11/13/2007: "Oracle 11g/10g Installation Vulnerability"
After investigating 11g the other day I came across an interesting issue. During the installation of Oracle 11g and 10g all accounts, including the SYS and SYSTEM accounts, have their default passwords and only at the end of the install are the passwords changed. This means that there is a window of opportunity for an attacker to log into the database server during the install process. Because the Listener is running remote attackers can exploit this. After doing some testing I've found that if a default install is performed then the window of opportunity is c. 2 minutes 15 secs. If you use the Database Configuration Assistant and install the default options for a General Purpose or Transaction Processing (i.e. without sample schemas but install jvm, text, xml db, multimedia, ultrasearch etc) the window is around 20 to 25 seconds. If creating a database using the Datawarehouse option then the window is 35 to 40 seconds. If the Custom is selected from DBCA there is not window. This is because Custom doesn't use a template.
Now the chances of this being exploited are of course really small but it does pose questions when it comes to assurance. If you base line your system after an install can we be really sure it wasn't 0wn3d during the install process and a couple of backdoors planted? The best approach to solving this is not installing Oracle whilst connected to the network. I reported this to Oracle on the 3rd of November and they've since updated their security checklist.