[10465] in bugtraq
Re: Oracle Intellegent agent installedoracle-digested
daemon@ATHENA.MIT.EDU (John Ritchie)
Thu May 6 17:20:10 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.3.96.990506132812.24941A-100000@netserve.ous.edu>
Date: Thu, 6 May 1999 13:36:33 -0700
Reply-To: John Ritchie <ritchiej@OSSHE.EDU>
From: John Ritchie <ritchiej@OSSHE.EDU>
X-To: Chris Hallenbeck <cthallen@BINGHAMTON.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.04.9905050021550.12447-100000@DarkThunder.cc.binghamton.edu>
On Wed, 5 May 1999, Chris Hallenbeck wrote:
> On Tue, 4 May 1999, Kis-Szabo Andras wrote:
>
> > Oracle8i 8.1.5 Solaris 7
> > -rwsr-s--x 1 root dba 1402152 May 3 01:08 /oracle/bin/oratclsh
> >
> > After the install. This version never ran here before.
>
> Solaris 2.6 with Oracle8.0.5 ...installed by the userid "oracle", hence
> we have:
> -rwsr-s--x 1 oracle dba 1492432 Jan 7 08:19 oratclsh
>
> Solution? Try running the majority of the install as the "oracle" user.
>
> Comments?
>
> HTH!
>
> -Chris Hallenbeck

The root setuid gets set when you run the post-install root.sh as root
(per the install instructions). If you don't run root.sh as root
(directly after the Intelligent Agent install - remember Oracle creates a
new root.sh with every install) then the file will be owned by the
installer ID (typically oracle).

I would suggest that setuid oracle on that file is bad enough. The simple
exploit will then get you oracle:dba privs instead of root, but that would
be enough to have full control of the database. Oracle's recommended fix
of removing the setuid bit would still apply.

John Ritchie
Oregon University System
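
Added example, not part of the original message or of Oracle's instructions: a shell check to run after each install or root.sh run that lists setuid/setgid files under the Oracle bin directory with their owner, and removes the setuid bit as the recommended fix describes. The function names and the directory argument are illustrative assumptions, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Audit setuid/setgid files left behind by an install (for example oratclsh).

# list_setid DIR
# Print "mode owner group path" for every regular file under DIR that has
# the setuid (4000) or setgid (2000) bit. A root owner in column 2 means
# root.sh was run as root; the installer ID (typically oracle) means it was not.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }'
}

# strip_setuid FILE
# Remove only the setuid bit; owner, group and the other mode bits stay
# as they are, so members of the group can still run the binary.
strip_setuid() {
    chmod u-s "$1"
}

# still_setuid FILE
# Succeed if FILE still carries the setuid bit (use after strip_setuid,
# and again after any later install that regenerates root.sh).
still_setuid() {
    [ -u "$1" ]
}

# Stand-alone use: pass the bin directory to audit, e.g. ./audit.sh /oracle/bin
if [ "$#" -gt 0 ]; then
    list_setid "$1"
fi
```
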