Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: cpujan2006 client issues

Re: cpujan2006 client issues

From: Mark Brinsmead <>
Date: Wed, 01 Feb 2006 18:27:41 -0700
Message-id: <>

Please see comments inline below:

Ray Stell wrote:

>1. 343382.1 says, "One vulnerability (DBC02) is in a utility that can
>be forced to terminate if given long arguments, potentially allowing
>code of an attacker's choice to be executed. However, this utility is
>not installed with setuid (elevated) privileges, so the risk that it
>can be effectively exploited is very low."

This sounds like a pretty fair assessment. So long as the program does not run with
setuid privileges, the risk is only modest. In order to exploit the bug, one would have
to "trick" a user (or program) with "elevated" privileges to invoke the affected executable
on their behalf, supplying very carefully crafted arguments.

Is this a risk? Sure. But not a big one. If I can fool somebody with "root" or "oracle"
privileges to run /bin/sh (or vi, or emacs, or find, or ...) with arbitrary parameters that
I supply, I will pretty much "own" that system. Given that there are hundreds (or
thousands) of programs whose "normal" (and bug-free) operation provides this kind
of "exposure", I don't think I'll lose much sleep over some "bug" that provides a
similar exposure.

Still, if it doesn't take extraordinary effort to correct (e.g., patching the Oracle client
software on 10,000 end-user workstations), the extra precaution is probably worthwhile.

> Do we know if a patched server vulnerable to this client issue?

Probably. In general, the "database server" is a (large) superset of the database client,
isn't it?

> Isn't is a bit absurd to think the risk is low because of
> the default install characteristics? What, black hats
> don't know how to use the chmod cmd?

Sure they do. So what?

If a "blackhat" is able to 'chmod' ANY executable to make it setuid to "oracle" or
"root" (or anything other than him/her self) it's pretty much all over, isn't it? "chmod"
(setuid) is a privileged operation. If the blackhat can do that, you're already hacked.

I suppose, though, that this *could* be a (not so) subtle way to install a backdoor on
a system that has already be broken, though...

>2. 343384.1 says, "Please do not open an issue with Support for additional
>information on the vulnerabilities.
> So, how do I get an answer to the above questions?

How did I do?

>3. I asked these questions on the metalink unix installation forum yesterday.
>Today, my note is gone. "I'm speechless, I am without speech."

Interesting... I wonder if somebody hacked the Metalink Forums database... ;-)

I understand your annoyance, though. I understand the ban on opening TARs (I guess)
but shutting down user discussion on the forums is another thing entirely...

Received on Wed Feb 01 2006 - 19:27:41 CST

Original text of this message