Bugtraq mailing list archives

Re: Oracle 8 root exploit


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Tue, 16 Nov 1999 12:17:21 -0800


The vulnerability discovered by Brook Tellier is actually the
same as BUGTRAQ ID 585. This vulnerability was originally discovered
by Gilles PARC <gparc () online fr> and published in a message to BUGTRAQ
on August 16, 1999.

http://www.securityfocus.com/bid/585

http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990817092232.B7591 () securityfocus com

The basic vulnerability is that the suid program dbsnmp trusts the
environment variable ORACLE_HOME. Gilles describes a way to exploit
this by making the vulnerable program execute his own version of
the nmiconf.tcl file. Brook describes a way to exploit the problem
by making the vulnerable program create files in the system via
symlinks.

ISS published an advisory "describing" this vulnerability on August 23,
1999, titled "Additional Root Compromise Vulnerabilities in Oracle 8".
http://www.securityfocus.com/templates/advisory.html?id=1692

Whether ISS found the vulnerability independently or just republished
Gilles's findings is unknown.

Oracle has published fixes for the original problem. They can be found
at http://technet.oracle.com/misc/agent/section.htm . They also
have a FAQ on the issue at http://technet.oracle.com/misc/agent/faq.htm .

One must wonder if Oracle fixed the real problem (dbsnmp being suid root
and trusting ORACLE_HOME) or whether they simply fixed the specific way the
exploit originally posted by Gilles triggered the problem, thus leaving the
exploit by Brook still working.

I would appreciate it if someone could apply the patch and verify that
neither of the attack methods work any longer.

<soapbox>
We received some email from ISS letting us know this was the same issue
as described in their advisory. While we encourage and appreciate feedback
and participation on BUGTRAQ and the vulnerability database, had the
original ISS advisory given enough details to figure out what the problem
was this would not be an issue.

I don't mind putting up with 20 lines for company information and marketing
drivel in security advisories as long as they contain useful information.
But it seems that advisories from security companies that should know
better are more and more resembling advisories from CERT, with little or no
information.
</soapbox>

Finally, Martin Mevald <martinmv () hornet cz> claims that the "tnslsnr" suid
program is similarly vulnerable under Linux Oracle 8.0.5. Can someone
verify this claim? Can someone verify Oracle versions other than Linux for
this vulnerability? Can someone let us know whether this binary is part
of the Oracle Intelligent Agent? And if so, can someone let us know if
the Oracle patch fixes the vulnerability in tnslsnr?

http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911151248050.2500-100000@localhost.localdomain

--
Elias Levy
Security Focus
http://www.securityfocus.com/
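Added example, not part of Elias's message and not Oracle's code: a small C
program showing the two bug classes the message describes side by side with
the checks that close them. The first pair builds the script path the way a
setuid dbsnmp would if it trusted ORACLE_HOME, versus ignoring the caller's
environment whenever the process is privileged. The second pair shows why a
privileged program that creates files by name can be steered through a
planted symlink (Brook's variant) and how O_CREAT|O_EXCL|O_NOFOLLOW refuses
that. The install prefix /opt/oracle, the nmiconf.tcl path under it, the file
name agent.log and the scratch directory are all assumptions made for the
demo; nothing here reproduces the actual dbsnmp code paths.

```c
/* Added example (not Oracle's code). Contrast a setuid program that trusts
   ORACLE_HOME with one that does not, and naive vs. symlink-safe file creation.
   Build: cc -Wall -o oraenv oraenv.c && ./oraenv */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed compile-time install prefix; stands in for the real one. */
#define BUILTIN_ORACLE_HOME "/opt/oracle"
/* Assumed location of the script relative to ORACLE_HOME. */
#define SCRIPT_REL "network/agent/config/nmiconf.tcl"

/* The pattern in the message: the privileged program takes ORACLE_HOME from
   its caller, so the caller chooses which nmiconf.tcl gets executed. */
char *trusting_script_path(const char *env_home, char *out, size_t n) {
    const char *home = env_home ? env_home : BUILTIN_ORACLE_HOME;
    snprintf(out, n, "%s/%s", home, SCRIPT_REL);
    return out;
}

/* Hardened variant: when running privileged, the environment is untrusted
   input; use the built-in prefix and ignore the caller's value entirely. */
char *hardened_script_path(const char *env_home, int privileged,
                           char *out, size_t n) {
    const char *home = (privileged || !env_home) ? BUILTIN_ORACLE_HOME : env_home;
    snprintf(out, n, "%s/%s", home, SCRIPT_REL);
    return out;
}

/* Setuid (euid differs from real uid) or simply running as root. */
int process_is_privileged(void) {
    return geteuid() == 0 || geteuid() != getuid();
}

/* Naive create: follows whatever symlink the attacker planted at 'path'. */
int naive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safe create: O_EXCL makes open fail if anything (including a dangling
   symlink) already exists at 'path'; O_NOFOLLOW additionally refuses links. */
int hardened_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Sets up the symlink scenario in a scratch directory: an attacker-owned
   "agent.log" that points at "victim", then tries both create routines.
   Returns bit 0 if the naive open wrote through the link (victim now exists)
   and bit 1 if the hardened open refused; expected result is 3. */
int run_symlink_demo(void) {
    char dir[] = "/tmp/oraXXXXXX";         /* constructed scratch location */
    char target[256], lnk[256];
    int result = 0, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/agent.log", dir);

    if (symlink(target, lnk) == 0) {
        fd = naive_create(lnk);            /* follows the link, creates victim */
        if (fd >= 0) {
            close(fd);
            if (access(target, F_OK) == 0) result |= 1;
        }
        unlink(target);
        if (hardened_create(lnk) < 0 && (errno == EEXIST || errno == ELOOP))
            result |= 2;                   /* refused to go through the link */
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    char path[512];
    setenv("ORACLE_HOME", "/tmp/evil", 1); /* what an attacker would export */
    printf("trusting : %s\n", trusting_script_path(getenv("ORACLE_HOME"), path, sizeof path));
    printf("hardened : %s\n", hardened_script_path(getenv("ORACLE_HOME"),
                                                   process_is_privileged() || 1,
                                                   path, sizeof path));
    printf("symlink demo: %d (3 = naive followed link, hardened refused)\n",
           run_symlink_demo());
    return 0;
}
```

The path functions take the environment value as a parameter rather than
calling getenv() internally so the same code can be exercised unprivileged;
in a real setuid binary process_is_privileged() would supply the flag. The
symlink demo runs entirely under a private mkdtemp directory owned by the
caller, so it shows the mechanism without needing a root-owned target.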
