Bugtraq mailing list archives
Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
From: matth () mcr com (Matthew G. Harrigan)
Date: Wed, 23 Jul 1997 14:14:50 -0700
At 07:22 AM 7/23/97 -0400, you wrote:
you can pull most text files from the Operating System). I say this because as
an administrator, I found that all our users chose to have a database password
the same as a machine password. Guess what? Oracle has its passwords in plain
text!
Also, the sqlnet client program accepts command-line parameters for username and password. If I recall correctly, it's something like:

sqlnet user/password@INSTANCE_NAME

so, in order to gain unauthorized access to the database, all one has to do is grep through the machine's proc list.

On another note, I'm not sure which version of Oracle this is applicable to (I believe it is 7X), and I don't recall seeing this bug posted before, but the database authentication mechanism appears to do a regular expression on the account name for /^sys/ before authenticating it, and upon a match, assigning system level access to that account. I.e., if your account name is sysdood or sysenor, Oracle assumes you are in fact system, and logs you in as such. Once again, I have not thoroughly tested this, and remember it in passing from penetration tests sometime back, so it should be tested & verified long before it is fretted about.

Matt

Matthew G. Harrigan
CIO, Microcosm Computer Resources
http://www.mcr.com
matth () mcr com
415-333-1062
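The exposure Matt describes, a `user/password@INSTANCE` argument visible to every local user in the process list, is something an administrator can audit for. The following is an added example, not code from the original post or from Oracle: it scans a constructed sample of `ps -eo pid,user,args` output (the sample lines, the `sqlplus` invocations and the hypothetical instance names are all made up here) for command-line arguments in that shape and reports each hit with the password redacted, so the audit log itself does not re-expose the secret.

```python
import re
from typing import Dict, List

# Constructed sample of `ps -eo pid,user,args` output. Not taken from the
# post; the PIDs, users, instances and passwords are invented for this demo.
SAMPLE_PS = """\
  PID USER     COMMAND
  101 oracle   /u01/app/oracle/bin/tnslsnr LISTENER -inherit
  202 alice    sqlplus scott/tiger@ORCL
  303 bob      sqlnet appuser/S3cret!@PROD
  404 carol    vi /home/carol/notes.txt
  505 dave     sqlplus /nolog
"""

# An argument of the form user/password@INSTANCE, the shape the post quotes
# for the sqlnet client. The password may contain anything but whitespace
# and '@'; the instance name is restricted to typical TNS alias characters.
CRED_ARG = re.compile(
    r'(?P<user>[A-Za-z0-9_$#]+)/(?P<pw>[^\s@]+)@(?P<inst>[A-Za-z0-9_.]+)'
)


def find_exposed_credentials(ps_output: str) -> List[Dict[str, str]]:
    """Return one finding per process whose command line embeds a
    user/password@instance credential. The password is replaced by '****'
    in the stored command line so the report can be logged safely."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the ps header row
        parts = line.split(None, 2)  # pid, owner, rest-of-command-line
        if len(parts) < 3:
            continue
        pid, owner, cmd = parts
        m = CRED_ARG.search(cmd)
        if not m:
            continue
        redacted = cmd[:m.start("pw")] + "****" + cmd[m.end("pw"):]
        findings.append({
            "pid": pid,
            "owner": owner,
            "db_user": m.group("user"),
            "instance": m.group("inst"),
            "redacted_cmd": redacted,
        })
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; on a real host you would feed in
    # the output of `ps -eo pid,user,args` instead.
    for f in find_exposed_credentials(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['owner']}): DB user {f['db_user']}@"
              f"{f['instance']} passed on command line -> {f['redacted_cmd']}")
```

Two processes in the sample are flagged (alice's and bob's); the listener, the editor opening a path with slashes, and the `/nolog` session are not. The remedy the finding points at is procedural rather than code: let the client prompt for the password, or read it from a file readable only by the account that needs it, so that nothing secret ever appears in `argv`.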
Current thread:
- DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Simon Josefsson (Jul 22)
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Stefan Rompf (Jul 23)
- CPSR 7: IRIX WWW Server Corinne Posse Releases (Jul 23)
- Re: CPSR 7: IRIX WWW Server J.A. Gutierrez (Jul 23)
- SGI Security Advisory 19970701-01-PX - talkd Vulnerability SGI Security Coordinator (Jul 23)
- <Possible follow-ups>
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Ross Potts (Jul 23)
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Simon Josefsson (Jul 23)
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Matthew G. Harrigan (Jul 23)