Re: Funny sort of question re sys password

  • From: Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 10 Mar 2004 12:20:44 +0000

>In article <EA29A3FCC723674293FD6286D3F0513E572673@xxxxxxxxxxxxxxxxxx>,
>David Sharples <dsharples@xxxxxxxxxxxxxxxxxxxxx> writes
>I believe you can do this by using trace files - and apparently can
>take a lot less :-)
Hi,

You can do this, but only up to 9.2.0.3. Oracle have finally fixed this
hole. I do not believe that they released it as an advisory, though, and I
don't think that the fix is backported.

I found this way to get passwords about three years ago and wrote about
it at the time in a posting to the pen-test mailing list on
SecurityFocus. There is a link to my posting on my website at
http://www.petefinnigan.com/orasec.htm - the link is called "Revealing
clear text passwords from the SGA". Basically, you dump the library
cache, and if someone has changed a password or added a user, the password
can be read from the trace file. It depends on being able to do alter
session and being able to read the trace files, and in this case it would
depend on someone changing the SYS password, or at least a user who has
alter user privilege.

Kind regards

Pete
-- 
Pete Finnigan
email:pete@xxxxxxxxxxxxxxxx
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
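
Added example, not part of the original post or of Oracle's tooling: a defender's check that walks a trace directory, flags `*.trc` files containing `CREATE USER` / `ALTER USER ... IDENTIFIED BY` statements, and notes whether each file is world-readable, without echoing the password. The sample file contents and the names `scan_trace_dir` and `build_sample` are assumptions made for illustration; the sample layout is invented and is not a real dump format.

```python
import os, re, stat, tempfile

# CREATE/ALTER USER ... IDENTIFIED BY [VALUES] <secret>; group 3 is captured only to mask it.
PWD_STMT = re.compile(
    r"""\b(create|alter)\s+user\s+("[^"]+"|\S+)\s+identified\s+by\s+(?:values\s+)?("[^"]+"|'[^']+'|\S+)""",
    re.IGNORECASE,
)

def _mask(m):
    # Keep the statement up to the secret, drop the secret itself.
    return m.group(0)[: m.start(3) - m.start(0)] + "<redacted>"

def scan_trace_dir(trace_dir):
    """Report password-bearing statements in *.trc files without echoing the secret."""
    findings = []
    for name in sorted(os.listdir(trace_dir)):
        path = os.path.join(trace_dir, name)
        if not name.endswith(".trc") or not os.path.isfile(path):
            continue
        world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in PWD_STMT.finditer(line):
                    findings.append({
                        "file": name, "line": lineno,
                        "user": m.group(2).strip('"'),
                        "statement": PWD_STMT.sub(_mask, line).strip(),
                        "world_readable": world_readable,
                    })
    return findings

def build_sample(trace_dir):
    """Write constructed sample files; the layout is invented, not a real dump format."""
    samples = {
        "ora_0001.trc": "cursor text: alter user sys identified by Examp1ePw\n",
        "ora_0002.trc": "cursor text: select sysdate from dual\n",
    }
    for name, text in samples.items():
        path = os.path.join(trace_dir, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)  # world-readable, the exposed case

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for f in scan_trace_dir(d):
            print(f)
```

Any finding means the affected account's password should be changed and the trace file removed or its permissions tightened.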
