I saw an article on default accounts on the Database Journal website titled "Oracle 11g Security - Those Pesky Predefined Accounts", and as it is a subject (default users and default passwords) I have personally written about many times in the past, both in articles (the first ones were 8 years ago when I worked at Pentest), blogs, default password lists and more recently even a password cracker written in PL/SQL. Oracle has also entered the fray since 11g with a dictionary table and view that include a list of default accounts/passwords.
James's article is good but there are some questions and inconsistencies. James suggests:
expiration on an account after initial database creation, means that there is no password assigned on the account so connection is impossible
He suggests that default accounts created as part of the install do not have passwords assigned (the logical conclusion of this statement is that they would have "blank" passwords). This is absolutely not true: Oracle never creates accounts with blank passwords, no matter what the status of the account is; although, to be honest, I suspect he made a bad choice of words and maybe didn't actually mean this, but...?
A default installation of Oracle sets various account passwords and statuses; the account James chose has an impossible password set:
SQL> col name for a10
SQL> col astatus for 99
SQL> col password for a16
SQL> col spare4 for a30
SQL> l
  1  select name,astatus,password,spare4
  2  from sys.user$
  3* where astatus=9
SQL> /

NAME       ASTATUS PASSWORD         SPARE4
---------- ------- ---------------- ------------------------------
OUTLN            9 4A3BA55E08595C81 S12EC0F0242EBFB81FCCD97CF192
                                    68528DA474910F773814CB7D4FFFC5
                                    BD
DIP              9 CE4A36B8E06CA59C SC95000980EF1669CAB6332D21FC
                                    D9AD14B7CB2422FC970B9A50DBB5F0
                                    B4
TSMSYS           9 3DF26A8B17D0F29F S:BF0B9459FC2D835A337E69D052E1
                                    CD2BEC8533D36C0B9B6CD2F47EC2A5
                                    95
ORACLE_OCM       9 6D17CF1EB1611F94 S:5EB749D124D2B652658BF3CC867A
                                    760165FF653E42067AD749A4BD3B5E
                                    C0
XDB              9 88D8364765FCE6AF S:BCECCB19D5DC426F38A01971BFC1
                                    BE73E45506E939C18B1DBC083B67EF
                                    15
WMSYS            9 7C9BA362F8314299 S:5EECF47B56B2CFC563941433F9B7
                                    4CAE9F220D7872A3C66CE26A9A9487
                                    C1
EXFSYS           9 66F4EF5650C20355 S:4CE5DE7874C9F28E9B7B8429600E
                                    681E376F86129B9784B157682F7656
                                    CA
CTXSYS           9 71E687F036AD56E5 S:5BBACFFD7987BA61F767FCE44C5B
                                    AF45BE4CAF2C6CD01DA447AED98815
                                    1C
XS$NULL          9 DC4FCC8CB69A6733 S:19FC9249A4EC856AE1D6034F3877
                                    93B8C9642F1A5C60C194093C8E7DD9
                                    09
ANONYMOUS        9 anonymous
ORDSYS           9 7EFA02EC7EA6B86F S:FD3758C6CCA191255E18DE064334
                                    D242CE29D94C72351D03E97829DC91
                                    6F
ORDPLUGINS       9 88A2B2C183431F00 S:4A436BD7BB1F49C6F2C860E1E917
                                    A1BA223EB24002A860C97B0B7AF94F
                                    01
SI_INFORMT       9 84B8CBCA4D477FA3 S3804242E9F82C40B8C471A5E7CE
N_SCHEMA                            9B3A3612EA2707EEA03A19C44BA9E9
                                    46
MDSYS            9 72979A94BAD2AF80 S:4D9ED94AD60E64B7D44677E20EEC
                                    F41E5D8B71EB0FF8ADF1FEE2F2D62F
                                    87
OLAPSYS          9 4AC23CC3B15E2208 S:8B84EDE1B66D9FF6F400633F199C
                                    A7BF5B4532DA2B2F1E4B535D8F312A
                                    51
MDDATA           9 DF02A496267DEE66 S:324D1A84F48D3BEA3F5F3DC7D8EF
                                    06C39A352B97AB0844105379A56276
                                    71
HR               9 6399F3B38EDF3288 S:25E7EA60CF1ADF0AFC4A38061439
                                    F0B9599477606230DE709962ADD5FB
                                    0F
SPATIAL_WF       9 7117215D6BEE6E82 S:6119D4B8BCAFC9C99DB72E0D2DFA
S_ADMIN_US                          CF522D40F5AA33597307C54F870B7F
R                                   81
SPATIAL_CS       9 1B290858DD14107E S:E2961CD3E5459036BD8CE4A5676B
W_ADMIN_US                          B09E935214FC8D76F72754EFA76455
R                                   73
WKSYS            9 69ED49EE1851900D S:8BC14DCA57EBF01001CA1906A1B1
                                    A9049FF12B2E47431CEA13B7438C3C
                                    F0
WKPROXY          9 B97545C4DD2ABE54 S:1C6314C3E19A10B0ABF0CB8D8285
                                    3444A101513782B9E07C3ED37BC12C
                                    10
WK_TEST          9 29802572EB547DBF S:E24DCDB42CA9753525D9A3118203
                                    E277FB26E0FF0651EE1BF03B56E1AD
                                    8A
FLOWS_FILE       9 0B054C835B0A826B S:B9602AAF42718436DFA5EEBBB715
S                                   8437A3B05B7F6BF13DD01403D2290E
                                    7F
APEX_PUBLI       9 978468D2F78777DF S:B3A96760BAF7AF7AE4E8A5C73CA5
C_USER                              7808C049E22C9275144DF36471ED7B
                                    0F
FLOWS_0300       9 1B85764DE15A3916 S:1E688E6F8D574B1BE80DE2A801D0
00                                  93FE6657E2931B8DF646BD39CB19D2
                                    D8
OWBSYS           9 610A3C38F301776F S:F6B79D2E4FB3E3DE36AAB8C277DF
                                    CC858C74FFAC59CD997F1F03A79538
                                    37
SCOTT            9 F894844C34402B67 S:2228935D3E627C9EADE19D8297C8
                                    3714A54E6E60B00C581691674BF43F
                                    4A
OE               9 9C30855E7E0CB02D S:27FDBAF13F3B1BA9BF35AEC0D7B2
                                    CE8E12659E9373E73B95C062C40E12
                                    CD
IX               9 2BE6F80744E08FEB S:AC2705774CCF66F5D6193667E172
                                    F8C7D3643E8192E7C1BC6F1ECD5BE8
                                    99
SH               9 9793B3777CD3BD1A S:837CE859F5B956516327F5932272
                                    BC61300F6758574DE12869B3620966
                                    AA
PM               9 72E382A52E89575A S:FE9774804908800DCB81F7160760
                                    91C327302E77A00AA549569DC90BDE
                                    03
BI               9 FA1D2B85B70213F3 S:52412524ED76F07270CD66E88251
                                    721711F6F0751CA57958CF71E24663
                                    CC

32 rows selected.

SQL>
This shows that "ANONYMOUS" has the literal value "anonymous" in its password column, i.e. an impossible password, not a blank password. This is actually more secure than James suggests, as no guess of a password will ever succeed. You will also note that all accounts by default have a 10g password hash set as well. This, as I have discussed here before, weakens the passwords, as it is simply necessary to crack the case-insensitive 10g password first and then move up to the case-sensitive version for 11g.
If we run the password cracker we will see that the expired & locked accounts all have passwords set:
SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Sep 28 15:34:20 2009
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username             Password               CR FL STA
=======================================================
U "SYS"                [ORACLE1             ] DI CR OP
U "SYSTEM"             [ORACLE1             ] DI CR OP
U "OUTLN"              [OUTLN               ] DE CR EL
U "DIP"                [DIP                 ] DE CR EL
U "TSMSYS"             [TSMSYS              ] PU CR EL
U "ORACLE_OCM"         [ORACLE_OCM          ] PU CR EL
U "XDB"                [CHANGE_ON_INSTALL   ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL}      ] GE CR OP
U "DBSNMP"             [ORACLE1             ] DI CR OP
U "WMSYS"              [WMSYS               ] DE CR EL
U "EXFSYS"             [EXFSYS              ] DE CR EL
U "CTXSYS"             [CHANGE_ON_INSTALL   ] DE CR EL
U "XS$NULL"            [                    ] -- -- EL
U "ANONYMOUS"          [IMP {anonymous}     ] IM CR EL
R "SPATIAL_WFS_ADMIN"  [SPATIAL_WFS_ADMIN   ] PU CR OP
U "ORDSYS"             [ORDSYS              ] DE CR EL
U "ORDPLUGINS"         [ORDPLUGINS          ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA  ] DE CR EL
U "MDSYS"              [MDSYS               ] DE CR EL
U "OLAPSYS"            [                    ] -- -- EL
U "MDDATA"             [MDDATA              ] DE CR EL
U "HR"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE"       [WFS_USR_ROLE        ] PU CR OP
R "SPATIAL_CSW_ADMIN"  [SPATIAL_CSW_ADMIN   ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE"       [CSW_USR_ROLE        ] PU CR OP
U "WKSYS"              [CHANGE_ON_INSTALL   ] DE CR EL
U "WKPROXY"            [CHANGE_ON_INSTALL   ] DE CR EL
U "WK_TEST"            [WK_TEST             ] DE CR EL
U "SYSMAN"             [ORACLE1             ] DI CR OP
U "MGMT_VIEW"          [                    ] -- -- OP
U "FLOWS_FILES"        [                    ] -- -- EL
U "APEX_PUBLIC_USER"   [                    ] -- -- EL
U "FLOWS_030000"       [                    ] -- -- EL
U "OWBSYS"             [OWBSYS              ] PU CR EL
R "OWB$CLIENT"         [S                   ] BF CR OP
R "OWB_DESIGNCENTER_VI [S                   ] BF CR OP
U "SCOTT"              [TIGER               ] DE CR EL
U "OE"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "IX"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "SH"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "PM"                 [CHANGE_ON_INSTALL   ] DE CR EL
U "BI"                 [CHANGE_ON_INSTALL   ] DE CR EL

INFO: Number of crack attempts = [46373]
INFO: Elapsed time = [2.85 Seconds]
INFO: Cracks per second = [16270]

PL/SQL procedure successfully completed.

SQL>
This shows that the accounts have known default passwords. Also interestingly, James says that an account that is created EXPIRED & LOCKED is different to one that is unlocked and then expired and locked, but he then doesn't show why. There is no difference, as it is not possible to create an account without specifying a password unless the record is inserted into SYS.USER$ directly, and even then a hash is still required, so it is the same as an account where the password has been changed; again, this could be a bad choice of words, as he talks about changing passwords before locking and expiring to prevent someone resetting them.
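As an added example (not the blog's cracker and not Oracle code), the check below reproduces the audit the two listings above illustrate: a legacy 10g hash in SYS.USER$.PASSWORD is flagged as present, an "impossible" value like ANONYMOUS's is recognised as something no password can ever match, and the 11g verifier in SPARE4 ("S:" followed by SHA-1(password || salt) and the 10-byte salt, the documented 11g layout) is tested against a short list of known defaults while trying the capitalisations a case-insensitive 10g crack leaves open. The SYS.USER$ rows are constructed (salts fixed so the result is reproducible; the 10g hashes for SCOTT and HR are the ones in the listing above), the default list is illustrative, and the 10g DES computation itself is deliberately left out.

```python
"""Audit SYS.USER$-style rows for default passwords and legacy 10g verifiers.

Added example, not the blog's cracker: row values are constructed and the
default-password list is a short illustrative one.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 11g verifier as stored in SYS.USER$.SPARE4:
# "S:" + 40 hex chars of SHA-1(password || salt) + 20 hex chars of a 10-byte salt.
SPARE4_RE = re.compile(r"^S:([0-9A-F]{40})([0-9A-F]{20})$")
# A legacy 10g verifier in SYS.USER$.PASSWORD is exactly 16 hex characters.
HASH10G_RE = re.compile(r"^[0-9A-F]{16}$")
# ASTATUS values used here (the page's query selects astatus=9).
ASTATUS = {0: "OPEN", 1: "EXPIRED", 8: "LOCKED", 9: "EXPIRED & LOCKED"}


def make_spare4(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 11g-style verifier: SHA-1 over the password bytes followed by the salt."""
    if salt is None:
        salt = os.urandom(10)
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def check_11g(spare4: Optional[str], candidate: str) -> bool:
    """True if the (case-sensitive) candidate produces the digest stored in spare4."""
    m = SPARE4_RE.match(spare4 or "")
    if not m:
        return False
    digest, salt_hex = m.groups()
    salt = bytes.fromhex(salt_hex)
    return hashlib.sha1(candidate.encode("utf-8") + salt).hexdigest().upper() == digest


def classify_password_column(value: Optional[str]) -> str:
    """Classify the legacy PASSWORD column: absent, a real 10g hash, or an impossible value."""
    if not value:
        return "none"
    if HASH10G_RE.match(value):
        return "10g-hash"    # case-insensitive DES verifier (not computed here)
    return "impossible"      # e.g. 'anonymous': not a hash, so no password can ever match


def case_variants(word: str) -> List[str]:
    """The 10g verifier loses case, so an 11g check must try the likely capitalisations."""
    seen: List[str] = []
    for v in (word, word.lower(), word.upper(), word.capitalize()):
        if v not in seen:
            seen.append(v)
    return seen


@dataclass
class UserRow:
    name: str
    astatus: int
    password: Optional[str]   # legacy 10g verifier column
    spare4: Optional[str]     # 11g verifier column


def audit(rows: List[UserRow], defaults: Dict[str, List[str]]) -> Dict[str, dict]:
    """For each row report status, legacy-hash presence and any matching default password."""
    findings: Dict[str, dict] = {}
    for r in rows:
        matched = None
        for default_pw in defaults.get(r.name, []):
            for cand in case_variants(default_pw):
                if check_11g(r.spare4, cand):
                    matched = cand
                    break
            if matched:
                break
        findings[r.name] = {
            "status": ASTATUS.get(r.astatus, f"ASTATUS={r.astatus}"),
            "legacy_10g": classify_password_column(r.password),
            "default_password": matched,
        }
    return findings


# Constructed sample rows: salts are fixed so the output is reproducible; the 10g
# hashes for SCOTT and HR are the ones shown in the page's SYS.USER$ listing.
SAMPLE_ROWS = [
    UserRow("SCOTT", 9, "F894844C34402B67",
            make_spare4("tiger", bytes.fromhex("00112233445566778899"))),
    UserRow("ANONYMOUS", 9, "anonymous", None),
    UserRow("HR", 0, "6399F3B38EDF3288",
            make_spare4("hr", bytes.fromhex("AABBCCDDEEFF00112233"))),
    UserRow("APPUSER", 0, None,
            make_spare4("Long-and-unguessable-1", bytes.fromhex("0F1E2D3C4B5A69788796"))),
]
# Illustrative default list; a real audit uses a full list (or DBA_USERS_WITH_DEFPWD in 11g).
DEFAULTS = {"SCOTT": ["TIGER"], "HR": ["CHANGE_ON_INSTALL", "HR"], "ANONYMOUS": ["ANONYMOUS"]}


def run_sample() -> Dict[str, dict]:
    return audit(SAMPLE_ROWS, DEFAULTS)


if __name__ == "__main__":
    for name, f in run_sample().items():
        print(f"{name:<10} {f['status']:<17} legacy={f['legacy_10g']:<10} default={f['default_password']}")
```

Run against real rows, the interesting findings are the ones the page makes: an EXPIRED & LOCKED account still matching a default (it only takes an ALTER USER ... ACCOUNT UNLOCK to become usable), and any account whose PASSWORD column is a real 16-hex-character 10g hash, since that is the case-insensitive value that gets cracked first.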
The article also states that it is best practice to lock accounts and not remove them; I disagree. If it can be shown that an account is not required, especially a built-in one (James implies from this that it is better to lock HR than to remove it?), then the account is better removed. Locking or stopping access to an account does not prevent use of its features, PL/SQL packages for instance. If it did, locking the owning account would be a work-around for bugs in PL/SQL that have had to be fixed by Critical Patch Updates (CPUs). A connection to an account is not always needed to attack its features.