Call: +44 (0)1904 557620 Call
Forum

Welcome, Guest. Please Login.
Jun 16th, 2024, 1:38am
News: Welcome to Pete Finnigan's Oracle security forum
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   valid listener passwords
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: valid listener passwords  (Read 4801 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
valid listener passwords
« on: Nov 17th, 2005, 3:13pm »
Quote | Modify

Hi,
 
has anyone tested the complete character set for use on listener passwords. I could not find a valid list of characters to use with a quick search. I assume ascii, digits and _#$ are definites. I just tested a password of "!a" without quotes and it works fine but without exhaustive checks its difficult to validate completely. from this quick check it seems any character from the keyspace is valid. Anyone checked?
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #1 on: Nov 17th, 2005, 9:32pm »
Quote | Modify

Hey Pete,
I've confirmed on my listener - all characters seem ok.
HTH,
David
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #2 on: Nov 17th, 2005, 10:37pm »
Quote | Modify

Thanks for that David, I guessed that the listener accepted the whole character set from my simple test.
 
Don't you think that its time for Oracle to add some password mangement features to the listener, at least the same features that are provided with the database users or at least a failed_login_attempts parameter?  
 
It would not be a bad idea to extend strong authentication to the listener as well?
 
cheers
 
pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #3 on: Nov 18th, 2005, 2:23am »
Quote | Modify

I'm always up for strengthening procedures but as most of the listener "functionality" has been restricted to localhost on 10g is the extra protection worth it? If I had control of Oracle's security dev budget I could think of better places to spend it Wink
Cheers,
David
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #4 on: Nov 18th, 2005, 8:33am »
Quote | Modify

David,
 
Alex Kornbrust found out that the local OS authentication of the listener (10G) can be circumvented. See Oracle bugid 6454409. His advice, for the time needed to fix the bug (and that can take years as we know) I suppose, is to disabled local OS authentication and use a strong password instead.
Reverting to a listener password allows remote users to guess for the password and if found a remote user can use commands like STATUS, SERVICES. Those commands could be used by a worm.
In this light don't you still think it's not worth to spend extra efforts in strengthing the listener password features?
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #5 on: Nov 18th, 2005, 11:40am »
Quote | Modify

I was also aware of the local listener authentication bypass. In fact if you look at the Oracle voyager worm source code recently released it demonstrates how this is possible remotely. I can see your point about budgets but the listener should have some mechanism to lockout after or rather during brute force atempts at least.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #6 on: Nov 18th, 2005, 12:33pm »
Quote | Modify

Ivan,
Metalink is showing nothing for this bug ID - probably been "hidden". Are you saying that a remote user can access listener functionality over the network again? Or are you saying a local user can influence the listener? If the former - then I'd be interested to know more if you have the details. If the latter then don't worry.
Cheers,
David
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #7 on: Nov 18th, 2005, 12:40pm »
Quote | Modify

David,
 
I don't have details about this bug. But Alex will probably read this and react. Otherwise you can contact him directly.  
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #8 on: Nov 19th, 2005, 4:00pm »
Quote | Modify

By now everybody probably knows that you can use the encrypted representation of the password in listener.ora instead of the password itself. So at least the characters Oracle uses to encrypt the listener password are valid...
 
If Oracle is to improve anything in the password handling of the listener, then this should be the first thing to fix. This is the only implementation of a password mechanism I know that allows to use the encrypted representation in place of the original password.
This is quite dangerous, because on many systems listener.ora must be world readable, because the monitoring processes must be able to read the listener configuration.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: valid listener passwords
« Reply #9 on: Dec 15th, 2005, 5:14am »
Quote | Modify

Hey  maol,
 
I'm not sure I understand your concerns.
 
To password protect the tns listener, the listener must store either the password or it's hashed value somewhere.
 
That somewhere will most likely have to be a disk file on the host where the listener runs.
 
If this file is not protected, i.e. owned by oracle and accessible only to oracle (chmod 600), you have already lost the keys to the kingdom.
 
The argument about monitoring system requiring access to the file is not valid in my opinion; this is like arguing that because the security service will be making a nightly round at your workplace (to check for lights left on and other things) you must leave the door key under the door mat.  
NO - that not what you do, - you give the security service their own key!
 
Just imagine trying to convince your unix admin to make /etc/shadow world readable because you need to 'monitor' something...
 
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues