subject:"RE\: Risk of knowing password hash value \(Was\: OEM permissions\)"

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Rachel Carmichael

9.2.0.2 on Sun Solaris... and yes, I got the same encrypted password


--- Michael Thomas [EMAIL PROTECTED] wrote:
 Hi,
 
 Okay. I'm almost a believer of this as a problem. How
 about 9.2.0.4 on RH9.3.
 
 1) What does anyone/everyone get for my this query (my
 results shown):
 
 connect system/[EMAIL PROTECTED];
 alter user scott identified by tiger;
 --
 select password
 from dba_users
 where username = 'SCOTT';
 
 PASSWORD
 
 F894844C34402B67
 
 2) If you all get the same, then I'm concerned.
 
 Regards,
 
 Mike Thomas
 
 --- Yong Huang [EMAIL PROTECTED] wrote:
  Jared,
  
  I see you log out and log back in as SYSTEM to DB2.
  But how do you know the
  password for SYSTEM to log back in with after you
  change it?
  
  What if you don't log out? When I tried that (i.e.
  not logging out), I got
  ORA-1017.
  
  Yong Huang
  
  --- Jared Still [EMAIL PROTECTED] wrote:
   Environment:
   
   DB1: RH 8.0 with Oracle EE 9.2.0.4
   
   DB2: Win2k SP3 with Oracle EE 9.2.0.1
   
   SYSTEM user on each database initially have
  different passwords.
   
 
 
 __
 Do you Yahoo!?
 Protect your identity with Yahoo! Mail AddressGuard
 http://antispam.yahoo.com/whatsnewfree
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: Michael Thomas
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).


__
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Rachel Carmichael
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Scott Canaan

This is what I got, Oracle 8.1.7.4 on Sun Solaris (I dropped the user):

Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - Production
With the Partitioning option
JServer Release 8.1.7.4.0 - Production

SQL create user scott identified by tiger;

User created.

SQL select password
  2  from dba_users
  3  where username = 'SCOTT'; 

PASSWORD
--
F894844C34402B67

SQL

Scott Canaan ([EMAIL PROTECTED])
(585) 475-7886
Life is like a sewer, what you get out of it depends on what you put
into it. - Tom Lehrer.


-Original Message-
rahul sharma
Sent: Tuesday, December 23, 2003 1:14 AM
To: Multiple recipients of list ORACLE-L

8.1.7 on win2000

SQL select password
  2  from dba_users
  3  where username = 'SCOTT';

PASSWORD
--
F894844C34402B67




- Original Message - 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:44 AM


 Hi,
 
 Okay. I'm almost a believer of this as a problem. How
 about 9.2.0.4 on RH9.3.
 
 1) What does anyone/everyone get for my this query (my
 results shown):
 
 connect system/[EMAIL PROTECTED];
 alter user scott identified by tiger;
 --
 select password
 from dba_users
 where username = 'SCOTT';
 
 PASSWORD
 
 F894844C34402B67
 
 2) If you all get the same, then I'm concerned.
 
 Regards,
 
 Mike Thomas
 
 --- Yong Huang [EMAIL PROTECTED] wrote:
  Jared,
  
  I see you log out and log back in as SYSTEM to DB2.
  But how do you know the
  password for SYSTEM to log back in with after you
  change it?
  
  What if you don't log out? When I tried that (i.e.
  not logging out), I got
  ORA-1017.
  
  Yong Huang
  
  --- Jared Still [EMAIL PROTECTED] wrote:
   Environment:
   
   DB1: RH 8.0 with Oracle EE 9.2.0.4
   
   DB2: Win2k SP3 with Oracle EE 9.2.0.1
   
   SYSTEM user on each database initially have
  different passwords.
   
 
 
 __
 Do you Yahoo!?
 Protect your identity with Yahoo! Mail AddressGuard
 http://antispam.yahoo.com/whatsnewfree
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: Michael Thomas
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: rahul sharma
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Scott Canaan
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Jamadagni, Rajendra

[EMAIL PROTECTED] . oraenv
ORACLE_SID = [OLDNCS1] ? DEVL
[EMAIL PROTECTED] sys

SQL*Plus: Release 9.2.0.2.0 - Production on Tue Dec 23 08:30:45 2003
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.2.0 - 64bit Production
With the Partitioning, Real Application Clusters, OLAP and Oracle Data Mining options
JServer Release 9.2.0.2.0 - Production

08:30:51 SQL alter user scott identified by tiger;
User altered.
08:31:01 SQL select password from dba_users where username = 'SCOTT';
PASSWORD
--
F894844C34402B67

9202 on AIX5L.


So much for 40 bit one way encryption ...
Raj

Rajendra dot Jamadagni at nospamespn dot com
All Views expressed in this email are strictly personal.
QOTD: Any clod can have facts, having an opinion is an art !
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jamadagni, Rajendra
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Norris, Gregory T [ITS]

Same here...

SQL select password from dba_users where username = 'SCOTT';

PASSWORD
--
F894844C34402B67

-Original Message-
Michael Thomas
Sent: Monday, December 22, 2003 10:44 PM
To: Multiple recipients of list ORACLE-L


Hi,

Okay. I'm almost a believer of this as a problem. How
about 9.2.0.4 on RH9.3.

1) What does anyone/everyone get for my this query (my
results shown):

connect system/[EMAIL PROTECTED];
alter user scott identified by tiger;
--
select password
from dba_users
where username = 'SCOTT';

PASSWORD

F894844C34402B67

2) If you all get the same, then I'm concerned.

