If you run a web-based PL/SQL application, the following information may interest you.
Many DBAs involved in database security have probably asked themselves: "How can I be sure that my DAD files hide the application schema passwords well?"
Well, Oracle does not have a very good solution for this problem.
Let's take a look at a DAD file used by Oracle Application Server 9i or the local Apache server.
For every DAD alias you can see two relevant lines (for the local HTTP server):
[DAD_my_appl_alias_name]
...
connect_string = my_appl_schema_name
password = !ZG9udF90aGlua190aGF0X3lvdV9hcmVfc2VjdXJlZA==
...
For Oracle9i AS you will see two similar lines:
[DAD_my_appl_alias_name]
...
PlsqlDatabaseUsername my_appl_schema_name
PlsqlDatabasePassword !ZG9udF90aGlua190aGF0X3lvdV9hcmVfc2VjdXJlZA==
...
If an intruder is able to see these two lines, he or she will easily be able to find the real password.
When someone sees an encoded string like this, the first thing that comes to mind is to check for the leading "!" symbol. This symbol usually means that the password is merely Base 64 encoded.
Before Oracle Application Server 10g, all DAD passwords are only Base 64 encoded.
How to see the passwords in clear text:
1. Open your DAD configuration file:
- for the local HTTP Server it is located at ORACLE_HOME/Apache/modplsql/wdbsvr.app
- for Oracle9i AS it can be found at ORACLE_HOME/Apache/modplsql/dads.conf
2. Go to the desired DAD alias name and copy the encoded password string without the leading "!" symbol.
3. Decode it with some simple Base 64 decoder.
3.1. Use Java (in this case do not remove the leading "!" symbol; the servlet strips it itself):
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.PrintWriter;
import java.io.IOException;
import java.util.Base64;

public class get_password extends HttpServlet
{
    private static final String CONTENT_TYPE = "text/html; charset=UTF-8";

    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType(CONTENT_TYPE);
        PrintWriter out = response.getWriter();
        String encoded = request.getParameter("password");
        if (encoded == null || !encoded.startsWith("!"))
        {
            out.println("Expected a Base 64 string with a leading \"!\" in the \"password\" parameter");
            return;
        }
        try
        {
            // Strip the leading "!" marker and decode. java.util.Base64 replaces the
            // non-portable sun.misc.BASE64Decoder; the result is kept in a local
            // variable rather than a servlet field, which would be shared between requests.
            String psw = new String(Base64.getDecoder().decode(encoded.substring(1)), "UTF-8");
            out.println("The password is: " + psw);
        }
        catch (IllegalArgumentException exc1)
        {
            out.println("The parameter is not valid Base 64");
        }
    }
}
3.2. Use an online Base 64 decoder.
Either way, you will easily be able to see the "hidden" password in clear text.
All tests were performed on an Oracle 9.2.0.5 database with the local HTTP server and Oracle Application Server 9i (9.0.3).
Starting from Oracle Application Server 10g (9.0.4), Oracle obfuscates passwords with a different algorithm and the password string starts with "@". I don't know a way these passwords can be decrypted.
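As an added defender-side check, not part of the original post: a small Python script that reads a DAD file in the layouts shown above and classifies each stored password as plaintext, "!"-prefixed Base 64 (pre-10g, recoverable by anyone who can open the file) or "@"-prefixed 10g obfuscation. The sample configuration, the DAD names DAD_legacy and DAD_on_10g, and the "@" value are constructed for this example.

```python
import base64
import re

# Constructed sample in the layout the post shows: a wdbsvr.app-style "key = value"
# DAD and 9i/10g AS dads.conf-style "Key value" DADs. The "!" value is the post's
# own Base64 sample; the "@" value is a made-up placeholder for a 10g-obfuscated one.
SAMPLE_CONFIG = """\
[DAD_my_appl_alias_name]
connect_string = my_appl_schema_name
password = !ZG9udF90aGlua190aGF0X3lvdV9hcmVfc2VjdXJlZA==
[DAD_legacy]
connect_string = legacy_user
password = plain_text_here
[DAD_on_10g]
PlsqlDatabaseUsername my_appl_schema_name
PlsqlDatabasePassword @PLACEHOLDER_10g_obfuscated_value
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*(connect_string|password|PlsqlDatabase\w+)\s*=?\s*(\S+)", re.I)

def classify(value):
    """How the stored DAD password is protected, per the post's findings."""
    if value.startswith("@"):
        return "obfuscated"  # 10g (9.0.4+) scheme; not trivially reversible
    if value.startswith("!"):
        try:
            base64.b64decode(value[1:], validate=True)
            return "base64"  # pre-10g: encoding only, as good as plaintext
        except ValueError:  # binascii.Error is a ValueError
            return "unknown"
    return "plaintext"

def audit(config_text):
    """Return (dad, username, scheme) for every password line in a DAD file."""
    findings, dad, user = [], None, None
    for line in config_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            dad, user = sec.group(1), None
            continue
        kv = KEYVAL_RE.match(line)
        if kv and dad:
            key, value = kv.group(1).lower(), kv.group(2)
            if key in ("connect_string", "plsqldatabaseusername"):
                user = value
            elif key in ("password", "plsqldatabasepassword"):
                findings.append((dad, user, classify(value)))
    return findings
```

Every DAD reported as "base64" or "plaintext" should be treated as if its password were written in clear text in the file.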
What are the conclusions from these findings?
1. Don't forget to secure both your Application Server and your Oracle Database machines at the OS level. Be aware that everyone who has access to the DAD configuration files can probably get access to your application data as well. The intruder doesn't need serious technical skills to steal your DAD passwords.
2. Always design your application to use database schemas with different levels of security. For example (let's call them "outer" and "inner" schemas), put in the DAD files only the password for an "outer" database schema and restrict its grants, then let your application interface connect directly only to that schema. The "outer" schema must have only a small set of object grants, used to execute procedures from the "inner" schemas. The "outer" schema must not have any rights to create tables, synonyms or any other database objects. This will help you decrease the damage from potential intrusion attacks. Put all dangerous procedures and critical application data in a safe place, the "inner" schemas.
3. Always wrap your PL/SQL procedures and packages. Although the wrap encryption can in principle be reverse-engineered, up to this moment no one has reported succeeding at it. Wrapped PL/SQL code will decrease potential damage as well.
4. This information is another good reason to move faster to an Oracle 10g environment.
Labels: Security
0 Responses to “How to see the MOD_PLSQL passwords in clear text”