Bugtraq mailing list archives
Re: Oracle 8 root exploit
From: levins () WESTNET COM (Adam and Christine Levin)
Date: Tue, 16 Nov 1999 15:58:09 -0500
On Tue, 16 Nov 1999, Elias Levy wrote:
One must wonder if Oracle fixed the real problem (dbsnmp being suid root and trusting ORACLE_HOME) or whether they simply fixed the way the exploit the problem originally posted by Gilles, thus leaving the exploit by Brook still working. I would appreciate it if someone could apply the patch and verify that neither of the attack methods work any longer.
I installed the patch. I'm running Oracle 8.0.5 on SPARC Solaris 2.6 with recommended patches and y2k patches. The Oracle patch changed dbsnmp so that other had no permissions. When I set my group to Oracle and ran it without ORACLE_HOME set, it did create the log files in the current dir (/tmp), but it didn't follow the symlink to /.rhosts and create that, so it looks like they did in fact fix it.
Finally, Martin Mevald <martinmv () hornet cz> claims that "tnslsnr" suid program is similarly vulnerable under Linux Oracle 8.0.5. Can someone verify this claim? Can someone verify Oracle versions other than Linux for this vulnerability? Can someone let us know whether this binary is part of the Oracle Intelligent Agent? And if so, can someone let us know if the Oracle patch fixes the vulnerability in tnslsnr?
This binary is not suid on SPARC Solaris 2.6. I don't believe it is part of Intelligent Agent. If I remember correctly, tnslsnr is the product that listens for Oracle connections from other machines, so it's part of the core product. -Adam
Current thread:
- Oracle 8 root exploit Tellier, Brock (Nov 13)
- Re: Oracle 8 root exploit Adam and Christine Levin (Nov 15)
- Re: Oracle 8 root exploit Jared Still (Nov 16)
- <Possible follow-ups>
- Re: Oracle 8 root exploit Martin Mevald (Nov 15)
- Re: Oracle 8 root exploit Antonomasia (Nov 15)
- Re: Oracle 8 root exploit Elias Levy (Nov 16)
- Re: Oracle 8 root exploit Adam and Christine Levin (Nov 16)
- Re: Oracle 8 root exploit Chris Calabrese (Nov 16)
- Re: Oracle 8 root exploit Alan Olsen (Nov 19)
- [RHSA-1999:055-01] Denial of service attack in syslogd Bill Nottingham (Nov 19)
- [ COBALT ] Security Advisory - syslog Jeff Bilicki (Nov 20)
- IE 5.0 XML HTTP redirect problems Georgi Guninski (Nov 22)
- DoS with sysklogd, glibc (Caldera) Alfred Huger (Nov 22)
- Re: DoS with sysklogd, glibc (Caldera) Balazs Scheidler (Nov 22)
- Re: Oracle 8 root exploit Steve D'Angona (Nov 18)
- Re: Oracle 8 root exploit Chris Calabrese (Nov 18)