Regards,

Mike Thomas
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Norris, Gregory T [ITS]
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Stephen.Lee


When I brought the issue up, I didn't know if one could in fact maliciously
use that info.  And, as I originally stated, it was something I had not
tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
When one looks at the Unix password world which brought about the necessity
for a shadow file, and the evils of the old NIS where ypcat was available,
you have to wonder why allowing access to the encrypted passwords for Unix
is considered a dumb thing to do, but somehow in Oracle it would be an OK
thing to do.  I'm inclined to say that Oracle restricted access to the views
and underlying tables for reasons more substantial than just to frustrate
non-privileged users.  And, if I'm not mistaken, the specs on the views are
subject to change without notice.  I have enough to do without trying to
stay on top of every stinkin' view in Oracle in every stinkin' release and
how one might use that view in naughty ways.

For what it's worth, after haggling and fussing, we were able to compromise
on this.  We haven't tried to tear each of these apart to see how it might
be abused.  If any of you have some warnings to provide, please do!

-- Must run this as SYS

create role DBARTISAN_USER_ROLE;

grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;

grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: [EMAIL PROTECTED]
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Jared Still

As long Oracle can manage to keep its modified DES algorithm
secret, this should make it somewhat difficult to crack passwords
in the manner that can be done with unix passwords.

It could still be done, but the time required would make
it just too time consuming IMO.  

Jared


On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
 When I brought the issue up, I didn't know if one could in fact maliciously
 use that info.  And, as I originally stated, it was something I had not
 tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
 When one looks at the Unix password world which brought about the necessity
 for a shadow file, and the evils of the old NIS where ypcat was available,
 you have to wonder why allowing access to the encrypted passwords for Unix
 is considered a dumb thing to do, but somehow in Oracle it would be an OK
 thing to do.  I'm inclined to say that Oracle restricted access to the views
 and underlying tables for reasons more substantial than just to frustrate
 non-privileged users.  And, if I'm not mistaken, the specs on the views are
 subject to change without notice.  I have enough to do without trying to
 stay on top of every stinkin' view in Oracle in every stinkin' release and
 how one might use that view in naughty ways.
 
 For what it's worth, after haggling and fussing, we were able to compromise
 on this.  We haven't tried to tear each of these apart to see how it might
 be abused.  If any of you have some warnings to provide, please do!
 
 -- Must run this as SYS
 
 create role DBARTISAN_USER_ROLE;
 
 grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;
 
 grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;
 
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: [EMAIL PROTECTED]
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Norris, Gregory T [ITS]

Not really... you could easily compile a list of passwords and their associated 
hashes.  Once this is done, it's just a simple matter of matching the hashes.

-Original Message-
Jared Still
Sent: Tuesday, December 23, 2003 1:24 PM
To: Multiple recipients of list ORACLE-L


As long Oracle can manage to keep its modified DES algorithm
secret, this should make it somewhat difficult to crack passwords
in the manner that can be done with unix passwords.

It could still be done, but the time required would make
it just too time consuming IMO.  

Jared


On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
 When I brought the issue up, I didn't know if one could in fact maliciously
 use that info.  And, as I originally stated, it was something I had not
 tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
 When one looks at the Unix password world which brought about the necessity
 for a shadow file, and the evils of the old NIS where ypcat was available,
 you have to wonder why allowing access to the encrypted passwords for Unix
 is considered a dumb thing to do, but somehow in Oracle it would be an OK
 thing to do.  I'm inclined to say that Oracle restricted access to the views
 and underlying tables for reasons more substantial than just to frustrate
 non-privileged users.  And, if I'm not mistaken, the specs on the views are
 subject to change without notice.  I have enough to do without trying to
 stay on top of every stinkin' view in Oracle in every stinkin' release and
 how one might use that view in naughty ways.
 
 For what it's worth, after haggling and fussing, we were able to compromise
 on this.  We haven't tried to tear each of these apart to see how it might
 be abused.  If any of you have some warnings to provide, please do!
 
 -- Must run this as SYS
 
 create role DBARTISAN_USER_ROLE;
 
 grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;
 
 grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;
 
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: [EMAIL PROTECTED]
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Davey, Alan

No.  Two different users with the same password would have different hash
values. 

So you would have to loop through a dictionary list for each user within
your local database.  Once you got a match, then you could logon to the
target database with that user/password combo.  

-
Alan Davey
Senior Analyst/Project Leader
Oracle 9i OCA; 3/4 OCP
w) 973.267.5990 x458
w) 212.295.3458



-Original Message-
Sent: Tuesday, December 23, 2003 3:29 PM
To: Multiple recipients of list ORACLE-L


Not really... you could easily compile a list of passwords and their
associated hashes.  Once this is done, it's just a simple matter of matching
the hashes.

-Original Message-
Jared Still
Sent: Tuesday, December 23, 2003 1:24 PM
To: Multiple recipients of list ORACLE-L


As long Oracle can manage to keep its modified DES algorithm
secret, this should make it somewhat difficult to crack passwords
in the manner that can be done with unix passwords.

It could still be done, but the time required would make
it just too time consuming IMO.  

