Back

Passwords transmitted in clear text on SQL*Net for CREATE USER and GRANT ... IDENTIFIED BY statements

This short article comes from a post on the ORACLE-L list by Ravi Kulkarni who pointed out that CREATE USER commands also pass the password to the database server in clear text as well. I did a couple of test cases to check this as follows:

I first set the following values in my server $ORACLE_HOME/network/admin/sqlnet.ora file:

	TRACE_FILE_SERVER=clear_text.trc
	TRACE_DIRECTORY_SERVER=c:\temp
	TRACE_LEVEL_SERVER=SUPPORT

And i connected to SQL*Plus and ran the two following commands to create two users:

	SQL*Plus: Release 9.2.0.1.0 - Production on Mon Mar 15 19:59:27 2004
	
	Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
	
	
	Connected to:
	Personal Oracle9i Release 9.2.0.1.0 - Production
	With the Partitioning, OLAP and Oracle Data Mining options
	JServer Release 9.2.0.1.0 - Production
	
	SQL> create user pete5 identified by pete5;
	
	User created.
	
	SQL> grant create session to pete6 identified by pete6;
	
	Grant succeeded.
	
	SQL>

These two cases produced the following entries in the SQL*Net trace file:

	[15-MAR-2004 19:59:47:263] nsprecv: 00 00 00 00 00 25 63 72  |.....%cr|
	[15-MAR-2004 19:59:47:263] nsprecv: 65 61 74 65 20 75 73 65  |eate.use|
	[15-MAR-2004 19:59:47:263] nsprecv: 72 20 70 65 74 65 35 20  |r.pete5.|
	[15-MAR-2004 19:59:47:263] nsprecv: 69 64 65 6E 74 69 66 69  |identifi|
	[15-MAR-2004 19:59:47:263] nsprecv: 65 64 20 62 79 20 70 65  |ed.by.pe|
	[15-MAR-2004 19:59:47:263] nsprecv: 74 65 35 01 00 00 00 01  |te5.....|

and

	[15-MAR-2004 20:00:46:648] nsprecv: 00 00 00 00 31 67 72 61  |....1gra|
	[15-MAR-2004 20:00:46:648] nsprecv: 6E 74 20 63 72 65 61 74  |nt.creat|
	[15-MAR-2004 20:00:46:648] nsprecv: 65 20 73 65 73 73 69 6F  |e.sessio|
	[15-MAR-2004 20:00:46:648] nsprecv: 6E 20 74 6F 20 70 65 74  |n.to.pet|
	[15-MAR-2004 20:00:46:648] nsprecv: 65 36 20 69 64 65 6E 74  |e6.ident|
	[15-MAR-2004 20:00:46:648] nsprecv: 69 66 69 65 64 20 62 79  |ified.by|
	[15-MAR-2004 20:00:46:648] nsprecv: 20 70 65 74 65 36 01 00  |.pete6..|

These two cases show that the passwords for this syntax are indeed passed in clear text to the server.

What can we do to prevent a hacker or malicious employee taking advantage of this? A few options spring to mind

use encrypted network connections such as Oracle's Advanced Security Option or free solutions such as tunneling with ssh.
Set the password to "password" or something similar but importantly set the account to be locked and expired as well. Then the password can be changed using the PASSWORD function in SQL*plus that doesn't transmit the password in clear text.

Please see also Passwords in clear text for ALTER USER in SQL*Net and Issues with bypassing password protected roles for info on similar issues.

Back


There are 29 visitors online
Services \| Portal \| White Papers \| Scripts \| Tools \| Newsletter \| Information \| Alerts \| Search \| Weblog / Forum \| What's New About Us Consulting Services Training Courses Oracle Security Research Database Policy Partners Products Careers Pete Finnigan Contact Details Events Oracle Security Database Security Database Software Security Web Development Programming Off Topic Oracle Security Oracle Security (Page 2) Others Ramblings Oracle Security Tips SQL and PL/SQL Unix Tools Audit Tools Default Password Checker Default Password List Oracle Security Scanner Subscribe Un-Subscribe Recent Newsletters Web Links Books Oracle Newsgroups Oracle Blogs Oracle news Feedback / Enquiries Guestbook Site Map Site Statistics WebLog Forum Security Issues Database What's New Register for Updates PeteFinnigan.com in the news