Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

*Huge* security hole in Oracle 8.0.5 with Intellegent agent

From: Anthony.Clarke () one2one co uk (Anthony Clarke)
Date: Fri, 30 Apr 1999 14:11:39 +0100

------------- Begin Forwarded Message -------------

Subject: *Huge* security hole in Oracle 8.0.5 with Intellegent agent installed
From: Dan Sugalski <sugalskd () ous edu>
Date: Thu, 29 Apr 1999 08:34:30 -0700
X-Message-Number: 46
Subject: oracle-digested

Folks,

This is a big heads up for everyone. If you're running Oracle 8.0.5 on a
Unix box, do *not* install and configure the Intellegent Agent option. If
you have, find the bin/oratclsh file and REMOVE THE SUID BIT!

oratclsh is a Tcl app that provides full access to Tcl. It's also installed
as  suid root. Running oratclsh gives anyone with even the most modest Tcl
knowledge the ability to execute arbitrary Tcl commands *while running as
root*! This includes the exec command, which spawns off a subshell (as
root) to run any command on the system. Anyone with half a brain is exactly
three commands away from full root access. Anyone with a whole brain is
exactly *one* command away from full root access.

This hole has been verified on both Linux and Solaris with Oracle 8.0.5. It
probably exists in all Unix versions of 8.0.5. Whether it exists in later
versions is unknown. (I don't believe it exists in 8.0.4, but I can't
verify that at the moment) I also don't know if it affects non-Unix
versions of 8.0.5.

Once again, Intellegent Agent only needs to be *installed* (and the root.sh
part of the setup run) to open this hole. The agent does *not* need to be
started--just installed.

                                        Dan

---------------------------------------------"it's like this"--------------
Dan Sugalski   (541) 737-3346                even samurai
SysAdmin                                     have teddy bears
Oregon University System                     and even the teddy bears
sugalskd () ous edu                             get drunk

----------------------------------------------------------------------

------------- End Forwarded Message -------------


============                    ==================================
Ian Harrison                    Phone:  +44 (0)181 214 2121
Oracle DBA                      Fax:    +44 (0)181 214 4473
One2One                         Email:  ian.harrison () one2one co uk
============                    ==================================

------------- End Forwarded Message -------------
Previous By Date Next
Previous By Thread Next

Current thread: