Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security issue with Oracle 8i

From: Mike Delaney <mdelan_at_computer.org>
Date: Tue, 30 Apr 2002 19:40:18 -0500
Message-ID: <slrnacuebi.mmv.mdelan@wallace.lusars.net>


On Tue, 30 Apr 2002 15:50:31 GMT in <3CCEBD46.6D215379_at_exesolutions.com>, dmorgan_at_exesolutions.com said something similar to:
: Philip Chee wrote:

: >
: > Um, I'm a unix sysadmin and this wouldn't be enough to stop me.
: > Assuming I have the time and energy - I do wish someone would invent
: > the 28 hour day especially when deadlines loom.

:
: I would really appreciate knowing how you would approach this (in
: general).

One that immediately comes to mind:

Wait for someone who knows the password to connect, and attach a debugging tool like truss to their SQL*Plus process before they finish typing the password.

There's also the possibility of fishing the encrypted password out of the datafile and mounting a dictionary attack against it, as well as a whole host of other things (such as re-linking one or more of the binaries involved in the authentication process with some trojaned code or a backdoor).

: And why, having been confronted with a request for a password, you would have
: any reason to believe a workaround was possible.

Because root can make the system do *anything* the hardware is capable of.

-- 
Mike Delaney <mdelan_at_computer.org>
"...Microsoft follows standards.  In much the same manner that fish follow 
migrating caribou." "Now I have this image in my mind of a fish embracing and
extending a caribou." -- Paul Tomblin and Christian Bauernfeind in the SDM 
Received on Tue Apr 30 2002 - 19:40:18 CDT
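
Added example, not part of the original post: a defender-side check for the first approach mentioned above, a tracer attached to a running SQL*Plus process. It assumes a Linux host, where the kernel reports an attached tracer in the `TracerPid` field of `/proc/<pid>/status` (truss itself is a Solaris/AIX tool; strace and gdb are the Linux counterparts); the watched process name and the sample status text are constructed for illustration.

```python
import os

WATCHED = {"sqlplus"}  # assumption: process names whose tracing should raise an alert

# Constructed samples in the layout of /proc/<pid>/status on Linux.
SAMPLE_TRACED = ("Name:\tsqlplus\nState:\tS (sleeping)\nPid:\t4242\n"
                 "PPid:\t4100\nTracerPid:\t4301\nUid:\t1001\t1001\t1001\t1001\n")
SAMPLE_CLEAN = SAMPLE_TRACED.replace("TracerPid:\t4301", "TracerPid:\t0")

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def traced(status_text, watched=WATCHED):
    """Return (name, pid, tracer_pid) when a watched process has a tracer attached."""
    fields = parse_status(status_text)
    try:
        pid = int(fields.get("Pid", "0"))
        tracer = int(fields.get("TracerPid", "0"))
    except ValueError:
        return None  # malformed status text
    name = fields.get("Name", "")
    if name in watched and tracer != 0:
        return (name, pid, tracer)
    return None

def scan_proc(proc_root="/proc", watched=WATCHED):
    """Check every numeric entry under proc_root; returns a list of hits."""
    hits = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return hits  # no procfs at this path
    for entry in filter(str.isdigit, entries):
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                hit = traced(fh.read(), watched)
        except OSError:
            continue  # process exited between listdir() and open()
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    print("constructed sample:", traced(SAMPLE_TRACED))
    print("live scan:", scan_proc())
```

Because the check runs on the same host, anyone with root can also alter or silence it, which is the point the post makes; forwarding the hits to a log collector that the host's administrators do not control keeps the record out of their reach.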
