Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Adding some random characters to Oracle password

Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Mon, 1 Nov 2004 21:56:31 +1100
Message-ID: <4186164e$0$32443$afc38c87@news.optusnet.com.au> 





OK, one quick test later.



Knock up a silly application in MS Access that links to the EMP table. When 
you query it in V$SESSION, it is listed as program MSACCESS.EXE.



Drop to the operating system and rename c:\program 
files\etc\etc\etc\MSACCESS.EXE HJR.EXE.



Re-run the silly MS Access app: V$SESSION now sees it as program HJR.EXE.



Pete's right in other words: if the application is instrumented to reveal 
its name, then merely renaming the executable doesn't do anything. But if it 
the application is "oracle blind", and doesn't know/care to reveal its 
identity via dbms_application_info, then a simple rename will fool the 
system.



Regarding the original paper, that's not an issue, since both SQL*Plus and 
iSQL*Plus instrument properly. But ODBC applications certainly don't.



Regards


HJR



"Pete Finnigan" <plsql_at_petefinnigan.com> wrote in message 
news:sh6rgeB2afhBRxpy_at_peterfinnigan.demon.co.uk...


> >Excellent question. You realise it will require some testing and research

>>won't you!? (In other words, I'll get back to you on that one!!).

>>But it will appear as a new paragraph at the end of the existing paper,

>>because it's such a good issue to address.

>>

>>It is because people ask good questions that we (together) learn good 

>>stuff.

>>

>>Regards

>>HJR


> Hi Howard,

>

> I answered this question over a year ago in relation to SQL*Plus in my

> newsletter http://www.petefinnigan.com/news_letter_001.pdf - In there I

> renamed the SQL*Plus binary on the client and on the server and the

> values in v$session did not change. In other words Oracle networking

> still knew it was SQL*Plus even though the binary is now called

> "hacker". I guess this is because SQL*Plus identifies itself internally

> to the network stack. I don't know if the same will work if you use a

> third party application unless that application uses

> dbms_application_info to set up values.

>

> hth

>

> Kind regards

>

> Pete

> -- 

> Pete Finnigan (email:pete_at_petefinnigan.com)

> Web site: http://www.petefinnigan.com - Oracle security audit specialists

> Oracle security blog: 

> http://www.petefinnigan.com/weblog/entries/index.html

> Book:Oracle security step-by-step Guide - see http://store.sans.org for 

> details. 

Received on Mon Nov 01 2004 - 04:56:31 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US