Killing Session With post_transaction Clause

Today I would like to talk about the option of disconnecting a session with the POST_TRANSACTION clause. It works much like the SHUTDOWN TRANSACTIONAL that the database offers: instead of terminating the session at once, you wait for the session's current transaction to finish its work.

  • The POST_TRANSACTION setting allows ongoing transactions to complete before the session is disconnected.
  • If the session has no ongoing transactions, then this clause has the same effect described for KILL SESSION.

An example would be the following (sid and serial# identify the session and are taken from V$SESSION):

ALTER SYSTEM DISCONNECT SESSION 'sid,serial#' POST_TRANSACTION;
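As an added example (not code from the original post), the following Python script builds these statements for every session of a given user from a V$SESSION-style list. It assumes a constructed list of session rows in place of the real query, and that the statements are executed afterwards through an OCI client such as python-oracledb. The point it adds is that the 'sid,serial#' argument is a string literal that cannot be bound, so numbers coming from a ticket, a CSV or a form must be validated before being spliced into the statement.

```python
"""Build ALTER SYSTEM DISCONNECT SESSION statements from V$SESSION rows.

Added example, not code from the original post.  The 'sid,serial#'
argument of ALTER SYSTEM is a string literal, not a bind variable, so a
script that takes those numbers from outside has to validate them before
splicing them into the statement.  The session rows below are constructed
sample data standing in for:
    SELECT sid, serial#, username, type FROM v$session
"""
from typing import Dict, Iterable, List, Optional

MODES = ("POST_TRANSACTION", "IMMEDIATE")


def is_session_id(value) -> bool:
    """True only for a plain non-negative int (bool is a subclass of int, so reject it)."""
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def build_disconnect(sid: int, serial: int, mode: str = "POST_TRANSACTION") -> str:
    """Return one ALTER SYSTEM DISCONNECT SESSION statement.

    POST_TRANSACTION lets the session's current transaction finish first;
    IMMEDIATE tears the session down now and rolls the transaction back.
    Both the mode and the identifiers are whitelisted/validated rather
    than interpolated blindly into the string literal.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    if not (is_session_id(sid) and is_session_id(serial)):
        raise ValueError(f"sid and serial# must be non-negative integers, got {sid!r}, {serial!r}")
    return f"ALTER SYSTEM DISCONNECT SESSION '{sid},{serial}' {mode}"


def plan_disconnects(sessions: Iterable[Dict], username: str,
                     own_sid: Optional[int] = None,
                     mode: str = "POST_TRANSACTION") -> List[str]:
    """Statements for every USER session of `username`.

    Background processes (TYPE = 'BACKGROUND') are never touched, and the
    script's own session (own_sid) is skipped so you do not cut the
    connection you are issuing the statements from.
    """
    stmts: List[str] = []
    for row in sessions:
        if row.get("type") != "USER" or row.get("username") != username.upper():
            continue
        if own_sid is not None and row["sid"] == own_sid:
            continue
        stmts.append(build_disconnect(row["sid"], row["serial#"], mode))
    return stmts


# Constructed sample rows (not a real V$SESSION dump).
SAMPLE_SESSIONS = [
    {"sid": 2,   "serial#": 1,    "username": None,    "type": "BACKGROUND"},  # e.g. PMON
    {"sid": 153, "serial#": 4271, "username": "SCOTT", "type": "USER"},
    {"sid": 160, "serial#": 23,   "username": "SCOTT", "type": "USER"},
    {"sid": 201, "serial#": 7,    "username": "SYS",   "type": "USER"},        # the DBA's own session
]


if __name__ == "__main__":
    # Dry run: print the statements instead of executing them.
    for stmt in plan_disconnects(SAMPLE_SESSIONS, "scott", own_sid=201):
        print(stmt)
    # Execute with an OCI client, one statement per cursor.execute():
    #   for stmt in plan_disconnects(...): cursor.execute(stmt)
```

Each returned statement is run with its own cursor.execute(); ALTER SYSTEM takes no bind variables, which is exactly why the validation lives in build_disconnect. Remember also that DISCONNECT SESSION destroys the dedicated server process once the transaction has completed, whereas KILL SESSION only marks the session as killed.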

HTH – Antonio NAVARRO


Sniffing Password In SQL Server

A few days ago I talked about the risks of sending user passwords over the network without protecting them, in Oracle. Today we are going to see the demonstration for SQL Server.

From SSMS (in my case version 17.7, just installed) we run the following ALTER LOGIN against a SQL Server 2012:

alter login antonion with password = 'newpass'

Beforehand we have started a sniffer between the client and the server, in my case Microsoft Message Analyzer (Wireshark is another tool that I recommend; it is open source and free, as Microsoft's is). If we focus on the payload of the TCP frame:

[Screenshot: sniffer capture of the TCP payload carrying the ALTER LOGIN statement, with the new password readable]

As always, be careful about what is sent over the network, or encrypt the communication between client and server, either with a VPN or with Microsoft's native encryption (TLS on the SQL Server connection, which can be forced on the server side). The following URL points to the documentation for the 2008 R2 version:

Encrypting Connections to 2008 R2

HTH – Antonio NAVARRO


Released SQL Server Management Studio 17.7

Recently Microsoft released a new version of its SQL Server Management Studio (SSMS), specifically version 17.7. You can download it for free from the URL below. It must be recognized that Microsoft is constantly improving in the database field.

Download SSMS 17.7

If you have a previous 17.x version you can upgrade to 17.7 using the following link:

Upgrade SSMS from 17.x to 17.7

HTH – Antonio NAVARRO


New Versions But Old Vices

In today's post I want to talk about passwords in Oracle. Since very old versions it has been very easy to "catch" password changes with a sniffer. Oracle's recommendation, and the one given in many forums, is to use the PASSWORD command from SQL*Plus instead of executing ALTER USER. By now the client should be smarter, or at least offer the option to encrypt this type of SQL statement (ALTER USER ... IDENTIFIED BY), since the new password travels inside the statement text.

Let's see an example. We connect with the 18c client to a 12.1 RDBMS as user scott:

[Screenshot: SQL*Plus connection as scott]

Now we change the password with the ALTER USER command, as shown below:

SQL> alter user scott identified by scott1234;

Using a sniffer (in this test Microsoft Message Analyzer) we can see the payload of the TCP frame between my laptop and the server, with the statement and the new password in clear text:

[Screenshot: sniffer capture of the TCP payload with the ALTER USER statement and password readable]

Now using the PASSWORD command from SQL*Plus. Below is the TCP frame captured by the sniffer; here the password cannot be seen in clear:

[Screenshot: sniffer capture of the TCP payload for the PASSWORD command, with no readable password]

How to minimize the risk

– First of all, do not use "alter user ... identified by" to change passwords; use the PASSWORD command instead.
– Use encrypted communications between the client and the database server (Oracle native network encryption or a VPN). From what I see, in this version (18) Oracle still does not protect the client's memory areas, so encrypting the communication channel is partially undermined if someone has access to the memory of the client computer. Windows DPAPI already implements memory encryption in a fairly acceptable way via CryptProtectMemory / ProtectedMemory.
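The two sniffer posts (this one and "Sniffing Password In SQL Server" above) show the same weakness on two protocols. As an added example (not code from either post), the Python script below detects password-carrying statements in a captured TCP payload for both. It uses two constructed payloads standing in for the screenshots: an Oracle Net (TNS) data packet, where the statement travels as single-byte text, and a SQL Server TDS SQLBatch packet, where the batch text is UTF-16LE. The practical lesson it adds is that a byte-level grep for "identified by" or "with password" finds the Oracle case and silently misses the SQL Server one, so a detector has to decode per protocol before matching.

```python
"""Find SQL statements that carry a password in clear inside a captured
TCP payload.

Added example, not code from either post.  The payloads at the bottom are
constructed test data, not real captures: a TNS-looking data packet with
the Oracle statement embedded as plain text, a minimal TDS SQLBatch packet
with the SQL Server statement as UTF-16LE, and a payload with no SQL text
at all standing in for the SQL*Plus PASSWORD exchange.
"""
import re
from typing import List, Tuple

# Statements that embed the secret in the statement text itself.
CLEARTEXT_PATTERNS = [
    # Oracle: ALTER USER name IDENTIFIED BY password
    re.compile(r"\balter\s+user\s+(\w+)\s+identified\s+by\s+([^\s\x00;]+)", re.I),
    # SQL Server: ALTER/CREATE LOGIN name WITH PASSWORD = 'password'
    re.compile(r"\b(?:alter|create)\s+login\s+\[?(\w+)\]?\s+with\s+password\s*=\s*N?'([^']*)'", re.I),
]


def tds_sql_batch(sql: str) -> bytes:
    """Build a minimal TDS 7.2+ SQLBatch packet around sql (constructed data).

    Packet header: type 0x01 (SQLBatch), status 0x01 (end of message),
    length (2 bytes, big-endian), SPID, packet id, window.  The data section
    starts with ALL_HEADERS (total length + one 18-byte transaction
    descriptor header) followed by the batch text as UTF-16LE.
    """
    txn_header = ((18).to_bytes(4, "little") + (2).to_bytes(2, "little")
                  + bytes(8) + (1).to_bytes(4, "little"))
    all_headers = (4 + len(txn_header)).to_bytes(4, "little") + txn_header
    data = all_headers + sql.encode("utf-16-le")
    return bytes([0x01, 0x01]) + (8 + len(data)).to_bytes(2, "big") + bytes([0, 0, 1, 0]) + data


def decode_sql_text(payload: bytes) -> str:
    """Return the SQL text carried by one captured payload.

    Heuristic: a TDS SQLBatch packet starts with type byte 0x01; its data is
    UTF-16LE after the 8-byte header and the ALL_HEADERS block, whose total
    length is the first little-endian DWORD (TDS 7.1 batches have no such
    block, and the check below then leaves the data untouched).  Anything
    else is treated as single-byte text, which is how the statement shows
    up in an Oracle Net capture.
    """
    if len(payload) >= 12 and payload[0] == 0x01:
        data = payload[8:]
        hdr_len = int.from_bytes(data[:4], "little")
        if 0 < hdr_len <= len(data):
            data = data[hdr_len:]
        return data.decode("utf-16-le", errors="ignore")
    return payload.decode("latin-1")


def naive_ascii_grep(payload: bytes) -> bool:
    """The byte-level check most people try first; it misses UTF-16LE TDS text."""
    low = payload.lower()
    return any(needle in low for needle in (b"identified by", b"with password"))


def find_cleartext_passwords(payload: bytes) -> List[Tuple[str, str]]:
    """Return (account, password) pairs that travel in clear in the payload."""
    text = decode_sql_text(payload)
    hits: List[Tuple[str, str]] = []
    for pattern in CLEARTEXT_PATTERNS:
        hits.extend((acct, pw) for acct, pw in pattern.findall(text))
    return hits


# Constructed samples (not real captures).
ORACLE_SAMPLE = (b"\x00\x58\x00\x00\x06\x00\x00\x00\x00\x00\x11\x69\x27"
                 + b"alter user scott identified by scott1234" + b"\x00\x01\x00")
SQLSERVER_SAMPLE = tds_sql_batch("alter login antonion with password ='newpass'")
NO_SQL_SAMPLE = b"\x00\x2c\x00\x00\x06\x00\x00\x00\x00\x00\x08\x4a" + bytes(range(32))


if __name__ == "__main__":
    for label, sample in (("oracle", ORACLE_SAMPLE), ("sqlserver", SQLSERVER_SAMPLE),
                          ("no sql text", NO_SQL_SAMPLE)):
        print(f"{label:12s} grep={naive_ascii_grep(sample)!s:5s} "
              f"decoded={find_cleartext_passwords(sample)}")
```

In a real deployment the payloads come from a pcap reader or an IDS hook rather than the constructed bytes above; the matching logic stays the same. The useful output is not the password itself but the account name and the fact that a secret crossed the wire in clear, which is what you would alert on or redact.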


HTH – Antonio NAVARRO

Oracle Java Serialization/Deserialization

Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle.

Serialization is the process of taking a data object and converting it into a stream of bytes (binary format), so it can be transported across a network or saved inside a database, only to be deserialized later and used in its original form.

Deserialization of untrusted data is an attack vector that affects many products, since Java is the basis of many solutions. Within the database stack there are several areas exposed to this type of attack, the most significant being the REST-type services. They are defined as follows (from the Oracle documentation):

Oracle REST Data Services (ORDS) makes it easy to develop modern REST interfaces for relational data in the Oracle Database, Oracle Database 12c JSON Document Store, and Oracle NoSQL Database. A mid-tier Java application, ORDS maps HTTP (S) verbs (GET, POST, PUT, DELETE, etc.) to database transactions and returns any results formatted using JSON.

HTH – Antonio NAVARRO


Where is the Crontab File on Solaris

Many times, to see the crontab contents we use the crontab -l command, and to modify them we use crontab -e. But the crontab we see or edit is nothing more than a file: it can be read with a simple cat, view, etc., and modified directly, provided you have the right permissions (the directory and the files are owned by root, so you need root privileges to touch them directly). On Solaris the files are located in the following directory (each user normally has their own file, named after the user):

/var/spool/cron/crontabs

HTH – Antonio NAVARRO