Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 55 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan's Oracle security weblog


Home » Archives » September 2009 » Default Users

[Previous entry: "Backups are valuable"] [Next entry: "SQL Injection - accessing additional tables via the where clause"]

Default Users

September 28th, 2009 by Pete


I saw an article on default accounts on the database journal website titled "Oracle 11g Security - Those Pesky Predefined Accounts" and as its a subject (default users and default passwords) I have personally written about many times in the past both in articles (the first ones were 8 years ago when i worked at Pentest), blogs, default password lists and more recently even a password cracker written in PL/SQL.

Oracle has entered the fray also since 11g with a dictionary table and view that includes a list of default accounts/passwords.

James article is good but there are some questions and inconsistencies. James suggests:
expiration on an account after initial database creation , means that there is no password assigned on the account so connection is impossible


He suggests that default accounts that are created as part of the install do not have passwords assigned (the logical conclusion to this statement is that they would have "blank" passwords. This is absolutely not true, Oracle never creates accounts with blank passwords, no matter what the status of the account is; although to be honest I suspect he made a bad choice of words and maybe didnt actually mean this, but...?

A default installation of Oracle sets various accounts passwords and status's; the account james chose hasd an impossible password set:



SQL> col name for a10
SQL> col astatus for 99
SQL> col password for a16
SQL> col spare4 for a30
SQL> l
1 select name,astatus,password,spare4
2 from sys.user$
3* where astatus=9
SQL> /

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
OUTLN 9 4A3BA55E08595C81 Sbig grin12EC0F0242EBFB81FCCD97CF192
68528DA474910F773814CB7D4FFFC5
BD

DIP 9 CE4A36B8E06CA59C Sbig grinC95000980EF1669CAB6332D21FC
D9AD14B7CB2422FC970B9A50DBB5F0
B4

TSMSYS 9 3DF26A8B17D0F29F S:BF0B9459FC2D835A337E69D052E1
CD2BEC8533D36C0B9B6CD2F47EC2A5
95

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------

ORACLE_OCM 9 6D17CF1EB1611F94 S:5EB749D124D2B652658BF3CC867A
760165FF653E42067AD749A4BD3B5E
C0

XDB 9 88D8364765FCE6AF S:BCECCB19D5DC426F38A01971BFC1
BE73E45506E939C18B1DBC083B67EF
15

WMSYS 9 7C9BA362F8314299 S:5EECF47B56B2CFC563941433F9B7
4CAE9F220D7872A3C66CE26A9A9487

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
C1

EXFSYS 9 66F4EF5650C20355 S:4CE5DE7874C9F28E9B7B8429600E
681E376F86129B9784B157682F7656
CA

CTXSYS 9 71E687F036AD56E5 S:5BBACFFD7987BA61F767FCE44C5B
AF45BE4CAF2C6CD01DA447AED98815
1C

XS$NULL 9 DC4FCC8CB69A6733 S:19FC9249A4EC856AE1D6034F3877

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
93B8C9642F1A5C60C194093C8E7DD9
09

ANONYMOUS 9 anonymous
ORDSYS 9 7EFA02EC7EA6B86F S:FD3758C6CCA191255E18DE064334
D242CE29D94C72351D03E97829DC91
6F

ORDPLUGINS 9 88A2B2C183431F00 S:4A436BD7BB1F49C6F2C860E1E917
A1BA223EB24002A860C97B0B7AF94F
01

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------

SI_INFORMT 9 84B8CBCA4D477FA3 Sbig grin3804242E9F82C40B8C471A5E7CE
N_SCHEMA 9B3A3612EA2707EEA03A19C44BA9E9
46

MDSYS 9 72979A94BAD2AF80 S:4D9ED94AD60E64B7D44677E20EEC
F41E5D8B71EB0FF8ADF1FEE2F2D62F
87

OLAPSYS 9 4AC23CC3B15E2208 S:8B84EDE1B66D9FF6F400633F199C
A7BF5B4532DA2B2F1E4B535D8F312A

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
51

MDDATA 9 DF02A496267DEE66 S:324D1A84F48D3BEA3F5F3DC7D8EF
06C39A352B97AB0844105379A56276
71

HR 9 6399F3B38EDF3288 S:25E7EA60CF1ADF0AFC4A38061439
F0B9599477606230DE709962ADD5FB
0F

SPATIAL_WF 9 7117215D6BEE6E82 S:6119D4B8BCAFC9C99DB72E0D2DFA

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
S_ADMIN_US CF522D40F5AA33597307C54F870B7F
R 81

SPATIAL_CS 9 1B290858DD14107E S:E2961CD3E5459036BD8CE4A5676B
W_ADMIN_US B09E935214FC8D76F72754EFA76455
R 73

WKSYS 9 69ED49EE1851900D S:8BC14DCA57EBF01001CA1906A1B1
A9049FF12B2E47431CEA13B7438C3C
F0


NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
WKPROXY 9 B97545C4DD2ABE54 S:1C6314C3E19A10B0ABF0CB8D8285
3444A101513782B9E07C3ED37BC12C
10

