SecurityTracker.com
Category:   Application (Database)  >   Oracle Application Desktop Integrator
Vendors:   Oracle
Oracle's Application Desktop Integrator that Ships with Oracle's Financial Applications Gives Local Users Access to Database Passwords
SecurityTracker Alert ID:  1001484
SecurityTracker URL:  http://securitytracker.com/id/1001484
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 7 2001
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): ADI v7.1.1.10.1 that ships with Oracle's Financial Applications version 11.5.3
Description:   It is reported that a specific version of Oracle's Application Desktop Integrator that ships with Oracle's Financial Applications contains a security vulnerability that allows local users to obtain database passwords.

It is reported that when the software is launched, it creates a file called dbg.txt on the host's local hard drive that contains the usernames and passwords for both the application user and the APPS schema in plain text.

It is reported that all access to the database for the financial applications is performed using the APPS schema. As a result, the APPS schema has full control of all the tables within the database.

The problem is apparently related to code in fndpub11i.dll that was delivered with the 7.1.1.10.1 version.

The vendor has reportedly been notified.

Impact:   A local user can obtain usernames and passwords for the application user and the APPS schema. With the password for the APPS schema, the user can obtain full control of the database tables.
Solution:   No vendor solution was available at the time of this entry.
Vendor URL:  www.oracle.com/
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Releases Fix) Re: Oracle's Application Desktop Integrator that Ships with Oracle's Financial Applications Gives Local Users Access to Database Passwords
The vendor has provided a fix.



Source Message Contents

Subject:  Oracle's ADI 7.1.1.10.1 Major security hole


The version of ADI (Application Desktop Integrator) 7.1.1.10.1 which was
recently shipped with Oracle's Financial Applications version 11.5.3
contains a major security breach.

Whenever the software is launched, it creates a file called dbg.txt on the
local hard drive on the system which contains in PLAIN TEXT the usernames
and passwords for both the application user and the APPS schema!

To explain further:
The software runs on Windows systems and uses the net8 client to talk to
the database; however, users log on with their application ID and password,
not directly to the database.

In order for this to work, the application goes to the database with a
public username/password that must never be changed for the application to
function. The username is APPLYSYSPUB and the password is PUB
(this is openly documented). This database account is able to find the
APPS schema and encrypted password in the database. It then decrypts the
password and uses it to connect to the database. It has always done this
in order to function, however, for some reason, this release creates what
appears to be a debug file on the local hard drive and stores this
information in PLAIN TEXT!

Since release 11 (I believe) all access to the database for the financial
applications is done by the APPS schema. Thus, the APPS schema has full
control of all the tables within the database!

I have opened a technical assistance request with Oracle and they are
working on a fix. It is apparently some code that is in the fndpub11i.dll
that was delivered with the 7.1.1.10.1 version. They suggest we get an
earlier release and use the fndpub11i.dll from that version or wait for
the newer release which should be out soon.

So, if you use ADI, or have locations where users have a net8 client
connection to your financials database, do NOT install the 7.1.1.10.1
version! Also be aware that if your users have access to Metalink, the
offending version is still available for download!

--
Melanie Abbas
Oracle Application Administrator - ITS
University of Northern Iowa
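An added audit helper for the dbg.txt leak described in the advisory and in the message above. This is example code written here, not Oracle's code and not from the message author; because the advisory does not document the layout of dbg.txt, the key=value / key: value line format it parses is an assumption, and the sample file content is constructed.

```python
"""Audit helper for the ADI 7.1.1.10.1 dbg.txt leak (added example, not
Oracle's code). The advisory does not document the file's layout, so the
'key=value' / 'key: value' line format below is an assumption."""
import os
import re

# Hypothetical line patterns for the username and password entries.
USER_RE = re.compile(r"^\s*(?:user(?:name)?|schema)\s*[:=]\s*(\S+)", re.I)
PASS_RE = re.compile(r"^\s*(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)", re.I)
# APPLYSYSPUB/PUB is openly documented, so it is not a secret by itself;
# the APPS schema password is what gives full control of the tables.
PUBLIC_ACCOUNTS = {"APPLYSYSPUB"}

def severity_for(account: str) -> str:
    if account in PUBLIC_ACCOUNTS:
        return "info"
    return "critical" if account == "APPS" else "high"

def audit_dbg_text(text: str) -> list:
    """Return one finding per account whose password appears in the text."""
    findings, current = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USER_RE.match(line)
        if m:
            current = m.group(1).upper()  # remember the user for the next password line
            continue
        m = PASS_RE.match(line)
        if m and current:
            findings.append({"line": lineno, "account": current,
                             "severity": severity_for(current)})
            current = None
    return findings

def scan_tree(root: str, name: str = "dbg.txt") -> dict:
    """Walk root for dbg.txt files and audit each; returns {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name:
                path = os.path.join(dirpath, fn)
                with open(path, "r", errors="replace") as fh:
                    results[path] = audit_dbg_text(fh.read())
    return results

# Constructed sample in the assumed format; not real ADI output.
SAMPLE = """Connecting via net8
username=APPLYSYSPUB
password=PUB
username=jdoe
password=Winter2001
schema=APPS
password=not-a-real-password
"""
```

Run scan_tree against the ADI installation directory on each workstation; any "critical" finding means the APPS password has been written to disk and that host's copy of ADI should be rolled back to the earlier fndpub11i.dll as the message suggests.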


Copyright 2021, SecurityGlobal.net LLC