[12617] in bugtraq
Re: Oracle 8 root exploit
daemon@ATHENA.MIT.EDU (Adam and Christine Levin)
Wed Nov 17 12:28:55 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.SUN.4.10.9911161553180.11573-100000@westnet.com>
Date: Tue, 16 Nov 1999 15:58:09 -0500
Reply-To: Adam and Christine Levin <levins@WESTNET.COM>
From: Adam and Christine Levin <levins@WESTNET.COM>
X-To: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991116121721.N12923@securityfocus.com>
On Tue, 16 Nov 1999, Elias Levy wrote:
> One must wonder if Oracle fixed the real problem (dbsnmp being suid root
> and trusting ORACLE_HOME) or whether they simply fixed the way the exploit
> the problem originally posted by Gilles, thus leaving the exploit by Brook
> still working.
> I would appreciate it if someone could apply the patch and verify that
> neither of the attack methods work any longer.
I installed the patch. I'm running Oracle 8.0.5 on SPARC Solaris 2.6 with
recommended patches and y2k patches.
The Oracle patch changed dbsnmp so that other had no permissions. When I
set my group to Oracle and ran it without ORACLE_HOME set, it did create
the log files in the current dir (/tmp), but it didn't follow the symlink
to /.rhosts and create that, so it looks like they did in fact fix it.
> Finally, Martin Mevald <martinmv@hornet.cz> claims that "tnslsnr" suid
> program is similarly vulnerable under Linux Oracle 8.0.5. Can someone
> verify this claim? Can someone verify Oracle versions other than Linux for
> this vulnerability? Can someone let us know whether this binary is part
> of the Oracle Intelligent Agent? And if so, can someone let us know if
> the Oracle patch fixes the vulnerability in tnslsnr?
This binary is not suid on SPARC Solaris 2.6. I don't believe it is part
of Intelligent Agent. If I remember correctly, tnslsnr is the product
that listens for Oracle connections from other machines, so it's part of
the core product.
-Adam
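An added shell check (not part of this thread or of Oracle's patch) for the post-patch state Adam describes: it reports whether dbsnmp and tnslsnr under an ORACLE_HOME are still both setuid and executable by "other", which is the combination the original reports relied on. The `$ORACLE_HOME/bin` layout and the example path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). The patch removed "other"
# permissions from dbsnmp, so a setuid binary that is still executable by
# other is the state to flag. Assumes POSIX sh, find(1) and test(1); the
# $ORACLE_HOME/bin layout is an assumption.

# Print every regular file under $1 that is setuid AND executable by
# other (mode bits 4001), one per line, as a long listing.
audit_suid_world_exec() {
    find "$1" -type f -perm -4001 -exec ls -ld {} \; 2>/dev/null
}

# Check the two binaries named in the thread under an Oracle home.
# $1: ORACLE_HOME (defaults to the environment variable).
# Returns 0 when neither binary is setuid-and-world-executable,
# 1 when at least one is (each offender is printed as a WARN line).
check_oracle_bins() {
    home="${1:-$ORACLE_HOME}"
    rc=0
    for b in dbsnmp tnslsnr; do
        p="$home/bin/$b"
        [ -f "$p" ] || continue            # not installed: nothing to check
        if [ -u "$p" ] && [ -n "$(find "$p" -perm -0001 2>/dev/null)" ]; then
            echo "WARN: $p is setuid and executable by other"
            rc=1
        else
            echo "ok:   $p"
        fi
    done
    return $rc
}

# Usage (assumed path): check_oracle_bins /u01/app/oracle/product/8.0.5
```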