Thursday, 28 December 2006

ALTER SESSION BUG DEMONSTRATION

Hey all,
If you would like to see a demonstration of how to GRANT DBA TO PUBLIC as a low privileged user, I have written a short paper which shows you exactly how to do so. It is based on imperva's bug finding and a demonstration I have seen by Alex Kornbrust. You can read the paper here www.orasec.com
Paul

Monday, 25 December 2006

Oracle Password security

On the 27th of November a posting to the DBSEC list at freelists showed
how to gain a users password from a combination of their password hash and a packet capture of their authentication.
http://www.freelists.org/archives/dbsec/11-2006/msg00005.html

There are a significant amount of DBA's in the field who rely on the fact that a high security complex password will make
their Oracle DB secure. Current thinking about rainbow tables
has been that simple passwords on known user names are
beatable but complex passwords with special characters are safe. This is not the case.

There have been a number of ways of gaining access to the password hashes.
Not least of these is the DBSNMP account. Also orapwd utility and many files at the operating system level that are unsecured by default
give access to the hashes.

Having to think about defending against some one with the DBA's
legitimate password is going to be a big change for a lot of peoples
security strategies.

This is going to require closer attention to securing SYS.USER$ table and network communications meaning that privileged SQL*PLUS connections will
now require SSH.

In short, the hashes in user$ should now be regarded as being plain text
when devising a defense plan.