Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Another good paper by Howard Rogers on read-only tables"] [Next entry: "The patch set is out"]

Can application names be changed to spoof logon triggers?

I discussed the thread Adding some random characters to Oracle password some days ago here about how to secure a third party application. The entry in my web log is here. Just yesterday there has been a further interesting exchange by Howard and others about login triggers and fooling the program and module columns of v$session by renaming the binary of the application or in our case SQL*Plus.

I wrote about this issue over a year ago in my newsletter where i demonstrated that renaming the SQL*Plus binary on a windows client and also on the server failed to change the values in the module and program columns of v$session. Howard concurred this and also demonstrated that he could change the name of MS Access and trick a login trigger. Jeff also concurred that on Windows 2003 and Oracle when renaming SQL*Plus as i did the columns are changed.

This is an interesting thread as many people try and restrict tools such as SQL*Plus and application by using the module and program columns of v$session. It seems that some Oracle tools are harder to bypass in this scenario but the platform matters. Trying to do the same for other applications is useless for security as renaming will easily bypass this method.