Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security issue with Oracle 8i

From: Philip Chee <philip_at_aleytys.pc.my>
Date: Wed, 01 May 2002 13:50:23 GMT
Message-ID: <1020261023.6058snx@aleytys.pc.my>


In article <slrnacuebi.mmv.mdelan_at_wallace.lusars.net> mdelan_at_computer.org writes:
>On Tue, 30 Apr 2002 15:50:31 GMT in <3CCEBD46.6D215379_at_exesolutions.com>,
>dmorgan_at_exesolutions.com said something similar to:
>: Philip Chee wrote:

>: > Um, I'm a unix sysadmin and this wouldn't be enough to stop me.
>: > Assuming I have the time and energy - I do wish someone would invent
>: > the 28 hour day especially when deadlines loom.

>: I would really appreciate knowing how you would approach this (in
>: general).

I'm persistent. I read the docs, I read the READMEs, I have been known to run strings (unix utility) on Oracle (Financial) binaries to see what actual SQL they are actually running [1]. And these days there's the Great Ghod Ghoogle to invoke.

[1] Our old Oracle Financials box was decommissioned for Y2K reasons but recently someone wanted to run an old report on the old system to get some historical data. It didn't return any data naturally since the report was trying to find data for 2095 AD. Ran strings on the binary. Used a hex editor to change "YY" to "RR". By Gosh it worked. Note: I wouldn't recommend this procedure on a production system!

>: And why, having been confronted with a request for a password, you
>: would have any reason to believe a workaround was possible.

Because I'm also an Oracle person? and I read this newsgroup?

>One that immediately comes to mind:

>Wait for someone who knows the password to connect, and attach a
>debugging tool like truss to their SQL*Plus process before they
>finish typing the password.

That's hard work. I prefer social engineering.

"Hi I'm the VP (IS). I need all your Oracle passwords to carry out this security audit I'm doing on your department"

Philip

---=====================================================================---
 Philip Chee: Tasek Corporation Berhad, P.O.Box 254, 30908 Ipoh, MALAYSIA
 e-mail: philip_at_aleytys.pc.my Voice:+60.5.291.1011 Fax:+60.5.291.9932
 Guard us from the she-wolf and the wolf, and guard us from the thief,
 oh Night, and so be good for us to pass.
-- 
 þ 20516.39 þ File Not Found. Loading something that looks similar.
Received on Wed May 01 2002 - 08:50:23 CDT