Jared


On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
 When I brought the issue up, I didn't know if one could in fact
maliciously
 use that info.  And, as I originally stated, it was something I had not
 tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
 When one looks at the Unix password world which brought about the
necessity
 for a shadow file, and the evils of the old NIS where ypcat was available,
 you have to wonder why allowing access to the encrypted passwords for Unix
 is considered a dumb thing to do, but somehow in Oracle it would be an OK
 thing to do.  I'm inclined to say that Oracle restricted access to the
views
 and underlying tables for reasons more substantial than just to frustrate
 non-privileged users.  And, if I'm not mistaken, the specs on the views
are
 subject to change without notice.  I have enough to do without trying to
 stay on top of every stinkin' view in Oracle in every stinkin' release and
 how one might use that view in naughty ways.
 
 For what it's worth, after haggling and fussing, we were able to
compromise
 on this.  We haven't tried to tear each of these apart to see how it might
 be abused.  If any of you have some warnings to provide, please do!
 
 -- Must run this as SYS
 
 create role DBARTISAN_USER_ROLE;
 
 grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;
 
 grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;
 
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: [EMAIL PROTECTED]
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Norris, Gregory T [ITS]

Ah, you're right... the username is taken into account when the password is hashed.  
Quite a few applications have forced usernames, however, so I'm still a bit uneasy.  
It's clearly not as bad as I thought, however.

-Original Message-
Davey, Alan
Sent: Tuesday, December 23, 2003 2:59 PM
To: Multiple recipients of list ORACLE-L


No.  Two different users with the same password would have different hash
values. 

So you would have to loop through a dictionary list for each user within
your local database.  Once you got a match, then you could logon to the
target database with that user/password combo.  

-
Alan Davey
Senior Analyst/Project Leader
Oracle 9i OCA; 3/4 OCP
w) 973.267.5990 x458
w) 212.295.3458



-Original Message-
Sent: Tuesday, December 23, 2003 3:29 PM
To: Multiple recipients of list ORACLE-L


Not really... you could easily compile a list of passwords and their
associated hashes.  Once this is done, it's just a simple matter of matching
the hashes.

-Original Message-
Jared Still
Sent: Tuesday, December 23, 2003 1:24 PM
To: Multiple recipients of list ORACLE-L


As long Oracle can manage to keep its modified DES algorithm
secret, this should make it somewhat difficult to crack passwords
in the manner that can be done with unix passwords.

It could still be done, but the time required would make
it just too time consuming IMO.  

Jared


On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
 When I brought the issue up, I didn't know if one could in fact
maliciously
 use that info.  And, as I originally stated, it was something I had not
 tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
 When one looks at the Unix password world which brought about the
necessity
 for a shadow file, and the evils of the old NIS where ypcat was available,
 you have to wonder why allowing access to the encrypted passwords for Unix
 is considered a dumb thing to do, but somehow in Oracle it would be an OK
 thing to do.  I'm inclined to say that Oracle restricted access to the
views
 and underlying tables for reasons more substantial than just to frustrate
 non-privileged users.  And, if I'm not mistaken, the specs on the views
are
 subject to change without notice.  I have enough to do without trying to
 stay on top of every stinkin' view in Oracle in every stinkin' release and
 how one might use that view in naughty ways.
 
 For what it's worth, after haggling and fussing, we were able to
compromise
 on this.  We haven't tried to tear each of these apart to see how it might
 be abused.  If any of you have some warnings to provide, please do!
 
 -- Must run this as SYS
 
 create role DBARTISAN_USER_ROLE;
 
 grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
 grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;
 
 grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;
 
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: [EMAIL PROTECTED]
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California--

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Arup Nanda

Actually, the concatenated string of userid and password is hashed. So if
that is same, you got yourself the same hashed password.

Consider this:

SQL create user ABC identified by DEF;

User created.

SQL create user ABCD identified by EF;

User created.

SQL select password from dba_users where username in ('ABC','ABCD');

PASSWORD
--
016811C1486D026B
016811C1486D026B

They have the same password hash, even though the password is different.
It's a trick we use in auditing for security holes in the database.

HTH.

Arup



- Original Message - 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:59 PM


 No.  Two different users with the same password would have different hash
 values.

 So you would have to loop through a dictionary list for each user within
 your local database.  Once you got a match, then you could logon to the
 target database with that user/password combo.

 -
 Alan Davey
 Senior Analyst/Project Leader
 Oracle 9i OCA; 3/4 OCP
 w) 973.267.5990 x458
 w) 212.295.3458



 -Original Message-
 Sent: Tuesday, December 23, 2003 3:29 PM
 To: Multiple recipients of list ORACLE-L


 Not really... you could easily compile a list of passwords and their
 associated hashes.  Once this is done, it's just a simple matter of
matching
 the hashes.

 -Original Message-
 Jared Still
 Sent: Tuesday, December 23, 2003 1:24 PM
 To: Multiple recipients of list ORACLE-L


 As long Oracle can manage to keep its modified DES algorithm
 secret, this should make it somewhat difficult to crack passwords
 in the manner that can be done with unix passwords.

 It could still be done, but the time required would make
 it just too time consuming IMO.

 Jared


 On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
  When I brought the issue up, I didn't know if one could in fact
 maliciously
  use that info.  And, as I originally stated, it was something I had not
  tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
  When one looks at the Unix password world which brought about the
 necessity
  for a shadow file, and the evils of the old NIS where ypcat was
available,
  you have to wonder why allowing access to the encrypted passwords for
Unix
  is considered a dumb thing to do, but somehow in Oracle it would be an
OK
  thing to do.  I'm inclined to say that Oracle restricted access to the
 views
  and underlying tables for reasons more substantial than just to
frustrate
  non-privileged users.  And, if I'm not mistaken, the specs on the views
 are
  subject to change without notice.  I have enough to do without trying
to
  stay on top of every stinkin' view in Oracle in every stinkin' release
and
  how one might use that view in naughty ways.
 
