Hi Alex

On 13.07.2015 at 16:06, Alex Peshkoff wrote:
> On 07/13/2015 04:56 PM, swobje...@outlook.com wrote:
>> Hmm, is there a reason why the dba account name is hardcoded in the
>> firebird.exe
>>
>> .rdata:0047A62C aSysdba         db 'SYSDBA',0           ; DATA XREF:
>> sub_406F70+1C3o
>> length: 7, type: c, string: SYSDBA
>>
>> \Firebird-3.0.0.31896-0_Win32_Beta2\firebird.exe
> I can't say at once what it is needed for in the firebird.exe module in
> particular; in the engine (engine12.dll) it's needed to check whether the
> current user has root-like access.
Oops...  okay...
> If your question is 'Does the presence of SYSDBA hardcoded in binaries cause
> any security issues?' the answer is no. That name has been explicitly
> documented for very many years, and there is no reason to hide it in any
> form.
A potential attacker typically needs two elements to break a password
auth mechanism. In this case, the user with the highest granted permissions
to corrupt and/or destroy anything is known to the attacker. What if the
password is extremely short, vulnerable to a dictionary/brute-force scan, or
the password routine has a flaw and returns true instead of false under some
circumstances? In the past Oracle has had such highly critical bugs more than
once.

[1]
http://www.theregister.co.uk/2012/09/21/oracle_11g_db_password_flaw/

[2]
Quote:
Who can exploit the vulnerability?
Anyone who has network access to the database server can exploit the 
vulnerability, no authentication is required. The attacker only needs to 
know the Service name or SID of the database and a username that is 
authenticated using a password. For example, the highly privileged SYS 
user is a good attack target.
http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-database-11g-stealth-password-cracking-vulnerability-in-logon-protocol-cve-2012-3137/

IMHO: DBA logins should only be permitted from the physical computer, and
only if the user level is root/winadmin
(for example: allow_dba_remote_logins = no) by default.

just my 2 cents
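To make the two points above concrete (a publicly known admin account name leaves only the password and the login policy as barriers), here is an added example that is not Firebird's code and not part of the thread. It implements the proposed policy as a hypothetical `allow_dba_remote_logins` switch that refuses the DBA account unless the connection is local and the OS user is privileged, and adds a per-(account, source) failure counter that flags dictionary/brute-force guessing. It goes slightly beyond the thread by applying the failure counter to every account, not only to the DBA one. The account name `SYSDBA` is the one documented on the page; the IP addresses, the `APPUSER` account and the threshold are constructed sample values.

```python
"""Login-policy and brute-force monitor for a well-known admin account.

Added example, not Firebird's own code. `ALLOW_DBA_REMOTE_LOGINS` is the
hypothetical setting proposed in the thread; all attempts below are
constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

DBA_ACCOUNT = "SYSDBA"            # documented, publicly known admin account
ALLOW_DBA_REMOTE_LOGINS = False   # hypothetical switch (not a real Firebird option)
LOCAL_ADDRESSES = {"127.0.0.1", "::1"}
LOCKOUT_THRESHOLD = 5             # failures before a (account, source) pair is flagged


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    os_privileged: bool   # caller runs as root / local administrator
    password_ok: bool     # outcome of the separate password verification


def dba_login_permitted(attempt: LoginAttempt) -> bool:
    """Apply 'DBA only from the console, only as root/admin'.

    Accounts other than the DBA account are not restricted by this rule.
    A remote DBA login is rejected outright while remote logins are disabled,
    and even a local DBA login still needs an OS-privileged caller.
    """
    if attempt.user != DBA_ACCOUNT:
        return True
    if attempt.source_ip not in LOCAL_ADDRESSES and not ALLOW_DBA_REMOTE_LOGINS:
        return False
    return attempt.os_privileged


class BruteForceMonitor:
    """Count failures per (account, source) and flag guessing patterns."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: dict[tuple[str, str], int] = defaultdict(int)
        self.flagged: set[tuple[str, str]] = set()

    def record(self, attempt: LoginAttempt) -> bool:
        """Record one attempt; return True if the pair is (now) flagged.

        A success resets the counter but does not clear an existing flag:
        a success right after a run of failures is exactly the event worth
        keeping visible to an operator.
        """
        key = (attempt.user, attempt.source_ip)
        if attempt.password_ok:
            self.failures[key] = 0
        else:
            self.failures[key] += 1
            if self.failures[key] >= self.threshold:
                self.flagged.add(key)
        return key in self.flagged


def evaluate(attempts: list[LoginAttempt], monitor: BruteForceMonitor) -> list[str]:
    """Return one verdict per attempt.

    The policy check runs first, so a remote guess against the DBA account
    never reaches the password stage; only attempts that pass the policy
    feed the brute-force counter.
    """
    verdicts = []
    for attempt in attempts:
        if not dba_login_permitted(attempt):
            verdicts.append("deny:policy")
        elif monitor.record(attempt):
            verdicts.append("deny:flagged")
        elif attempt.password_ok:
            verdicts.append("allow")
        else:
            verdicts.append("deny:password")
    return verdicts


# Constructed sample attempts (addresses from the documentation range 203.0.113.0/24).
SAMPLE_ATTEMPTS = [
    LoginAttempt("SYSDBA", "203.0.113.7", False, False),   # remote guess at the DBA account
    LoginAttempt("SYSDBA", "127.0.0.1", False, True),      # local but unprivileged caller
    LoginAttempt("SYSDBA", "127.0.0.1", True, True),       # console login as root/admin
    LoginAttempt("APPUSER", "203.0.113.7", False, True),   # ordinary account, unrestricted
] + [LoginAttempt("APPUSER", "203.0.113.9", False, False)] * 5 \
  + [LoginAttempt("APPUSER", "203.0.113.9", False, True)]   # guess succeeds after 5 failures


if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, evaluate(SAMPLE_ATTEMPTS, BruteForceMonitor())):
        print(f"{attempt.user:8} {attempt.source_ip:14} {verdict}")
```

Running the block prints the verdicts for the sample: the two remote or unprivileged `SYSDBA` attempts are refused by policy before any password is checked, the console login is allowed, and the sixth attempt from 203.0.113.9 is refused even though the password is right, because that source was flagged on its fifth failure.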

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel