Re: Adding some random characters to Oracle password
OK, one quick test later.
Knock up a silly application in MS Access that links to the EMP table. When you query it in V$SESSION, it is listed as program MSACCESS.EXE.
Drop to the operating system and rename c:\program files\etc\etc\etc\MSACCESS.EXE HJR.EXE.
Re-run the silly MS Access app: V$SESSION now sees it as program HJR.EXE.
Pete's right in other words: if the application is instrumented to reveal its name, then merely renaming the executable doesn't do anything. But if the application is "oracle blind", and doesn't know/care to reveal its identity via dbms_application_info, then a simple rename will fool the system.
Regarding the original paper, that's not an issue, since both SQL*Plus and iSQL*Plus instrument properly. But ODBC applications certainly don't.
Regards
HJR
"Pete Finnigan" <plsql_at_petefinnigan.com> wrote in message
news:sh6rgeB2afhBRxpy_at_peterfinnigan.demon.co.uk...
>>Excellent question. You realise it will require some testing and research
>>won't you!? (In other words, I'll get back to you on that one!!).
>>But it will appear as a new paragraph at the end of the existing paper,
>>because it's such a good issue to address.
>>
>>It is because people ask good questions that we (together) learn good
>>stuff.
>>
>>Regards
>>HJR
> Hi Howard,
>
> I answered this question over a year ago in relation to SQL*Plus in my
> newsletter http://www.petefinnigan.com/news_letter_001.pdf - In there I
> renamed the SQL*Plus binary on the client and on the server and the
> values in v$session did not change. In other words Oracle networking
> still knew it was SQL*Plus even though the binary is now called
> "hacker". I guess this is because SQL*Plus identifies itself internally
> to the network stack. I don't know if the same will work if you use a
> third party application unless that application uses
> dbms_application_info to set up values.
>
> hth
>
> Kind regards
>
> Pete
> --
> Pete Finnigan (email:pete_at_petefinnigan.com)
> Web site: http://www.petefinnigan.com - Oracle security audit specialists
> Oracle security blog:
> http://www.petefinnigan.com/weblog/entries/index.html
> Book:Oracle security step-by-step Guide - see http://store.sans.org for
> details.
Received on Mon Nov 01 2004 - 04:56:31 CST
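
To repeat the check discussed in this thread from the database side, the following is an added example (not part of the original posts): it labels the current session through dbms_application_info, shows that session's PROGRAM and MODULE side by side, then inventories what all user sessions report. It assumes SELECT access to V$SESSION and a release where SYS_CONTEXT('USERENV', 'SID') is available; the module and action names are constructed sample values.

```sql
-- 1. Label the current session the way an instrumented application would.
--    'hr_report' and 'load_emp' are constructed sample values.
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE(
    module_name => 'hr_report',
    action_name => 'load_emp');
END;
/

-- 2. Show this session's row: PROGRAM is the executable name seen in the
--    rename test above; MODULE and ACTION are what the application set.
SELECT sid, username, osuser, machine, program, module, action
FROM   v$session
WHERE  sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));

-- 3. Inventory of what user sessions currently report, one row per distinct
--    combination. An unfamiliar PROGRAM/MODULE pair for an account is a
--    prompt to investigate, not proof of which client is really connected,
--    since the rename test shows PROGRAM can follow the file name.
SELECT username, machine, osuser, program, module, COUNT(*) AS sessions
FROM   v$session
WHERE  type = 'USER'
AND    username IS NOT NULL
GROUP  BY username, machine, osuser, program, module
ORDER  BY username, program, module;
```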