  For what it's worth, after haggling and fussing, we were able to
 compromise
  on this.  We haven't tried to tear each of these apart to see how it
might
  be abused.  If any of you have some warnings to provide, please do!
 
  -- Must run this as SYS
 
  create role DBARTISAN_USER_ROLE;
 
  grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.DBA_ROLLBACK_SEGS to

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Jared Still

You could conceivably do this, much like lopht or crack.

It would take a rather large password database, and a 
cracker with some intelligence.  This is the same reason
that unix now uses shadow passwords.

Jared

On Tue, 2003-12-23 at 12:29, Norris, Gregory T [ITS] wrote:
 Not really... you could easily compile a list of passwords and their associated 
 hashes.  Once this is done, it's just a simple matter of matching the hashes.
 
 -Original Message-
 Jared Still
 Sent: Tuesday, December 23, 2003 1:24 PM
 To: Multiple recipients of list ORACLE-L
 
 
 As long Oracle can manage to keep its modified DES algorithm
 secret, this should make it somewhat difficult to crack passwords
 in the manner that can be done with unix passwords.
 
 It could still be done, but the time required would make
 it just too time consuming IMO.  
 
 Jared
 
 
 On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
  
  When I brought the issue up, I didn't know if one could in fact maliciously
  use that info.  And, as I originally stated, it was something I had not
  tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
  When one looks at the Unix password world which brought about the necessity
  for a shadow file, and the evils of the old NIS where ypcat was available,
  you have to wonder why allowing access to the encrypted passwords for Unix
  is considered a dumb thing to do, but somehow in Oracle it would be an OK
  thing to do.  I'm inclined to say that Oracle restricted access to the views
  and underlying tables for reasons more substantial than just to frustrate
  non-privileged users.  And, if I'm not mistaken, the specs on the views are
  subject to change without notice.  I have enough to do without trying to
  stay on top of every stinkin' view in Oracle in every stinkin' release and
  how one might use that view in naughty ways.
  
  For what it's worth, after haggling and fussing, we were able to compromise
  on this.  We haven't tried to tear each of these apart to see how it might
  be abused.  If any of you have some warnings to provide, please do!
  
  -- Must run this as SYS
  
  create role DBARTISAN_USER_ROLE;
  
  grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;
  
  grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;
  
  -- 
  Please see the official ORACLE-L FAQ: http://www.orafaq.net
  -- 
  Author: [EMAIL PROTECTED]
INET: [EMAIL PROTECTED]
  
  Fat City Network Services-- 858-538-5051 http://www.fatcity.com
  San Diego, California-- Mailing list and web hosting services
  -
  To REMOVE yourself from this mailing list, send an E-Mail message
  to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
  the message BODY, include a line containing: UNSUB ORACLE-L
  (or the name of mailing list you want to be removed from).  You may
  also send the HELP command for other information (like subscribing).
  
 
 
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Davey, Alan

Very Nice.  I didn't know how the 2 values were used within the hashing
algorithm.

I would have thought it was a little more complex.

-
Alan Davey
Senior Analyst/Project Leader
Oracle 9i OCA; 3/4 OCP
w) 973.267.5990 x458
w) 212.295.3458



-Original Message-
Sent: Tuesday, December 23, 2003 4:45 PM
To: Multiple recipients of list ORACLE-L


Actually, the concatenated string of userid and password is hashed. So if
that is same, you got yourself the same hashed password.

Consider this:

SQL create user ABC identified by DEF;

User created.

SQL create user ABCD identified by EF;

User created.

SQL select password from dba_users where username in ('ABC','ABCD');

PASSWORD
--
016811C1486D026B
016811C1486D026B

They have the same password hash, even though the password is different.
It's a trick we use in auditing for security holes in the database.

HTH.

Arup



- Original Message - 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:59 PM


 No.  Two different users with the same password would have different hash
 values.

 So you would have to loop through a dictionary list for each user within
 your local database.  Once you got a match, then you could logon to the
 target database with that user/password combo.

 -
 Alan Davey
 Senior Analyst/Project Leader
 Oracle 9i OCA; 3/4 OCP
 w) 973.267.5990 x458
 w) 212.295.3458



 -Original Message-
 Sent: Tuesday, December 23, 2003 3:29 PM
 To: Multiple recipients of list ORACLE-L


 Not really... you could easily compile a list of passwords and their
 associated hashes.  Once this is done, it's just a simple matter of
matching
 the hashes.

 -Original Message-
 Jared Still
 Sent: Tuesday, December 23, 2003 1:24 PM
 To: Multiple recipients of list ORACLE-L


 As long Oracle can manage to keep its modified DES algorithm
 secret, this should make it somewhat difficult to crack passwords
 in the manner that can be done with unix passwords.

 It could still be done, but the time required would make
 it just too time consuming IMO.

