Re: vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6

[Pete Finnigan <pete () peterfinnigan demon co uk>]

Hi

Oracle creates trace files in the directory pointed at by the parameter
"user_dump_dest". This parameter is set in the init.ora file. The value
can be read by select name,value
from v$parameter
where name='user_dump_dest';

or SQL> sho parameter user_dump_dest

Its been this location since at least oracle 7.1 as far as i can
remember. Its also possible to set client trace files to reside in a
directory pointed to by the parameter TRACE_DIRECTORY_CLIENT in the
sqlnet.ora file in the network admin direcory on the client. Server side
trace files are not written here tho. 

The permissions of the trace files on the server are governed by the
umask of the user generating them, "oracle" or whoever is running the
oracle shadow processes and the umask of the directory and internal
rules that make the file not readable to to anyone except the software
owner and the SYSDBA Unix group, usually dba. There is one other
parameter that can make trace files readable. This is the un-documented
init.ora parameter _trace_files_public=true, of this is set then the
trace files are world readable. This can be seen by selecting the X$
tables owned by SYS, so you need to be SYS to do this.

select * 
from x$ksppi
where ksppinm='_trace_files_public';

This parameter can only be added to the init.ora file and not set in the
current session by an alter session command. The database has also to be
bounced for this to take affect.

I didnt see the original vulnerability, could you please forward the 
information to me.

Thanks

Pete Finnigan
Pentest Limited
Manchester UK

In message <EEEJIAELPOCPHHCNFKKPIEPCCGAA.sec () rony clara net>, Ron Cohen
<sec () rony clara net> writes
> Looking again at the log you provided, it is not clear to me how
> you was able to create the trc file in the log directory.
> the permission on that directory is 775, pask:pask. the trc file
> created with the owner:group of oracle:pask. does user pask
> belong to the dba group?
> also, there is an option in the ora.ini file to set a specific
> area for the trc files. i have seen this option with 8.1.x,
> i'm not sure about 8.0.x.
>
>       _rony
>
> -----Original Message-----
> From: pask () plazasite com [mailto:pask () plazasite com]
> Sent: 02 August 2001 08:57
> To: bugtraq () securityfocus com; oracle-l () faticity com
> Subject: vulnerability in oracle binary in Oracle 8.0.5 - 8.1.6
>
>
>
>
>
>                      WWW.PLAZASITE.COM
>
>                  System & Security Division
>
>
>
>
>
>   Title:     Vulnerability in oracle binary in Oracle 8.0.5
>
>    Date:     11-12-2000
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.265 / Virus Database: 137 - Release Date: 18/07/2001

-- 
Pete Finnigan