ASI Oracle Security Alert: Oracle Home Environment Variable Validation

From: <Jared.Still_at_radisys.com>
Date: Tue, 04 Dec 2001 14:49:43 -0800
Message-ID: <F001.003D51D6.20011204134031@fatcity.com>

"Aaron C. Newman" <aaron_at_newman-family.com>
11/30/01 12:40 PM
Please respond to aaron

To: <bugtraq_at_securityfocus.com>
cc:
Subject: ASI Oracle Security Alert: Oracle Home Environment Variable Validation Vulnerability

Oracle Home Environment Variable Validation Vulnerability

For additional details, the official advisories from Oracle Corporation can be downloaded from:
http://otn.oracle.com/deploy/security/pdf/dbsmp_alert.pdf

Summary:
The dbsnmp executable can be manipulated to run programs from the wrong directory. This is accomplished by modifying the ORACLE_HOME environmental variable to point to a location other than the actual location of Oracle. Because the dbsnmp process runs setuid, this allows an attacker to elevate his or her privilege to the level of the oracle operating system account.

Fix:
Remove the setuid bit from the file (chmod -s dbsnmp) or apply the available patch which can be downloaded from http://metalink.oracle.com.

Background:
This vulnerability is based on the Oracle Enterprise Manager Intelligent Agent. This issue exists because the executable file for this process, dbsnmp, runs with the setuid bit enabled. That means this problem ONLY EXISTS ON UNIX (OR LINUX) VERSIONS OF ORACLE. If you are not using the Intelligent Agent, you should remove the setuid bit from this process. You can also avoid this issue by restricting access to the Oracle operating system files. Only database administrators should have access to these files.

The Oracle Intelligent Agent performs the following functions:
-Provides local services or calling operating system dependent
services to interact locally with the managed targets.
-Checks for events, and queuing the resulting event reports for
Oracle Enterprise Manager.
-Runs Oracle Enterprise Manager jobs, collecting their results and
output, and/or queuing the results as required.
-Cancels jobs or events as directed by the Console or other
applications.
-Handles requests to send SNMP traps for events if SNMP is supported
on the Intelligent Agent's platform.

Thank you,
support_at_appsecinc.com
Application Security, Inc.
phone: 212-490-6022
-Protection Where It Counts-



Application Security, Inc.
www.appsecinc.com

As pioneers in application security, we are an organization dedicated to the security, defense, and protection of one of the most commonly overlooked areas of security - the application layer. Application Security, Inc. provides solutions to proactively secure (penetration testing/vulnerability assessment), actively defend/monitor (intrusion detection), and protect (encryption) your most critical applications.



To unsubscribe from this list, send an email to unsubscribe_at_appsecinc.com with the word
"unsubscribe oracle" in the subject list.

"Aaron C. Newman" <aaron_at_newman-family.com>
11/30/01 12:40 PM
Please respond to aaron

To: <bugtraq_at_securityfocus.com>
cc:
Subject: ASI Oracle Security Alert: CHOWN Path Environment Variable Vulnerability

CHOWN Path Environment Variable Vulnerability

For additional details, the official advisories from Oracle Corporation can be downloaded from:
http://otn.oracle.com/deploy/security/pdf/dbsmp_alert.pdf

Summary:
The vulnerability only affects Oracle 8.0.5 and 8.1.5. The dbsnmp file executes the CHOWN and CHGRP commands on several files. It references these files without fully-qualifying the path. This allows an attacker to set the PATH environment variable to run the CHOWN and CHGRP commands on the attacker's version of the files. This vulnerability can result in an attacker gaining root access if the dbsnmp is setuid root.

Fix: Remove the setuid bit from the file (chmod -s dbsnmp) or upgrade the database to Oracle release 8.1.6 or higher. It does not appear that Oracle will be releasing a patch for this vulnerability.

Background:
This vulnerability is based on the Oracle Enterprise Manager Intelligent Agent. This issue exists because the executable file for this process, dbsnmp, runs with the setuid bit enabled. That means this problem ONLY EXISTS ON UNIX (OR LINUX) VERSIONS OF ORACLE. If you are not using the Intelligent Agent, you should remove the setuid bit from this process. You can also avoid this issue by restricting access to the Oracle operating system files. Only database administrators should have access to these files.

The Oracle Intelligent Agent performs the following functions:
-Provides local services or calling operating system dependent
services to interact locally with the managed targets.
-Checks for events, and queuing the resulting event reports for
Oracle Enterprise Manager.
-Runs Oracle Enterprise Manager jobs, collecting their results and
output, and/or queuing the results as required.
-Cancels jobs or events as directed by the Console or other
applications.
-Handles requests to send SNMP traps for events if SNMP is supported
on the Intelligent Agent's platform.

Thank you,
support_at_appsecinc.com
Application Security, Inc.
phone: 212-490-6022
-Protection Where It Counts-




"Aaron C. Newman" <aaron_at_newman-family.com>
11/30/01 12:40 PM
Please respond to aaron

To: <bugtraq_at_securityfocus.com>
cc:
Subject: ASI Oracle Security Alert: Oracle Home Environment Variable Buffer Overflow

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Oracle Home Environment Variable Buffer Overflow

For additional details, the official advisories from Oracle Corporation can be downloaded from:
http://otn.oracle.com/deploy/security/pdf/dbsmp_alert.pdf

Summary:
By setting a long ORACLE_HOME value (more than 750 bytes), an attacker can manipulate the dbsnmp executable to run tasks for them. Because the dbsnmp process runs setuid, this allows an attacker to elevate his or her privilege to the level of the oracle operating system account.

Fix:
Remove the setuid bit from the file (chmod -s dbsnmp) or apply the available patch which can be downloaded from http://metalink.oracle.com.

Background:
This vulnerability is based on the Oracle Enterprise Manager Intelligent Agent. This issue exists because the executable file for this process, dbsnmp, runs with the setuid bit enabled. That means this problem ONLY EXISTS ON UNIX (OR LINUX) VERSIONS OF ORACLE. If you are not using the Intelligent Agent, you should remove the setuid bit from this process. You can also avoid this issue by restricting access to the Oracle operating system files. Only database administrators should have access to these files.

The Oracle Intelligent Agent performs the following functions:
- -Provides local services or calling operating system dependent
services to interact locally with the managed targets.
- -Checks for events, and queuing the resulting event reports for
Oracle Enterprise Manager.
- -Runs Oracle Enterprise Manager jobs, collecting their results and
output, and/or queuing the results as required.
- -Cancels jobs or events as directed by the Console or other
applications.
- -Handles requests to send SNMP traps for events if SNMP is supported
on the Intelligent Agent's platform.

Thank you,
support_at_appsecinc.com
Application Security, Inc.
phone: 212-490-6022
- -Protection Where It Counts-

-----BEGIN PGP SIGNATURE-----

Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPAfux5FBAgFQ9JykEQLfUwCdErCFHrwpir6NUhS+F7OcOfoGY9UAnAk6 i/2Faxt+w2fQAnd6zh0m0Pqf
=jkb7
-----END PGP SIGNATURE-----
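
Added example, not part of the forwarded advisories and not Oracle's or Application Security's code: all three advisories depend on dbsnmp carrying the setuid bit, so this POSIX shell function audits one or more Oracle homes for that bit and for loose permissions on the binary and its directory. The <ORACLE_HOME>/bin/dbsnmp location and the name audit_dbsnmp are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the advisories): audit the Intelligent Agent binary
# for the setuid condition that all three advisories depend on.
# Assumption: the binary is installed as <ORACLE_HOME>/bin/dbsnmp.
# Usage: sh audit_dbsnmp.sh <oracle_home> [<oracle_home> ...]

# Prints findings for one Oracle home.
# Returns 0 = clean, 1 = findings, 2 = binary not found.
audit_dbsnmp() {
    home=$1
    bin="$home/bin/dbsnmp"
    bad=0
    if [ ! -f "$bin" ]; then
        echo "SKIP $bin: not found"
        return 2
    fi
    # Fix named in the advisories: chmod -s dbsnmp
    if [ -u "$bin" ]; then
        echo "FAIL $bin: setuid bit set (chmod -s to remove)"
        bad=1
        # Setuid plus execute-for-others: any local account can start it.
        if [ -n "$(find "$bin" -prune -perm -0001)" ]; then
            echo "FAIL $bin: setuid and executable by all users"
        fi
    fi
    if [ -g "$bin" ]; then
        echo "FAIL $bin: setgid bit set (chmod -s to remove)"
        bad=1
    fi
    # Advisory: only database administrators should have access to these files.
    for p in "$bin" "$home/bin"; do
        if [ -n "$(find "$p" -prune -perm -0002)" ]; then
            echo "WARN $p: writable by all users"
            bad=1
        fi
    done
    return "$bad"
}

# Exit status is non-zero if any listed home has findings or lacks the binary.
status=0
for h in "$@"; do
    audit_dbsnmp "$h" || status=1
done
[ "$status" -eq 0 ]
```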

Received on Tue Dec 04 2001 - 16:49:43 CST