OraMatt: YABAOracle

Yet Another Blog About Oracle

Better Lockdown Script

So I was thinking about the lockdown script I wrote yesterday and noticed an attack vector.

I only generated RANDPWD once, so every account was given the same password; if an attacker learned that one value they could compromise every account the script had "locked". In theory, anyway, but it was worth rewriting.

function lock_default_oracle_accounts()
{
# List every account whose password still matches a known default.
# -s (silent) suppresses the banner and SQL> prompts, so the spool file
# holds nothing but usernames. Note that the file sits in /tmp and names
# the weak accounts; it is readable by anyone who can read /tmp.
sqlplus -s / as sysdba <<EOF
set echo off
set feedback off
set timing off
set heading off
set pagesize 0
set linesize 9999
set trimspool on
set tab off
set recsep off
spool /tmp/defpwd_accounts.txt
select username from dba_users_with_defpwd;
spool off
exit
EOF

# Lock each account and give it its own password. RANDPWD is generated
# inside the loop, and from /dev/urandom rather than from the clock, so
# no two accounts share a value and none can be derived from the time the
# script ran (the sleep that kept date +%s changing is no longer needed,
# and the variable is not exported, so child processes never see it).
# Quoting the username and the password keeps SQL*Plus happy with any
# username and with passwords that start with a digit. Every account the
# view returns is locked, SYS and SYSTEM included if they still use their
# defaults, so review the spool file first if that is not what you want.
while read -r i
do
  [ -z "${i}" ] && continue
  RANDPWD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
  sqlplus -s / as sysdba <<EOF
alter user "${i}" account lock;
alter user "${i}" identified by "${RANDPWD}";
exit
EOF
done < /tmp/defpwd_accounts.txt
unset RANDPWD

# Verify: the first query should now return no rows; the second records
# the resulting status of every account in the database.
sqlplus -s / as sysdba <<EOF
set lines 200
spool /tmp/check_defpwd_account_status.log
select username from dba_users_with_defpwd;
select username, account_status from dba_users;
spool off
exit
EOF
}
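Reusing one value was not the only weakness in the original derivation: `date +%s | sha256sum | base64 | head -c 12` is a deterministic function of the second the script ran, so anyone who knows roughly when the lockdown happened can regenerate every password it set, one second at a time. The script below is an added example, not code from the original post: it reproduces that derivation exactly (the epoch second plus the newline that `date` prints), recovers the run time from a password by trying a window of seconds, and shows a /dev/urandom-based generator to use instead. The run time 1700000000 is a constructed value, not a real one.

```shell
#!/bin/sh
# Added example: why a clock-derived password is recoverable, and what
# to use instead. All values below are constructed for the demo.

# Exactly the derivation used by the old lockdown script: the epoch second
# (with its trailing newline, as `date +%s` prints it) hashed with SHA-256,
# base64-encoded and truncated to 12 characters.
derive_from_ts() {
    printf '%s\n' "$1" | sha256sum | base64 | head -c 12
}

# Given a password and a window of epoch seconds in which the script might
# have run, try every second in the window and print the one that
# reproduces the password. A whole day is only 86400 candidates.
# Usage: recover_ts PASSWORD FIRST_SECOND LAST_SECOND
recover_ts() {
    target=$1; ts=$2; end=$3
    while [ "$ts" -le "$end" ]; do
        if [ "$(derive_from_ts "$ts")" = "$target" ]; then
            printf '%s\n' "$ts"
            return 0
        fi
        ts=$((ts + 1))
    done
    return 1
}

# The replacement: 16 alphanumerics straight from the kernel CSPRNG.
# Nothing about the run time goes into it, so there is nothing to
# enumerate, and each call is independent of the last.
gen_pwd() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Demo with a constructed run time: an attacker who can place the run
# within a couple of minutes recovers the exact second, and with it the
# password of every account the old script touched.
run_ts=1700000000
pwd_old=$(derive_from_ts "$run_ts")
printf 'old scheme password: %s\n' "$pwd_old"
printf 'recovered run time:  %s\n' \
    "$(recover_ts "$pwd_old" $((run_ts - 60)) $((run_ts + 60)))"
printf 'new scheme password: %s\n' "$(gen_pwd)"
```

The search window in the demo is two minutes; widening it to a day only costs 86400 hash invocations, which is why the run time must not be the only secret. The urandom generator has no such window to search, and because it is called once per account inside the loop, two accounts never share a value.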

About

I’m Matt and I do Oracle things.