WK_TEST 9 29802572EB547DBF S:E24DCDB42CA9753525D9A3118203
E277FB26E0FF0651EE1BF03B56E1AD
8A

FLOWS_FILE 9 0B054C835B0A826B S:B9602AAF42718436DFA5EEBBB715
S 8437A3B05B7F6BF13DD01403D2290E
7F

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------

APEX_PUBLI 9 978468D2F78777DF S:B3A96760BAF7AF7AE4E8A5C73CA5
C_USER 7808C049E22C9275144DF36471ED7B
0F

FLOWS_0300 9 1B85764DE15A3916 S:1E688E6F8D574B1BE80DE2A801D0
00 93FE6657E2931B8DF646BD39CB19D2
D8

OWBSYS 9 610A3C38F301776F S:F6B79D2E4FB3E3DE36AAB8C277DF
CC858C74FFAC59CD997F1F03A79538

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
37

SCOTT 9 F894844C34402B67 S:2228935D3E627C9EADE19D8297C8
3714A54E6E60B00C581691674BF43F
4A

OE 9 9C30855E7E0CB02D S:27FDBAF13F3B1BA9BF35AEC0D7B2
CE8E12659E9373E73B95C062C40E12
CD

IX 9 2BE6F80744E08FEB S:AC2705774CCF66F5D6193667E172

NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
F8C7D3643E8192E7C1BC6F1ECD5BE8
99

SH 9 9793B3777CD3BD1A S:837CE859F5B956516327F5932272
BC61300F6758574DE12869B3620966
AA

PM 9 72E382A52E89575A S:FE9774804908800DCB81F7160760
91C327302E77A00AA549569DC90BDE
03


NAME ASTATUS PASSWORD SPARE4
---------- ------- ---------------- ------------------------------
BI 9 FA1D2B85B70213F3 S:52412524ED76F07270CD66E88251
721711F6F0751CA57958CF71E24663
CC


32 rows selected.

SQL>




This shows that "ANONYMOUS" has a password of ANONYMOUS, i.e. an imposisble password not a blank password. This is actually more secure than James suggests as no guess of a password will ever succeed. You will also note that all accounts by default have a 10g password hash also set. This as I have discussed here before weakens the passwords as its simply necessary to crack the 10g password first and then move up to the case sensitive version for 11g.

If we run the password cracker we will see the expired&locked accounts all have passwords set:



SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Sep 28 15:34:20 2009
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U "SYS" [ORACLE1 ] DI CR OP
U "SYSTEM" [ORACLE1 ] DI CR OP
U "OUTLN" [OUTLN ] DE CR EL
U "DIP" [DIP ] DE CR EL
U "TSMSYS" [TSMSYS ] PU CR EL
U "ORACLE_OCM" [ORACLE_OCM ] PU CR EL
U "XDB" [CHANGE_ON_INSTALL ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U "DBSNMP" [ORACLE1 ] DI CR OP
U "WMSYS" [WMSYS ] DE CR EL
U "EXFSYS" [EXFSYS ] DE CR EL
U "CTXSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "XS$NULL" [ ] -- -- EL
U "ANONYMOUS" [IMP {anonymous} ] IM CR EL
R "SPATIAL_WFS_ADMIN" [SPATIAL_WFS_ADMIN ] PU CR OP
U "ORDSYS" [ORDSYS ] DE CR EL
U "ORDPLUGINS" [ORDPLUGINS ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA ] DE CR EL
U "MDSYS" [MDSYS ] DE CR EL
U "OLAPSYS" [ ] -- -- EL
U "MDDATA" [MDDATA ] DE CR EL
U "HR" [CHANGE_ON_INSTALL ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE" [WFS_USR_ROLE ] PU CR OP
R "SPATIAL_CSW_ADMIN" [SPATIAL_CSW_ADMIN ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE" [CSW_USR_ROLE ] PU CR OP
U "WKSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "WKPROXY" [CHANGE_ON_INSTALL ] DE CR EL
U "WK_TEST" [WK_TEST ] DE CR EL
U "SYSMAN" [ORACLE1 ] DI CR OP
U "MGMT_VIEW" [ ] -- -- OP
U "FLOWS_FILES" [ ] -- -- EL
U "APEX_PUBLIC_USER" [ ] -- -- EL
U "FLOWS_030000" [ ] -- -- EL
U "OWBSYS" [OWBSYS ] PU CR EL
R "OWB$CLIENT" [S ] BF CR OP
R "OWB_DESIGNCENTER_VI [S ] BF CR OP
U "SCOTT" [TIGER ] DE CR EL
U "OE" [CHANGE_ON_INSTALL ] DE CR EL
U "IX" [CHANGE_ON_INSTALL ] DE CR EL
U "SH" [CHANGE_ON_INSTALL ] DE CR EL
U "PM" [CHANGE_ON_INSTALL ] DE CR EL
U "BI" [CHANGE_ON_INSTALL ] DE CR EL


INFO: Number of crack attempts = [46373]
INFO: Elapsed time = [2.85 Seconds]
INFO: Cracks per second = [16270]

PL/SQL procedure successfully completed.

SQL>




This shows that the accounts have known default passwords. Also interestingly James says that an account that is created EXPIRED&LOCKED is different to one that is unlocked and then expired and locked. But he then doesnt show why?; there is no difference as its not possible to create an account without specifying a password unless the record is inserted into SYS.USER$ directly but a hash is still required so its the same as an account where the password is changed; again this could be a bad choice of words as he talks about changing passwords before locking and expiring to prevent someone resetting.

The article also states its best practice to lock accounts and not remove them; I disagree; if it can be shown that an account is not required, especially an account that is a built-in one; James implies from this that its better to lock HR rather than remove it?; then the accounts are better removed. Locking or stopping access to an account does not prevent use of its features, PL/SQL packages for instance. If this was the case there would be work-arounds for CPU fixed bugs in PL/SQL. A connection to an account is not always needed to attack its features.

September 2009
SMTWTFS
  12345
6789101112
13141516171819
20212223242526
27282930   

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Weblog Home
Weblog Archives


Home
Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Web Development
SQL Server Security

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.0


Valid XHTML 1.0!