Oracle Password Hash in Audit Logs

Name: Oracle Password Hash in Audit Logs - CVE-2009-1969
Systems Affected: Oracle Database
Severity: Medium Risk
Category: Information Disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
Advisory: 27 Jul 2009 (V 1.00)


Details
The ALTER USER command (and, as the Database Vault sample shows, CREATE USER) was not filtered properly: the password hash supplied in the IDENTIFIED BY VALUES clause was written in clear into the audit trail of Oracle (core) auditing (SYS.AUD$)
and into the Oracle Database Vault audit trail (DVSYS.AUDIT_TRAIL$). Anyone able to read these audit tables can take the hash and attack it offline.


Sample (without Database Vault):
SQL> alter user alter_test identified by values 'D768C717761F43BB' replace alter_test;
SQL> select sql_text from sys.aud$ where lower(sql_text) like '%alter user%';
alter user alter_test identified by values 'D768C717761F43BB' replace ********;

Only the old password in the REPLACE clause is masked; the hash in the VALUES clause is stored in clear.

Sample (with Database Vault):

SQL> conn / as sysdba
SQL> create user alexK identified by values '05E29458F5CE92C7';
create user alexK identified by values '05E29458F5CE92C7'
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> conn DVSYS/DVSYS123
SQL> select username,action_command from dvsys.audit_trail$ where action_command
like '%create%';
SYS create user alexK identified by values '05E29458F5CE92C7'

Database Vault rejects the CREATE USER issued by SYS (ORA-01031), but the rejected statement, hash included, is still written to the Database Vault audit trail, where DVSYS can read it.
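As an added check for the two samples above (example code written for this page, not Red-Database-Security's or Oracle's own tooling), the following Python scans exported audit rows for IDENTIFIED BY VALUES, IDENTIFIED BY and REPLACE values that were not replaced by the ******** mask, and shows the masking the audit trail should have applied. The sample rows are constructed from the advisory's samples; the assumption that rows come as (username, sql_text) pairs from SYS.AUD$ or DVSYS.AUDIT_TRAIL$, and the unquoted-password forms handled, are this example's own.

```python
import re

# Constructed sample audit rows (username, sql_text), not real audit data:
# modelled on the two samples above plus one correctly masked row and one
# unrelated statement.  Assumption: rows come from SYS.AUD$ / DBA_AUDIT_TRAIL
# (sql_text) or DVSYS.AUDIT_TRAIL$ (action_command).
SAMPLE_AUDIT_ROWS = [
    ("SYS", "alter user alter_test identified by values 'D768C717761F43BB' replace ********"),
    ("SYS", "create user alexK identified by values '05E29458F5CE92C7'"),
    ("SYS", "alter user scott identified by ********"),
    ("SYSTEM", "grant connect to scott"),
]

MASK = "********"  # what a correctly filtered audit row contains

# IDENTIFIED BY VALUES '<hash>' as used in the advisory samples.
_VALUES_RE = re.compile(r"identified\s+by\s+values\s+'(?P<hash>[^']*)'", re.IGNORECASE)
# IDENTIFIED BY <password> (clear-text form).  Quoted passwords containing
# spaces are not handled; that is an assumption of this example.
_PLAIN_RE = re.compile(r"identified\s+by\s+(?!values\b)(?P<pw>[^\s;]+)", re.IGNORECASE)
# REPLACE <old password>, only meaningful inside ALTER USER (not CREATE OR REPLACE).
_REPLACE_RE = re.compile(r"\breplace\s+(?P<old>[^\s;]+)", re.IGNORECASE)
_ALTER_USER_RE = re.compile(r"^\s*alter\s+user\b", re.IGNORECASE)


def unmasked_secrets(sql_text):
    """Return [(clause, secret)] for every password or hash that survived
    unmasked in one audited statement; [] means the row is clean."""
    hits = []
    for m in _VALUES_RE.finditer(sql_text):
        if m.group("hash") and m.group("hash") != MASK:
            hits.append(("identified by values", m.group("hash")))
    for m in _PLAIN_RE.finditer(sql_text):
        if m.group("pw") != MASK:
            hits.append(("identified by", m.group("pw")))
    if _ALTER_USER_RE.match(sql_text):
        for m in _REPLACE_RE.finditer(sql_text):
            if m.group("old") != MASK:
                hits.append(("replace", m.group("old")))
    return hits


def scan_audit_rows(rows):
    """Flatten findings over (username, sql_text) rows into
    [(username, clause, secret)]."""
    return [(user, clause, secret)
            for user, sql_text in rows
            for clause, secret in unmasked_secrets(sql_text)]


def _mask_group(m, name):
    # Replace just the named group inside the whole match, keeping the rest.
    start, end = m.start(name) - m.start(), m.end(name) - m.start()
    whole = m.group(0)
    return whole[:start] + MASK + whole[end:]


def redact(sql_text):
    """Apply the masking the audit trail should have applied to the statement."""
    text = _VALUES_RE.sub(lambda m: _mask_group(m, "hash"), sql_text)
    text = _PLAIN_RE.sub(lambda m: _mask_group(m, "pw"), text)
    if _ALTER_USER_RE.match(text):
        text = _REPLACE_RE.sub(lambda m: _mask_group(m, "old"), text)
    return text


if __name__ == "__main__":
    for user, clause, secret in scan_audit_rows(SAMPLE_AUDIT_ROWS):
        print(f"{user}: {clause} leaked {secret!r}")
    for _, sql_text in SAMPLE_AUDIT_ROWS:
        print(redact(sql_text))
```

Run against a real export, scan_audit_rows tells you which audit rows on an unpatched system already carry hashes and therefore which accounts should have their passwords changed after the CPU is applied; redact shows what the fixed filtering produces.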



Patch Information
Apply the patches for Oracle CPU July 2009. Password hashes already recorded in the audit trails of unpatched systems remain readable there; change the affected passwords and purge or protect those audit rows.



History
20-aug-2008 Bug reported
15-jul-2009 Oracle published CPU July 2009
27-jul-2009 Advisory published



© 2009 by Red-Database-Security GmbH - last update 27-jul-2009