Bugtraq mailing list archives
Re: Oracle 8 root exploit
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Tue, 16 Nov 1999 12:17:21 -0800
The vulnerability discovered by Brook Tellier is actually the same as BUGTRAQ ID 585. This vulnerability was originally discovered by Gilles PARC <gparc () online fr> and published in a message to BUGTRAQ on August 16, 199.

http://www.securityfocus.com/bid/585
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990817092232.B7591 () securityfocus com

The basic vulnerability is that the suid program dbsnmp trusts the environment variable ORACLE_HOME. Gilles describes a way to exploit this by making the vulnerable program execute his own version of the nmiconf.tcl file. Brook describes a way to exploit the problem by making the vulnerable program create files in the system via symlinks.

ISS published an advisory "describing" this vulnerability on August 23, 1999, titled "Additional Root Compromise Vulnerabilities in Oracle 8".

http://www.securityfocus.com/templates/advisory.html?id=1692

Whether ISS found the vulnerability independently or just republished Gilles' findings is unknown.

Oracle has published fixes for the original problem. They can be found at http://technet.oracle.com/misc/agent/section.htm . They also have a FAQ on the issue at http://technet.oracle.com/misc/agent/faq.htm .

One must wonder if Oracle fixed the real problem (dbsnmp being suid root and trusting ORACLE_HOME) or whether they simply fixed the way to exploit the problem originally posted by Gilles, thus leaving the exploit by Brook still working. I would appreciate it if someone could apply the patch and verify that neither of the attack methods works any longer.

<soapbox>
We received some email from ISS letting us know this was the same issue as described in their advisory. While we encourage and appreciate feedback and participation on BUGTRAQ and the vulnerability database, had the original ISS advisory given enough details to figure out what the problem was, this would not be an issue.

I don't mind putting up with 20 lines of company information and marketing drivel in security advisories as long as they contain useful information. But it seems that advisories from security companies that should know better are more and more resembling advisories from CERT, with little or no information.
</soapbox>

Finally, Martin Mevald <martinmv () hornet cz> claims that the "tnslsnr" suid program is similarly vulnerable under Linux Oracle 8.0.5. Can someone verify this claim? Can someone verify Oracle versions other than Linux for this vulnerability? Can someone let us know whether this binary is part of the Oracle Intelligent Agent? And if so, can someone let us know if the Oracle patch fixes the vulnerability in tnslsnr?

http://www.securityfocus.com/templates/archive.pike?list=1&msg=http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911151248050.2500-100000@localhost.localdomain

--
Elias Levy
Security Focus
http://www.securityfocus.com/