 Jared


 On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
  When I brought the issue up, I didn't know if one could in fact
 maliciously
  use that info.  And, as I originally stated, it was something I had not
  tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
  When one looks at the Unix password world which brought about the
 necessity
  for a shadow file, and the evils of the old NIS where ypcat was
available,
  you have to wonder why allowing access to the encrypted passwords for
Unix
  is considered a dumb thing to do, but somehow in Oracle it would be an
OK
  thing to do.  I'm inclined to say that Oracle restricted access to the
 views
  and underlying tables for reasons more substantial than just to
frustrate
  non-privileged users.  And, if I'm not mistaken, the specs on the views
 are
  subject to change without notice.  I have enough to do without trying
to
  stay on top of every stinkin' view in Oracle in every stinkin' release
and
  how one might use that view in naughty ways.
 
  For what it's worth, after haggling and fussing, we were able to
 compromise
  on this.  We haven't tried to tear each of these apart to see how it
might
  be abused.  If any of you have some warnings to provide, please do!
 
  -- Must run this as SYS
 
  create role DBARTISAN_USER_ROLE;
 
  grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT

RE: Risk of knowing password hash value (Was: OEM permissions)

2003-12-23 Thread Bellow, Bambi

Looks like they're using VMS's algorithm.  *That's* a shocker!

-Original Message-
Sent: Tuesday, December 23, 2003 3:45 PM
To: Multiple recipients of list ORACLE-L


Actually, the concatenated string of userid and password is hashed. So if
that is same, you got yourself the same hashed password.

Consider this:

SQL create user ABC identified by DEF;

User created.

SQL create user ABCD identified by EF;

User created.

SQL select password from dba_users where username in ('ABC','ABCD');

PASSWORD
--
016811C1486D026B
016811C1486D026B

They have the same password hash, even though the password is different.
It's a trick we use in auditing for security holes in the database.

HTH.

Arup



- Original Message - 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:59 PM


 No.  Two different users with the same password would have different hash
 values.

 So you would have to loop through a dictionary list for each user within
 your local database.  Once you got a match, then you could logon to the
 target database with that user/password combo.

 -
 Alan Davey
 Senior Analyst/Project Leader
 Oracle 9i OCA; 3/4 OCP
 w) 973.267.5990 x458
 w) 212.295.3458



 -Original Message-
 Sent: Tuesday, December 23, 2003 3:29 PM
 To: Multiple recipients of list ORACLE-L


 Not really... you could easily compile a list of passwords and their
 associated hashes.  Once this is done, it's just a simple matter of
matching
 the hashes.

 -Original Message-
 Jared Still
 Sent: Tuesday, December 23, 2003 1:24 PM
 To: Multiple recipients of list ORACLE-L


 As long Oracle can manage to keep its modified DES algorithm
 secret, this should make it somewhat difficult to crack passwords
 in the manner that can be done with unix passwords.

 It could still be done, but the time required would make
 it just too time consuming IMO.

 Jared


 On Tue, 2003-12-23 at 09:44, [EMAIL PROTECTED] wrote:
 
  When I brought the issue up, I didn't know if one could in fact
 maliciously
  use that info.  And, as I originally stated, it was something I had not
  tried.  But paranoia (healthy, I think) dictates there's gotta be a way.
  When one looks at the Unix password world which brought about the
 necessity
  for a shadow file, and the evils of the old NIS where ypcat was
available,
  you have to wonder why allowing access to the encrypted passwords for
Unix
  is considered a dumb thing to do, but somehow in Oracle it would be an
OK
  thing to do.  I'm inclined to say that Oracle restricted access to the
 views
  and underlying tables for reasons more substantial than just to
frustrate
  non-privileged users.  And, if I'm not mistaken, the specs on the views
 are
  subject to change without notice.  I have enough to do without trying
to
  stay on top of every stinkin' view in Oracle in every stinkin' release
and
  how one might use that view in naughty ways.
 
  For what it's worth, after haggling and fussing, we were able to
 compromise
  on this.  We haven't tried to tear each of these apart to see how it
might
  be abused.  If any of you have some warnings to provide, please do!
 
  -- Must run this as SYS
 
  create role DBARTISAN_USER_ROLE;
 
  grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;
  grant SELECT on SYS.V_$TABLESPACE to

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread Jared Still

Environment:

DB1: RH 8.0 with Oracle EE 9.2.0.4

DB2: Win2k SP3 with Oracle EE 9.2.0.1

SYSTEM user on each database initially have different passwords.

It goes something like this:

DB1:

select password from dba_users where username = 'SYSTEM';

Let's say the result is 'AC424SDK4398'

DB2:

Logon to DB2 as SYSTEM.

alter user SYSTEM identified by values 'AC424SDK4398';
create database link systemlink using 'DB1';

Logout, and log back on to DB2 as SYSTEM.

select count(*) from [EMAIL PROTECTED];

Works for me in this environment.  DB2 is compromised.

HTH

Jared



On Mon, 2003-12-22 at 08:29, Yong Huang wrote:

 Hi, Gregory,
 
 I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL and
 AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I logon
 AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL. Create
 link L to ORCL without password. Selecting from a table in ORCL @L (i.e. select
 * from [EMAIL PROTECTED]) throws ORA-1017 invalid username/password.
 
 Alternatively, I logon as SYS and create a procedure owned by SYSTEM, with one
 line execute imediate('select count(*) from [EMAIL PROTECTED]'). When I execute
 system.this procedure as SYS, I get ORA-1005 null password given. (I could
 use DBMS_SYS_SQL but using the execute immediate trick obviates the need to
 remember the syntax in that undocumented package).
 
