Bugtraq mailing list archives

Re: Security Bug in Oracle


From: jonz () NETRAIL NET (Jonathan A. Zdziarski)
Date: Fri, 27 Aug 1999 12:21:58 -0400


Does anyone know if they have made a Solaris_x86 patch for this? They
have the patches openly available on http://technet.oracle.com; however,
the only 'Solaris' patch there was unlabeled and turned out to be for
Sun.

On Tue, 17 Aug 1999, Elias Levy wrote:

Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
Message-ID:  <19990817092232.B7591 () securityfocus com>
Date:         Tue, 17 Aug 1999 09:22:32 -0700
Reply-To: aleph1 () SECURITYFOCUS COM
Sender: Bugtraq List <BUGTRAQ () SECURITYFOCUS COM>
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Subject:      Security Bug in Oracle
X-To:         bugtraq () securityfocus com
To: BUGTRAQ () SECURITYFOCUS COM
Content-Length: 1179



Sender: jason.axley () attws com
Subject: Security Bug in Oracle

---------- Forwarded message ----------
Date: Mon, 16 Aug 1999 23:51:53 +0200
From: Gilles PARC <gparc () online fr>
Subject: Security Bug in Oracle

Hi Listers,

I have discovered a new security problem with Oracle on Unix.
Once again, it's with a setuid program.

Do not confuse this with a similar problem corrected
by ORACLE some months ago with a patch called setuid_patch.sh.

NEW PROBLEM :

If you have installed Oracle Intelligent Agent, you will find in
$ORACLE_HOME/bin a program called dbsnmp.
This program is setuid root and was DELIBERATELY EXCLUDED
by Oracle in the aforementioned patch.

The security hole resides in the fact that this program executes
a Tcl script (nmiconf.tcl) located by default in
$ORACLE_HOME/network/agent/config.

Needless to say, you can easily bypass this default and have
your own malicious nmiconf.tcl script run under root privileges.

I verified this on HP-UX 10.20 with Oracle 7.3.3 and 8.0.4.3,
and on AIX 4.3 with Oracle 8.0.5.1.
But it's probably Unix generic.

Regards

Gilles Parc
Email : gparc () mail dotcom fr

carpe diem !!

----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/


Thank you,

Jonathan A. Zdziarski
Sr. Systems Administrator
Netrail, inc.
888.NET.RAIL x240
http://www.netrail.net
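
An audit for the condition described in the forwarded advisory, added here as an example and not part of the original thread or of any Oracle patch: it lists setuid programs under an Oracle home's bin directory and flags the agent config directory or nmiconf.tcl if they are group- or world-writable. The function names, output format, and the sample tree (including `otherprog`) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). dbsnmp and
# network/agent/config/nmiconf.tcl are named in the advisory; function
# names and the output format are assumptions of this example.

# Print one finding per line; return 1 if anything was found, 2 on bad input.
audit_oracle_home() {
    home=$1
    [ -d "$home/bin" ] || { echo "ERROR: no bin directory under $home" >&2; return 2; }
    findings=$(
        # Setuid programs owned by root, then setuid programs owned by anyone else.
        find "$home/bin" -type f -perm -4000 -user root -exec echo SETUID-ROOT {} \;
        find "$home/bin" -type f -perm -4000 ! -user root -exec echo SETUID-OTHER {} \;
        # Agent config directory and script: group- or world-writable?
        for p in "$home/network/agent/config" "$home/network/agent/config/nmiconf.tcl"; do
            [ -e "$p" ] || continue
            find "$p" -prune \( -perm -020 -o -perm -002 \) -exec echo WRITABLE {} \;
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree so the audit can be run without an Oracle install.
make_constructed_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/network/agent/config"
    : > "$d/bin/dbsnmp";    chmod 4755 "$d/bin/dbsnmp"     # setuid, as in the report
    : > "$d/bin/otherprog"; chmod 0755 "$d/bin/otherprog"  # ordinary program (constructed)
    : > "$d/network/agent/config/nmiconf.tcl"
    chmod 0644 "$d/network/agent/config/nmiconf.tcl"
    chmod 0777 "$d/network/agent/config"                   # deliberately loose
    echo "$d"
}

# Audit the directory given as $1, or the constructed tree if none is given.
if [ -n "${1:-}" ]; then target=$1; else target=$(make_constructed_home); fi
audit_oracle_home "$target" || true
```

Run it with a real Oracle home as the first argument, for example `sh audit.sh "$ORACLE_HOME"`; a SETUID-ROOT line for dbsnmp corresponds to the program the advisory describes.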

