Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: oracle~1.htm

Oracle's ADI 7.1.1.10.1 plaintext passwords



Vulnerability

    Oracle

Affected

    Oracle's ADI 7.1.1.10.1

Description

    Melanie Abbas found  following.  The  version of ADI  (Application
    Desktop  Integrator)  7.1.1.10.1  which  was recently shipped with
    Oracle's Financial  Applications version  11.5.3 contains  a major
    security breach.

    Whenever  the  software  is  launched,  it  creates  a file called
    dbg.txt on the  local hard drive  on the system  which contains in
    PLAIN TEXT the  usernames and passwords  for both the  application
    user and the APPS schema!

    To explain further, the software runs on Windows systems and  uses
    the net8 client to talk to the database, however, user's logon  as
    their application ID and password, not directly to the database.

    In order for  this to work,  the application goes  to the database
    with a  public username/password  that must  never be  changed for
    the application to function.  The username/password is APPLYSYSPUB
    and  the  password  is  PUB  (this  is  openly  documented).  This
    database account  is able  to find  the APPS  schema and encrypted
    password in  the database.   It then  unencrypts the  password and
    uses it to connect  to the database.   It has always done  this in
    order to function, however, for some reason, this release  creates
    what appears to be a debug file on the local hard drive and stores
    this information in PLAIN TEXT!

    Since release 11 (we believe)  all access to the database  for the
    financial applications is done by the APPS schema.  Thus, the APPS
    schema has full control of all the tables within the database!

Solution

    The  debug  version  of  FNDPUB11I.DLL  has  been  replaced with a
    production  version.   In  addition,  a  patch  is  available that
    introduces  an  enhanced  security  feature,  Application   Server
    Security,  to  prevent  the  debug  DLL  from  connecting  to  the
    database.   The complete  solution to  this vulnerability requires
    both replacement of  the debug version  DLL and implementation  of
    the  Application  Server  Security  patch.   The  patches for this
    vulnerability can be downloaded from the Oracle Worldwide  Support
    Services web site,  Metalink (http://metalink.oracle.com).   Press
    the "Patches" button to get to the Patch Download page.  Click  on
    the link labeled "Click Here for ALL Product Patches".  Enter  the
    patch number, select a platform,  then press Submit to access  the
    correct patch for your platform.

    To obtain  the full  Application Server  Security patch,  download
    patch 1779336. The patch includes:
    - Application Server Security feature
    - Trusted implementations of middle-tier connection code

    If you do not wish to upgrade your middle-tier application servers
    at  this  time,  a  database-only  version  for  the patch is also
    available as Patch Number 1785034.   This patch contains only  the
    Application  Server  Security  feature.   As  a result of applying
    this  patch,  application  servers  with  old connection code will
    need to be  registered as trusted  servers before they  can access
    the database.  See the README.TXT files associated with the  patch
    for further instructions.

    Apply  the  Application  Server  Security  patch  and  turn server
    security 'ON'.  The old versions of ADI will no longer be able  to
    connect.   New  versions  of  ADI  are  available  which contain a
    trusted implementation  of the  FNDPUB11I.DLL connection  code.  A
    new  version  of  ADI  will  be  required to connect to a database
    which has Application Server Security enabled.  Obtain the correct
    ADI patch for your current version:

        ADI Version           Patch
        -----------           -----
        7.0                   1775480
        7.1.2                 1775479
        7.1.3                 1775476

    After  turning  on  Application  Server  Security,  it is strongly
    recommended that the APPS schema password be changed.

    The server patch is necessary and with the server security feature
    turned  fully  on,  you  would  also  need  to  supply  a pass-key
    associated with the machine from which you were attempting to make
    the connection.  This is intended to prevent access by compromised
    code or malicious DLLs.   Supported Oracle customers should go  to
    Metalink for more details and patch availability.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH