On occassion, I read 2600 Magazine (used to have a subscription) and while I don't claim to understand every article discussed, sometimes I come across a gem that pertains to my day-to-day life as a Oracle DBA/Developer. For example, the Fall 2006 issue had a Oracle article that I decided to give a try.
Sure enough, under the standard database configuration that comes with CDC Software's iRennaisance, I was able to expose a flaw in the user security. This system comes with two "master" users: fin_prod and man_prod (finance and manufacturing users). Most everyone knows the built-in passwords for these users so logging on via SQL*Plus is not much trouble.
Once logged in, these two users have a custom role defined by the ERP as GEM_DBA. Within this role, comes the ALTER USER privilege. Using these capabilities it is very easy to change the sys (or system) password. With a little more work, one can also:
- Capture the existing sys password (in encrypted state)
- Change the sys password
- Create a new user
- Change the sys password back
Now you have created a backdoor user or have easily gained sys dba privileges.
I originally demonstrated the above and posted to the Technology email list for the ERP vendor as very few clients will ever modify these login password or the GEM_DBA Role. Hopefully, someone at CDC addressed this in a future release.
For now, "alter user" is the name of my blog on all things Oracle that I have encountered.