Oracle clear text passwords (#NISR2122004D)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 12/23/04

  • Next message: NGSSoftware Insight Security Research: "Oracle ISQLPlus file access vulnerability (#NISR2122004E)"
    To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Thu, 23 Dec 2004 16:34:40 -0000
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 10g clear text passwords
    Systems Affected: Oracle 10g on all operating systems
    Severity: Medium Risk
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield [ davidl at ngssoftware.com ]
    Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR2122004D
    Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004D.txt

    Description
    ***********
    The 10g Oracle database server may have passwords in clear text in world
    readable files.

    Details
    *******
    The password for the SYSMAN account (a DBA) can be found in
    $ORACLE_HOME/hostname_sid/sysman/config/emoms.properties. This file is world
    readable.

    Also, on installing Oracle 10g if the installer supplies the same password
    for the SYS, SYSTEM, DBSNMP and SYSMAN accounts and that password has an
    exclamation mark in it (e.g. f00bar!!) then an error occurs in the DB
    install when the passwords are set for SYSMAN and DBSNMP. This error is
    logged to the "postDBCreation.log" logging the password.

    alter user SYSMAN identified by f00bar!! account unlock
    ERROR at line 1:
    ORA-00922: missing or invalid option

    alter user DBSNMP identified by f00bar!! account unlock
    ERROR at line 1:
    ORA-00922: missing or invalid option

    This file is world readable giving attackers access to what the passwords
    are for these powerful accounts. Please note that no error is generated for
    SYS or SYSTEM and these accounts are assigned the password f00bar!!. The
    other accounts are given their default passwords.

    Fix Information
    ***************
    A patch (#68) was released for this problem by Oracle. See
    http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
    (http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
    your Oracle servers are vulnerable to this.

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


  • Next message: NGSSoftware Insight Security Research: "Oracle ISQLPlus file access vulnerability (#NISR2122004E)"

    Relevant Pages

    • Oracle 8 - revealing clear text passwords from the SGA
      ... Oracle 8 - revealing clear text passwords from the SGA ... needs to have been set to the same directory as the trace file location ... SQL> select name,value ...
      (Pen-Test)
    • Re: changing pswds of standard accounts
      ... We have a directive to change *all* passwords every 150 days, ... Here are the accounts in question, ... will provided you haven't hard coded it into shell scripts and the like. ... Puget Sound Oracle Users Group ...
      (comp.databases.oracle.server)
    • Re: Exciting Oracle News :: Oracle DB Worm Code Published :: Oracle Passwords Crack in Mere Minutes
      ... Note the cross-posts on the original. ... And yes, there are dangers. ... or making sure they have non-default passwords. ... Perhaps Oracle should put a warning on the install: ...
      (comp.databases.oracle.server)
    • RE: Oracle Bruteforce
      ... You need to know the IP and Port where the Oracle DB server is running ... I'd be interested in tools/techniques for testing "default" oracle passwords from remote ... Download FREE whitepaper on how a managed service can ...
      (Pen-Test)
    • Oracle clear text passwords (#NISR2122004D)
      ... NGSSoftware Insight Security Research Advisory ... Oracle 10g on all operating systems ... The 10g Oracle database server may have passwords in clear text in world ... are for these powerful accounts. ...
      (NT-Bugtraq)