Category Archives: Security

Cryptographic flaws in Oracle Database authentication protocol

Recently a security researcher (Esteban Martinez Fayo) made the world aware of a problem with the O5LOGON Oracle database authentication protocol (used in 11g, i.e. 11.1 and 11.2). This problem, known as CVE-2012-3137, makes it relatively simple for attackers to get hold of passwords using an offline brute-force attack on the encrypted (AES-192) session key that is returned by… Read more »

Oracle RAC – granting SYSDBA or SYSOPER is instance specific

The default location for the password file is $ORACLE_HOME/dbs, which in most cases (unless your ORACLE_HOME is on a shared disk) is on a non-shared filesystem. Whenever you grant SYSDBA or SYSOPER to a database user, Oracle adds that user to the password file. What the Oracle documentation doesn't tell you is that the user will only… Read more »
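The following is an added example (not code from the original post) of how to check where a SYSDBA grant actually ended up on a RAC. It assumes a two-node cluster with instances ORCL1 and ORCL2 (hypothetical names), each with its own default password file $ORACLE_HOME/dbs/orapwORCL1 and orapwORCL2 on local disk, and a hypothetical user OPS_DBA.

```sql
-- Added example: grant SYSDBA on one instance, then look at every instance's password file.
-- Connected to instance ORCL1 as SYS:
CREATE USER ops_dba IDENTIFIED BY "Str0ng#Pass#1";   -- hypothetical user/password
GRANT SYSDBA TO ops_dba;

-- V$PWFILE_USERS only reflects the password file of the instance you are connected to,
-- so use the GV$ view to compare all instances in one query.
SELECT inst_id, username, sysdba, sysoper
  FROM gv$pwfile_users
 WHERE username = 'OPS_DBA'
 ORDER BY inst_id;

-- With a non-shared $ORACLE_HOME only INST_ID 1 returns a row, so a remote
--   sqlplus ops_dba/"Str0ng#Pass#1"@ORCL2 AS SYSDBA
-- is refused with ORA-01031 until orapwORCL1 is copied to node 2 as orapwORCL2
-- (or the password file is placed on shared storage that every instance uses).
```

Run the query again after copying the file; once every instance reports the user, the grant is effectively cluster-wide. Remember to repeat the copy after each later GRANT or REVOKE of SYSDBA/SYSOPER, because each of those only touches the local file again.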

Creating database links for another schema

There are situations (for instance after cloning a database) where you, as a DBA, want to create database links in other schemas for which you don't have the password. Unfortunately Oracle's security model doesn't allow you (not even as SYS) to create or drop database links in another user's schema. One solution is to get the password hash value, temporarily change the password for… Read more »
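Here is an added example (not the post's own code) of the hash-swap approach on 11g: save the user's stored hashes, set a temporary password, create the link as that user, then restore the original hashes. The schema APPUSER, the TNS alias REMOTE_DB and the remote account RUSER are hypothetical names.

```sql
-- Added example: create a database link in APPUSER's schema without knowing APPUSER's password.
-- Run step 1, 2 and 4 as SYS; step 3 as the target user.

-- 1. Save the current hashes. On 11g SYS.USER$ keeps the case-insensitive 10g hash in
--    PASSWORD and the case-sensitive SHA-1 hash ('S:' + 60 hex chars) in SPARE4; the
--    restore statement wants them glued together as 'S:<sha1+salt>;<des-hash>'.
SELECT spare4 || ';' || password AS restore_value
  FROM sys.user$
 WHERE name = 'APPUSER';
-- Note the RESTORE_VALUE; every login of APPUSER during the next two steps will fail
-- with ORA-01017, so do this in a quiet window.

-- 2. Set a temporary password that you know.
ALTER USER appuser IDENTIFIED BY "Tmp#Link#1";

-- 3. A database link can only be created by its owner, so connect as APPUSER.
CONNECT appuser/"Tmp#Link#1"
CREATE DATABASE LINK remote_db
  CONNECT TO ruser IDENTIFIED BY "RemoteSecret#1"
  USING 'REMOTE_DB';

-- 4. Back as SYS, put the original hashes back; nobody has to learn the temporary password.
CONNECT / AS SYSDBA
ALTER USER appuser IDENTIFIED BY VALUES '<RESTORE_VALUE from step 1>';
```

Caveat: if APPUSER's profile enforces PASSWORD_REUSE_MAX or PASSWORD_REUSE_TIME, step 4 can be rejected with ORA-28007 because the old hash is now in the password history; temporarily assigning a profile without those limits works around it. Also keep in mind that the temporary password itself becomes part of that history. A less intrusive alternative that is not from the post: as SYS, create a small definer's-rights procedure in APPUSER's schema that runs CREATE DATABASE LINK through EXECUTE IMMEDIATE, execute it, and drop it again; this needs APPUSER to hold CREATE DATABASE LINK as a direct grant, since roles are disabled inside definer's-rights code.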

Password History – Reusing a password

When one or both of the profile limits PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME are set to anything other than UNLIMITED, Oracle keeps a history of the passwords a user has used. This password history is stored in the table user_history$, which is part of the SYS schema. Whenever the user's password is changed, either by the user or… Read more »
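As an added example (not taken from the post), this is what switching on password history looks like on 11g and where the recorded history can be inspected. The profile name HIST_PROFILE and the user APPUSER are hypothetical.

```sql
-- Added example: enable password history for a user and look at what SYS.USER_HISTORY$ records.
-- Both limits set to a number: a password may only be reused after 5 other passwords have
-- been used AND 365 days have passed. If one of them is a number and the other UNLIMITED,
-- a password can never be reused; only when both are UNLIMITED is no history kept.
CREATE PROFILE hist_profile LIMIT
  PASSWORD_REUSE_MAX  5
  PASSWORD_REUSE_TIME 365;

ALTER USER appuser PROFILE hist_profile;

-- Two changes, by the DBA here (a change by the user via the PASSWORD command counts as well).
ALTER USER appuser IDENTIFIED BY "First#Pw#1";
ALTER USER appuser IDENTIFIED BY "Second#Pw#2";

-- Each change leaves the previous hash behind, keyed by the user number from SYS.USER$.
SELECT u.name, h.password, h.password_date
  FROM sys.user_history$ h
  JOIN sys.user$         u ON u.user# = h.user#
 WHERE u.name = 'APPUSER'
 ORDER BY h.password_date;

-- Going back to a password that is still in the history is refused:
ALTER USER appuser IDENTIFIED BY "First#Pw#1";   -- ORA-28007: the password cannot be reused
```

The history rows are never purged automatically; they are only ignored once the profile limits no longer apply to them, so the table is also a handy audit trail of how often an account's password really changes.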

Expired passwords in 11g database using 10g client

When I create a new user/schema in an Oracle database I specify a password and immediately use the PASSWORD EXPIRE clause to expire this one-time-use password. This way I make sure the user or application that is going to use the new account is forced to pick its own password. This works great unless you have a pre-10.2.0.5 Oracle… Read more »

Oracle RDBMS Password Hashes

Within Oracle databases passwords are stored as hashes. When, for example, you create a new account or change the password of an account, the specified clear-text password is hashed and the hash value is stored in the database with the account. Because the algorithms are one-way hashes, the original clear-text password cannot be recovered from the hash value; an attacker who obtains it can only guess candidate passwords and compare hashes. The case-insensitive… Read more »
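To make the "guess and compare" point concrete, here is an added example (not the post's own code) that recomputes the 11g case-sensitive hash for a candidate password and compares it with what SYS.USER$ stores. It assumes an 11g database, a hypothetical user APPUSER, a password made of ASCII characters, and that it is run as SYS (for access to SYS.USER$ and DBMS_CRYPTO).

```sql
-- Added example: verify a candidate password against the 11g hash in SYS.USER$.SPARE4.
-- SPARE4 on 11g is 'S:' followed by 40 hex chars of SHA-1(password || salt) and
-- 20 hex chars of the 10-byte random salt chosen when the password was set.
SET SERVEROUTPUT ON
DECLARE
  l_candidate  VARCHAR2(128) := 'Guess#1';      -- the password to test (hypothetical)
  l_spare4     sys.user$.spare4%TYPE;
  l_stored     RAW(20);
  l_salt       RAW(10);
  l_calc       RAW(20);
BEGIN
  SELECT spare4 INTO l_spare4 FROM sys.user$ WHERE name = 'APPUSER';

  l_stored := HEXTORAW(SUBSTR(l_spare4,  3, 40));   -- positions 3..42: SHA-1 digest
  l_salt   := HEXTORAW(SUBSTR(l_spare4, 43, 20));   -- positions 43..62: salt

  -- Same construction Oracle uses: SHA-1 over the password bytes followed by the salt.
  l_calc := DBMS_CRYPTO.HASH(
              UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(l_candidate), l_salt),
              DBMS_CRYPTO.HASH_SH1);

  IF l_calc = l_stored THEN
    DBMS_OUTPUT.PUT_LINE('match: candidate is APPUSER''s current password');
  ELSE
    DBMS_OUTPUT.PUT_LINE('no match');
  END IF;
END;
/
```

Change the candidate from 'Guess#1' to 'guess#1' and the comparison fails, which is exactly the case sensitivity the 11g hash adds over the older hash. The salt is the reason two accounts with the same password show different SPARE4 values and why a guess has to be hashed per account rather than once for the whole USER$ table.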

Unwrapping wrapped PLSQL in 10g, 11g and 12c

There are circumstances where you wish to have a look at the source of a wrapped PL/SQL package, procedure or function. The circumstance in which I want to peek at the source is when some PL/SQL code becomes invalid because an object the code depends on disappears or grants on such objects get lost. It would/should of course be nice if… Read more »