petefinnigan
9th November 2004, 21:54
I have just added a new free tool to my web site that will test your database for known default users and more importantly for known default passwords. The tool is a set of PL/SQL scripts that loads a list of 474 known default users to a table. A package procedure is then used to loop through all of the databases users to test if they are default and have known passwords.

The list of passwords and users is supplied in a spreadsheet that includes details of what most of the users are used for as well as a severity rating for them. This is probably the biggest list of default users available on the net.

The scripts were written by Marcel-Jan Krijgsman and are available from http://www.petefinnigan.com/default/default_password_checker.htm

Kind regards

Pete
--
Pete Finnigan (email:pete@petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
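As an added illustration of the audit the post describes (not the petefinnigan.com scripts themselves, which run as PL/SQL inside the database), the model below loads a small constructed "known default users" table, loops over a constructed stand-in for DBA_USERS, and flags accounts whose stored password hash still matches the shipped default. The hash function is a labelled stand-in: a real check must reproduce the database's own algorithm, which is one reason the original tool compares hashes from inside the database instead of attempting logins. The sample accounts, passwords, severities and purposes are illustrative entries, not the spreadsheet shipped with the tool.

```python
"""Model of a default-account / default-password audit.

Added example: not the petefinnigan.com scripts.  The real checker is PL/SQL
that compares Oracle's own password hashes; this version models the same
logic with a stand-in hash so it runs offline.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample of a "known default users" table:
# (username, default password, what the account is for, severity rating).
KNOWN_DEFAULTS = [
    ("SYS", "CHANGE_ON_INSTALL", "data dictionary owner", "CRITICAL"),
    ("SYSTEM", "MANAGER", "administrative schema", "CRITICAL"),
    ("SCOTT", "TIGER", "demo schema", "HIGH"),
    ("OUTLN", "OUTLN", "stored outlines", "MEDIUM"),
    ("DBSNMP", "DBSNMP", "agent account", "HIGH"),
]


def hash_password(username: str, password: str) -> str:
    """Stand-in for the database's password hash (assumption: NOT Oracle's
    real algorithm).  Oracle salts its hash with the username, so the
    candidate hash has to be computed per account, which this mirrors."""
    return hashlib.sha256((username.upper() + password.upper()).encode()).hexdigest()


# Constructed stand-in for a dump of DBA_USERS:
# (username, account_status, stored password hash).
DBA_USERS = [
    ("SYS", "OPEN", hash_password("SYS", "a-changed-secret")),
    ("SYSTEM", "OPEN", hash_password("SYSTEM", "MANAGER")),
    ("SCOTT", "LOCKED", hash_password("SCOTT", "TIGER")),
    ("OUTLN", "OPEN", hash_password("OUTLN", "OUTLN")),
    ("APPUSER", "OPEN", hash_password("APPUSER", "whatever")),
]


@dataclass
class Finding:
    username: str
    severity: str
    purpose: str
    account_status: str
    default_password: bool


def audit(users, defaults):
    """Loop over every database user, as the package procedure does, and
    report those that appear in the default list, marking the ones whose
    stored hash still equals the hash of the shipped default password."""
    by_name = {u.upper(): (pwd, purpose, sev) for u, pwd, purpose, sev in defaults}
    findings = []
    for username, status, stored_hash in users:
        entry = by_name.get(username.upper())
        if entry is None:
            continue  # not a known default account, nothing to check
        pwd, purpose, sev = entry
        findings.append(Finding(username, sev, purpose, status,
                                stored_hash == hash_password(username, pwd)))
    return findings


def summarise(findings):
    """Order the report: default password first, then open before locked,
    then by severity, so the items needing action come out on top."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: (not f.default_password,
                                           f.account_status != "OPEN",
                                           order.get(f.severity, 9)))


if __name__ == "__main__":
    for f in summarise(audit(DBA_USERS, KNOWN_DEFAULTS)):
        flag = "DEFAULT PASSWORD" if f.default_password else "password changed"
        print(f"{f.username:<10} {f.account_status:<8} {f.severity:<8} {flag} ({f.purpose})")
```

Accounts that exist but whose password has been changed are still listed, since a default account with a changed password is often still worth locking or dropping; the report simply puts them after the ones that are open and unchanged.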

Francesco
21st November 2004, 18:51
http://www.enterpriseappspipeline.com/showArticle.jhtml?articleId=52601412

petefinnigan
22nd November 2004, 00:09
Hi Francesco

Thanks for your reply to my post. I have looked at the article you mention; this is the recent Gartner report into the state of Oracle's (then) monthly patch release cycle, which was announced and started at the end of August. The next monthly patch failed to materialise. Lots of customers are complaining about the patch, the time needed to apply, the lack of information etc.

The thrust of the Gartner report is that Oracle did not give clients enough information to assess the risk involved with the bugs fixed in the now infamous security patch 68. A lot of clients run out of date versions of Oracle and there are no patches available BUT what was worse was that there is no information as to how vulnerable these versions are. Even for supported versions the amount of information given out is not sufficient to know what the problems are to assess whether you are at risk. This is Oracle's policy to not reveal what was found and what was fixed.

The Gartner report gives some suggestions to customers at the end of it. I won't repeat them here - link at the end. :-)

At the end of last week Oracle finally announced a new security bug fixing schedule that is now to be quarterly on fixed dates in the year starting on Jan 18 2005. This should allow for some preparation by customers but I fear we will still not know what the bugs actually are and what is fixed.

I should state that I don't think Oracle should reveal enough for hackers to write exploit code but should at least give information to customers to know which functions / features are affected.

OK, some links. The infamous alert 68 is covered by an Oracle advisory which has links to researchers' advisories - those who found the security bugs - including me. There are links to this on my alerts page http://www.petefinnigan.com/alerts.htm

I have talked about this in my Oracle security weblog and linked to various news articles about the issues and complaints with alert 68, the Gartner report and the new quarterly patch schedule.

There are links to all of these articles in my web log index that you can find here - http://www.petefinnigan.com/weblog/archives/ - you can spot the relevant articles by their titles.

Kind regards

Pete