Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Mon, 1 Nov 2004 21:56:31 +1100
Message-ID: <4186164e$0$32443$afc38c87@news.optusnet.com.au>


OK, one quick test later.

Knock up a silly application in MS Access that links to the EMP table. When you query it in V$SESSION, it is listed as program MSACCESS.EXE.

Drop to the operating system and rename c:\program files\etc\etc\etc\MSACCESS.EXE HJR.EXE.

Re-run the silly MS Access app: V$SESSION now sees it as program HJR.EXE.

Pete's right, in other words: if the application is instrumented to reveal its name, then merely renaming the executable doesn't do anything. But if the application is "oracle blind", and doesn't know/care to reveal its identity via dbms_application_info, then a simple rename will fool the system.

Regarding the original paper, that's not an issue, since both SQL*Plus and iSQL*Plus instrument properly. But ODBC applications certainly don't.

Regards
HJR

"Pete Finnigan" <plsql_at_petefinnigan.com> wrote in message news:sh6rgeB2afhBRxpy_at_peterfinnigan.demon.co.uk...
>>Excellent question. You realise it will require some testing and research
>>won't you!? (In other words, I'll get back to you on that one!!).
>>But it will appear as a new paragraph at the end of the existing paper,
>>because it's such a good issue to address.
>>
>>It is because people ask good questions that we (together) learn good
>>stuff.
>>
>>Regards
>>HJR
> Hi Howard,
>
> I answered this question over a year ago in relation to SQL*Plus in my
> newsletter http://www.petefinnigan.com/news_letter_001.pdf - In there I
> renamed the SQL*Plus binary on the client and on the server and the
> values in v$session did not change. In other words Oracle networking
> still knew it was SQL*Plus even though the binary is now called
> "hacker". I guess this is because SQL*Plus identifies itself internally
> to the network stack. I don't know if the same will work if you use a
> third party application unless that application uses
> dbms_application_info to set up values.
>
> hth
>
> Kind regards
>
> Pete
> --
> Pete Finnigan (email:pete_at_petefinnigan.com)
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Oracle security blog:
> http://www.petefinnigan.com/weblog/entries/index.html
> Book:Oracle security step-by-step Guide - see http://store.sans.org for
> details.
Received on Mon Nov 01 2004 - 04:56:31 CST
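To see the difference between the two identity sources the thread discusses, here is an added illustration (not from Howard's or Pete's posts) that assumes a user with SELECT on V$SESSION and the constructed module/action/client_info values shown; note that PROGRAM, MODULE, ACTION and CLIENT_INFO are all asserted by the client, so none of them is a trustworthy basis for access decisions.

```sql
-- Added example, not from the thread. Assumes SELECT on V$SESSION.
-- PROGRAM is taken from the client executable name (renamable, as Howard
-- showed); MODULE/ACTION/CLIENT_INFO are whatever the client chooses to
-- report through DBMS_APPLICATION_INFO.

-- 1. An uninstrumented ODBC/MS Access session: PROGRAM is set, MODULE is not.
SELECT sid, username, program, module, action, client_info
  FROM v$session
 WHERE audsid = USERENV('SESSIONID');

-- 2. An instrumented application announces itself explicitly
--    (constructed values for illustration).
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE(module_name => 'PAYROLL_APP',
                                   action_name => 'EMP_LOOKUP');
  DBMS_APPLICATION_INFO.SET_CLIENT_INFO('build 1.2.3');
END;
/

-- 3. Same query: MODULE/ACTION/CLIENT_INFO now carry the announced values
--    independently of what the executable on disk is called.
SELECT sid, username, program, module, action, client_info
  FROM v$session
 WHERE audsid = USERENV('SESSIONID');

-- 4. Inventory for a DBA: user sessions whose only identity is PROGRAM,
--    i.e. whatever their binary happens to be named.
SELECT sid, username, osuser, machine, program
  FROM v$session
 WHERE type = 'USER'
   AND module IS NULL;
```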