Oracle Password Hashing vulnerability and Other Security Tips

Spring 2006 SEMOP Conference, May 9th, 2006, Washtenaw Co. Community College
Mike Gangler, mjgangler@yahoo.com

Agenda
- Password Hashing
  - History / Background
  - Security Vulnerability
  - Corrective Actions
  - Current issues
- Sqlnet Exposure
- Dbms_metadata Exposure
  - Background
  - Corrective Actions
- Create View Exposure
  - Background
  - Corrective Actions
- Q&A

History/Background
In October 2005 an article was published in Computer World Magazine that identified an Oracle password vulnerability. The article included the vulnerability, how to expose the vulnerability, and the tools to utilize to expose the vulnerability. In November/December 2005 we evaluated the exposure, determined it to be a valid risk to our company, and shared the exposure gaps and risks with executives. In December 2005 this exposure was presented to the GAO auditors and it was determined to be a major audit comment affecting all Oracle databases worldwide. In January 2006 our group, in partnership with Oracle, developed the scripts and actions required to close the gaps.

Security vulnerability
A security vulnerability has been identified in Oracle databases due to the weak password hashing algorithm used by Oracle software. Database users with access to data dictionary tables or to OS data files can view the password hash values and could potentially reverse engineer the passwords based on the algorithms and procedures published in the article on the internet.

Oracle Password Algorithm
- Passwords can be up to 30 characters long and are converted to uppercase before the hashing starts.
- Oracle encrypts the concatenation (username||password) with a modified DES encryption algorithm without real salt.
- Oracle uses an 8-byte hash.
- Because the username and password are concatenated first, sys/temp1 and system/p1 have the identical hash key.
- The algorithm is published widely on the internet.

Oracle Password Decryption
Tools on the internet brute force or dictionary attack the password hash. Using a Pentium 4 with 3 GHz:

    5 characters    10 seconds
    6 characters    5 minutes
    7 characters    2 hours
    8 characters    21 days
    9 characters    57 days
    10 characters   4 years

Location of Oracle Password Hashes
- Database: SYS.USER$.PASSWORD
- Oracle password file
- Data file of the SYSTEM tablespace
- Full export files
- Archive logs

Corrective actions: Changes inside the Database
1. Remove default passwords.
2. Password policies (login attempts, password lengths of 8-12 characters, change password every XX days, etc.).
3. Revoke the SELECT ANY TABLE system privilege from non-DBA users.
4. Revoke the SELECT ANY DICTIONARY system privilege from non-DBA users.
5. Set O7_DICTIONARY_ACCESSIBILITY to FALSE in the init.ora file.
6. Use SELECT_CATALOG_ROLE to read the DBA views.
7. Alter the DBA views DBA_USERS and USER_DB_LINKS to mask the password column.
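An audit-and-remediation script for the seven database-side actions, added here as a worked example; it is not the speaker's script and not Oracle-supplied code. It assumes a 9i/10g database, a SYSDBA session, the SYSTEM hash value quoted later in this deck's dbms_metadata example, and the verify_function created by Oracle's own utlpwdmg.sql. The profile name and limits, the masked-view name, and the <grantee> placeholders are constructed for the example.

```sql
-- Added example for this deck (not the speaker's script). Run as SYSDBA on 9i/10g;
-- read each query's output before issuing the commented REVOKE/GRANT lines.

-- 1. Remove default passwords. D4DF7931AB130E37 is the SYSTEM hash shown in the
--    dbms_metadata example of this deck and is the hash of SYSTEM's installation
--    default, so any row returned here is an account that must be changed.
SELECT username, password
  FROM dba_users
 WHERE username = 'SYSTEM'
   AND password = 'D4DF7931AB130E37';

-- 2. Password policy through a profile. Limits are constructed; the deck only says
--    8-12 characters and "every XX days". verify_function comes from
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql; raise its length check to 8 first.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1        -- days
  PASSWORD_LIFE_TIME       90       -- days, the deck's "XX"
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function;
-- ALTER USER <app_user> PROFILE app_user_profile;

-- 3./4. Non-DBA grantees of SELECT ANY TABLE / SELECT ANY DICTIONARY. A grantee
--    may be a role that is itself granted to users, so re-run until nothing returns.
SELECT p.grantee, p.privilege
  FROM dba_sys_privs p
 WHERE p.privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY')
   AND p.grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
   AND p.grantee NOT IN (SELECT grantee
                           FROM dba_role_privs
                          WHERE granted_role = 'DBA')
 ORDER BY p.grantee, p.privilege;
-- REVOKE SELECT ANY TABLE, SELECT ANY DICTIONARY FROM <grantee>;

-- 5. O7_DICTIONARY_ACCESSIBILITY must be FALSE; it is set in init.ora and needs a
--    restart, so confirm the value the running instance actually uses.
SELECT name, value
  FROM v$parameter
 WHERE name = 'O7_DICTIONARY_ACCESSIBILITY';

-- 6. Give the users from step 3/4 the DBA_ views through the catalog role instead.
--    That role still exposes DBA_USERS with its hash column, hence step 7.
-- GRANT SELECT_CATALOG_ROLE TO <grantee>;

-- 7. Mask the password column. Instead of editing the Oracle-supplied view text,
--    this example publishes a masked copy (constructed name) for support staff.
CREATE OR REPLACE VIEW sys.dba_users_masked AS
  SELECT username, user_id, account_status, lock_date, expiry_date,
         default_tablespace, temporary_tablespace, created, profile
    FROM dba_users;
GRANT SELECT ON sys.dba_users_masked TO select_catalog_role;
```

The SELECT in step 1 is deliberately narrow: it only matches the one hash value this deck itself prints, so it cannot misfire on accounts the deck does not discuss. Extend the IN-list in step 3/4 with any roles your site treats as DBA-equivalent before trusting an empty result.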

Corrective actions: Changes at OS level
1. Remove world read permissions on all database related files.
2. Remove world read permissions on password files and on backup and export dump files.

Passwords in Clear text
Database Server:
- user_db_link view (Oracle 9i and less)
- Shell history files
- Unix scripts
- Log files
- Dump files
- Trace files
- User exports

Passwords in Clear text (Cont)
Application Server:
- JDBC config files
- JDBC config trace files
DBA Client PC:
- Desktop shortcuts
- Batch files
- Configuration files of Oracle tools (like connections.ini)
- Export files
- Trace files
- Excel macros

Current issues
- OEM 9i: requires SELECT_ANY_DICTIONARY. Working on deploying the OEM 10G agent, which needs select on sys.user$ and sys.ts$ for 10g.
- Oracle Applications: requires O7_DICTIONARY_ACCESSIBILITY=TRUE. No work around yet.
- BMC Change Manager, FILENET, PEOPLESOFT, TIVOLI: require DBA privileges, SELECT_ANY_DICTIONARY or SELECT_ANY_TABLE. Recorded as audit deviations.
- USER_DB_LINKS: view old passwords. Using different password storage.

Other Vulnerabilities
With the sqlnet.ora parameter SQLNET.AUTHENTICATION_SERVICES set blank or null, any person in the dba group can connect to the database using "sqlplus mike as sysdba" and enter any password. After the user is logged on, all activities are registered as SYS, not as the OS user. Auditing is difficult because all transactions are SYS. To enforce a correct userid/password, set the parameter SQLNET.AUTHENTICATION_SERVICES=none.
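A detection query for the issue above, added as an example for this deck (not the speaker's code). It assumes a 9i/10g database and a session able to read V$SESSION and V$PARAMETER; the sqlnet.ora line and the AUDIT_SYS_OPERATIONS parameter are the real Oracle settings, everything else is constructed.

```sql
-- Added example (not from the original deck). Every OS-authenticated "as sysdba"
-- session carries USERNAME = 'SYS', so the only way to tell people apart while the
-- weak setting is in place is the client-reported OSUSER / MACHINE / PROGRAM columns.
SELECT sid, serial#, osuser, machine, program, logon_time
  FROM v$session
 WHERE username = 'SYS'
 ORDER BY logon_time;

-- The fix itself lives in sqlnet.ora, not in SQL:
--   SQLNET.AUTHENTICATION_SERVICES = (NONE)
-- After that, "as sysdba" connections must present a valid password-file password.

-- While SYS activity remains unattributable, at least make sure it is recorded.
-- AUDIT_SYS_OPERATIONS (9i and later) writes SYS statements to the OS audit trail.
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_sys_operations';
-- ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;   -- restart required
```

OSUSER, MACHINE and PROGRAM are supplied by the client, so treat the first query as a triage aid rather than proof of who was at the keyboard; the sqlnet.ora change is what removes the ambiguity.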

References
- Metalink #340240.1: Oracle's assessment of the vulnerability
- "An Assessment of the Oracle Password Hashing Algorithm", Joshua Wright and Carlos Cid, October 18, 2005 (Web)
- "Oracle Database Security Check List", An Oracle White Paper, November 2005

dbms_metadata
The package "dbms_metadata" is a system-provided package, available since Oracle Version 9i, that allows users to re-create the DDL definitions for the database, tables and users. This package has public access (execute only) for every user in the database. The issue with this package is that any user can get another user's "user_db_link" definitions, including clear text passwords and users' password hash values, because it is executed as the "SYS" user behind the scenes. Even a non-privileged user can see the results from "user_db_links" and the password hash of a user.

dbms_metadata Example 1

    select dbms_metadata.get_ddl('DB_LINK', object_name, 'SYSTEM')
      from dba_objects
     where object_type = 'DATABASE LINK'
       and owner = 'SYSTEM'
     order by object_type, object_name;

    DBMS_METADATA.GET_DDL('DB_LINK',OBJECT_NAME,'SYSTEM')
    --------------------------------------------------------------------------------
    CREATE DATABASE LINK "TESTMIKE2.QAC1.COM" CONNECT TO "SYSMAN" IDENTIFIED BY "MANAGER12"
    CREATE DATABASE LINK "TEST_MIKE3.QAC1.COM" CONNECT TO "SYSMAN" IDENTIFIED BY "MANAGER12"

dbms_metadata Example 2 (showing the password hash of the "SYSTEM" user)

    SELECT DBMS_METADATA.GET_DDL('USER', 'SYSTEM') FROM dual;

    DBMS_METADATA.GET_DDL('USER','SYSTEM')
    --------------------------------------------------------------------------------
    ALTER USER "SYSTEM" IDENTIFIED BY VALUES 'D4DF7931AB130E37' TEMPORARY TABLESPACE "TEMP_TS"

dbms_metadata closure
Since sys.dbms_metadata can be executed by the public and is run by the "sys" user, we suggest running the following procedure to remove public access to this package. Connect to the database as the "SYS" user:

    SQL> revoke execute on sys.dbms_metadata from public force;

    Revoke succeeded.

dbms_metadata Closure 2
Create database links using the new CURRENT_USER syntax. The CURRENT_USER option creates a current user database link. The current user must be a global user with a valid account on the remote database for the link to succeed. If the database link is used directly, that is, not from within a stored object, then the current user is the same as the connected user. Example (created as the HR user):

    CREATE DATABASE LINK HR CONNECT TO CURRENT_USER USING '<TNSNAME ENTRY>';

dbms_metadata Closure 3
Only allow application owner users to create database links. In the past, the view "user_db_links" was also used by many users as a password repository for systems they have access to. Allowing non-application-owner users to store passwords exposes other systems' user ids and passwords to the world through export files and other mechanisms (i.e. dbms_metadata).
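A verification script covering all three dbms_metadata closure steps, added as an example for this deck (it is not the speaker's script). It assumes a 9i/10g database and a SYSDBA session for the first and third parts, and the link owner's own session for the re-creation in the second part. Granting EXECUTE back to the DBA role, the HR link name and the <TNSNAME ENTRY> / <user> placeholders are constructed for the example.

```sql
-- Added example for this deck (not the speaker's script).

-- Closure 1: confirm PUBLIC holds EXECUTE, remove it, then confirm it is gone.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_METADATA'
   AND grantee = 'PUBLIC';

REVOKE EXECUTE ON sys.dbms_metadata FROM PUBLIC;

-- Assumption: DBAs still need DDL extraction, so grant it back to the DBA role only.
GRANT EXECUTE ON sys.dbms_metadata TO dba;

SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_METADATA';      -- PUBLIC must no longer appear

-- Closure 2: inventory fixed-user links, the ones that carry a stored password.
-- Connected-user links show a NULL username; current-user links show CURRENT_USER.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE username IS NOT NULL
   AND username <> 'CURRENT_USER'
 ORDER BY owner, db_link;

-- Re-create each reported link as a current-user link, connected as its owner
-- (here the HR user, matching the deck's example; the TNS name is a placeholder).
DROP DATABASE LINK hr;
CREATE DATABASE LINK hr CONNECT TO CURRENT_USER USING '<TNSNAME ENTRY>';

-- Closure 3: only application owners keep CREATE DATABASE LINK. In 9i/10g R1 the
-- CONNECT role carries it too, so the role shows up here and is sanitized as well.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
 ORDER BY grantee, privilege;
-- REVOKE CREATE DATABASE LINK FROM <non-application-owner user or role>;
```

Run the Closure 2 inventory again after the links have been re-created: a link that still lists a fixed username is one whose owner has not migrated, and is still exposing a stored password through export files and the dictionary.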

Create View Exposure
In Oracle versions 9.0.x through 10.x there exists an un-patched vulnerability which allows users with SELECT only privileges on a base table to insert/update/delete data via a specially crafted view. We tried many different "Create View" statements and were unsuccessful in recreating the security vulnerability. Oracle has committed to providing a security patch for this exposure.
References: Oracle Metalink Note 363848.1; Computerworld, http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110387,00.html

Create View Workarounds / Risk Mitigation as provided by Oracle
- Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW and CREATE DATABASE LINK privileges from the connect role.
- Enforce users to use the "WITH CHECK OPTION" when creating updateable join views. The Oracle Metalink note recommends creating views with the WITH CHECK OPTION. This recommendation helps against accidental modification but not against hackers.
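A worked example of both mitigations, added for this deck (not Oracle's or the speaker's script). It assumes a 9i/10g R1 database where CONNECT still carries CREATE VIEW and CREATE DATABASE LINK, a SYSDBA session for the role change, and a constructed APP schema with an EMP table for the check-option demonstration.

```sql
-- Added example for this deck (not the speaker's script).

-- Mitigation 1: sanitize CONNECT. List what the role grants today, then strip the
-- two privileges Oracle's note singles out. Users who legitimately need them get a
-- direct grant afterwards instead of inheriting them with every login account.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'CONNECT'
 ORDER BY privilege;

REVOKE CREATE VIEW, CREATE DATABASE LINK FROM connect;

-- Mitigation 2: WITH CHECK OPTION. Constructed sample schema and data.
CREATE TABLE app.emp (
  empno   NUMBER PRIMARY KEY,
  deptno  NUMBER NOT NULL,
  sal     NUMBER
);
INSERT INTO app.emp VALUES (1, 10, 1000);
INSERT INTO app.emp VALUES (2, 20, 2000);

-- The view is updatable, but the check option binds every INSERT/UPDATE through it
-- to the view's own WHERE clause.
CREATE OR REPLACE VIEW app.emp_dept10 AS
  SELECT empno, deptno, sal
    FROM app.emp
   WHERE deptno = 10
  WITH CHECK OPTION CONSTRAINT emp_dept10_ck;

-- Accepted: the row stays visible through the view.
UPDATE app.emp_dept10 SET sal = 1100 WHERE empno = 1;

-- Rejected with ORA-01402 (view WITH CHECK OPTION where-clause violation): both
-- statements would create or move a row outside deptno 10, i.e. out of the view.
UPDATE app.emp_dept10 SET deptno = 20 WHERE empno = 1;
INSERT INTO app.emp_dept10 VALUES (3, 30, 3000);

-- Verify the base table only carries the accepted change.
SELECT empno, deptno, sal FROM app.emp ORDER BY empno;
-- expected: (1, 10, 1100) and (2, 20, 2000); no empno 3
```

Note what the check option does and does not do: it constrains rows written through a view that the owner created with the option, which is the "accidental modification" case. It says nothing about a view someone else creates over the same base table, which is why the deck pairs it with removing CREATE VIEW from the CONNECT role.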

Q&A
Contact mjgangler@yahoo.com for additional information.