Bugtraq mailing list archives

Re: Oracle 8 root exploit


From: levins () WESTNET COM (Adam and Christine Levin)
Date: Tue, 16 Nov 1999 15:58:09 -0500


On Tue, 16 Nov 1999, Elias Levy wrote:
> One must wonder if Oracle fixed the real problem (dbsnmp being suid root
> and trusting ORACLE_HOME) or whether they simply fixed the way the exploit
> the problem originally posted by Gilles, thus leaving the exploit by Brook
> still working.
> I would appreciate it if someone could apply the patch and verify that
> neither of the attack methods work any longer.

I installed the patch.  I'm running Oracle 8.0.5 on SPARC Solaris 2.6 with
recommended patches and y2k patches.

The Oracle patch changed dbsnmp so that other had no permissions.  When I
set my group to Oracle and ran it without ORACLE_HOME set, it did create
the log files in the current dir (/tmp), but it didn't follow the symlink
to /.rhosts and create that, so it looks like they did in fact fix it.

> Finally, Martin Mevald <martinmv () hornet cz> claims that "tnslsnr" suid
> program is similarly vulnerable under Linux Oracle 8.0.5. Can someone
> verify this claim? Can someone verify Oracle versions other than Linux for
> this vulnerability? Can someone let us know whether this binary is part
> of the Oracle Intelligent Agent? And if so, can someone let us know if
> the Oracle patch fixes the vulnerability in tnslsnr?

This binary is not suid on SPARC Solaris 2.6.  I don't believe it is part
of Intelligent Agent.  If I remember correctly, tnslsnr is the product
that listens for Oracle connections from other machines, so it's part of
the core product.

-Adam
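
The symlink behaviour tested in the message above, as an added example (not Oracle's code and not part of the original post): a log-open routine for a privileged program that refuses a symlink planted under the log's name in a world-writable directory. The function names, the `agent.log` file name and the scratch directory are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a log file for appending without following a symlink.
 * O_CREAT|O_EXCL fails with EEXIST if the name already exists (symlinks included);
 * O_NOFOLLOW makes opening an existing name fail if that name is a symlink. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && errno == EEXIST)      /* name exists: retry, still refusing symlinks */
        fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                      /* FIFO, device or hard-linked file: refuse */
        return -1;
    }
    return fd;
}

/* Constructed scenario: in a scratch directory, the log name is a dangling symlink
 * to a file that does not exist yet. Returns 1 if the open was refused and the
 * symlink target was not created, 0 otherwise. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", log[64], target[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(log, sizeof log, "%s/agent.log", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, log) != 0) return 0;

    int fd = open_log_safely(log);
    int refused = (fd < 0) && (access(target, F_OK) != 0);
    if (fd >= 0) close(fd);
    unlink(log); unlink(target); rmdir(dir);
    return refused;
}

int main(void)
{
    printf("symlink refused: %d\n", symlink_is_refused());
    return 0;
}
```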

