Introduction

To get the most out of the security features Oracle Database offers in any business environment, it is imperative that the database itself be well protected. If you do not use encryption in Oracle Net (SQL*Net), everything that travels from the client to the server is visible on the network; a sniffer is all it takes to see it. So when you use the best-known command to change a database user's password, you are actually leaving your database even more vulnerable.

I must thank my fellow DBA Franky Weber Faust for the post on his blog that this article draws on.

Changing passwords via SQL*Plus in an insecure way

For this demo the tcpdump RPM was installed via YUM. I run tcpdump to capture the traffic on my network card:

[root@oracle ~]# tcpdump -XX -i eth0 > tcpdump.log
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C99 packets captured
100 packets received by filter
0 packets dropped by kernel

Then I change the user's password in the database through the SQL*Plus client:

[oracle@PREMISE ~]$ sqlplus system/oracle@192.168.15.21:1521/cdb3.localdomain

SQL*Plus: Release 12.1.0.2.0 Production on Sat Jun 24 21:07:37 2017

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Last Successful login time: Sat Jun 24 2017 20:26:25 -03:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> alter user c##test identified by oracle;

User altered.

 

Let's see what was written to tcpdump.log. I'll show only the part that matters, because tcpdump captured all the traffic that passed through this network card:

[root@oracle ~]# vi tcpdump.log

21:07:42.337686 IP PREMISE.compute-gbvodafone.oraclecloud.internal.ncube-lm > PREMISE.compute-gbvodafone.oraclecloud.internal.54831: Flags [P.], seq 6724:7023, ack 7042, win 4096, options [nop,nop,TS val 1454618478 ecr 31220076], length 299
0x0000: 0800 270f d012 80e6 5009 af7a 0800 4500 ..'.....P..z..E.
0x0010: 015f 1de8 4000 4006 7c3d c0a8 0f0e c0a8 ._..@.@.|=......
0x0020: 0f15 e180 05f1 aa83 ce5f 6566 9019 8018 ........._ef....
0x0030: 1000 60dc 0000 0101 080a 56b3 b76e 01dc ..`.......V..n..
0x0040: 616c 0000 012b 0600 0000 0000 035e 1121 al...+.......^.!
0x0050: 8000 0000 0000 00fe ffff ffff ffff ff7b ...............{
0x0060: 0000 00fe ffff ffff ffff ff0d 0000 00fe ................
0x0070: ffff ffff ffff fffe ffff ffff ffff ff00 ................
0x0080: 0000 0001 0000 0000 0000 0000 0000 0000 ................
0x0090: 0000 0000 0000 0000 0000 0000 0000 00fe ................
0x00a0: ffff ffff ffff ff00 0000 0000 0000 00fe ................
0x00b0: ffff ffff ffff fffe ffff ffff ffff fffe ................
0x00c0: ffff ffff ffff ff00 0000 0000 0000 00fe ................
0x00d0: ffff ffff ffff fffe ffff ffff ffff ff00 ................
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0100: 0000 0000 0000 0000 0000 0000 0000 0029 ...............)
0x0110: 616c 7465 7220 7573 6572 2063 2323 6672 alter.user.c##te
0x0120: 616e 6b79 2069 6465 6e74 6966 6965 6420 st.identified...
0x0130: 6279 206f 7261 636c 6501 0000 0001 0000 by.oracle.......
0x0140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0150: 0000 0000 0007 0000 0000 0000 0000 8000 ................
0x0160: 0000 0000 0000 0000 0000 0000 00 .............

The command I used to change the password, including the password itself, is available to anyone who knows how to intercept it.

How can this be avoided? I would like to introduce a command that few people know about. It matters because it sends only the hash of the password to the database rather than the cleartext, even when Oracle Net encryption is not configured.

Changing the password via SQL*Plus securely

I will generate a new tcpdump and store the output in another log:

[root@oracle ~]# tcpdump -XX -i eth0 > tcpdump_2.log
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C112 packets captured
113 packets received by filter
0 packets dropped by kernel

I change the password via SQL*Plus again, but this time with the password command, which sends the password to the database in encrypted form and so raises the security of the environment a bit:

[oracle@PREMISE ~]$ sqlplus system/oracle@192.168.15.21:1521/cdb3.localdomain

SQL*Plus: Release 12.1.0.2.0 Production on Sat Jun 24 21:14:51 2017

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Last Successful login time: Sat Jun 24 2017 21:07:35 -03:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> password c##test
Changing password for c##test
New password:
Retype new password:
Password Changed

Let's look at the generated tcpdump log file. Again, I show only the part of the file that interests us:

[root@oracle ~]# vi tcpdump_2.log

21:14:59.420581 IP PREMISE.compute-gbvodafone.oraclecloud.internal.ncube-lm > PREMISE.compute-gbvodafone.oraclecloud.internal.54831 lm: Flags [P.], seq 6724:7185, ack 7043, win 4096, options [nop,nop,TS val 1455054066 ecr 31653560], length 461
0x0000: 0800 270f d012 80e6 5009 af7a 0800 4500 ..'.....P..z..E.
0x0010: 0201 78cc 4000 4006 20b7 c0a8 0f0e c0a8 ..x.@.@.........
0x0020: 0f15 e1f4 05f1 b912 0a49 6970 cc99 8018 .........Iip....
0x0030: 1000 28ab 0000 0101 080a 56ba 5cf2 01e2 ..(.......V.\...
0x0040: feb8 0000 01cd 0600 0000 0000 116b 118e .............k..
0x0050: 0000 0082 b100 0001 0000 0003 7312 feff ............s...
0x0060: ffff ffff ffff 1b00 0000 0201 0000 feff ................
0x0070: ffff ffff ffff 0800 0000 feff ffff ffff ................
0x0080: ffff feff ffff ffff ffff 0963 2323 6672 ...........c##te
0x0090: 616e 6b79 2400 0000 0000 5554 485f 5345 st$......AUTH_SE
0x00a0: 5353 4b45 5900 0000 0001 0000 0030 0000 SSKEY........0..
0x00b0: 0010 4155 5448 5f4e 4557 5041 5353 574f ..AUTH_NEWPASSWO
0x00c0: 5244 c000 0000 4045 3435 3835 3731 4632 RD....@E458571F2
0x00d0: 3538 3846 3246 3534 3241 3643 3834 3732 588F2F542A6C8472
0x00e0: 3041 3137 3531 4244 3231 3232 4239 3046 0A1751BD2122B90F
0x00f0: 4534 3837 3933 3943 4132 3032 3733 4643 E487939CA20273FC
0x0100: 3432 3042 3933 4100 0000 0027 0000 000d 420B93A....'....
0x0110: 4155 5448 5f54 4552 4d49 4e41 4c15 0000 AUTH_TERMINAL...
0x0120: 0007 7474 7973 3030 3500 0000 002d 0000 ..ttys005....-..
0x0130: 000f 4155 5448 5f50 524f 4752 414d 5f4e ..AUTH_PROGRAM_N
0x0140: 4d5d 0000 001f 7371 6c70 6c75 7340 4672 M]....sqlplus@Pr
0x0150: 616e 6b79 732d 4d42 5020 2854 4e53 2056 mise-MBP.(TNS.V
0x0160: 312d 5633 2900 0000 0024 0000 000c 4155 1-V3)....$....AU
0x0170: 5448 5f4d 4143 4849 4e45 2100 0000 0b46 TH_MACHINE!....F

Note that this time the password does not appear in the capture; what crosses the wire is the AUTH_NEWPASSWORD attribute instead of the statement text.
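As an added example (not code from the original post), here is a small Python audit script for exactly the two situations captured above: it reads tcpdump -XX output, decodes the hex column of each packet, and reports whether a password change crossed the wire as a cleartext ALTER USER ... IDENTIFIED BY statement or as an AUTH_NEWPASSWORD attribute. The sample capture it runs on is constructed with placeholder names and values, and the render_xx helper and the packet framing are assumptions for the demo, not Oracle's protocol.

```python
import re

HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")   # timestamped packet header line
# at most 8 two-byte hex groups per line; the ASCII column that follows is not captured
# (it can itself look like hex, as on the AUTH_NEWPASSWORD lines above)
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s+){0,7}[0-9a-f]{2}(?:[0-9a-f]{2})?)", re.I)
CLEARTEXT_PW = re.compile(rb"alter\s+user\s+\S+\s+identified\s+by\s+\S+", re.I)

def parse_packets(dump_text):
    """Raw bytes of each packet, decoded from the hex column (the ASCII column is lossy)."""
    packets, current = [], bytearray()
    for line in dump_text.splitlines():
        if HEADER.match(line):             # next packet begins: flush the previous one
            if current:
                packets.append(bytes(current))
            current = bytearray()
        elif (m := HEX_LINE.match(line)):  # blank lines and other text are ignored
            current += bytes.fromhex("".join(m.group(1).split()))
    if current:
        packets.append(bytes(current))
    return packets

def audit(dump_text):
    """(packet index, how the change was sent, password visible?) for each password change."""
    findings = []
    for i, pkt in enumerate(parse_packets(dump_text)):
        if CLEARTEXT_PW.search(pkt):
            findings.append((i, "ALTER USER in cleartext", True))
        elif b"AUTH_NEWPASSWORD" in pkt:
            findings.append((i, "AUTH_NEWPASSWORD", False))
    return findings

def render_xx(ts, payload):
    """Lay bytes out like tcpdump -XX, to build the constructed sample below."""
    out = [f"{ts} IP client.54831 > server.1521: Flags [P.], length {len(payload)}"]
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        hexcol = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        out.append(f"\t0x{off:04x}:  {hexcol}  " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk))
    return "\n".join(out)

# Constructed sample capture (placeholder user, password and AUTH_NEWPASSWORD value):
# packet 0 is what ALTER USER looks like on the wire, packet 1 what `password` sends.
SAMPLE_LOG = "\n".join([
    render_xx("21:07:42.337686", b"\x00" * 25 + b"alter user c##test identified by Pl4ceholder\x01\x00"),
    render_xx("21:14:59.420581", b"\tc##test$\x00\x10AUTH_NEWPASSWORD\xc0\x00\x00\x00@" + b"0123456789ABCDEF" * 4),
])

for idx, how, exposed in audit(SAMPLE_LOG):
    print(f"packet {idx}: {how}; password visible on the wire: {exposed}")
```

The blank-line-separated layout shown above parses the same way, since only header and 0x-offset lines are interpreted.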

Changing the password via SQL Developer is also an insecure method

Let's see how SQL Developer also exposes the password at the network level.

Again a new tcpdump:

[root@oracle ~]# tcpdump -XX -i eth0 > tcpdump_3.log
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C57 packets captured
58 packets received by filter
0 packets dropped by kernel

And I change the password from SQL Developer. Let's see the tcpdump log again:

[root@oracle ~]# vi tcpdump_3.log

21:21:44.160053 IP PREMISE.compute-gbvodafone.oraclecloud.internal.ncube-lm > PREMISE.compute-gbvodafone.oraclecloud.internal.54831: Flags [P.], seq 65:181, ack 76, win 4096, options [nop,nop,TS val 1455457433 ecr 32068599], length 116
0x0000: 0800 270f d012 80e6 5009 af7a 0800 4500 ..'.....P..z..E.
0x0010: 00a8 04b6 0000 4006 d626 c0a8 0f0e c0a8 ......@..&......
0x0020: 0f15 d781 05f1 e264 3434 2dc7 5144 8018 .......d44-.QD..
0x0030: 1000 1f4b 0000 0101 080a 56c0 8499 01e9 ...K......V.....
0x0040: 53f7 0000 0074 0600 0000 0000 035e 3b02 S....t.......^;.
0x0050: 8021 0001 012a 0101 0d00 0000 0004 7fff .!...*..........
0x0060: ffff 0000 0000 0000 0000 0000 0001 0000 ................
0x0070: 0000 0000 0000 0000 0000 0061 6c74 6572 ...........alter
0x0080: 2075 7365 7220 6323 2366 7261 6e6b 7920 .user.c##test..
0x0090: 6964 656e 7469 6669 6564 2062 7920 6f72 identified......
0x00a0: 6279 206f 7261 636c 6501 0000 0001 0000 by.oracle.......
0x00b0: 0280 0000 0000 ......

Conclusion

The password command is the more secure option and should be used from SQL*Plus. I have not tested it with other tools, so for now I only know that it is secure via SQL*Plus. Note that in SQL Developer, even when the password command is used and the password is typed at the prompt it displays, the password is not sent encrypted over the network.