Steal TOraSession password and crack database SERIOUS SAFETY PROBLEM
There is a very serious safety problem in ODAC: at runtime a hacker can steal the database password, user and server parameters and can crack your database. All that is needed to steal these data is to download and run userdump.exe from
http://www.microsoft.com/en-us/download/details.aspx?id=4060
then save the process memory into a file. This dump file contains the password, user and server properties of TOraSession.
-
André Sandri commented
-------------------------
SAFETY PROBLEM
-------------------------
PLEASE, PRIORITIZE THIS SAFETY PROBLEM!
Ordinary users can steal the database password property by viewing the application executable's content in notepad.exe when the password is entered at design time (and stored in the DFM file).
Another way is to create a "full/mini dump" of the process with the Microsoft Debug Diagnostic Tool v1.2 (http://www.microsoft.com/en-us/download/details.aspx?id=26798) to recover a password that was set at runtime.
We are adopting ODAC for enterprise use, and we plan to encapsulate the runtime assignment of the TOraSession.Password property in a protected enterprise component to prevent exposure of production passwords to our IT staff (as the primary goal).
Recommendation: Add a new option in the TOraSession.Options property, "UseEncryptedStoredPassword" (boolean, default false). When this is set to true, the component must always encrypt the password entered in the "Password" field (in both runtime and design modes), storing it encrypted in the private FPassword field. The goal is to prevent exposure of the password in the Password property, the ConnectString property, and related variables (FPassword, and so on). The component must decrypt it internally as necessary, but must not expose a way for developers (or users) to retrieve it.
Related ideas:
------------------
* http://devart.uservoice.com/forums/104635-delphi-data-access-components/suggestions/1624575-connect-dialog
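As an added illustration of the two points raised in this thread (this is example code written for this page, not code from Devart, ODAC or either poster, and it is in Python rather than Delphi so that it can be run anywhere): find_credentials scans a constructed dump fragment for the session properties in the two forms they take on the page, text-form DFM assignments (Name = 'value') inside the executable and a connect string in process memory, which is what running strings or grep over a userdump/DebugDiag output amounts to; ProtectedSecret sketches the requested UseEncryptedStoredPassword behaviour as a holder that keeps the value masked with a per-instance random key and only materialises the plaintext, in a wipeable buffer, while it is actually needed. The sample dump bytes, the property names Username/Password/Server, the regexes and the class and function names are this example's own assumptions.

```python
"""Models the two exposures discussed in the thread: a plaintext session
password recoverable from a memory dump or DFM, and an in-memory holder
that keeps the password masked except while it is in use."""
import os
import re
from contextlib import contextmanager

# Constructed sample (made-up values): what `strings` over a process dump of
# an application with a TOraSession might show. First a text-form DFM
# fragment with design-time properties, then a runtime connect string.
SAMPLE_DUMP = (
    b"\x00\x00TOraSession1\x00Username = 'appuser'\r\n"
    b"  Password = 'S3cretPw!'\r\n  Server = 'orcl.example.internal'\r\n\x00\x00"
    b"User Id=appuser;Password=S3cretPw!;Server=orcl.example.internal;\x00"
)

# Assumed layouts: DFM text-form property assignments and connect-string pairs.
DFM_RE = re.compile(rb"(Username|Password|Server)\s*=\s*'([^']*)'")
CONNSTR_RE = re.compile(rb"(User Id|Password|Server)=([^;\x00]+);")
KEY_MAP = {b"Username": "user", b"User Id": "user",
           b"Password": "password", b"Server": "server"}


def find_credentials(dump: bytes) -> dict[str, set[str]]:
    """Return every user / password / server value found in `dump`,
    whichever of the two encodings it appeared in."""
    found: dict[str, set[str]] = {"user": set(), "password": set(), "server": set()}
    for rx in (DFM_RE, CONNSTR_RE):
        for key, value in rx.findall(dump):
            found[KEY_MAP[key]].add(value.decode("latin-1"))
    return found


def _wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer so the plaintext does not linger in it."""
    for i in range(len(buf)):
        buf[i] = 0


class ProtectedSecret:
    """Holds a secret XOR-masked with a random key of the same length (a
    one-time pad, used once per instance). Only the masked bytes and the key
    live in the object; the plaintext exists only in the bytearray handed
    out by use(), which is wiped when the block exits.

    Caveat: the `secret` str passed to the constructor is an immutable
    Python string that cannot be wiped; this class demonstrates the design,
    a real component would have to avoid creating such copies at all."""

    def __init__(self, secret: str) -> None:
        plain = bytearray(secret.encode("utf-8"))
        self._key = bytearray(os.urandom(len(plain)))
        self._masked = bytearray(p ^ k for p, k in zip(plain, self._key))
        _wipe(plain)

    @contextmanager
    def use(self):
        """Yield the plaintext in a bytearray for the duration of the block
        (e.g. the moment the driver authenticates), then zero it."""
        plain = bytearray(m ^ k for m, k in zip(self._masked, self._key))
        try:
            yield plain
        finally:
            _wipe(plain)

    def resident_bytes(self) -> bytes:
        """What a dump of this object's own buffers would contain."""
        return bytes(self._masked) + bytes(self._key)


def demo(password: str = "S3cretPw!") -> tuple[bool, bool]:
    """Return (plaintext visible at rest, plaintext visible while in use)."""
    holder = ProtectedSecret(password)
    at_rest = password.encode("utf-8") in holder.resident_bytes()
    with holder.use() as plain:
        in_use = bytes(plain) == password.encode("utf-8")
    return at_rest, in_use


if __name__ == "__main__":
    print("recovered from dump:", find_credentials(SAMPLE_DUMP))
    print("(at rest, in use) =", demo())
```

Running it recovers the user, password and server from the constructed dump exactly as the two posts describe, while the holder's resident buffers never contain the plaintext. The practitioner caveat is the second flag from demo(): the cleartext still has to exist for the instant the driver authenticates, so an option like UseEncryptedStoredPassword narrows the window a dump can hit rather than closing it, and any copy the component or the runtime leaves behind (a temporary string, a connect string assembled for logging) reopens it.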