Pete Finnigan's Oracle Security Forum > Oracle Security
Topic: valid listener passwords

Pete Finnigan
valid listener passwords
« on: Nov 17th, 2005, 3:13pm »

Hi,

Has anyone tested the complete character set for use in listener passwords? I could not find a valid list of characters to use with a quick search. I assume ASCII, digits and _#$ are definites. I just tested a password of "!a" (without quotes) and it works fine, but without exhaustive checks it's difficult to validate completely. From this quick check it seems any character from the keyspace is valid. Anyone checked?

cheers

Pete

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html

dlitchfield
Re: valid listener passwords
« Reply #1 on: Nov 17th, 2005, 9:32pm »

Hey Pete,
I've confirmed on my listener - all characters seem ok.
HTH,
David

Pete Finnigan
Re: valid listener passwords
« Reply #2 on: Nov 17th, 2005, 10:37pm »

Thanks for that David. I guessed that the listener accepted the whole character set from my simple test.

Don't you think that it's time for Oracle to add some password management features to the listener, at least the same features that are provided for database users, or at least a failed_login_attempts parameter?

It would not be a bad idea to extend strong authentication to the listener as well.

cheers

pete

dlitchfield
Re: valid listener passwords
« Reply #3 on: Nov 18th, 2005, 2:23am »

I'm always up for strengthening procedures, but as most of the listener "functionality" has been restricted to localhost in 10g, is the extra protection worth it? If I had control of Oracle's security dev budget I could think of better places to spend it ;)
Cheers,
David

isaez
Re: valid listener passwords
« Reply #4 on: Nov 18th, 2005, 8:33am »

David,

Alex Kornbrust found out that the local OS authentication of the listener (10g) can be circumvented. See Oracle bug ID 6454409. His advice, for the time needed to fix the bug (and that can take years, as we know), is, I suppose, to disable local OS authentication and use a strong password instead.
Reverting to a listener password allows remote users to guess the password, and if it is found a remote user can use commands like STATUS and SERVICES. Those commands could be used by a worm.
In this light, don't you still think it's not worth spending extra effort on strengthening the listener password features?

Ivan

Pete Finnigan
Re: valid listener passwords
« Reply #5 on: Nov 18th, 2005, 11:40am »

I was also aware of the local listener authentication bypass. In fact, if you look at the Oracle Voyager worm source code recently released, it demonstrates how this is possible remotely. I can see your point about budgets, but the listener should have some mechanism to lock out after, or rather during, brute-force attempts at least.

cheers

Pete
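The lockout Pete is asking for does not exist in the listener, so the practical substitute is to watch listener.log for repeated password rejections from one client. The following is an added example, not code from the original thread or from Oracle: it assumes the record shape shown in the constructed sample (timestamp, CONNECT_DATA, command, TNS result code, with result 1169 standing for TNS-01169, the rejected-password error) and raises one alert per client host that reaches five rejections inside any 60-second span. The log lines are constructed for the example, not captured from a real host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of a listener.log control-command record (constructed for this example):
#   "<timestamp> * (CONNECT_DATA=...) * <command> * <result>"
# A non-zero result is a TNS error number; 1169 is TNS-01169, the password rejection.
LOG_LINE = re.compile(
    r'^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* \(CONNECT_DATA=(.*?)\) \* (\w+) \* (\d+)$'
)
HOST_FIELD = re.compile(r'\(HOST=([^)]*)\)')
PASSWORD_REJECTED = '1169'


def parse_failures(lines):
    """Yield (timestamp, client host, command) for every rejected-password record."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group(4) != PASSWORD_REJECTED:
            continue
        ts = datetime.strptime(m.group(1), '%d-%b-%Y %H:%M:%S')
        host = HOST_FIELD.search(m.group(2))
        yield ts, host.group(1) if host else '?', m.group(3)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per client host that accumulates `threshold` rejected passwords
    inside a sliding `window`: (host, first failure, failure that tripped it, count)."""
    recent = defaultdict(deque)   # host -> timestamps of failures still inside the window
    alerted = set()               # report each host once, when it first crosses the line
    alerts = []
    for ts, host, _command in parse_failures(lines):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # age out failures that fell outside the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, q[0], ts, len(q)))
    return alerts


# Constructed sample: one good status call, six rejections from 10.0.0.5 in seven
# seconds (a guessing loop), and one isolated mistype by the DBA on dbhost.
CONSTRUCTED_LISTENER_LOG = """\
18-NOV-2005 11:40:01 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost)(USER=oracle))(COMMAND=status)(SERVICE=LISTENER)) * status * 0
18-NOV-2005 11:40:05 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.5)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER)) * status * 1169
TNS-01169: The listener has not recognized the password
18-NOV-2005 11:40:06 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.5)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER)) * status * 1169
TNS-01169: The listener has not recognized the password
18-NOV-2005 11:40:08 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.5)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER)) * status * 1169
TNS-01169: The listener has not recognized the password
18-NOV-2005 11:40:09 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.5)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER)) * status * 1169
TNS-01169: The listener has not recognized the password
18-NOV-2005 11:40:11 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.5)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER)) * status * 1169
TNS-01169: The listener has not recognized the password
18-NOV-2005 11:40:12 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.5)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER)) * status * 1169
TNS-01169: The listener has not recognized the password
18-NOV-2005 11:40:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost)(USER=oracle))(COMMAND=services)(SERVICE=LISTENER)) * services * 1169
TNS-01169: The listener has not recognized the password
"""


if __name__ == '__main__':
    for host, first, tripped, count in detect_bruteforce(CONSTRUCTED_LISTENER_LOG.splitlines()):
        print(f'{host}: {count} rejected passwords between {first:%H:%M:%S} and {tripped:%H:%M:%S}')
```

The threshold and window are the tuning knobs; the single mistype from dbhost stays below the line, the loop from 10.0.0.5 is reported once when its fifth rejection lands. Run it against a real listener.log only after confirming the record layout of your listener version matches the assumed shape.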

dlitchfield
Re: valid listener passwords
« Reply #6 on: Nov 18th, 2005, 12:33pm »

Ivan,
Metalink is showing nothing for this bug ID; it has probably been "hidden". Are you saying that a remote user can access listener functionality over the network again, or are you saying a local user can influence the listener? If the former, then I'd be interested to know more if you have the details. If the latter, then don't worry.
Cheers,
David

isaez
Re: valid listener passwords
« Reply #7 on: Nov 18th, 2005, 12:40pm »

David,

I don't have details about this bug, but Alex will probably read this and react. Otherwise you can contact him directly.

Ivan

Markus Perdrizat
Re: valid listener passwords
« Reply #8 on: Nov 19th, 2005, 4:00pm »

By now everybody probably knows that you can use the encrypted representation of the password in listener.ora instead of the password itself. So at least the characters Oracle uses to encrypt the listener password are valid...

If Oracle is to improve anything in the password handling of the listener, then this should be the first thing to fix. This is the only implementation of a password mechanism I know of that allows the encrypted representation to be used in place of the original password.
This is quite dangerous, because on many systems listener.ora must be world-readable, because the monitoring processes must be able to read the listener configuration.

egravers
Re: valid listener passwords
« Reply #9 on: Dec 15th, 2005, 5:14am »

Hey maol,

I'm not sure I understand your concerns.

To password-protect the TNS listener, the listener must store either the password or its hashed value somewhere.

That somewhere will most likely have to be a disk file on the host where the listener runs.

If this file is not protected, i.e. owned by oracle and accessible only to oracle (chmod 600), you have already lost the keys to the kingdom.

The argument about the monitoring system requiring access to the file is not valid in my opinion; this is like arguing that because the security service will be making a nightly round at your workplace (to check for lights left on and other things) you must leave the door key under the doormat.
NO, that's not what you do; you give the security service their own key!

Just imagine trying to convince your Unix admin to make /etc/shadow world-readable because you need to 'monitor' something...

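Markus's point (the stored form of the password in listener.ora is itself a usable credential) and egravers's point (so the file needs owner-only permissions) together make a simple audit check. The following is an added example, not code from the thread or from Oracle: it parses PASSWORDS_<name> entries from a listener.ora, treats a 16-character upper-case hex value as the stored form (an assumption about what lsnrctl save_config writes, made only for classification; both forms are treated as a secret), and reports the file's permission bits and owner alongside. The sample listener.ora, its hostnames and its password values are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Assumptions for this example: listener passwords appear in listener.ora as
# "PASSWORDS_<listener> = value" or "= (value1, value2)", and the form written by
# "lsnrctl change_password" followed by "save_config" is 16 upper-case hex digits.
# A 16-character plaintext made only of hex digits would be misclassified; the
# audit result is the same either way because both forms authenticate.
PASSWORD_ENTRY = re.compile(r'^\s*PASSWORDS_(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)
STORED_FORM = re.compile(r'^[0-9A-F]{16}$')


def parse_password_entries(text):
    """Return (listener name, 'stored' | 'plaintext', value) for each password in the file."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith('#'):   # commented-out entries are not live
            continue
        m = PASSWORD_ENTRY.match(line)
        if not m:
            continue
        name, raw = m.group(1).upper(), m.group(2).strip('()')
        for value in (v.strip().strip('"') for v in raw.split(',')):
            if value:
                form = 'stored' if STORED_FORM.match(value) else 'plaintext'
                entries.append((name, form, value))
    return entries


def audit_listener_ora(path, expected_owner_uid=None):
    """Findings for one listener.ora: who can read or change it, and what secret it holds.
    Either form of the password lets a reader run every password-protected listener
    command, so the permission findings matter regardless of the form found."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = set()
    if mode & stat.S_IROTH:
        findings.add('world-readable')
    if mode & stat.S_IRGRP:
        findings.add('group-readable')
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.add('group-or-world-writable')
    if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
        findings.add('unexpected-owner')
    with open(path) as fh:
        entries = parse_password_entries(fh.read())
    for name, form, _value in entries:
        findings.add(f'password-{form}:{name}')
    if not entries:
        findings.add('no-password-set')   # may be deliberate on 10g with local OS authentication
    return sorted(findings)


# Constructed sample file, not copied from any real host.
CONSTRUCTED_LISTENER_ORA = """\
# sample listener.ora
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521)))
  )
PASSWORDS_LISTENER = F4BAA4A6F33D9B6D
PASSWORDS_LISTENER2 = (secret01, "ab12cd34")
"""


def demo():
    """Write the sample to a temp file and audit it first at 0644, then at 0600."""
    fd, path = tempfile.mkstemp(suffix='.ora')
    with os.fdopen(fd, 'w') as fh:
        fh.write(CONSTRUCTED_LISTENER_ORA)
    try:
        os.chmod(path, 0o644)
        loose = audit_listener_ora(path, os.getuid())
        os.chmod(path, 0o600)
        tight = audit_listener_ora(path, os.getuid())
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == '__main__':
    for label, findings in zip(('0644', '0600'), demo()):
        print(label, findings)
```

On a real host, point audit_listener_ora at $ORACLE_HOME/network/admin/listener.ora and pass the uid of the oracle software owner; the 0600 run in demo() is the state egravers describes, and any 'readable' finding on a file that also carries a password entry is the exposure Markus describes, whether the value is stored or plaintext.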