| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: Risk of knowing password hash value (Was: OEM permissions)
Environment:
DB1: RH 8.0 with Oracle EE 9.2.0.4
DB2: Win2k SP3 with Oracle EE 9.2.0.1
SYSTEM user on each database initially have different passwords.
It goes something like this:
DB1:
select password from dba_users where username = 'SYSTEM';
Let's say the result is 'AC424SDK4398'
DB2:
Logon to DB2 as SYSTEM.
alter user SYSTEM identified by values 'AC424SDK4398'; create database link systemlink using 'DB1';
Logout, and log back on to DB2 as SYSTEM.
select count(*) from v$session_at_systemlink;
Works for me in this environment. DB2 is compromised.
HTH Jared
On Mon, 2003-12-22 at 08:29, Yong Huang wrote:
> Hi, Gregory,
>
> I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL and
> AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I logon
> AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL. Create
> link L to ORCL without password. Selecting from a table in ORCL @L (i.e. select
> * from yongtest_at_l) throws ORA-1017 invalid username/password.
>
> Alternatively, I logon as SYS and create a procedure owned by SYSTEM, with one
> line execute imediate('select count(*) from yongtest_at_l'). When I execute
> system.<this procedure> as SYS, I get ORA-1005 null password given. (I could
> use DBMS_SYS_SQL but using the execute immediate trick obviates the need to
> remember the syntax in that undocumented package).
>
> If I use connect to current_user to create the link, I always get ORA-28030
> Server encountered problems accessing LDAP directory service.
>
> Could you try on your databases and show how you do it? As I said, this may be
> a security problem. I'm just too ignorant of it and can't reproduce it for now.
>
> Yong Huang
>
> Norris, Gregory T [ITS] wrote:
>
> There's no reason I can see that he couldn't create the dblink first, and then
> reset the password using the encrypted value. Alternately, the dblink could be
>
> created using the DBMS_SYS_SQL package... no knowledge of the current password
> required.
>
> create database link foo
> connect to current_user
> using 'bar';
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Yong Huang
> INET: yong321_at_yahoo.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
-- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Jared Still INET: jkstill_at_cybcon.com Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Mon Dec 22 2003 - 17:09:24 CST
 |
 |