Security – Page 2

Oracle Security: Users with Default Passwords

By matheusdba 11 de April de 2018 21 de April de 2020

Hi all!
Did you know since Oracle Database 11g we have a way to quickly identify users with default passwords?
It’s implemented in a really simple way, with a single data dictionary view: DBA_USERS_WITH_DEFPWD

You can identify these users with the query:

select * from dba_users_with_defpwd

Example of output:

USERNAME
------------------------------
DIP
MDSYS
WK_TEST
CTXSYS
OLAPSYS
OUTLN
EXFSYS
SCOTT
MDDATA
ORDPLUGINS
ORDSYS
XDB
LBACSYS
SI_INFORMTN_SCHEMA
WMSYS

You can see SCOTT listed above, because his password is TIGER, the default one. Change it with:

SQL> alter user scott identified by tiger1;

User altered.

Now if you check the view:

SQL> select * from dba_users_with_defpwd;

USERNAME
------------------------------
DIP
MDSYS
WK_TEST
CTXSYS
OLAPSYS
OUTLN
EXFSYS
MDDATA
ORDPLUGINS
ORDSYS
XDB
LBACSYS
SI_INFORMTN_SCHEMA
WMSYS

You don’t see SCOTT on the list anymore. It’s that simple!

Hope it helps to make you database more secure.
Cheers!

Database, Security, SQL | PLSQL

12c New Feature: Unused Privileges

By matheusdba 28 de March de 2018 21 de April de 2020

Did you know 12c now has a mechanism to examine which privileges are actually being used by an user, module or for the database as a whole, as opposed to merely the privileges granted?
This is a great security improvement in order give users the privileges that they need precisely without granting too much.

Here’s how is works?

1. First you have to set up a capture process using the new package DBMS_PRIVILEGE_CAPTURE.

# Example:

BEGIN 
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( 
        name         => 'all_priv_analysis_pol', 
        description  => 'database-wide policy to analyze all privileges', 
        type         => DBMS_PRIVILEGE_CAPTURE.G_DATABASE); 
END;
/

This starts the capture process database wide. Let it run for a bit.

2. Now you can either generate a report:

# Example

BEGIN 
DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT( 
        name         => 'all_priv_analysis_pol'); 
END;
/

Or examine the new views:

DBA_USED_PRIVS 
DBA_UNUSED_PRIVS 
DBA_USED_OBJPRIVS 
DBA_UNUSED_OBJPRIVS

3. To turn off you proceed with the following:

BEGIN 
DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE( 
        name         => 'all_priv_analysis_pol'); 
END;
/

So now you ensure that you use the best practice of least privilege for users.

Cheers!

Application | Middleware | GoldenGate, Security, Weblogic

Decrypting WebLogic Datasource Password

By Jackson Costa 21 de June de 2016 21 de April de 2020

Hi Guys,

Today I bring you a script that I use to decrypt datasource passwords and also the password of AdminServer, which is very useful on a daily basis.

The script uses the encrypted password that is found within the datasource configuration files ($DOMAIN_HOME/config/jdbc/*.xml).
To decrypt the AdminServer password is used the encrypted password contained within the boot.properties ($DOMAIN_HOME/servers/AdminServer/security).

Below the script (decryptPassword.py):

#=======================================================================================
# This Script decrypt WebLogic passwords
#
# Usage:
# wlst decryptPassword.py
#
#
#=======================================================================================
import os
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

def decrypt(domainHomeName, encryptedPwd):
domainHomeAbsolutePath = os.path.abspath(domainHomeName)
encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainHomeAbsolutePath)
ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)
clear = ces.decrypt(encryptedPwd)
print "RESULT:" + clear

try:
if len(sys.argv) == 3:
decrypt(sys.argv[1], sys.argv[2])
else:
print "INVALID ARGUMENTS"
print " Usage: java weblogic.WLST decryptPassword.py "
print " Example:"
print " java weblogic.WLST decryptPassword.py D:/Oracle/Middleware/user_projects/domains/base_domain {AES}819R5h3JUS9fAcPmF58p9Wb3swTJxFl0t8NInD/ykkE="
except:
print "Unexpected error: ", sys.exc_info()[0]
dumpStack()
raise

Syntax using: java weblogic.WLST decryptPassword.py $DOMAIN_HOME encrypted_password

Download script here.

For example:
[oracle@app1osbgrepora1l scripts]$ source /oracle/domains/osb_domain/bin/setDomainEnv.sh
[oracle@app1osbgrepora1l osb_domain]$ java weblogic.WLST decryptPassword.py /oracle/domains/osb_domain/ {AES}WdbfYhD1EbVXmIe62hLftef4WtNPvyRDGc1/lsyQ014=
Initializing WebLogic Scripting Tool (WLST) …
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
RESULT:OSBPASS123

That’s all for today
Jackson.

Database, Security, SQL | PLSQL

Vulnerability: Decrypting Oracle DBlink password (<11.2.0.2)

By matheusdba 15 de June de 2016 21 de April de 2020

Hi all,
It’s not a new vulnerability, but a good thing to have personal note about it. Besides the security problem, it can save you from situations you need but don’t have the database link password.
It works only if the database link was created pre-11.2.0.2.

The vulnerability only is exposed if user has one of the follow privileges:
SYS
SYSDBA
DBA
SYS WITHOUT SYSDBA
SYSASM
EXP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE

Starting with 11.2.0.2, Oracle changed the hashes format for database link passwords, solving this vulnerability. But it only apply to dblinks created in this version or higher.
If you have dblink created when database was on 11.2.0.1, for example, and upgrade the database for 11.2.0.4, the problem remains until you recreate the database link.

So, if you are upgrading database from 11.2.0.1 or lower to 11.2.0.2 or higher, remember to reacreate database links!

The vulnerability was exposed in 2012 by Paul Wright. Here is his PoC.
And there is his post.

To make it different, below I made the same test (using a PLSQL block, to make it prettier) with an upgraded database, from 11.2.0.1 to 11.2.0.4:

testdb11204> select passwordx from sys.link$ where name='MY_DBLINK';

PASSWORDX
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0540C5B8090D021649C5C614E8E0C242AF33F71C08C535900C
1 row selected.
testdb11204> set serveroutput on
testdb11204> declare
2   db_link_password varchar2(100);
3  begin
4   db_link_password := '0540C5B8090D021649C5C614E8E0C242AF33F71C08C535900C';
5   dbms_output.put_line ('Password: ' || utl_raw.cast_to_varchar2 ( dbms_crypto.decrypt ( substr (db_link_password, 19) , dbms_crypto.DES_CBC_PKCS5 , substr (db_link_password, 3, 16) ) ) );
6  end;
7  /
Password: P4SSW0RD

Note that the simple upgrade does not solve the question. Is needed to recreate database link.

Matheus.

Database, Errors and Bugs, Security, SQL | PLSQL

ORA-28004: invalid argument for function specified in PASSWORD_VERIFY_FUNCTION

By matheusdba 21 de October de 2015 21 de April de 2020

An unexpected error, right?

SQL> CREATE PROFILE TEST_PROF LIMIT
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 30
PASSWORD_REUSE_MAX 15
PASSWORD_VERIFY_FUNCTION fnc_validation;
CREATE PROFILE TEST_PROF LIMIT
*
ERROR at line 1:
ORA-28004: invalid argument for function specified in PASSWORD_VERIFY_FUNCTION FNC_VALIDATION

That is a simple need. You have to use 3 parameters on function: username varchar2, password varchar2, old_password varchar2.

Matheus.