The vulnerability discovered by Brook Tellier is actually the same as BUGTRAQ ID 585. This vulnerability was originally discovered by Gilles PARC <gparcat_private> and published in a message to BUGTRAQ on August 16, 1999.

http://www.securityfocus.com/bid/585
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990817092232.B7591at_private

The basic vulnerability is that the suid program dbsnmp trusts the environment variable ORACLE_HOME. Gilles describes a way to exploit this by making the vulnerable program execute his own version of the nmiconf.tcl file. Brook describes a way to exploit the problem by making the vulnerable program create files in the system via symlinks.

ISS published an advisory "describing" this vulnerability on August 23, 1999, titled "Additional Root Compromise Vulnerabilities in Oracle 8".

http://www.securityfocus.com/templates/advisory.html?id=1692

Whether ISS found the vulnerability independently or just republished Gilles' findings is unknown.

Oracle has published fixes for the original problem. They can be found at http://technet.oracle.com/misc/agent/section.htm . They also have a FAQ on the issue at http://technet.oracle.com/misc/agent/faq.htm .

One must wonder if Oracle fixed the real problem (dbsnmp being suid root and trusting ORACLE_HOME) or whether they simply fixed the way of exploiting the problem originally posted by Gilles, thus leaving the exploit by Brook still working. I would appreciate it if someone could apply the patch and verify that neither of the attack methods works any longer.

<soapbox>
We received some email from ISS letting us know this was the same issue as described in their advisory. While we encourage and appreciate feedback and participation on BUGTRAQ and the vulnerability database, had the original ISS advisory given enough details to figure out what the problem was, this would not be an issue.

I don't mind putting up with 20 lines of company information and marketing drivel in security advisories as long as they contain useful information. But it seems that advisories from security companies that should know better are more and more resembling advisories from CERT, with little or no information.
</soapbox>

Finally, Martin Mevald <martinmvat_private> claims that the "tnslsnr" suid program is similarly vulnerable under Linux Oracle 8.0.5. Can someone verify this claim? Can someone verify Oracle versions other than Linux for this vulnerability? Can someone let us know whether this binary is part of the Oracle Intelligent Agent? And if so, can someone let us know if the Oracle patch fixes the vulnerability in tnslsnr?

http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.20.9911151248050.2500-100000at_private

--
Elias Levy
Security Focus
http://www.securityfocus.com/
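The pattern behind both exploit variants above, as an added example that is neither Oracle's code nor part of the original post: a setuid program deciding whether ORACLE_HOME from the caller's environment may be honoured, and creating files in a way that cannot be redirected through a symlink. TRUSTED_ORACLE_HOME, the function names and the fixture path are assumptions.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW and seteuid() under strict std modes */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Compiled-in installation prefix (an assumption); never read from the caller. */
#define TRUSTED_ORACLE_HOME "/opt/oracle"
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0           /* O_CREAT|O_EXCL alone still refuses symlinks (POSIX) */
#endif

/* Vulnerable pattern: whatever ORACLE_HOME the caller set decides which
 * nmiconf.tcl the root-privileged process loads. */
const char *vuln_oracle_home(const char *env_home) {
    return env_home ? env_home : TRUSTED_ORACLE_HOME;
}

/* Hardened: on a setuid invocation (effective uid != real uid) ignore the
 * environment entirely; otherwise still insist on an absolute path with no
 * ".." components. */
const char *safe_oracle_home(uid_t ruid, uid_t euid, const char *env_home) {
    if (ruid != euid || env_home == NULL || env_home[0] != '/')
        return TRUSTED_ORACLE_HOME;
    return strstr(env_home, "..") ? TRUSTED_ORACLE_HOME : env_home;
}

/* Symlink-safe creation for the "create files via symlinks" variant: drop to
 * the real uid before touching the filesystem, refuse to follow a symlink and
 * refuse to clobber an existing file. Returns an fd or -1. */
int safe_create(const char *path, uid_t ruid) {
    if (seteuid(ruid) != 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Self-check: plant a symlink (constructed fixture, relative to the current
 * directory) and confirm safe_create() refuses it. 1 = blocked, -1 = no fixture. */
int symlink_is_refused(const char *linkpath) {
    unlink(linkpath);
    if (symlink("/nonexistent/constructed/target", linkpath) != 0)
        return -1;
    int fd = safe_create(linkpath, getuid());
    int blocked = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    unlink(linkpath);
    return blocked;
}
```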
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:57 PDT