connect to current_user
	   using 'bar';

Received on Mon Dec 22 2003 - 10:29:34 CST
