Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle 0-day bug to get SYSDBA access to the database"] [Next entry: "Would you like a job in Oracle security - Limited is hiring"]

10g and 11g password leak during install, honeypots and databases exposed to the internet

David has been busy. He posted a vulnerability he has found in 10gR2 and 11gR1 during the week to the bugtraq security mailing list. The post is titled Oracle 11g/10g Installation Vulnerability. This is an interesting issue that is time based. David found that the database has the default passwords for SYS and SYSTEM for a short period until later in the install when they are changed to the chosen values. The time window available is based on the features chosen. David mentions some times in his blog but these are meaningless really as they are on his machine / OS / database feature combinations. Of course everyones hardware / software setups are different but there is still an issue as the database could be compromised during an installation. What David doesnt mention is why? - My guess from this description without testing (I dont have enough time to do an install, too much work to do, hence not much blogging recently!) is that this occurs when you choose a seed database. This would be logical and would explain how the users could have their defaults. I have always recommended to all clients that they don't use the DBCA and instead create a database from first principals using the create database command. This presumably would not have this issue.

In looking at Davids post I noticed another entry in his blog titled Database Tripwires.... This has the same mix up between fine grained audit and fine grained access control as the Oracle Hackers handbook, I guess this time its a slip up..:-). The interesting idea is in the next paragraph below that one that suggests the use of a view that calls a function to use it as a select trigger. If you set up a function that does the work of a trigger - i.e. records something or sends a message and then ensure that the function is called every time a view is selected from then this simulates a select trigger. I like this idea.

Finally David sent me an advanced copy of his database survey earlier in the week that shows how many databases are exposed directly to the internet. This is a very interesting paper and shows that the numbers are up overall from the first survey done 2 years ago, this is a bad trend i guess, the number of databases (SQL and Oracle) exposed to the internet without a firewall is growing. The paper shows that the number of Oracle servers has dropped and the increase therefore SQL Server has taken the brunt of the increase. Why? maybe because of the proliferation of free SQL Server installs on desktops? - maybe because Visual Express also gives away SQL Server, maybe because Microsoft have updated their free database, whereas Oracle have not. Robert McMillan also has seen a copy of David's paper and hase written about it in a new item called Researcher: Half a million database servers have no firewall - Two years after first Database Exposure Survey, the situation's worse than ever. David should release the paper on his database security web site.