On Tue, 16 Nov 1999, Elias Levy wrote:

> One must wonder if Oracle fixed the real problem (dbsnmp being suid root
> and trusting ORACLE_HOME) or whether they simply fixed the way the exploit
> the problem originally posted by Gilles, thus leaving the exploit by Brook
> still working.

> I would appreciate it if someone could apply the patch and verify that
> neither of the attack methods work any longer.

I installed the patch. I'm running Oracle 8.0.5 on SPARC Solaris 2.6 with recommended patches and y2k patches. The Oracle patch changed dbsnmp so that other had no permissions. When I set my group to Oracle and ran it without ORACLE_HOME set, it did create the log files in the current dir (/tmp), but it didn't follow the symlink to /.rhosts and create that, so it looks like they did in fact fix it.

> Finally, Martin Mevald <martinmvat_private> claims that "tnslsnr" suid
> program is similarly vulnerable under Linux Oracle 8.0.5. Can someone
> verify this claim? Can someone verify Oracle versions other than Linux for
> this vulnerability? Can someone let us know whether this binary is part
> of the Oracle Intelligent Agent? And if so, can someone let us know if
> the Oracle patch fixes the vulnerability in tnslsnr?

This binary is not suid on SPARC Solaris 2.6. I don't believe it is part of Intelligent Agent. If I remember correctly, tnslsnr is the product that listens for Oracle connections from other machines, so it's part of the core product.

-Adam
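The behaviour checked in the reply above (log files created in the working directory, a symlink not followed) can be enforced by the program that writes the log. The following is an added C example, not part of the original post and not Oracle's code; the function names and the scratch directory under /tmp are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a log for appending, refusing a symlink at the
 * final path component. Returns an fd, or -1 with errno set. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;              /* a symlink here fails (ELOOP on Linux) */
    /* Also reject devices, FIFOs and hard-linked files. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "dbsnmp.log" is a symlink to a file that does not
 * exist yet. Returns 0 when the symlink is refused, its target is not
 * created, and an ordinary log name in the same directory still opens. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", lnk[64], tgt[64], plain[64];
    struct stat st;
    int fd, ok;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/dbsnmp.log", dir);
    snprintf(tgt, sizeof tgt, "%s/target", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    if (symlink(tgt, lnk) != 0) return -1;
    fd = open_log_nofollow(lnk);
    ok = (fd < 0) && (lstat(tgt, &st) != 0);
    if (fd >= 0) close(fd);
    fd = open_log_nofollow(plain);
    ok = ok && (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(tgt); unlink(plain); rmdir(dir);
    return ok ? 0 : 1;
}
int main(void) { return demo_symlink_refused(); }
```

O_NOFOLLOW only guards the last path component, so a privileged program still needs a log directory that untrusted users cannot write to or influence through the environment.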
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:05 PDT