Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Oracle8i

From: "Aaron C. Newman" <aaron () newman-family com>
Date: Mon, 2 Jul 2001 04:02:09 -0400
There is not alot of information out there about Oracle network security.
The protocols are proprietary and closely guarded by Oracle.

The oracle database runs on 1521, Jserver runs on 2481, Oracle SSL runs over
2482, the name server 1575.

There are a few basic items to check. Is a password set on the listener
service. Most people have no idea they need one or how to set, so chance are
its not there. If not you should be able to gain access as the oracle user
or on windows as the LocalSystem user. The listener also has to lockout, so
you can bruteforce it.

There is the Covert alert on a buffer overflow in the listener. There is no
a patch out for it yet.

Oracle is not designed to be exposed to the Internet - in terms of DOS
attacks, there is no way to prevent them, and based on the beta, this will
not change in Oracle9i.

There are also lots of default accounts installed that probably have not
been changed. Try dbsnmp/dbsnmp or outln/outln. I've seen over 30 different
default passwords on the various platforms and versions.

There is the security alerts page at oracle, although you'll get little to
no real information from these advisories:
http://otn.oracle.com/deploy/security/index2.htm?Info&alerts.htm

We are in the process of putting out a complete list of Oracle security
alerts - check out our web site later this week. We have a discussion board
specifically for Oracle security. We are working on some tools that could be
useful to you. Let me know if you'd like to beta test.

HTH,

Aaron C. Newman
CTO/Founder
Application Security, Inc.
212-490-6022
anewman () appsecinc com
www.appsecinc.com
-Protection Where It Counts-



-----Original Message-----
From: pen-test-return-445-aaron=newman-family.com () securityfocus com
[mailto:pen-test-return-445-aaron=newman-family.com () securityfocus com]On
Behalf Of INA (V. Brahmanandam)
Sent: Monday, July 02, 2001 1:17 AM
To: 'PEN-TEST () SECURITYFOCUS COM'
Subject: Oracle8i


Hi all,

Has any one in this group had a chance to pen-test Oracle 8i running on  Net
8 network.

I am required to undertake a review of Oracle database and Net 8 security.
While I have had  occasions  to review Oracle database security earlier,
this is the first time I am venturing on to Net 8 security review.

I am particularly looking for the following information:

*       Risks specific to Oracle with Net8
*       Does NET8 run its own network services; if so, how to identify them
*       How to identify ports managed by Net8, if any
*       Are there any automated tools, which I can use to review NET8
security (shareware/freeware or any tools supplied as part of NET8 )

I have partially gone through the Oracle documentation with no luck for the
above information so far. I would appreciate any help in this regard.

Regards.

Brahma




----------------------------------------------------------------------------
----------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service
For more information on SecurityFocus' SIA service which automatically
alerts you to
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/



--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: