Re: Funny sort of question re sys password

>In article <EA29A3FCC723674293FD6286D3F0513E572673_at_louis.cerebrus.com>,
>David Sharples <dsharples_at_cerebrussolutions.com> writes
>I believe you can do this by using trace files - and apparently can
>take
>a lot less :-)

Hi,

You can do this but only up to 9.2.0.3 Oracle have finally fixed this hole. I do not believe that they released as an advisory though and i don't think that the fix is backported.

I found this way to get passwords about three years ago and wrote about it at the time in a posting to the pen-test mailing list on securityfocus. There is a link to my posting on my website at http://www.petefinnigan.com/orasec.htm - the link is called "Revealing clear text passwords from the SGA" - basically you dump the library cache and if someone has changed a password or added a user the password can be read from the trace file. It depends on being able to do alter session and being able to read the trace files and in this case it would depend on someone changing the SYS password or at least a user who has alter user privilege.

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request_at_freelists.org
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------