Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures

[matth () mcr com (Matthew G. Harrigan)]

At 07:22 AM 7/23/97 -0400, you wrote:


> you can pull most text files from the Operating System).  I say this because as

> an administrator, I found that all our users chose to have a database password

> the same as a machine password.  Guess what?  Oracle has it's passwords in plain

> text!


Also, the sqlnet client program accepts command-line parameters for username,

and password. If I recall correctly, its something like:


sqlnet user/password@INSTANCE_NAME


so, in order to gain unauthorized access to the database, all one has to do

is grep through the machines proc list.


On another note, Im not sure which version of oracle this is applicable to (I believe

it is 7X), and I dont recall seeing this bug posted before, but the database authentication mechanism appears to do a 
regular expression on the account name for /^sys/ before authenticating it, and upon a match, assigning system level 
access to that account.

I.E. - If your account name is sysdood or sysenor, oracle assumes you are infact

system, and logs you in as such.

Once again, I have not thoroughly tested this, and remember it in passing from

penetration tests sometime back, so it should be tested & verified long before it

is fretted about.


Matt






<bold>

Matthew G. Harrigan

</bold>CIO, Microcosm Computer Resources

http://www.mcr.com

matth () mcr com

415-333-1062