18th Jan 2002 [SBWID-5009]
COMMAND
Oracle has default user/pass combinations
SYSTEMS AFFECTED
Oracle 7, 8, 9i
PROBLEM
Jonathan A. Zdziarski says :
Oracle's RDBMS has some very odd default installation quirks ...
1. The SYSTEM and SYS passwords are defaulted (manager and
change_on_install, respectively).
2. The database comes with a handful of pre-existing "demo" accounts
with preset passwords (e.g. SCOTT/TIGER, and a few others, try SELECT
USERNAME FROM DBA_USERS).
3. Shell commands can by default be executed by a connected sqlplus
user, without any particularly special privileges. For example:
SQL> !pwd
/export/home/jonz
SQL> host
$
I would be curious to know if this shellcode is built into one of the
server-side client libraries or just sqlplus. The fact that the
behavior of the product is kept in the database is very suspicious.
4. Auditing is turned off by default
Combining this with a very proprietary protocol, Oracle's perverted
naming service (TNS), and support for sacrilegious rituals such as
supporting plain-text passwords for linking databases together, it's
no surprise that it should be relatively easy to hack someone's Oracle
box.
Update
======
About the above points Jonathan argues :
To clarify, the "host" command is client-based. For instance, when I
SQLPLUS into a remote database, and I use the host command, it breaks me
out into the directory of the local machine, not the server you're
connected into. Same goes for any local shell commands. I don't see that
as being a security risk.
As to the System and Sys accounts having defaulted passwords, the last time
I installed 9i it made me change them at the time of install. The accounts
were also locked, and not accessible, until I went in as INTERNAL and
modified them. I find this to be somewhat acceptable behaviour.
SOLUTION
To suppress demo users :
SELECT USERNAME FROM DBA_USERS;
And look for any names that look like "people" then delete them using
DROP USER.
To deactivate shell access : run $ORACLE_HOME/sqlplus/admin/pupbld.sql,
then run this SQL statement as DBA,
INSERT INTO PRODUCT_USER_PROFILE
VALUES('SQL*Plus','%','HOST',NULL,NULL,'DISABLED',NULL,NULL)
/
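The SOLUTION steps gathered into one DBA script, as an added example that is not part of the original advisory. It assumes Oracle 8i or later for the ACCOUNT_STATUS column of DBA_USERS, that pupbld.sql has already been run as SYSTEM, and the <...> passwords are placeholders to replace.

```sql
-- Added example (not from the original advisory). Run as a DBA in SQL*Plus.
-- Assumes Oracle 8i or later (DBA_USERS.ACCOUNT_STATUS).

-- 1. Inventory: the accounts the advisory names plus anything still open,
--    so that demo and "people" accounts can be reviewed before acting.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'SYSTEM', 'SYS')
    OR account_status = 'OPEN'
 ORDER BY username;

-- 2. Replace the defaulted administrative passwords
--    (manager / change_on_install). Placeholders, choose strong values.
ALTER USER SYSTEM IDENTIFIED BY "<new-SYSTEM-password>";
ALTER USER SYS    IDENTIFIED BY "<new-SYS-password>";

-- 3. Demo account: lock and expire first (reversible), then drop once
--    nothing depends on its schema. CASCADE removes owned objects too.
ALTER USER SCOTT ACCOUNT LOCK PASSWORD EXPIRE;
-- DROP USER SCOTT CASCADE;

-- 4. Disable HOST for every SQL*Plus user ('%'). PRODUCT_USER_PROFILE is
--    created by $ORACLE_HOME/sqlplus/admin/pupbld.sql; SQL*Plus treats the
--    OS shortcut (! on UNIX, $ on Windows) as HOST, so one row covers both.
INSERT INTO product_user_profile
  (product, userid, attribute, scope,
   numeric_value, char_value, date_value, long_value)
VALUES ('SQL*Plus', '%', 'HOST', NULL,
        NULL, 'DISABLED', NULL, NULL);
COMMIT;

-- 5. Verify the restriction row is in place.
SELECT userid, attribute, char_value
  FROM product_user_profile
 WHERE product = 'SQL*Plus';
```

The PRODUCT_USER_PROFILE check is enforced by the SQL*Plus client when it connects, so it limits what that client will run for a user; it is not a server-side privilege and does not replace locking and re-passwording the accounts.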