SQL> CONNECT / AS SYSDBA
Connected.
SQL> ALTER SESSION SET EVENTS '10079 trace name context forever, level 2';
Session altered.
SQL> PASSWORD ndebes
Changing password for ndebes
New password:
Retype new password:
Password changed
SQL> ORADEBUG SETMYPID
Statement processed.
SQL> ORADEBUG TRACEFILE_NAME
/opt/oracle/obase/admin/TEN/udump/ten1_ora_20364.trc
The resulting trace file contains the following packet dump:
C850BD0 FFD668BF 646E06BF 73656265 00000030 [.h....ndebes0...]
C850BE0 54554110 454E5F48 53415057 524F5753 [.AUTH_NEWPASSWOR]
C850BF0 0000C044 31384000 39314642 38373930 [D....@81BF190978]
C850C00 41323232 39363642 45453539 42303242 [222AB66995EEB20B]
C850C10 46323546 30324343 30313239 39453434 [F52FCC20921044E9]
C850C20 34423130 32353232 45423332 44393431 [01B4225223BE149D]
C850C30 30304542 00003245 00270000 410D0000 [BE00E2....'....A]
C850C40 5F485455 53534150 44524F57 00000000 [UTH_PASSWORD....]
The value following AUTH_NEWPASSWORD is a 64-character hexadecimal string, not the password
itself, so the password was sent encrypted. Thus, the SQL*Plus PASSWORD command is a safe way
to change passwords, at least with respect to eavesdropping on the Oracle Net connection, whereas
ALTER USER user_name IDENTIFIED BY new_password is not, since it sends the password unencrypted
along with the SQL statement text. By the way, the preceding encryption is different from the
password hash in DBA_USERS.PASSWORD, such that eavesdropping on a communications link cannot be
used to glean the password hashes stored in the dictionary base table USER$. Oracle Call Interface
provides the function OCIPasswordChange() and it is safe to assume that SQL*Plus uses this function
to implement the PASSWORD command. Unfortunately the manuals do not state whether or not
OCIPasswordChange() encrypts passwords.
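To make the observation concrete, here is an added Python example (not code from the book, from Oracle or from SQL*Plus) that rebuilds the wire bytes from the packet dump above and pulls out the length-prefixed values that follow AUTH_NEWPASSWORD and AUTH_PASSWORD. The little-endian word layout is inferred by comparing the hex columns with the ASCII column; the exact framing of Oracle's key/value records is not decoded, the scan only assumes that strings carry a one-byte length prefix, as the 0x10 before AUTH_NEWPASSWORD and the 0x40 before the 64-character value suggest. For contrast it runs the same parser over a constructed dump of a SET ROLE ... IDENTIFIED BY statement, the case described further down as sent in the clear; the role name and password in it are made up.

```python
import re
import struct

# Packet dump lines copied from the event 10079 trace file shown above.
PASSWORD_TRACE = """\
C850BD0 FFD668BF 646E06BF 73656265 00000030 [.h....ndebes0...]
C850BE0 54554110 454E5F48 53415057 524F5753 [.AUTH_NEWPASSWOR]
C850BF0 0000C044 31384000 39314642 38373930 [D....@81BF190978]
C850C00 41323232 39363642 45453539 42303242 [222AB66995EEB20B]
C850C10 46323546 30324343 30313239 39453434 [F52FCC20921044E9]
C850C20 34423130 32353232 45423332 44393431 [01B4225223BE149D]
C850C30 30304542 00003245 00270000 410D0000 [BE00E2....'....A]
C850C40 5F485455 53534150 44524F57 00000000 [UTH_PASSWORD....]
"""

# address, one to four 32-bit words, then the ASCII column in brackets
DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]+((?:\s+[0-9A-Fa-f]{8}){1,4})\s*\[")


def dump_to_bytes(text):
    """Rebuild the wire bytes from a trace dump.

    Each 8-digit column is a 32-bit word printed most-significant byte
    first but stored little-endian, so FFD668BF is BF 68 D6 FF on the
    wire (compare the ASCII column ".h.." on the first line).
    """
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            for word in m.group(1).split():
                out += struct.pack("<I", int(word, 16))
    return bytes(out)


def bytes_to_dump(data, base=0):
    """Inverse of dump_to_bytes; used to build a constructed trace in the
    same format for the SET ROLE case (and to round-trip test the parser)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16].ljust(16, b"\0")
        words = " ".join("%08X" % w for w in struct.unpack("<4I", chunk))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%07X %s [%s]" % (base + off, words, ascii_col))
    return "\n".join(lines)


def _printable(buf):
    return len(buf) > 0 and all(32 <= b < 127 for b in buf)


def length_prefixed_value(data, key):
    """Locate <len><key> and return the first length-prefixed printable
    string after it, or None if the dump ends before one is found.

    Assumption: strings in the stream carry a one-byte length prefix
    (0x10 before AUTH_NEWPASSWORD, 0x40 before the 64-character value);
    the rest of Oracle's record framing is deliberately not decoded.
    """
    pos = data.find(key)
    if pos < 1 or data[pos - 1] != len(key):
        return None
    i = pos + len(key)
    while i < len(data):
        n = data[i]
        candidate = data[i + 1:i + 1 + n]
        if n > 0 and len(candidate) == n and _printable(candidate):
            return candidate.decode("ascii")
        i += 1
    return None


def looks_like_hex(value):
    """True for an even-length run of hex digits, i.e. an encoded blob
    rather than a password somebody typed."""
    return len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value) is not None


# Constructed statement text standing in for what SET ROLE ... IDENTIFIED BY
# puts on the wire; role name and password are made up, the dump format is not.
SET_ROLE_TRACE = bytes_to_dump(b"SET ROLE app_role IDENTIFIED BY s3cret", base=0xC851000)

IDENTIFIED_BY = re.compile(rb"IDENTIFIED\s+BY\s+([^\s\x00;]+)", re.IGNORECASE)


def role_passwords(data):
    """Cleartext passwords of any SET ROLE ... IDENTIFIED BY text in the stream."""
    return [m.group(1).decode("ascii") for m in IDENTIFIED_BY.finditer(data)]


if __name__ == "__main__":
    wire = dump_to_bytes(PASSWORD_TRACE)
    for key in (b"AUTH_NEWPASSWORD", b"AUTH_PASSWORD"):
        value = length_prefixed_value(wire, key)
        if value is None:
            verdict = "dump ends before a value"
        elif looks_like_hex(value):
            verdict = "hex blob, not cleartext"
        else:
            verdict = "CLEARTEXT"
        print("%s -> %s (%s)" % (key.decode(), value, verdict))
    print("SET ROLE -> %s (cleartext)" % role_passwords(dump_to_bytes(SET_ROLE_TRACE)))
```

The trace above ends right after the AUTH_PASSWORD keyword, so the parser reports no value for it; on a complete trace the same scan would show whether that value is a hex blob or readable text.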
Some applications use roles, which are protected by a password, to enable certain privileges
only when a user connects with the application. This is intended to restrict the privileges of
users who connect with SQL*Plus or other applications. Event 10079 may be used to prove that
both the SQL statement SET ROLE role_name IDENTIFIED BY password and DBMS_SESSION.SET_ROLE
send the role's password unencrypted to the DBMS server. This means that any user who knows
enough about Oracle Net can get the unencrypted role password from a packet dump. Since an end
user cannot add an ALTER SESSION statement to an application, an alternative way to dump Oracle
Net packets is needed. All that is necessary is to copy tnsnames.ora and sqlnet.ora to the
user's home directory and to set TNS_ADMIN to the same directory. Then, after adding the
following two lines to sqlnet.ora: