Oracle DBA – A lifelong learning experience

Hacking into an Oracle database

Posted by John Hallas on September 23, 2008

At a site I was working at they employed a security company to perform penetration testing on a new application (Oracle/Peoplesoft/Unix/Windows/NT). The test was from within the network  and they failed to breach Oracle database security directly. However …

Password guessing against a NT server resulted in the discovery of a domain admin account (db2admin), which resulted in full compromise of this host and also the remaining servers that are members of this domain.

When you build a Windows server you are asked for an initial password (which you are expected to change later on). This password is stored in a build file and as it had not been changed after the installation  it was then used to logon to the domain (any of  the servers as local administrator)This allowed searching of files on the NT server which produced a file containing the oracle account and password to the people account (peoplesoft admin user)

Once onto the database a reasonably privileged account with a weak password was discovered. From there the encrypted values of the users were captured from dba_users and were compared against a known list of passwords and permutations based on the current password i.e. a zero used instead of an ‘o’. This compromised an account with create procedure and from there they were into the OS.


These issues have all been resolved and we are much more secure than we were but it just shows how a lapse in security somewhere on the network can allow what appears to be innocuous access which eventually provides full ingress into what is supposed to be a secure system.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: