TUCoPS :: Unix :: General :: oracle07.htm
Oracle 8 (8.03, 8.04, 8.05 and 8.15.) - UNIX only - superuser owned executables issues
Vulnerability
 Oracle
Affected
 Oracle 8 (8.03, 8.04, 8.05 and 8.15.) - UNIX only
Description
 The following is based on an ISS Security Advisory. Internet Security
 Systems (ISS) X-Force has discovered vulnerabilities in superuser
 owned executables that may allow local root compromise. Attackers
 may use these vulnerabilities to create, destroy, or modify any
 file on the system, including files owned by the superuser. This
 attack may be particularly useful to gain complete control of the
 database system, to manipulate Oracle database files, or to deny
 service.
 Oracle has made a recent effort to secure setuid administrative
 tools shipped with Oracle 8. Certain utilities are still shipped
 with the setuid bit enabled. The superuser also owns these
 utilities. ISS X-Force has determined that these vulnerabilities
 are still exploitable in the most current revisions of Oracle 8.
 The vulnerabilities described in this advisory are similar to
 those described in the May 6th ISS X-Force Advisory titled,
 "Multiple File system Vulnerabilities in Oracle 8." These
 vulnerabilities are also a result of implicit trust of Oracle
 system environment variables, as well as insecure file creation
 and manipulation. The combined effect of these vulnerabilities
 may allow local attackers to create, append to, or overwrite any
 file on the file-system as well as privileged oracle files.
 Temporary files that follow symbolic links are a common source of
 vulnerabilities in setuid executables. Administrators should
 remove or restrict access to setuid executables if possible.
 Developers of setuid programs need to take special precautions to
 prevent the introduction of vulnerabilities of this nature. The
 ISS X-Force recommends that all Unix developers become familiar
 with Matt Bishop's secure programming guide, available at
 http://olympus.cs.ucdavis.edu/~bishop/secprog.html
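 The temp-file hazard described above, as an added C example that is not
 part of the ISS advisory or of Oracle's code: the naive opener a setuid
 tool might use beside a hardened one, plus a demo that plants a link in a
 private directory and checks that only the naive opener writes through it.
 Function names and all paths are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive temp-file creation as found in many setuid tools: open() follows a
 * symlink planted at the predictable path, so O_TRUNC hits the link target. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: never follow a link (O_NOFOLLOW), create the file ourselves
 * (O_EXCL), then confirm via fstat() it is our own regular file, one link. */
int open_temp_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
                    || st.st_nlink != 1 || st.st_uid != geteuid())) {
        close(fd);
        errno = EPERM;
        fd = -1;          /* planted link fails earlier with EEXIST/ELOOP */
    }
    return fd;
}

/* Demo in a private directory (constructed paths): a stand-in "protected"
 * file, a link to it at the temp path, then both openers tried in turn.
 * Returns 1 if the unsafe opener truncated the target and the safe refused. */
int demo(void)
{
    char dir[] = "/tmp/symlinkdemoXXXXXX", target[64], link[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(link, sizeof link, "%s/oracle.tmp", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || write(t, "keep me\n", 8) != 8 || close(t) != 0
        || symlink(target, link) != 0) return 0;
    int fd = open_temp_unsafe(link);
    if (fd >= 0) close(fd);
    int followed = stat(target, &st) == 0 && st.st_size == 0;
    int sfd = open_temp_safe(link);
    int refused = sfd < 0 && (errno == EEXIST || errno == ELOOP);
    if (sfd >= 0) close(sfd);
    unlink(link); unlink(target); rmdir(dir);
    return followed && refused;
}
```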
 The following describes additional Oracle Intelligent Agent
 vulnerabilities. The Intelligent Agent binary, 'dbsnmp', is a
 setuid root executable. The Intelligent Agent is a host-based
 agent that can be used to monitor, configure, and maintain remote
 database instances with the Oracle Enterprise manager. The
 Intelligent Agent is part of the Oracle distribution.
Solution
 ISS X-Force has worked with Oracle to provide a patch for the
 vulnerabilities described in this advisory. This patch is
 available to the public on technet.oracle.com. The direct URL is
 http://technet.oracle.com/misc/agent/section.htm
 Take a look at this FAQ regarding vulnerability:
 http://technet.oracle.com/misc/agent/faq.htm
