Bugtraq mailing list archives
Re: *Huge* security hole in Oracle 8.0.5 with Intellegent agent
From: ritchiej () OSSHE EDU (John Ritchie)
Date: Fri, 30 Apr 1999 16:49:03 -0700
On Fri, 30 Apr 1999, Anthony Clarke wrote:
------------- Begin Forwarded Message -------------

Subject: *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed
From: Dan Sugalski <sugalskd () ous edu>
Date: Thu, 29 Apr 1999 08:34:30 -0700
X-Message-Number: 46
Subject: oracle-digested

Folks,

This is a big heads up for everyone. If you're running Oracle 8.0.5 on a Unix box, do *not* install and configure the Intelligent Agent option. If you have, find the bin/oratclsh file and REMOVE THE SUID BIT!

oratclsh is a Tcl app that provides full access to Tcl. It's also installed as suid root. Running oratclsh gives anyone with even the most modest Tcl knowledge the ability to execute arbitrary Tcl commands *while running as root*! This includes the exec command, which spawns off a subshell (as root) to run any command on the system.

Anyone with half a brain is exactly three commands away from full root access. Anyone with a whole brain is exactly *one* command away from full root access.

This hole has been verified on both Linux and Solaris with Oracle 8.0.5. It probably exists in all Unix versions of 8.0.5. Whether it exists in later versions is unknown. (I don't believe it exists in 8.0.4, but I can't verify that at the moment) I also don't know if it affects non-Unix versions of 8.0.5.

Once again, Intelligent Agent only needs to be *installed* (and the root.sh part of the setup run) to open this hole. The agent does *not* need to be started--just installed.

Dan
Here's the followup for this (rather, the original story):

I opened a TAR with Oracle on this and, after typical Oracle shuffling ("It's not a bug it's a feature", "We don't know how that got there", "You'll have to file an Enhancement Request", etc) they finally got back to me today to say that this will be fixed in future releases (8.0.6, etc.). On current releases one should just chown the $ORACLE_HOME/bin/oratclsh to oracle (or whoever the install userid is); on Linux and Solaris that will also remove the suid bit.

When I pressed them as to whether or not they would release patches and information to users who already have 8.0.5 installed they said they had no mechanism to do that. In other words, YOYO. (They could learn something about patch releases and access from their good buddies at Sun).

So if you've installed Oracle's Intelligent Agent or aren't sure if it's installed then check your oratclsh and fix that bit. The only systems I've had experience on are 8.0.5 for Solaris and Linux but I'd check any 8.x release on any platform if it were mine.

John Ritchie
Systems Software Analyst
Oregon University System
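
The check both messages ask for, as an added example that is not part of the original posts or Oracle's tooling: a POSIX shell audit that reports whether oratclsh under one or more Oracle homes is setuid and owned by root. The function names `check_oratclsh` and `audit_homes` are hypothetical; the only path assumed is `$ORACLE_HOME/bin/oratclsh`, as given in the thread.

```shell
#!/bin/sh
# Added example: audit oratclsh for the setuid-root condition described in the thread.
# Assumption: the binary is at <oracle home>/bin/oratclsh, as the posts state.

# check_oratclsh FILE
# Prints exactly one state: missing | suid-root | suid-other | ok
check_oratclsh() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    if [ -u "$f" ]; then
        # Numeric owner from ls -n, so the result does not depend on passwd lookups.
        owner_uid=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$owner_uid" = "0" ]; then
            echo suid-root      # the exposure described in the advisory
        else
            echo suid-other     # setuid, but not to root (e.g. after chown on some platforms)
        fi
    else
        echo ok
    fi
}

# audit_homes DIR...
# Prints one line per Oracle home; returns 1 if any oratclsh is setuid-root.
audit_homes() {
    rc=0
    for home in "$@"; do
        state=$(check_oratclsh "$home/bin/oratclsh")
        echo "$home/bin/oratclsh: $state"
        if [ "$state" = suid-root ]; then
            rc=1
        fi
    done
    return $rc
}

# When ORACLE_HOME is set, audit it. The fixes named in the thread are removing
# the suid bit or chown-ing the file to the Oracle install user.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_homes "$ORACLE_HOME" || echo "oratclsh is setuid-root: fix required" >&2
fi
```

Pass several directories to `audit_homes` to cover hosts with more than one Oracle installation; re-run it after applying the fix to confirm the state is no longer `suid-root`.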