Date: Tue, 17 Aug 1999 09:22:32 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Bug in Oracle
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
Message-ID: <19990817092232.B7591@securityfocus.com>
Reply-To: aleph1@SECURITYFOCUS.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
Content-Length: 1179
Sender: jason.axley@attws.com
---------- Forwarded message ----------
Date: Mon, 16 Aug 1999 23:51:53 +0200
From: Gilles PARC <gparc@online.fr>
Subject: Security Bug in Oracle
Hi Listers,

I discovered a new security problem with Oracle on Unix.
Once again, it's with a setuid program.
Do not confuse this with a similar problem corrected
by ORACLE some months ago with a patch called setuid_patch.sh.

NEW PROBLEM:
If you have installed Oracle Intelligent Agent, you will find in
$ORACLE_HOME/bin a program called dbsnmp.
This program is setuid root and was DELIBERATELY EXCLUDED
by Oracle in the aforementioned patch.

The security hole resides in the fact that this program executes
a tcl script (nmiconf.tcl) located by default in
$ORACLE_HOME/network/agent/config.
Needless to say, you can easily bypass this default and have
your own malicious nmiconf.tcl script run under root privileges.

I verified this on HP-UX 10.20 with Oracle 7.3.3 and 8.0.4.3,
and on AIX 4.3 with Oracle 8.0.5.1.
But it's probably Unix generic.

Regards

Gilles Parc
Email : gparc@mail.dotcom.fr
carpe diem !!
----- End forwarded message -----
--
Elias Levy
Security Focus
http://www.securityfocus.com/
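
For administrators checking a host against the report above, here is an added example (not part of the original post and not Oracle's code): a POSIX shell audit that lists setuid files under an Oracle home's bin directory, calling out dbsnmp, and flags a group- or world-writable nmiconf.tcl or config directory. The function names and output format are assumptions made for illustration; the paths are the ones the post names, and the writability check is an extra hygiene check beyond what the post describes.

```shell
#!/bin/sh
# Added example: audit an Oracle home for the setuid condition in the post.
# owner_of, audit_oracle_home and the output format are hypothetical names;
# bin/dbsnmp and network/agent/config/nmiconf.tcl are the paths the post names.

# Print the owner of a file (third field of ls -ld).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Usage: audit_oracle_home /path/to/oracle_home
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
audit_oracle_home() {
    home=$1
    cfg="$home/network/agent/config"
    if [ ! -d "$home/bin" ]; then
        echo "ERROR: no bin directory under $home" >&2
        return 2
    fi
    # Check 1: every setuid file in bin, with its owner; dbsnmp gets its own tag.
    # Check 2: the config directory and nmiconf.tcl must not be writable by
    #          group or other, since a setuid root program runs that script.
    findings=$(
        find "$home/bin" -type f -perm -4000 -print | sort |
        while IFS= read -r f; do
            tag=SETUID
            [ "$(basename "$f")" = dbsnmp ] && tag=SETUID-DBSNMP
            echo "$tag owner=$(owner_of "$f") $f"
        done
        for p in "$cfg" "$cfg/nmiconf.tcl"; do
            [ -e "$p" ] || continue
            find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print |
                sed 's/^/WRITABLE /'
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_oracle_home "$1"
fi
```

A `SETUID-DBSNMP owner=root` line corresponds to the condition the post reports; whether to keep the setuid bit is a decision for the site and the vendor's guidance.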