[10429] in bugtraq
Re: *Huge* security hole in Oracle 8.0.5 with Intelligent agent
daemon@ATHENA.MIT.EDU (Jeff Long)
Mon May 3 22:01:37 1999
Message-Id: <372E31D8.721A19F1@kestrel.cc.ukans.edu>
Date: Mon, 3 May 1999 18:31:36 -0500
Reply-To: Jeff Long <long@KESTREL.CC.UKANS.EDU>
From: Jeff Long <long@KESTREL.CC.UKANS.EDU>
To: BUGTRAQ@NETSPACE.ORG
David Adrian wrote:
>
> John Ritchie wrote:
>
> > On Fri, 30 Apr 1999, Anthony Clarke wrote:
<snip>
> > So if you've installed Oracle's Intelligent Agent or aren't sure if it's
> > installed then check your oratclsh and fix that bit. The only systems
> > I've had experience on are 8.0.5 for Solaris and Linux but I'd check any
> > 8.x release on any platform if it were mine.
<snip>
> I patched my Linux version of Oracle to 8.0.5.1. When I checked for this
> vulnerability, the suid bit was not set, and the ownership of oratclsh was
> oracle.oracle.
> So it seems likely that upgrading to 8.0.5.1 will fix the problem. On Linux,
> this was necessary to fix many other nasty bugs anyway.
Well, I patched to 8.0.5.1 on Digital Unix a while ago and discovered on
Friday that oratclsh was still suid root, so at least on my platform
8.0.5.1 did not solve the problem.
Jeff Long
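
The check discussed in this thread, as an added example that is not part of any poster's message: a POSIX shell audit that finds every oratclsh under a directory tree and reports whether it is setuid and owned by root, since the posters saw different results per platform after patching. The function names are hypothetical, and searching under ORACLE_HOME is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_suid FILE -> prints SUID_ROOT, SUID_OTHER or OK.
# Uses only POSIX find tests, so no platform-specific stat(1) flags are needed.
classify_suid() {
    if [ -n "$(find "$1" -prune -type f -perm -4000 -user 0 2>/dev/null)" ]; then
        echo SUID_ROOT      # setuid bit set and owned by uid 0
    elif [ -n "$(find "$1" -prune -type f -perm -4000 2>/dev/null)" ]; then
        echo SUID_OTHER     # setuid, but to a non-root owner (e.g. oracle)
    else
        echo OK
    fi
}

# audit_oratclsh DIR -> one line per oratclsh found under DIR:
#   <state><TAB><ls -ld output>
# Returns 1 if any copy is setuid root, 0 otherwise.
audit_oratclsh() {
    find "$1" -type f -name oratclsh 2>/dev/null | (
        bad=0
        while IFS= read -r f; do
            state=$(classify_suid "$f")
            printf '%s\t%s\n' "$state" "$(ls -ld "$f")"
            if [ "$state" = SUID_ROOT ]; then bad=1; fi
        done
        exit "$bad"
    )
}

# Stand-alone use: audit the tree named by ORACLE_HOME when it is set.
# (Assumption: oratclsh lives somewhere under ORACLE_HOME.)
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_oratclsh "$ORACLE_HOME" ||
        echo "setuid-root oratclsh found; clear the bit with chmod u-s" >&2
fi
```

Re-running the audit after applying a patch set shows whether the patch changed the mode and ownership on that platform.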