Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Security Bug in Oracle

From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Tue, 17 Aug 1999 09:22:32 -0700

---------- Forwarded message ----------
Date: Mon, 16 Aug 1999 23:51:53 +0200
From: Gilles PARC <gparc () online fr>
Subject: Security Bug in Oracle

Hi Listers,

I discover a new security problem with Oracle on Unix.
Once again, it's with a setuid program.

Do not confuse with a similar problem corrected
by ORACLE  some month ago with a patch called setuid_patch.sh.

NEW PROBLEM :

if you have installed Oracle Intelligent agent, you will find in
$ORACLE_HOME/bin a program called dbsnmp.
This program is setuid root and was DELIBERATELY EXCLUDED
by Oracle in the forementioned patch.

The security hole resides in the fact  that this program executes
a tcl script ( nmiconf.tcl ) located by default  in
$ORACLE_HOME/network/agent/config.

Needless to say that  you can easily bypass this default and have
your own malicious nmiconf.tcl script run under root privileges.

I verify this on HP-UX 10.20 with  Oracle 7.3.3 and 8.0.4.3
                    on AIX 4.3  with Oracle 8.0.5.1
But  it's probably Unix generic.

Regards

Gilles Parc
Email: gparc () mail dotcom fr

carpe diem !!

----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: