Wednesday, March 3, 2010

JAZN Security - Hacked

I guess pretty much everybody in the Oracle community knows that Oracle supports indirect passwords (for data-sources.xml) via its file-based security system (Jazn). All the container passwords, e.g. oc4jadmin and bpeladmin, are also stored in Jazn. The file is $ORACLE_HOME/j2ee/<<container_name>>/config/system-jazn-data.xml

There are multiple ways to implement an indirect password, and you can go through http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/deploysimple.htm#BABCCIFH if you are using it for the first time.
- You can use EM to set up an indirect password
- You can change data-sources.xml and put ! in front of the password.
- You can put "->USERNAME" and create that USERNAME in Jazn with an indirect password using EM

Anyway, back to the main problem: passwords are stored in encrypted form in system-jazn-data.xml, so that people who have access to the file system would not know the clear-text password. The encryption algorithm used is far too weak and is easy to break. I would avoid putting the solution on my blog, just to avoid encouraging hacking.

I would assume the person who wrote the encryption algorithm for Jazn was either too lazy or didn't want to implement it correctly, because I believe an average Java programmer can decrypt system-jazn-data.xml in less than 30 minutes.
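A defensive check that follows from the points above, added here as an example and not code from the original post: because read access to system-jazn-data.xml has to be treated as access to the passwords in it, this Python script flags a Jazn store that group or other users can reach, and lists which `password` attributes in data-sources.xml use the `->USERNAME` indirect form. The sample XML, its element names and the account names are constructed for illustration; the script relies only on an attribute named `password`.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; element and account names are assumptions, not from the post.
SAMPLE = """<data-sources>
  <connection-factory user="app" password="->app_ds"/>
  <connection-factory user="legacy" password="constructed-secret"/>
  <connection-factory user="batch" password="!constructed-secret"/>
</data-sources>"""

def classify_password(value):
    """Classify a password attribute value found in data-sources.xml."""
    if value.startswith("->"):
        return "indirect"        # "->USERNAME": looked up in Jazn, nothing secret here
    if value.startswith("!"):
        return "bang-prefixed"   # the literal still follows the marker in this file
    return "cleartext"

def audit_data_sources(path):
    """Return (tag, user, kind) for every element that carries a password attribute."""
    findings = []
    for elem in ET.parse(path).iter():
        pw = elem.get("password")
        if pw is not None:
            findings.append((elem.tag, elem.get("user", "?"), classify_password(pw)))
    return findings

def jazn_file_exposed(path):
    """True if group or other users hold any permission bit on the file (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def demo():
    """Run both checks against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        ds = os.path.join(d, "data-sources.xml")
        jazn = os.path.join(d, "system-jazn-data.xml")
        with open(ds, "w") as f:
            f.write(SAMPLE)
        open(jazn, "w").close()
        os.chmod(jazn, 0o644)              # readable by everyone: should be flagged
        before = jazn_file_exposed(jazn)
        os.chmod(jazn, 0o600)              # owner only: should pass
        return audit_data_sources(ds), before, jazn_file_exposed(jazn)

if __name__ == "__main__":
    print(demo())
```

On a real installation, point `audit_data_sources` and `jazn_file_exposed` at the files under $ORACLE_HOME/j2ee/<<container_name>>/config/ and run the script as the account that owns the container.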
