My experience, findings and thoughts in my daily work with Oracle products



How to see the MOD_PLSQL passwords in clear text







If you run a web-based PL/SQL application, the following information may interest you.
Many DBAs involved in database security have probably asked themselves: "How can I be sure that my DAD files hide the application schema passwords well?"
Well, Oracle does not have a very good solution for this problem.
Let's take a look at a DAD file used by Oracle Application Server 9i or by the local Apache server.
For every DAD alias you will see two lines (for the local HTTP server):
[DAD_my_appl_alias_name]
...
connect_string = my_appl_schema_name
password = !ZG9udF90aGlua190aGF0X3lvdV9hcmVfc2VjdXJlZA==
...

For Oracle9i AS you will see two similar lines:
[DAD_my_appl_alias_name]
...
PlsqlDatabaseUsername my_appl_schema_name
PlsqlDatabasePassword !ZG9udF90aGlua190aGF0X3lvdV9hcmVfc2VjdXJlZA==
...

If an intruder is able to see these two lines, he/she can easily recover the real password.
When someone sees an encoded string, the first thing that comes to mind is to check for a leading "!" symbol. This symbol usually means that the password is encoded with simple Base64 encoding.
Before Oracle Application Server 10g, all DAD passwords are only Base64 encoded.
How to see the passwords in clear text:
1. Open your DAD configuration file
- for the local HTTP Server it is located in ORACLE_HOME/Apache/modplsql/wdbsvr.app
- for Oracle9i AS it can be found in ORACLE_HOME/Apache/modplsql/dads.conf
2. Go to the desired DAD alias name and copy the encoded password string without the leading "!" symbol
3. Decode it with any simple Base64 decoder
3.1. Use Java (in this case do not remove the leading "!" symbol):

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.PrintWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class get_password extends HttpServlet
{
    private static final String CONTENT_TYPE = "text/html; charset=UTF-8";

    // java.util.Base64 (Java 8+) replaces the internal sun.misc.BASE64Decoder,
    // which is not available on current JDKs
    private final Base64.Decoder decoder = Base64.getDecoder();

    public void init(ServletConfig config) throws ServletException
    {
        super.init(config);
    }

    public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
    {
        response.setContentType(CONTENT_TYPE);
        PrintWriter out = response.getWriter();

        // the DAD value is passed with its leading "!" marker; strip it before decoding
        String encoded = request.getParameter("password");
        if (encoded == null || !encoded.startsWith("!"))
        {
            out.println("Expected a DAD password value starting with \"!\"");
            return;
        }

        try
        {
            String psw = new String(decoder.decode(encoded.substring(1)), StandardCharsets.UTF_8);
            out.println("The password is: " + psw);
        }
        catch (IllegalArgumentException exc1)
        {
            // decode() throws when the value is not valid Base64
            out.println("The value is not valid Base64");
        }
    }
}

3.2. Use an online Base64 decoder.

You will easily be able to see the "hidden" password in clear text.

All tests were performed on a 9.2.0.5 Oracle database with the local HTTP server and with Oracle Application Server 9i (9.0.3).
Starting from Oracle Application Server 10g (9.0.4), Oracle obfuscates passwords with a different algorithm and the password string begins with "@". I don't know of a way these passwords can be decrypted.
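As an added example (not code from the original post), here is a small Python audit that parses either DAD file format shown above and flags every alias whose stored password is still the reversible "!"-prefixed Base64 form or plain text, telling it apart from the "@"-prefixed 10g form; the sample config is constructed and its "@" value is a placeholder, not a real 10g string.

```python
import base64
import binascii
import re
# Constructed sample mixing both DAD formats from the post (wdbsvr.app "key = value"
# and dads.conf "Key value"); the "@" value is a placeholder, not a real 10g string.
SAMPLE_DAD_CONFIG = """
[DAD_my_appl_alias_name]
connect_string = my_appl_schema_name
password = !ZG9udF90aGlua190aGF0X3lvdV9hcmVfc2VjdXJlZA==
[DAD_reports]
PlsqlDatabaseUsername reports_schema
PlsqlDatabasePassword @OBFUSCATED_PLACEHOLDER
[DAD_legacy]
PlsqlDatabaseUsername legacy_schema
PlsqlDatabasePassword notEncodedAtAll
"""

SECTION_RE = re.compile(r"^\[(?P<alias>[^\]]+)\]$")
USER_RE = re.compile(r"^(?:connect_string\s*=|PlsqlDatabaseUsername)\s*(?P<v>\S+)", re.I)
PASS_RE = re.compile(r"^(?:password\s*=|PlsqlDatabasePassword)\s*(?P<v>\S+)", re.I)

def classify_password(value):
    """Classify a stored DAD password by the prefix rules the post describes."""
    if value.startswith("!"):            # pre-10g marker: plain Base64, reversible
        try:
            base64.b64decode(value[1:], validate=True)
            return "base64-reversible"
        except (binascii.Error, ValueError):
            return "unknown"
    if value.startswith("@"):            # 10g (9.0.4) and later obfuscation
        return "obfuscated-10g"
    return "plaintext"                   # no marker: stored in clear

def audit_dad_config(text):
    findings, current = [], None         # one finding per [DAD_...] section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        if m := SECTION_RE.match(line):
            current = {"alias": m.group("alias"), "username": None, "password_kind": "missing"}
            findings.append(current)
        elif current and (m := USER_RE.match(line)):
            current["username"] = m.group("v")
        elif current and (m := PASS_RE.match(line)):
            current["password_kind"] = classify_password(m.group("v"))
    return findings

def reversible_dads(findings):
    # aliases whose schema password anyone able to read the file can recover
    return [f["alias"] for f in findings if f["password_kind"] in ("base64-reversible", "plaintext")]
```

Run it against a real wdbsvr.app or dads.conf by reading the file into `audit_dad_config`; every alias returned by `reversible_dads` is one where file read access equals knowledge of the schema password.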

What are the conclusions from these findings:
1. Don't forget to secure both your Application Server and Oracle Database machines at the OS level. Be aware that everyone who has access to the DAD configuration files can probably access your application data as well. An intruder does not need serious technical skills to steal your DAD passwords.
2. Always design your application to use database schemas with different levels of protection. For example (let's call them "outer" and "inner" schemas), put into the DAD files only the password of an "outer" database schema with restricted grants, and let your application interface connect directly only to that schema. The "outer" schema must have only a small set of object grants, used to execute procedures from the "inner" schemas, and must have no rights to create tables, synonyms or any other database objects. This will help you limit the damage from a potential intrusion. Put all dangerous procedures and critical application data in a safe place, in the "inner" schemas.
3. Always wrap your PL/SQL procedures and packages. Although the wrap encryption could be reverse-engineered, so far no one has reported succeeding at it. Wrapped PL/SQL code will limit potential damage as well.
4. This information is another good reason to move faster to an Oracle 10g environment.

About me

  • I'm Radoslav Rusinov
  • From Sofia, Bulgaria
  • Employer: TechnoLogica Ltd.
  • I am working as a Database Consultant in Sofia, Bulgaria. My main professional interests are in the database area and especially in the Oracle RDBMS, including database design, development, security and administration.
  • The views expressed on this blog are my own and do not necessarily reflect the views of my employing company and its affiliates.