 If I use connect to current_user to create the link, I always get ORA-28030
 Server encountered problems accessing LDAP directory service.
 
 Could you try on your databases and show how you do it? As I said, this may be
 a security problem. I'm just too ignorant of it and can't reproduce it for now.
 
 Yong Huang
 
 Norris, Gregory T [ITS] wrote:
 
 There's no reason I can see that he couldn't create the dblink first, and then 
 reset the password using the encrypted value.  Alternately, the dblink could be
 
 created using the DBMS_SYS_SQL package... no knowledge of the current password 
 required.
 
   create database link foo
  connect to current_user
  using 'bar';
 
 __
 Do you Yahoo!?
 New Yahoo! Photos - easier uploading and sharing.
 http://photos.yahoo.com/
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: Yong Huang
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread Yong Huang

Jared,

I see you log out and log back in as SYSTEM to DB2. But how do you know the
password for SYSTEM to log back in with after you change it?

What if you don't log out? When I tried that (i.e. not logging out), I got
ORA-1017.

Yong Huang

--- Jared Still [EMAIL PROTECTED] wrote:
 Environment:
 
 DB1: RH 8.0 with Oracle EE 9.2.0.4
 
 DB2: Win2k SP3 with Oracle EE 9.2.0.1
 
 SYSTEM user on each database initially have different passwords.
 
 It goes something like this:
 
 DB1:
 
 select password from dba_users where username = 'SYSTEM';
 
 Let's say the result is 'AC424SDK4398'
 
 DB2:
 
 Logon to DB2 as SYSTEM.
 
 alter user SYSTEM identified by values 'AC424SDK4398';
 create database link systemlink using 'DB1';
 
 Logout, and log back on to DB2 as SYSTEM.
 
 select count(*) from [EMAIL PROTECTED];
 
 Works for me in this environment.  DB2 is compromised.
 
 HTH
 
 Jared
 
 
 
 On Mon, 2003-12-22 at 08:29, Yong Huang wrote:
 
  Hi, Gregory,
  
  I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL
 and
  AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I logon
  AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL.
 Create
  link L to ORCL without password. Selecting from a table in ORCL @L (i.e.
 select
  * from [EMAIL PROTECTED]) throws ORA-1017 invalid username/password.
  
  Alternatively, I logon as SYS and create a procedure owned by SYSTEM, with
 one
  line execute imediate('select count(*) from [EMAIL PROTECTED]'). When I execute
  system.this procedure as SYS, I get ORA-1005 null password given. (I
 could
  use DBMS_SYS_SQL but using the execute immediate trick obviates the need to
  remember the syntax in that undocumented package).
  
  If I use connect to current_user to create the link, I always get ORA-28030
  Server encountered problems accessing LDAP directory service.
  
  Could you try on your databases and show how you do it? As I said, this may
 be
  a security problem. I'm just too ignorant of it and can't reproduce it for
 now.
  
  Yong Huang
  
  Norris, Gregory T [ITS] wrote:
  
  There's no reason I can see that he couldn't create the dblink first, and
 then 
  reset the password using the encrypted value.  Alternately, the dblink
 could be
  
  created using the DBMS_SYS_SQL package... no knowledge of the current
 password 
  required.
  
  create database link foo
 connect to current_user
 using 'bar';

__
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Yong Huang
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread Michael Thomas

Hi,

Okay. I'm almost a believer of this as a problem. How
about 9.2.0.4 on RH9.3.

1) What does anyone/everyone get for my this query (my
results shown):

connect system/[EMAIL PROTECTED];
alter user scott identified by tiger;
--
select password
from dba_users
where username = 'SCOTT';

PASSWORD

F894844C34402B67

2) If you all get the same, then I'm concerned.

Regards,

Mike Thomas

--- Yong Huang [EMAIL PROTECTED] wrote:
 Jared,
 
 I see you log out and log back in as SYSTEM to DB2.
 But how do you know the
 password for SYSTEM to log back in with after you
 change it?
 
 What if you don't log out? When I tried that (i.e.
 not logging out), I got
 ORA-1017.
 
 Yong Huang
 
 --- Jared Still [EMAIL PROTECTED] wrote:
  Environment:
  
  DB1: RH 8.0 with Oracle EE 9.2.0.4
  
  DB2: Win2k SP3 with Oracle EE 9.2.0.1
  
  SYSTEM user on each database initially have
 different passwords.
  


__
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Michael Thomas
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread Jared Still


It doesn't matter which account I logged into DB2 with, as
long as that account has privileges to read DBA_USERS.

SYSTEM was used simply because it was the only account
on the database that could be logged into remotely, so
my test could be run without switching between machines.

If I had granted SELECT_CATALOG_ROLE  to scott, I could 
have logged in  as SCOTT and done the same.

Jared

PS. Forgot this in private post to Yong:  The password is
cached, I assume in the PGA.  This doesn't work without
reconnecting.  Logging out isn't strictly necessary, but
the way my shell is setup, it takes quite a few less keystrokes
to logout/logon than the type 'connect system/[EMAIL PROTECTED]'.



On Mon, 2003-12-22 at 20:19, Yong Huang wrote:
 Jared,
 
 I see you log out and log back in as SYSTEM to DB2. But how do you know the
 password for SYSTEM to log back in with after you change it?
 
 What if you don't log out? When I tried that (i.e. not logging out), I got
 ORA-1017.
 
