Wednesday, 18 August 2010

Oracle Default Accounts

In order to create a sensible plan to deal with default accounts, it’s important to understand what each account is there for. This key first step will form the basis of the security plan for default accounts, identifying those accounts that are not needed and can be removed from the database. The following list covers Oracle9i and 10g, presenting the account name, default password, versions affected, and a description of the account’s function.


Account: ADAMS
Default password: WOOD
Password hash: 72CDEF4A3483F60D
Versions affected: 9i, 9iR2
Description: ADAMS is a sample schema owner and training account. It should always be removed in a production environment.

Account: ANONYMOUS
Default password: ANONYMOUS
Password hash: FE0E8CE7C92504E9
Versions affected: 10g
Description: ANONYMOUS is used to provide (you guessed it) anonymous access to an Oracle XML DB repository via Hypertext Transfer Protocol (HTTP). It’s almost always a really bad idea to offer anonymous access. Oracle’s documentation points out the security risks of enabling this account. If you are not granting anonymous access to XML DB, this account should be removed from the system.

Account: AURORA$JIS$UTILITY$
Default password: N/A (This account gets a randomly generated password)
Password hash: N/A
Versions affected: 9i
Description: JSERV account used by CORBA tools and Enterprise Java Beans.
CORBA (ORB) is a standard for communication between objects in a distributed computing system. This account is created during the install of the Oracle Servlet Engine. Changing the password for this account is not allowed. However, if you are not using the Oracle Java Virtual Machine (JVM) or CORBA, this account should be removed.

Account: AURORA$ORB$UNAUTHENTICATED
Default password: N/A (This account gets a randomly generated password)
Password hash: N/A
Versions affected: 9i
Description: JSERV account used by CORBA tools and Enterprise Java Beans.
CORBA (ORB) is a standard for communication between objects in a distributed computing system. This account is created during the install of the Oracle Servlet Engine. Changing the password for this account is not allowed. However, if you are not using the Oracle JVM or CORBA, this account should be removed.

Account: BLAKE
Default password: PAPER
Password hash: 9435F2E60569158E
Versions affected: 9i
Description: BLAKE is a training account. It should always be removed in a production environment.

Account: CLARK
Default password: CLOTH
Password hash: 7AAFE7D01511D73F
Versions affected: 9i
Description: CLARK is a training account. It should always be removed in a production environment.

Account: CTXSYS
Default password: CTXSYS or CHANGE_ON_INSTALL
Password hash: 24ABAB8B06281B4C or 71E687F036AD56E5
Versions affected: All
Description: CTXSYS supports the Oracle Text component of the interMedia (formerly ConText) Option. The interMedia feature allows the database to manage content (such as documents, audio, and video) in the same manner as it manages regular business data. This is a cool feature of Oracle, as it allows for indexing and searching of various document types, performing Structured Query Language (SQL) queries against documents, and streaming audio, video, or images on the Web. CTXSYS is a highly privileged user with DBA level access. If you have no need for the interMedia option, the account can be removed. Otherwise, be sure to set a strong password and potentially lock the account.

Account: DBSNMP
Default password: DBSNMP
Password hash: E066D214D5421CCC
Versions affected: All
Description: DBSNMP is the account used to run the Oracle Intelligent Agent (OIA), which is the database resident component that allows the database to be managed by Oracle Enterprise Manager (OEM). OIA, and therefore DBSNMP, is used to discover databases that can be managed by OEM, monitor events on behalf of OEM, and execute tasks related to jobs submitted to OEM. DBSNMP is not a DBA, but has powerful permissions and can be used to become SYSDBA. Since OEM is widely used to manage Oracle databases, removing the OIA is probably not an option, but that doesn’t mean that you need to keep DBSNMP. OEM allows you to specify both the username and password for the OIA account in the file snmp_rw.ora. Make sure you take advantage of this and at least set a strong password for this account.

Account: DIP
Default password: DIP
Password hash: CE4A36B8E06CA59C
Versions affected: 10g, 10gR2
Description: DIP is used by the Oracle Internet Directory (OID) and the associated Directory Integration Platform. OID is a Lightweight Directory Access Protocol (LDAP) v3 directory running on top of an Oracle database. DIP facilitates integration and synchronization of OID with other directories, allowing organizations to create a single directory system that provides access to resources across the enterprise. Oracle has chosen OID to replace Oracle Names as the product of choice for storage of database service names. If you are not using OID, the DIP account can be removed.

Account: DMSYS
Default password: DMSYS
Password hash: BFBA5A553FD9E28A
Versions affected: 10g, 10gR2
Description: DMSYS is the account used to run Oracle Data Mining (ODM). ODM is Oracle’s solution for performing deep, detailed analysis on massive amounts of data in order to find patterns and gain new insights. Businesses use ODM for several purposes, including profiling customers, detecting fraud, and using historical data to predict future business trends. Oracle is a leader in the data mining market; however, data mining is not for everyone and certainly not for every Oracle database. If you aren’t going to use ODM, you should remove the powerful DMSYS account.

Account: EXFSYS
Default password: EXFSYS
Password hash: 66F4EF5650C20355
Versions affected: 10g, 10gR2
Description: EXFSYS is used for Expression Filters, a new feature introduced in Oracle10g. Expression Filters allow you to define and store what amounts to a set of WHERE clauses that evaluate data as it is input into the database. The Expression Filters can then alert you when data that match their evaluation criteria become available. While this feature is extremely useful, it is quite new and not very widely used. If you do not plan to use Expression Filters, you can remove the EXFSYS account.

Account: JONES
Default password: STEEL
Password hash: B9E99443032F059D
Versions affected: 9i
Description: JONES is a training account. It should always be removed in a production environment.

Account: HR
Default password: HR or CHANGE_ON_INSTALL
Password hash: 4C6D73C3E8B0F0DA or 6399F3B38EDF3288
Versions affected: All
Description: Human Resources sample schema owner. HR is a training account. It should always be removed in a production environment.

Account: LBACSYS
Default password: LBACSYS
Password hash: AC9700FD3F1410EB
Versions affected: All
Description: LBACSYS is the account used to manage Oracle Label Security (OLS). The account is created when OLS is installed and acts as the administrator for the OLS system. If you are not using Label Security, there is no need for the LBACSYS account and it should be removed.

Account: MDDATA
Default password: MDDATA
Password hash: DF02A496267DEE66
Versions affected: 10g, 10gR2
Description: The MDDATA account is used by the Oracle Spatial Option, which provides location-based services to applications running on Oracle databases. Oracle Spatial is typically used in applications designed for wireless, online, and in-vehicle deployments. The MDDATA schema is used specifically for the Geocoder (computes latitude/longitude coordinates for a given address) and the Router (generates routes such as driving directions between two locations). If you are not using the Oracle Spatial Option, MDDATA should be removed.

Account: MDSYS
Default password: MDSYS
Password hash: 72979A94BAD2AF80
Versions affected: All
Description: MDSYS is the Oracle Spatial Option administrator account. This is a powerful account, with an access level roughly equivalent to that of a DBA. There are several attacks out there that target packages owned by MDSYS. It is critical to remove this account if you are not using Oracle Spatial. Otherwise, make sure you set a strong password for MDSYS and keep your database patches up-to-date.

Account: ODM
Default password: ODM
Password hash: C252E8FA117AF049
Versions affected: 9iR2, 10g, 10gR2
Description: The ODM account and schema is used by Oracle Data Mining (see DMSYS for an explanation of Oracle Data Mining). Remove this account if you are not using ODM. Otherwise, be sure to set a strong password.

Account: ODM_MTR
Default password: MTRPW
Password hash: A7A32CD03D3CE8D5
Versions affected: 9iR2, 10g, 10gR2
Description: The ODM_MTR schema is used to store sample data for Oracle Data Mining (see DMSYS for an explanation of Oracle Data Mining). ODM_MTR is the least powerful of the ODM accounts; however, it has been granted some roles and permissions that would be extremely useful to an attacker. This account should be removed in a production system.

Account: OE
Default password: OE or CHANGE_ON_INSTALL
Password hash: D1A2DFC623FDA40A or 9C30855E7E0CB02D
Versions affected: All
Description: Order Entry (OE) sample schema owner. OE is a training account. It should always be removed in a production environment.

Account: OLAPDBA
Default password: OLAPDBA
Password hash: 1AF71599EDACFB00
Versions affected: 9i
Description: The OLAPDBA account is one of several accounts used by Oracle OnLine Analytical Processing (OLAP). OLAP services provide fast analysis of multidimensional information, primarily used in creating financial reports, budgeting, and business forecasting. OLAPDBA is the administrator account for OLAP services. If you are not using OLAP, the account can be removed. Otherwise, assign OLAPDBA a strong password, then configure OLAP services to use the new password using the OLAP Instance Manager tool.

Account: OLAPSVR
Default password: OLAPSVR or INSTANCE
Password hash: 3B3F6DB781927D0F or AF52CFD036E8F425
Versions affected: 9i
Description: The OLAPSVR account is used by Oracle OLAP Services. OLAPSVR is used as a proxy account for OLAP. If you are using OLAP, assign a strong password to OLAPSVR and then input that password into the OLAP Instance Manager tool. Be sure to restart the instance of OLAP services after changing the password.

Account: OLAPSYS
Default password: OLAPSYS or MANAGER
Password hash: C1510E7AC8F0D90D or 3FB8EF9DB538647C
Versions affected: All
Description: The OLAPSYS account is used by Oracle OLAP Services. OLAPSYS owns the schema that holds the OLAP catalog, a collection of metadata that manages OLAP constructs such as dimensions, measures, cubes, levels, and hierarchies. Several significant vulnerabilities have been discovered in packages owned by OLAPSYS. If you are not using OLAP Services, you should remove OLAPSYS. Otherwise, be sure to configure a strong password for the account.

Account: ORDPLUGINS
Default password: ORDPLUGINS
Password hash: 88A2B2C183431F00
Versions affected: All
Description: The ORDPLUGINS account is a component of interMedia. ORDPLUGINS owns the schema used to install both Oracle and third-party plug-ins used to extend the functionality of interMedia to support new data types, new data sources, and processing of audio or video data. The ORDPLUGINS schema is required for proper operation of interMedia, so it should not be removed independently of other interMedia components. If you’re not using interMedia, remove ORDPLUGINS. Otherwise, be sure to configure a strong password for the account, as ORDPLUGINS is highly privileged.

Account: ORDSYS
Default password: ORDSYS
Password hash: 7EFA02EC7EA6B86F
Versions affected: All
Description: The ORDSYS account is the administrator for interMedia and owns the schema that holds all code and default data for the interMedia option. Oracle Time Series (used to timestamp a set of data) is also installed in the ORDSYS schema. ORDSYS has some powerful permissions, including the ability to run commands on the database host operating system (OS) using external libraries. There have also been a number of vulnerabilities discovered in the ORDSYS schema, including susceptibility to Denial of Service (DoS) attacks that can bring the database to a grinding halt. Be sure to set a strong password for ORDSYS if you are using interMedia. Otherwise, remove the account from the database.

Account: OSE$HTTP$ADMIN
Default password: N/A (This account gets a randomly generated password)
Password hash: N/A
Versions affected: 9i
Description: The account OSE$HTTP$ADMIN is used to run the Oracle Servlet Engine for Enterprise Java Beans and CORBA tools. Changing the password for this account is not allowed. However, if you are not using the Oracle JVM or CORBA, this account should be removed.

Account: OUTLN
Default password: OUTLN
Password hash: 4A3BA55E08595C81
Versions affected: All
Description: The account OUTLN is used to support Oracle’s Plan Stability feature. OUTLN owns the schema used to store and manage outlines, essentially query execution plans that ensure SQL queries will be run the same way regardless of changes to the data in or the structure of the target tables, changes in system configuration, or even use of different optimizers. The OUTLN account is a DBA, so it is critical to protect this account with a strong password. If you are not using Plan Stability, OUTLN should be removed.

Account: PM
Default password: PM
Password hash: C7A235E6D2AF6018
Versions affected: All
Description: Product Media (PM) sample schema owner. PM is a training account. It should always be removed in a production environment.

Account: QS
Default password: QS
Password hash: 4603BCD2744BDE4F
Versions affected: All
Description: Queued Shipping (QS) sample schema owner. QS is a training account. Several other training accounts exist to support the Queued Shipping sample: QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS. Each of these supporting accounts has a default password that is the same as its username. Every one of the QS accounts should be removed in a production environment.

Account: RMAN
Default password: RMAN
Password hash: E7B5D92911C831E1
Versions affected: 10g, 10gR2
Description: The account RMAN is used by the Oracle Recovery Manager, the tool Oracle recommends for backing up and recovering Oracle databases. We recommend it as well, particularly if you enable the encrypted backup option in 10gR2. The RMAN account is used to collect the backup data and ship it off for storage; therefore, this account has access to data in the database and may be used to inappropriately modify data as it is being backed up. If you are using Recovery Manager, be sure to set a strong password for RMAN; otherwise, the account should be removed.

Account: SCOTT
Default password: TIGER
Password hash: F894844C34402B67
Versions affected: All
Description: The account SCOTT is one of the most well-known Oracle default accounts. SCOTT owns sample schemas that are often referenced in Oracle documentation. Despite SCOTT’s popularity, the account is for training purposes only and should always be removed in a production environment.

Account: SH
Default password: SH
Password hash: 54B253CBBAAA8C48
Versions affected: All
Description: Sales History sample schema owner. SH is a training account. It should always be removed in a production environment.

Account: SI_INFORMTN_SCHEMA
Default password: SI_INFORMTN_SCHEMA
Password hash: 84B8CBCA4D477FA3
Versions affected: 10g, 10gR2
Description: The account SI_INFORMTN_SCHEMA is used to support the Oracle interMedia Option. SI_INFORMTN_SCHEMA owns the schema that stores data for the SQL/MM Still Image Standard. This standard allows the database to do all sorts of interesting things with images using SQL, from image storage and retrieval to complex searches on visual aspects such as size, color, and texture. If you are not storing or processing images in your database, you should remove this account. If SI_INFORMTN_SCHEMA is in use, be sure to configure a strong password for the account.

Account: SYS
Default password: CHANGE_ON_INSTALL
Password hash: D4C5016086B2DC6A
Versions affected: All
Description: The most powerful account in the Oracle database, SYS owns the schema that holds the data dictionary. Objects owned by SYS are extremely sensitive and are not directly modifiable, as mistakes could easily lead to functional problems in the database. The SYS account is required for the proper operation of Oracle; it can never be removed or replaced. It is absolutely critical to set an extremely strong password for SYS immediately after installing the database (or during the install with 10g). Never, ever leave the SYS password set to CHANGE_ON_INSTALL on any Oracle database, production or not.

Account: SYSMAN
Default password: OEM_TEMP
Password hash: 639C32A115D2CA57
Versions affected: 10g, 10gR2
Description: The SYSMAN account is used to manage OEM. This is an extremely powerful account, as it has rights on any database managed by OEM. Make sure to set a strong password for SYSMAN when you install the database.

Account: SYSTEM
Default password: MANAGER
Password hash: D4DF7931AB130E37
Versions affected: All
Description: The SYSTEM account is another extremely powerful Oracle account, second only to SYS. SYSTEM is more than just a DBA, as the account owns and has access to internal tables and views that contain administrative data and are used by Oracle tools to manage and monitor the database. It is critical to ensure that the SYSTEM account has a strong password set immediately after installing the database (or during the install with 10g). Never run any Oracle database with the SYSTEM password set to MANAGER.

Account: TSMSYS
Default password: TSMSYS
Password hash: 3DF26A8B17D0F29F
Versions affected: 10gR2
Description: The account TSMSYS is used to perform Transparent Session Migration, a feature that supports grid computing. Transparent Session Migration migrates database sessions (essentially connections) from instance to instance in a manner that is completely transparent to the end user. This can be used to implement load balancing across the grid and can handle moving sessions off an instance that is about to be shut down. Not in a grid? TSMSYS should be removed.

Account: WK_TEST
Default password: WK_TEST
Password hash: 29802572EB547DBF
Versions affected: 10g, 10gR2
Description: The account WK_TEST is used by the Oracle Ultra Search feature. Ultra Search is a tool that Oracle provides with their database, application server, and collaboration suite that makes it simple to index and search databases, Web pages, files, and e-mail for text strings. Ultra Search is dependent on Oracle Text and on the CTXSYS schema. WK_TEST owns the schema used to host the default instance of Ultra Search (WK_INST). If you are not using Ultra Search, the WK_TEST account should be removed. Otherwise, configure a strong password for the account and then set that same password in the Ultra Search Administration Tool on the Edit Instance page.

Account: WKPROXY
Default password: WKPROXY or CHANGE_ON_INSTALL
Password hash: AA3CB2A4D9188DDB or B97545C4DD2ABE54
Versions affected: 9iR2, 10g, 10gR2
Description: The account WKPROXY is also used by the Oracle Ultra Search feature. Similar to the other Ultra Search accounts, WKPROXY should be configured with a strong password or removed entirely if you are not using Ultra Search.

Account: WKSYS
Default password: WKSYS or CHANGE_ON_INSTALL
Password hash: 545E13456B7DDEA0 or 69ED49EE1851900D
Versions affected: 9iR2, 10g, 10gR2
Description: The account WKSYS is the admin account for Oracle Ultra Search. WKSYS is an extremely powerful account that has been granted the DBA role along with several “ANY” system privileges. WKSYS owns many of the packages used to administer and run Ultra Search. If you are not using Ultra Search, the WKSYS account should be removed. Otherwise, be sure to give it a strong password after install.

Account: WMSYS
Default password: WMSYS
Password hash: 7C9BA362F8314299
Versions affected: 9iR2, 10g, 10gR2
Description: The WMSYS account owns the schema used to store metadata information for the Oracle Workspace Manager. Workspace Manager is a tool used to manage multiple versions of data within the same database. This feature is typically used to run queries against historical, current, and proposed future versions of data for various types of analysis. WMSYS is granted the powerful permission UNLIMITED TABLESPACE and has rights to execute functions known to be vulnerable to buffer overflow attacks that allow for arbitrary code execution on the database server. Be sure to remove this account if Workspace Manager is not in use. Otherwise, give the account a strong password after install.

Account: XDB
Default password: CHANGE_ON_INSTALL
Password hash: 88D8364765FCE6AF
Versions affected: 9iR2, 10g, 10gR2
Description: The XDB account is used to manage Oracle’s XML database (XDB). The XDB account is granted the built-in role RESOURCE. If you are not using XML DB, the account can be removed.
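An audit and cleanup of the accounts listed above, as an added example that is not part of the original post. It assumes a 9i/10g database, where DBA_USERS.PASSWORD still exposes the hash, and a SQL*Plus session as a DBA; DEFAULT_ACCOUNTS is a scratch table created here, the hashes are copied from the list above, and the quoted passwords are placeholders.

```sql
-- Added example, not from the original post. Assumes Oracle 9i/10g, where
-- DBA_USERS.PASSWORD holds the password hash, and a SQL*Plus session as a DBA.
-- DEFAULT_ACCOUNTS is a scratch table created here (not an Oracle object); the
-- username/hash pairs come from the list above. Extend it with the other entries.
CREATE GLOBAL TEMPORARY TABLE default_accounts (
    username VARCHAR2(30),
    hash     VARCHAR2(16)
) ON COMMIT PRESERVE ROWS;

INSERT INTO default_accounts VALUES ('SYS',    'D4C5016086B2DC6A');
INSERT INTO default_accounts VALUES ('SYSTEM', 'D4DF7931AB130E37');
INSERT INTO default_accounts VALUES ('DBSNMP', 'E066D214D5421CCC');
INSERT INTO default_accounts VALUES ('SCOTT',  'F894844C34402B67');
INSERT INTO default_accounts VALUES ('OUTLN',  '4A3BA55E08595C81');
INSERT INTO default_accounts VALUES ('MDSYS',  '72979A94BAD2AF80');
INSERT INTO default_accounts VALUES ('CTXSYS', '24ABAB8B06281B4C');  -- password CTXSYS
INSERT INTO default_accounts VALUES ('CTXSYS', '71E687F036AD56E5');  -- CHANGE_ON_INSTALL
INSERT INTO default_accounts VALUES ('WKSYS',  '545E13456B7DDEA0');  -- password WKSYS
INSERT INTO default_accounts VALUES ('WKSYS',  '69ED49EE1851900D');  -- CHANGE_ON_INSTALL
COMMIT;

-- 1. Report: each listed account that exists, its lock/expiry status, and
--    whether its stored hash still matches a default. A row showing
--    DEFAULT PASSWORD with status OPEN is reachable with a published credential.
SELECT u.username,
       u.account_status,
       CASE WHEN EXISTS (SELECT 1
                           FROM default_accounts d
                          WHERE d.username = u.username
                            AND d.hash     = u.password)
            THEN 'DEFAULT PASSWORD' ELSE 'changed' END AS pw_state
  FROM dba_users u
 WHERE u.username IN (SELECT username FROM default_accounts)
 ORDER BY pw_state, u.username;

-- 2. Sample and training schemas have no place in production: drop them
--    together with everything they own.
DROP USER scott CASCADE;
DROP USER hr    CASCADE;
DROP USER oe    CASCADE;

-- 3. Accounts that belong to an option you keep installed: set a strong password
--    and lock them until the option is actually in use ("<strong-password>" is a
--    placeholder; use a distinct, long, random value per account).
ALTER USER ctxsys IDENTIFIED BY "<strong-password>" ACCOUNT LOCK;
ALTER USER mdsys  IDENTIFIED BY "<strong-password>" ACCOUNT LOCK;

-- 4. Accounts that must stay open (SYS, SYSTEM, and DBSNMP when the Intelligent
--    Agent uses it): rotate the password only. The agent's copy of the DBSNMP
--    password then goes into snmp_rw.ora, as described in the DBSNMP entry.
ALTER USER sys    IDENTIFIED BY "<strong-password>";
ALTER USER system IDENTIFIED BY "<strong-password>";
ALTER USER dbsnmp IDENTIFIED BY "<strong-password>";

-- 5. Re-check: after the changes this query should return no rows.
SELECT u.username, u.account_status
  FROM dba_users u
  JOIN default_accounts d ON d.username = u.username AND d.hash = u.password;
```

Because the hash in 9i/10g depends on the username as well as the password, only a lookup keyed on both columns identifies a default credential; the same table can be re-run on a schedule to catch accounts that are recreated by a patch or option install.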


DBSNMP Account
No matter where we find ourselves, if we are looking at an Oracle database, the chances are extraordinarily high that we will find the DBSNMP account enabled with its default password in place. It is astounding how few systems have actually secured this extremely powerful account. Leaving DBSNMP in place with its default password creates an enormous hole in the security of a database, regardless of how many firewalls protect it from the Internet. The trend of leaving DBSNMP in place may be surprising from a security perspective, but from an operations perspective, it’s the easiest way to ensure an Oracle database can be managed by Oracle Enterprise Manager (OEM).

If you were a database hacker, you would know about this already. Accessing databases for nefarious purposes by exploiting the default password for DBSNMP is commonplace. DBSNMP has powerful permissions in Oracle; by default, the account has rights to select from many data dictionary tables and views. In a nutshell, if an attacker can get access via DBSNMP, they can collect the information they need to assume the role of SYSDBA and take ownership of your database and every bit of data inside it.

What many DBAs do not realize is that they can fix the problem with DBSNMP without affecting OEM’s ability to monitor and manage the database. Within the configuration files for OEM, there are entries where a username and password can be specified to run the database Simple Network Management Protocol (SNMP) system. It’s simple. First, change the username and password of DBSNMP in the database. Next, make the corresponding changes in the snmp_rw.ora (typically located in the directory /var/opt/oracle, or $ORACLE_HOME/network/admin) for each {SID} that you want the agent to connect to. Set the following lines:
snmp.connect.{SID}.NAME = dbsnmp (or new account name)
snmp.connect.{SID}.PASSWORD = {new password}

Locking down the DBSNMP account is a critical step in securing your Oracle database. DBSNMP is considered low-hanging fruit by the hacker community, as it is often left unsecured. Take the time to modify your configuration to ensure that your database does not fall victim to attack by one of the most powerful and most well-known default accounts out there.


2 comments:

  1. Extremely helpful information. I really want such knowledge. I am glad that I found this information

  2. Hi! I am a digital marketer. The previous SEO guy working for my client has left a spammy comment at your blog with the username Soledad Knight which links to my client's site.
    Such comments are causing serious damage to my client's site with respect to SEO, which is why I am requesting you hereby to remove it ASAP.
    If you don't remove it by 11:59 pm, Pacific Standard Time, 3rd January 2014, we will have to use Google's Disavow Tool to get the back-link removed and, sorry to say this, but Google may not look too nicely upon you either for not having removed the comment.
    Thanks in advance for your cooperation.
