UNIX Oracle stores "system" account passwords in plaintext
Description: plaintext passwords are stored in $ORACLE_HOME/network/config/sql/add*_net.sql
Author: Markus Fleck <fleck@informatik.uni-bonn.de>
Compromise: With these plaintext passwords, database information can be manipulated
Vulnerable Systems: Those running Oracle 7.1, 7.2, and probably earlier versions
Date: 24 August 1997
Notes: I like it when people send me security holes like this. I wish it would happen more often! <hint, hint, mail me.
Date: Sun, 24 Aug 1997 02:48:33 +0200
From: Markus Fleck <fleck@informatik.uni-bonn.de>
To: fyodor@nmap.org
Subject: Unfilled Exploit: Oracle/UNIX

Oracle problem:

UNIX Oracle 7.1 and 7.2 store install-time "system" account passwords
in $ORACLE_HOME/network/config/sql/add*_net.sql in plain text.
Previous versions of Oracle may also be affected.

Knowledge of the "system" password allows you to manipulate the
database at will.

This is supposedly fixed in 7.3. Oracle didn't find it
necessary to inform customers about it. There are probably
still many <7.3 versions in heavy use. They're all vulnerable
if the password hasn't been changed after installation.

Yours,
Markus.
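
An added example, not part of the original message or of this page: a shell audit that looks for the add*_net.sql files under a given Oracle home, flags group- or world-readable copies, and reports the line numbers of credential-like statements without echoing them. The function name audit_oracle_home and the grep patterns (generic CONNECT user/password and IDENTIFIED BY forms) are assumptions, since the report does not show the file contents.

```sh
#!/bin/sh
# Added example, not from the advisory. Audits an Oracle home for the
# install-time scripts the report names, without printing any password.
# Assumption: the credential patterns are generic SQL*Plus/SQL forms
# (CONNECT user/pass, IDENTIFIED BY); the advisory does not show the files.

# audit_oracle_home DIR: one line per finding; returns 1 if any file exists.
audit_oracle_home() {
    dir="$1/network/config/sql"
    rc=0
    for f in "$dir"/add*_net.sql; do
        [ -f "$f" ] || continue            # glob matched nothing
        rc=1
        echo "FILE $f"
        # Group- or world-readable copies widen who can read the password.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "PERM $f readable by group or others"
        fi
        # Report only the line numbers of credential-like statements.
        grep -n -i -E 'identified[[:space:]]+by|conn(ect)?[[:space:]]+[^[:space:]/]+/[^[:space:]@]+' "$f" |
            cut -d: -f1 | while read -r n; do
                echo "CRED $f line $n"
            done
    done
    return "$rc"
}

# Stand-alone use: audit the current ORACLE_HOME if one is set.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_oracle_home "$ORACLE_HOME"
fi
```

A non-zero exit means the files exist; per the report, the exposure holds only while the "system" password is still the one set at installation.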
This page is part of Fyodor's exploit
world.