Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Mailing Lists -> Oracle-L -> RE: Risk of knowing password hash value (Was: OEM permissions)
Very Nice. I didn't know how the 2 values were used within the hashing
algorithm.
I would have thought it was a little more complex.
-----Original Message-----
Sent: Tuesday, December 23, 2003 4:45 PM
To: Multiple recipients of list ORACLE-L
Actually, the concatenated string of userid and password is hashed. So if that is same, you got yourself the same hashed password.
Consider this:
SQL> create user ABC identified by DEF;
User created.
SQL> create user ABCD identified by EF;
User created.
SQL> select password from dba_users where username in ('ABC','ABCD');
PASSWORD
They have the same password hash, even though the password is different. It's a trick we use in auditing for security holes in the database.
HTH. Arup
> No. Two different users with the same password would have different hash
> values.
>
> So you would have to loop through a "dictionary list" for each user within
> your local database. Once you got a match, then you could logon to the
> target database with that user/password combo.
>
> -----------------------------------------
> Alan Davey
> Senior Analyst/Project Leader
> Oracle 9i OCA; 3/4 OCP
> w) 973.267.5990 x458
> w) 212.295.3458
>
>
>
> -----Original Message-----
> Sent: Tuesday, December 23, 2003 3:29 PM
> To: Multiple recipients of list ORACLE-L
>
>
> Not really... you could easily compile a list of passwords and their
> associated hashes. Once this is done, it's just a simple matter of
matching
> the hashes.
>
> -----Original Message-----
> Jared Still
> Sent: Tuesday, December 23, 2003 1:24 PM
> To: Multiple recipients of list ORACLE-L
>
>
> As long Oracle can manage to keep its modified DES algorithm
> secret, this should make it somewhat difficult to crack passwords
> in the manner that can be done with unix passwords.
>
> It could still be done, but the time required would make
> it just too time consuming IMO.
>
> Jared
>
>
> On Tue, 2003-12-23 at 09:44, Stephen.Lee_at_DTAG.Com wrote:
> >
> > When I brought the issue up, I didn't know if one could in fact
> maliciously
> > use that info. And, as I originally stated, it was something I had not
> > tried. But paranoia (healthy, I think) dictates there's gotta be a way.
> > When one looks at the Unix password world which brought about the
> necessity
> > for a shadow file, and the evils of the old NIS where ypcat was
available,
> > you have to wonder why allowing access to the encrypted passwords for
Unix
> > is considered a dumb thing to do, but somehow in Oracle it would be an
OK
> > thing to do. I'm inclined to say that Oracle restricted access to the
> views
> > and underlying tables for reasons more substantial than just to
frustrate
> > non-privileged users. And, if I'm not mistaken, the specs on the views
> are
> > "subject to change without notice". I have enough to do without trying
to
> > stay on top of every stinkin' view in Oracle in every stinkin' release
and
> > how one might use that view in naughty ways.
> >
> > For what it's worth, after haggling and fussing, we were able to
> compromise
> > on this. We haven't tried to tear each of these apart to see how it
might
> > be abused. If any of you have some warnings to provide, please do!
> >
> > -- Must run this as SYS
> >
> > create role DBARTISAN_USER_ROLE;
> >
> > grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
> > grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;
> >
> > grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > --
> > Author: <Stephen.Lee_at_DTAG.Com
> > INET: Stephen.Lee_at_DTAG.Com
> >
> > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > San Diego, California -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
> >
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Jared Still
> INET: jkstill_at_cybcon.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Norris, Gregory T [ITS]
> INET: gregory.t.norris_at_mail.sprint.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
>
> "This information in this e-mail is intended solely for the addressee and
> may contain information which is confidential or privileged. Access to
this
> e-mail by anyone else is unauthorized. If you are not the intended
> recipient, or believe that you have received this communication in error,
> please do not print, copy, retransmit, disseminate, or otherwise use the
> information. Also, please notify the sender that you have received this
> e-mail in error, and delete the copy you received."
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Davey, Alan
> INET: Alan.Davey_at_encodasystems.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
-- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Arup Nanda INET: orarup_at_hotmail.com Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). "This information in this e-mail is intended solely for the addressee and may contain information which is confidential or privileged. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please notify the sender that you have received this e-mail in error, and delete the copy you received." -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Davey, Alan INET: Alan.Davey_at_encodasystems.com Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Tue Dec 23 2003 - 16:09:26 CST