 Yong Huang
 
 --- Jared Still [EMAIL PROTECTED] wrote:
  Environment:
  
  DB1: RH 8.0 with Oracle EE 9.2.0.4
  
  DB2: Win2k SP3 with Oracle EE 9.2.0.1
  
  SYSTEM user on each database initially have different passwords.
  
  It goes something like this:
  
  DB1:
  
  select password from dba_users where username = 'SYSTEM';
  
  Let's say the result is 'AC424SDK4398'
  
  DB2:
  
  Logon to DB2 as SYSTEM.
  
  alter user SYSTEM identified by values 'AC424SDK4398';
  create database link systemlink using 'DB1';
  
  Logout, and log back on to DB2 as SYSTEM.
  
  select count(*) from [EMAIL PROTECTED];
  
  Works for me in this environment.  DB2 is compromised.
  
  HTH
  
  Jared
  
  
  
  On Mon, 2003-12-22 at 08:29, Yong Huang wrote:
  
   Hi, Gregory,
   
   I only have access to Oracle 9.2 on my laptop. Here's my test. I have ORCL
  and
   AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I logon
   AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL.
  Create
   link L to ORCL without password. Selecting from a table in ORCL @L (i.e.
  select
   * from [EMAIL PROTECTED]) throws ORA-1017 invalid username/password.
   
   Alternatively, I logon as SYS and create a procedure owned by SYSTEM, with
  one
   line execute imediate('select count(*) from [EMAIL PROTECTED]'). When I execute
   system.this procedure as SYS, I get ORA-1005 null password given. (I
  could
   use DBMS_SYS_SQL but using the execute immediate trick obviates the need to
   remember the syntax in that undocumented package).
   
   If I use connect to current_user to create the link, I always get ORA-28030
   Server encountered problems accessing LDAP directory service.
   
   Could you try on your databases and show how you do it? As I said, this may
  be
   a security problem. I'm just too ignorant of it and can't reproduce it for
  now.
   
   Yong Huang
   
   Norris, Gregory T [ITS] wrote:
   
   There's no reason I can see that he couldn't create the dblink first, and
  then 
   reset the password using the encrypted value.  Alternately, the dblink
  could be
   
   created using the DBMS_SYS_SQL package... no knowledge of the current
  password 
   required.
   
 create database link foo
connect to current_user
using 'bar';
 
 __
 Do you Yahoo!?
 New Yahoo! Photos - easier uploading and sharing.
 http://photos.yahoo.com/
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: Yong Huang
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread Jared Still

On RH 8.0 Oracle 9.2.0.4: F894844C34402B67

It is required that a password for a particular users always
hashes to the same value, regardless of platform or Oracle version. 

This has been true for as long as I have used oracle: since 7.0.13.

If not, export/import would not be able to recreate users, and
database links without a password would not work.

Good reason to protect DBA_USERS, no?

Jared



On Mon, 2003-12-22 at 20:44, Michael Thomas wrote:
 Hi,
 
 Okay. I'm almost a believer of this as a problem. How
 about 9.2.0.4 on RH9.3.
 
 1) What does anyone/everyone get for my this query (my
 results shown):
 
 connect system/[EMAIL PROTECTED];
 alter user scott identified by tiger;
 --
 select password
 from dba_users
 where username = 'SCOTT';
 
 PASSWORD
 
 F894844C34402B67
 
 2) If you all get the same, then I'm concerned.
 
 Regards,
 
 Mike Thomas
 
 --- Yong Huang [EMAIL PROTECTED] wrote:
  Jared,
  
  I see you log out and log back in as SYSTEM to DB2.
  But how do you know the
  password for SYSTEM to log back in with after you
  change it?
  
  What if you don't log out? When I tried that (i.e.
  not logging out), I got
  ORA-1017.
  
  Yong Huang
  
  --- Jared Still [EMAIL PROTECTED] wrote:
   Environment:
   
   DB1: RH 8.0 with Oracle EE 9.2.0.4
   
   DB2: Win2k SP3 with Oracle EE 9.2.0.1
   
   SYSTEM user on each database initially have
  different passwords.
   
 
 
 __
 Do you Yahoo!?
 Protect your identity with Yahoo! Mail AddressGuard
 http://antispam.yahoo.com/whatsnewfree
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: Michael Thomas
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread Jared Still

Yes, I misunderstood.

Once I change the password, I can no longer connect to the account.

My hasty little test was missing an important condition: I should
have pretended I didn't know the password to the other database,
which would prevent me from logging back on exploiting the db link.

Wonder if there's a way around it though?

I spent a few minutes looking for a way around that problem, and
couldn't find one.  Oracle may have covered the bases on this, they've
had a few years to perfect it.

Jared

On Mon, 2003-12-22 at 21:19, Yong Huang wrote:
 Hey, you're working late!
 
 OK. I think you misunderstood. I know you take SYSTEM as an example user. Let's
 say it's SCOTT who has select_catalog_role. If you login to your own database
 as SCOTT and change his password hash value, you don't know the clear text
 password any more. How can you log out and log back in as SCOTT? That's why I
 ask if you can use the link without logging out after changing the password?
 
 Yong
 
 --- Jared Still [EMAIL PROTECTED] wrote:
  It doesn't matter which account I logged into DB2 with, as
  long as that account has privileges to read DBA_USERS.
  
  SYSTEM was used simply because it was the only account
  on the database that could be logged into remotely, so
  my test could be run without switching between machines.
  
