Thread: Oracle DB Worm Code Published
A recent article about an Oracle worm:
http://www.eweek.com/article2/0,1895,1880648,00.asp
got me wondering.

Could a worm like this infect a PostgreSQL installation? It seems to depend on default usernames and passwords - and lazy DBAs, IMO. Isn't it true that PostgreSQL doesn't have any default user/password?

Is this an issue we should be concerned about, at some level?

TJ O'Donnell
> A recent article about an Oracle worm:
> http://www.eweek.com/article2/0,1895,1880648,00.asp
> got me wondering.
> Could a worm like this infect a PostgreSQL installation?
> It seems to depend on default usernames and passwords - and
> lazy DBAs, IMO.
> Isn't it true that PostgreSQL doesn't have any default user/password?

That's true. However, PostgreSQL ships by default with access mode set to "trust", which means you don't *need* a password. And I bet you'll find the user being either "postgres" or "pgsql" in 99+% of all installations.

We do, however, ship with network access disabled by default. Which means a worm can't get to it, until you enable that. But if you enable network access, and don't change it from "trust" to something else (such as md5), then you're wide open to this kind of entry. (Just create an untrusted PL and hack away - assuming those binaries are in there, but I bet they are in most installations)

//Magnus
> A recent article about an Oracle worm:
> http://www.eweek.com/article2/0,1895,1880648,00.asp
> got me wondering.
> Could a worm like this infect a PostgreSQL installation?
> It seems to depend on default usernames and passwords -
> and lazy DBAs, IMO.
> Isn't it true that PostgreSQL doesn't have any default user/password?
> Is this an issue we should be concerned about, at some level?

PostgreSQL doesn't allow network access, by default, which more than makes up for that.

-- 
"cbbrowne","@","cbbrowne.com"
http://cbbrowne.com/info/slony.html
"...Yet terrible as Unix addiction is, there are worse fates. If Unix is the heroin of operating systems, then VMS is barbiturate addiction, the Mac is MDMA, and MS-DOS is sniffing glue. (Windows is filling your sinuses with lucite and letting it set.) You owe the Oracle a twelve-step program." --The Usenet Oracle
Christopher Browne <cbbrowne@acm.org> writes:
>> A recent article about an Oracle worm:
>> http://www.eweek.com/article2/0,1895,1880648,00.asp
>> got me wondering.
> PostgreSQL doesn't allow network access, by default, which more than
> makes up for that.

You would have to both alter postgresql.conf (to make the postmaster listen for anything except local connections) and alter pg_hba.conf to let people in. Of course, if you were fool enough to set pg_hba.conf to allow "trust" connections from the whole net, you'd have a door open even wider than Oracle's. But I hope that's not common.

A worm can't be successful unless there's a fairly large population of vulnerable machines. I am sure that there are *some* PG installations out there that are wide open, but I doubt there are enough to make a worm viable.

regards, tom lane
On 1/7/06, Magnus Hagander <mha@sollentuna.net> wrote:
> > A recent article about an Oracle worm:
> > http://www.eweek.com/article2/0,1895,1880648,00.asp
> > got me wondering.
> > Could a worm like this infect a PostgreSQL installation?
> > It seems to depend on default usernames and passwords - and
> > lazy DBAs, IMO.
> > Isn't it true that PostgreSQL doesn't have any default user/password?
>
> That's true. however, PostgreSQL ships by default with access mode set
> to "trust", which means you don't *need* a password. And I bet you'll
> find the user being either "postgres" or "pgsql" in 99+% of all
> installations.
>
> We do, however, ship with network access disabled by default. Which
> means a worm can't get to it, until you enable that. But if you enable
> network access, and don't change it from "trust" to something else (such
> as md5), then you're wide open to this kind of entry.
>

I don't think it's quite that easy. The default installs from SUSE and other RPM I have done are set to ident sameuser for local connections. Even if you turn on the -i flag, you can't get in remotely since there is no pg_hba.conf record for the rest of the world by default. You would have to add a record to pg_hba.conf.

PostgreSQL is remarkably secure out of the box compared to Brand X.
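The exposure Magnus and Tom describe (a "trust" rule in pg_hba.conf reachable from a non-loopback network) is easy to audit mechanically. The script below is an added example, not code from the thread or from the PostgreSQL project: it parses a constructed pg_hba.conf, flags network rules that grant password-less access beyond loopback, and rewrites them to md5 as the thread suggests. The sample config and all function names are assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread). The loopback
# "trust" line is the historical default; the 0.0.0.0/0 line is the mistake
# the thread warns about. One rule uses the older address + netmask form.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              trust
host    all       all   127.0.0.1/32               trust
host    all       all   ::1/128                    md5
host    all       all   0.0.0.0/0                  trust
host    all       all   192.168.0.0 255.255.255.0  trust
host    all       all   10.0.0.0/8                 md5
"""

def parse_hba(text):
    """Yield (type, database, user, address, method) per rule; comments skipped.
    Address + separate netmask is normalised to 'addr/mask'; local has no address."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            yield (fields[0], fields[1], fields[2], None, fields[3])
        elif len(fields) >= 6 and "/" not in fields[3]:
            yield (fields[0], fields[1], fields[2], f"{fields[3]}/{fields[4]}", fields[5])
        else:
            yield (fields[0], fields[1], fields[2], fields[3], fields[4])

def is_wide_open(rule):
    """True for a network rule that grants 'trust' to any non-loopback address.
    Unparseable addresses (e.g. hostnames) are treated as open, conservatively."""
    typ, _db, _user, address, method = rule
    if method != "trust" or typ == "local":
        return False
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return True

def audit_hba(text):
    """Return the rules an operator should fix before enabling network access."""
    return [r for r in parse_hba(text) if is_wide_open(r)]

def harden_hba(text):
    """Rewrite each wide-open 'trust' rule to 'md5'; all other lines are kept verbatim."""
    out = []
    for raw in text.splitlines():
        rules = list(parse_hba(raw))
        if rules and is_wide_open(rules[0]):
            head, _ = raw.rsplit("trust", 1)
            raw = head + "md5"
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for rule in audit_hba(SAMPLE_HBA):
        print("wide open:", rule)
```

Note that a "trust" rule on the Unix socket or loopback still lets any local account connect as any role; the audit only covers the network exposure the thread is about.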