Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A sample package to manipulate LDAP"] [Next entry: "Oracle security checklist"]

Some details of listener password exploits

Laurent Schneider has made an interesting post on his blog today titled "encrypted listener password" where he talks about the differences between 9i and 10g listener passwords. he talks about how he used grep to locate the encrypted listener password and then uses that with the old style set password command to authenticate to the listener and stop the listener. This is because a bug has existed for a long time in the listener whereby an encrypted password can be used as though it were a clear text one. This is a known bug and has been fixed (sorry canot remember the exact version where it was fixed). Laurent demonstrates that this method no longer works in 10g. He then talks about local authentication in 10g where you can log in locally and stop the listener. As he also points out Alex posted on my Oracle security forum that its possible to bypass local authentication and that a strong listener password should be set in 10g also and the undocumented LOCAL_OS_AUTHENTICATION listener parameter should be used to disable local authenticaton.

This is an interesting example of listener authentication woes. The local authentication in 10g is suseptible to attack and the previous 9i authentication is also weak. Use a strong password for the listener and protect the listener.ora file to ensure that the password hash is not leaked. Also set ADMIN_RESTRICTIONS on for all listeners. Ensure that listener traffic comes from known and trusted hosts and also use listener logging to enable any potential attack to be logged and audited. Use encrypted network traffic as well.