NGSSoftware Insight Security Research Advisory Name: Oracle 10g clear text passwords Systems Affected: Oracle 10g on all operating systems Severity: Medium Risk Vendor URL: http://www.oracle.com/ Author: David Litchfield [ davidl at ngssoftware.com ] Relates to: http://www.nextgenss.com/advisories/oracle-01.txt Date of Public Advisory: 23rd December 2004 Advisory number: #NISR2122004D Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004D.txt Description *********** The 10g Oracle database server may have passwords in clear text in world readable files. Details ******* The password for the SYSMAN account (a DBA) can be found in $ORACLE_HOME/hostname_sid/sysman/config/emoms.properties. This file is world readable. Also, on installing Oracle 10g if the installer supplies the same password for the SYS, SYSTEM, DBSNMP and SYSMAN accounts and that password has an exclamation mark in it (e.g. f00bar!!) then an error occurs in the DB install when the passwords are set for SYSMAN and DBSNMP. This error is logged to the "postDBCreation.log" logging the password. alter user SYSMAN identified by f00bar!! account unlock ERROR at line 1: ORA-00922: missing or invalid option alter user DBSNMP identified by f00bar!! account unlock ERROR at line 1: ORA-00922: missing or invalid option This file is world readable giving attackers access to what the passwords are for these powerful accounts. Please note that no error is generated for SYS or SYSTEM and these accounts are assigned the password f00bar!!. The other accounts are given their default passwords. Fix Information *************** A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be used to assess whether your Oracle servers are vulnerable to this. About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@ngssoftware.com