Re: Security issue with Oracle 8i
On Tue, 30 Apr 2002 15:50:31 GMT in <3CCEBD46.6D215379_at_exesolutions.com>,
dmorgan_at_exesolutions.com said something similar to:
: Philip Chee wrote:
: > Um, I'm a unix sysadmin and this wouldn't be enough to stop me.
: > Assuming I have the time and energy - I do wish someone would invent
: > the 28 hour day especially when deadlines loom.
One that immediately comes to mind:
Wait for someone who knows the password to connect, and attach a debugging tool like truss to their SQL*Plus process before they finish typing the password.
There's also the possibility of fishing the encrypted password out of the datafile and mounting a dictionary attack against it, as well as a whole host of other things (such as re-linking one or more of the binaries involved in the authentication process with some trojaned code or a backdoor).
: And why, having been confronted with a request for a password, you would have
: any reason to believe a workaround was possible.
Because root can make the system do *anything* the hardware is capable of.
--
Mike Delaney <mdelan_at_computer.org>
"...Microsoft follows standards. In much the same manner that fish follow migrating caribou."
"Now I have this image in my mind of a fish embracing and extending a caribou."
-- Paul Tomblin and Christian Bauernfeind in the SDM

Received on Tue Apr 30 2002 - 19:40:18 CDT
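
A defender's view of the first technique in the post above, as an added example that is not part of the original post: on Linux, a process with a tracer attached (strace being the Linux counterpart of truss) shows a non-zero `TracerPid` in `/proc/<pid>/status`. The Linux host, the watched process name `sqlplus` and the sample records are assumptions constructed for illustration.

```python
import os

WATCHED = {"sqlplus"}  # assumption: process names worth alerting on

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def traced(status_texts, watched=WATCHED):
    """Return (pid, name, tracer_pid) for watched processes with a tracer attached."""
    hits = []
    for text in status_texts:
        f = parse_status(text)
        try:
            pid, tracer = int(f["Pid"]), int(f["TracerPid"])
        except (KeyError, ValueError):
            continue  # truncated or unexpected record: skip rather than crash
        if tracer != 0 and f.get("Name") in watched:
            hits.append((pid, f["Name"], tracer))
    return hits

def read_live(proc="/proc"):
    """Yield the status text of every live process (Linux only)."""
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "status")) as fh:
                    yield fh.read()
            except OSError:
                continue  # process exited or is unreadable

# Constructed sample records, so the example runs offline.
SAMPLE = [
    "Name:\tsqlplus\nState:\tS (sleeping)\nPid:\t4211\nPPid:\t4100\nTracerPid:\t4350\n",
    "Name:\tsqlplus\nState:\tS (sleeping)\nPid:\t4212\nPPid:\t4101\nTracerPid:\t0\n",
    "Name:\tbash\nState:\tS (sleeping)\nPid:\t4100\nPPid:\t1\nTracerPid:\t0\n",
]

if __name__ == "__main__":
    for pid, name, tracer in traced(SAMPLE):
        print(f"ALERT: {name} pid {pid} is being traced by pid {tracer}")
```

Pass `read_live()` instead of `SAMPLE` to check a running host. Since the post's premise is an operator with root, ship the result off-host rather than relying on it locally.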