Learning is not a spectator sport

August 9, 2014

12.1.0.2 security grrr…

Filed under: Uncategorized — connormcdonald @ 9:25 am

One of my favourite security "tricks" used to be the following:

SQL> [create|alter] user MY_USER identified by values 'impossible';

Looks odd, but setting the stored encrypted (hashed) value of someone's password to a string that no real password can ever hash to means you'll never be able to connect as that account. (Think of schemas that own objects, etc.)

I hear you ask: "Why not just lock the account?"

Well…in my opinion, that's a security hole. Let's say Oracle publishes a security bug concerning (say) the MDSYS schema. As a hacker, I'd like to know if a database has the MDSYS schema. All I need to do is:

SQL> connect MDSYS/nonsense

Why is that a security hole? Because I won't get "Invalid username or password". I'll get "ORA-28000: the account is locked" and voila…now I know that the MDSYS user is present in that database.

Setting a user's password to an impossible encrypted value means a hacker will never know whether the user account exists at all, because the error returned is the familiar "ORA-01017: invalid username/password; logon denied".

But look what's happened in 12.1.0.2 :-(

SQL> create user MY_USER identified by values 'impossible';
create user MY_USER identified by values 'impossible'
*
ERROR at line 1:
ORA-02153: invalid VALUES password string

A backward step in my opinion…
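To make the distinction above auditable, here is an added example (not from the original post) that lists every account and the response a wrong-password login attempt would produce: locked accounts answer ORA-28000 and so confirm their existence, anything else answers ORA-01017. It reads the real DBA_USERS view; the ORACLE_MAINTAINED predicate assumes a 12c dictionary (drop it on 11g). The final ALTER USER is the post's own pre-12.1.0.2 technique and, as the post shows, fails with ORA-02153 on 12.1.0.2.

```sql
-- Added example, not from the original post. Run as a DBA.
-- Which accounts betray their existence on a wrong-password login attempt?
SELECT username,
       account_status,
       lock_date,
       CASE
         WHEN account_status LIKE 'LOCKED%'
           THEN 'ORA-28000: account is locked (confirms the user exists)'
         ELSE 'ORA-01017: invalid username/password (same as a non-existent user)'
       END AS wrong_password_response
FROM   dba_users
WHERE  oracle_maintained = 'Y'      -- 12c column (assumption); remove on 11g
ORDER  BY account_status, username;

-- Pre-12.1.0.2 remediation from the post: replace the lock with a hash that
-- no password can match, so the account stays unusable but unenumerable.
-- On 12.1.0.2 this statement raises ORA-02153, as shown above.
ALTER USER mdsys ACCOUNT UNLOCK;
ALTER USER mdsys IDENTIFIED BY VALUES 'impossible';
```

Run the SELECT before and after the change: the MDSYS row should move from the ORA-28000 column to the ORA-01017 column, while a test connection as MDSYS still fails.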


1 Comment »

  1. This should work :)
    CREATE USER my_user IDENTIFIED BY VALUES 'S:000000000000000000000000000000000000000000000000000000000000;0000000000000000';

    Comment by Kombajn zbożowy — August 9, 2014 @ 8:05 pm

