RE: Oracle8i

From: Aaron C. Newman (aaron@newman-family.com)
Date: Mon Jul 02 2001 - 01:02:09 PDT


    There is not a lot of information out there about Oracle network security.
    The protocols are proprietary and closely guarded by Oracle.
    
    The Oracle database runs on 1521, Jserver runs on 2481, Oracle SSL runs over
    2482, the name server 1575.
    
    There are a few basic items to check. Is a password set on the listener
    service? Most people have no idea they need one or how to set it, so chances
    are it's not there. If not, you should be able to gain access as the oracle
    user or, on Windows, as the LocalSystem user. The listener also has no
    lockout, so you can bruteforce it.
    
    There is the Covert alert on a buffer overflow in the listener. There is no
    patch out for it yet.
    
    Oracle is not designed to be exposed to the Internet - in terms of DOS
    attacks, there is no way to prevent them, and based on the beta, this will
    not change in Oracle9i.
    
    There are also lots of default accounts installed that probably have not
    been changed. Try dbsnmp/dbsnmp or outln/outln. I've seen over 30 different
    default passwords on the various platforms and versions.
    
    There is the security alerts page at Oracle, although you'll get little to
    no real information from these advisories:
    http://otn.oracle.com/deploy/security/index2.htm?Info&alerts.htm
    
    We are in the process of putting out a complete list of Oracle security
    alerts - check out our web site later this week. We have a discussion board
    specifically for Oracle security. We are working on some tools that could be
    useful to you. Let me know if you'd like to beta test.
    
    HTH,
    
    Aaron C. Newman
    CTO/Founder
    Application Security, Inc.
    212-490-6022
    anewmanat_private
    www.appsecinc.com
    -Protection Where It Counts-
    
    
    
    -----Original Message-----
    From: pen-test-return-445-aaron=newman-family.comat_private
    [mailto:pen-test-return-445-aaron=newman-family.comat_private]On
    Behalf Of INA (V. Brahmanandam)
    Sent: Monday, July 02, 2001 1:17 AM
    To: 'PEN-TESTat_private'
    Subject: Oracle8i
    
    
    Hi all,
    
    Has anyone in this group had a chance to pen-test Oracle 8i running on a Net
    8 network?
    
    I am required to undertake a review of Oracle database and Net 8 security.
    While I have had occasions to review Oracle database security earlier,
    this is the first time I am venturing on to Net 8 security review.
    
    I am particularly looking for the following information:
    
    *	Risks specific to Oracle with Net8
    *	Does NET8 run its own network services; if so, how to identify them
    *	How to identify ports managed by Net8, if any
    *	Are there any automated tools, which I can use to review NET8
    security (shareware/freeware or any tools supplied as part of NET8 )
    
    I have partially gone through the Oracle documentation with no luck for the
    above information so far. I would appreciate any help in this regard.
    
    Regards.
    
    Brahma
    
    
    
    
    ----------------------------------------------------------------------------
    ----------
    
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service
    For more information on SecurityFocus' SIA service which automatically
    alerts you to
    the latest security vulnerabilities please see:
    
    https://alerts.securityfocus.com/
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 09:33:40 PDT