  If I had granted SELECT_CATALOG_ROLE  to scott, I could 
  have logged in  as SCOTT and done the same.
  
  Jared
  
  On Mon, 2003-12-22 at 20:19, Yong Huang wrote:
   Jared,
   
   I see you log out and log back in as SYSTEM to DB2. But how do you know the
   password for SYSTEM to log back in with after you change it?
   
   What if you don't log out? When I tried that (i.e. not logging out), I got
   ORA-1017.
   
   Yong Huang
   
   --- Jared Still [EMAIL PROTECTED] wrote:
Environment:

DB1: RH 8.0 with Oracle EE 9.2.0.4

DB2: Win2k SP3 with Oracle EE 9.2.0.1

SYSTEM user on each database initially have different passwords.

It goes something like this:

DB1:

select password from dba_users where username = 'SYSTEM';

Let's say the result is 'AC424SDK4398'

DB2:

Logon to DB2 as SYSTEM.

alter user SYSTEM identified by values 'AC424SDK4398';
create database link systemlink using 'DB1';

Logout, and log back on to DB2 as SYSTEM.

select count(*) from [EMAIL PROTECTED];

Works for me in this environment.  DB2 is compromised.

HTH

Jared



On Mon, 2003-12-22 at 08:29, Yong Huang wrote:

 Hi, Gregory,
 
 I only have access to Oracle 9.2 on my laptop. Here's my test. I have
  ORCL
and
 AUX1 databases, the latter created by RMAN DUPLICATE some time ago. I
  logon
 AUX1 as SYSTEM. Set SYSTEM password hash value to the same as in ORCL.
Create
 link L to ORCL without password. Selecting from a table in ORCL @L
  (i.e.
select
 * from [EMAIL PROTECTED]) throws ORA-1017 invalid username/password.
 
 Alternatively, I logon as SYS and create a procedure owned by SYSTEM,
  with
one
 line execute imediate('select count(*) from [EMAIL PROTECTED]'). When I
  execute
 system.this procedure as SYS, I get ORA-1005 null password given. (I
could
 use DBMS_SYS_SQL but using the execute immediate trick obviates the
  need to
 remember the syntax in that undocumented package).
 
 If I use connect to current_user to create the link, I always get
  ORA-28030
 Server encountered problems accessing LDAP directory service.
 
 Could you try on your databases and show how you do it? As I said, this
  may
be
 a security problem. I'm just too ignorant of it and can't reproduce it
  for
now.
 
 Yong Huang
 
 Norris, Gregory T [ITS] wrote:
 
 There's no reason I can see that he couldn't create the dblink first,
  and
then 
 reset the password using the encrypted value.  Alternately, the dblink
could be
 
 created using the DBMS_SYS_SQL package... no knowledge of the current
password 
 required.
 
   create database link foo
  connect to current_user
  using 'bar';
   
   __
   Do you Yahoo!?
   New Yahoo! Photos - easier uploading and sharing.
   http://photos.yahoo.com/
   
  
  
 
 
 __
 Do you Yahoo!?
 New Yahoo! Photos - easier uploading and sharing.
 http://photos.yahoo.com/
 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the

Re: Risk of knowing password hash value (Was: OEM permissions)

2003-12-22 Thread rahul sharma

8.1.7 on win2000

SQL select password
  2  from dba_users
  3  where username = 'SCOTT';

PASSWORD
--
F894844C34402B67




- Original Message - 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:44 AM


 Hi,
 
 Okay. I'm almost a believer of this as a problem. How
 about 9.2.0.4 on RH9.3.
 
 1) What does anyone/everyone get for my this query (my
 results shown):
 
 connect system/[EMAIL PROTECTED];
 alter user scott identified by tiger;
 --
 select password
 from dba_users
 where username = 'SCOTT';
 
 PASSWORD
 
 F894844C34402B67
 
 2) If you all get the same, then I'm concerned.
 
 Regards,
 
 Mike Thomas
 
 --- Yong Huang [EMAIL PROTECTED] wrote:
  Jared,
  
  I see you log out and log back in as SYSTEM to DB2.
  But how do you know the
  password for SYSTEM to log back in with after you
  change it?
  
  What if you don't log out? When I tried that (i.e.
  not logging out), I got
  ORA-1017.
  
  Yong Huang
  
  --- Jared Still [EMAIL PROTECTED] wrote:
   Environment:
   
   DB1: RH 8.0 with Oracle EE 9.2.0.4
   
   DB2: Win2k SP3 with Oracle EE 9.2.0.1
   
   SYSTEM user on each database initially have
  different passwords.
   
 
 
 __
 Do you Yahoo!?
 Protect your identity with Yahoo! Mail AddressGuard
 http://antispam.yahoo.com/whatsnewfree
 -- 
 Please see the official ORACLE-L FAQ: http://www.orafaq.net
 -- 
 Author: Michael Thomas
   INET: [EMAIL PROTECTED]
 
 Fat City Network Services-- 858-538-5051 http://www.fatcity.com
 San Diego, California-- Mailing list and web hosting services
 -
 To REMOVE yourself from this mailing list, send an E-Mail message
 to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
 the message BODY, include a line containing: UNSUB ORACLE-L
 (or the name of mailing list you want to be removed from).  You may
 also send the HELP command for other information (like subscribing).
 

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: rahul sharma
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Re: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

Re: Risk of knowing password hash value (Was: OEM permissions)

20 matches

Site Navigation

Mail list logo

Footer information