Re: Risk of knowing password hash value (Was: OEM permissions)

Yes, I misunderstood.

Once I change the password, I can no longer connect to the account.

My hasty little test was missing an important condition: I should have pretended I didn't know the password to the other database, which would prevent me from logging back on exploiting the db link.

Wonder if there's a way around it though?

I spent a few minutes looking for a way around that problem, and couldn't find one. Oracle may have covered the bases on this, they've had a few years to perfect it.

Jared

On Mon, 2003-12-22 at 21:19, Yong Huang wrote:
> Hey, you're working late!
>
> OK. I think you misunderstood. I know you take SYSTEM as an example user. Let's
> say it's SCOTT who has select_catalog_role. If you login to your own database
> as SCOTT and change his password hash value, you don't know the clear text
> password any more. How can you log out and log back in as SCOTT? That's why I
> ask if you can use the link without logging out after changing the password?
>
> Yong
>
> --- Jared Still <jkstill_at_cybcon.com> wrote:
> > It doesn't matter which account I logged into DB2 with, as
> > long as that account has privileges to read DBA_USERS.
> >
> > SYSTEM was used simply because it was the only account
> > on the database that could be logged into remotely, so
> > my test could be run without switching between machines.
> >
> > If I had granted SELECT_CATALOG_ROLE to scott, I could
> > have logged in as SCOTT and done the same.
> >
> > Jared
> >
> > On Mon, 2003-12-22 at 20:19, Yong Huang wrote:
> > > Jared,
> > >
> > > I see you log out and log back in as SYSTEM to DB2. But how do you know the
> > > password for SYSTEM to log back in with after you change it?
> > >
> > > What if you don't log out? When I tried that (i.e. not logging out), I got
> > > ORA-1017.
> > >
> > > Yong Huang
> > >
> > > --- Jared Still <jkstill_at_cybcon.com> wrote:
> > > > Environment:
> > > >
> > > > DB1: RH 8.0 with Oracle EE 9.2.0.4
> > > >
> > > > DB2: Win2k SP3 with Oracle EE 9.2.0.1
> > > >
> > > > SYSTEM user on each database initially have different passwords.
> > > >
> > > > It goes something like this:
> > > >
> > > > DB1:
> > > >
> > > > select password from dba_users where username = 'SYSTEM';
> > > >
> > > > Let's say the result is 'AC424SDK4398'
> > > >
> > > > DB2:
> > > >
> > > > Logon to DB2 as SYSTEM.
> > > >
> > > > alter user SYSTEM identified by values 'AC424SDK4398';
> > > > create database link systemlink using 'DB1';
> > > >
> > > > Logout, and log back on to DB2 as SYSTEM.
> > > >
> > > > select count(*) from v$session_at_systemlink;
> > > >
> > > > Works for me in this environment. DB2 is compromised.
> > > >
> > > > HTH
> > > >
> > > > Jared
> > > >
> > > >
> > > >
> > > > On Mon, 2003-12-22 at 08:29, Yong Huang wrote:
> > > >
> > > > > Hi, Gregory,
> > > > >
> > > > > I only have access to Oracle 9.2 on my laptop. Here's my test. I have
> > ORCL
> > > > and
> > > > > AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I
> > logon
> > > > > AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL.
> > > > Create
> > > > > link L to ORCL without password. Selecting from a table in ORCL @L
> > (i.e.
> > > > select
> > > > > * from yongtest_at_l) throws ORA-1017 invalid username/password.
> > > > >
> > > > > Alternatively, I logon as SYS and create a procedure owned by SYSTEM,
> > with
> > > > one
> > > > > line execute imediate('select count(*) from yongtest_at_l'). When I
> > execute
> > > > > system.<this procedure> as SYS, I get ORA-1005 null password given. (I
> > > > could
> > > > > use DBMS_SYS_SQL but using the execute immediate trick obviates the
> > need to
> > > > > remember the syntax in that undocumented package).
> > > > >
> > > > > If I use connect to current_user to create the link, I always get
> > ORA-28030
> > > > > Server encountered problems accessing LDAP directory service.
> > > > >
> > > > > Could you try on your databases and show how you do it? As I said, this
> > may
> > > > be
> > > > > a security problem. I'm just too ignorant of it and can't reproduce it
> > for
> > > > now.
> > > > >
> > > > > Yong Huang
> > > > >
> > > > > Norris, Gregory T [ITS] wrote:
> > > > >
> > > > > There's no reason I can see that he couldn't create the dblink first,
> > and
> > > > then
> > > > > reset the password using the encrypted value. Alternately, the dblink
> > > > could be
> > > > >
> > > > > created using the DBMS_SYS_SQL package... no knowledge of the current
> > > > password
> > > > > required.
> > > > >
> > > > > create database link foo
> > > > > connect to current_user
> > > > > using 'bar';
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > New Yahoo! Photos - easier uploading and sharing.
> > > http://photos.yahoo.com/
> > >
> >
> >
>
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).